If a website is vulnerable to Local File Inclusion (LFI), how can you use it to find out the PHP version? Is there any file which says the version of PHP being used? I'm trying to do a PHP sessions LFI to RCE attack, but I don't know where the session files are stored. I think finding the PHP version will help. It has to be a file that is already there because there is no way of putting a file on the target (apart from the session file).

Of course, I am not attacking a machine without permission; this is part of a challenge.

201120

1 Answer

There are a couple of ways to get the PHP version:

  • If you can find the error.log from the webserver, you can request http://example.com/<?php phpinfo() ?> first, then use the LFI to include it on a PHP file, and get it to parse the log.

  • You can include /usr/bin/php or /usr/local/bin/php or another path, and get the executable itself.

  • You can use the logfile trick to send a webshell, and use the webshell to get PHP version.

  • You can use the logfile trick to execute functions that aren't available on certain versions, and by the error message you can deduce the version in use.

ThoriumBR
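
On the defending side, the requests described in this answer leave recognizable traces in the web server's access log. The following is an added example, not part of the original answer: a Python check that flags PHP tags in request lines and include attempts against logs, the PHP binary or session files. The log lines, the `page` parameter and the log file names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.*?) HTTP/[0-9.]+"')
# PHP open tag inside a request: the first half of the log-file trick.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Files the question and answer name as include targets. "sess_" is PHP's
# default session-file prefix; the log names are common defaults (assumption).
INCLUDE_TARGET_RE = re.compile(
    r"(error|access)[._]log|/usr/(local/)?bin/php|sess_[A-Za-z0-9,-]+", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def decode(target, rounds=3):
    """Percent-decode repeatedly so %3C and %253C both end up as '<'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return the list of findings for one access-log line ([] means clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = decode(match.group("target"))
    findings = []
    if PHP_TAG_RE.search(target):
        findings.append("php-tag-in-request")
    if INCLUDE_TARGET_RE.search(target.partition("?")[2]):
        findings.append("sensitive-include-target")
    if TRAVERSAL_RE.search(target):
        findings.append("path-traversal")
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical "page" parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /<?php phpinfo() ?> HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /%3C%3Fphp%20phpinfo()%20%3F%3E HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%2F..%2Flogs%2Ferror.log HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=/usr/bin/php HTTP/1.1" 200 90112',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or ["clean"], line.split('"')[1])
```

A 200 response with an unusually large body on a request flagged `sensitive-include-target` is worth triaging first, since it suggests the include actually returned file contents.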