I recently got a phishing mail of unusually bad quality; "Please imediatly sign in under the following link, as we are your bank, you know"-ish. The link points to an unconvincing URL with .php at the end.
I was asking myself why they might use a PHP script instead of just faking the look of the given page and submitting entered data to a form.
I don't really want to click the link to find out, but I would love to get to know what this PHP file is about to do. Is there a way of downloading the script, such as you could with the client-sided JavaScript?
Or am I not able to access the PHP file, as it is executed by the server?
Are there other ways of analyzing this file and its behavior without any danger?
Anders
asked Sep 3, 2015 at 8:51
9
If the server is configured correctly, you cannot download a PHP file. It will be executed when called via the webserver. The only way to see what it does is to gain access to the server via SSH or FTP or some other method.
This is because PHP is a server-side language: all the actions are performed on the server, then the result is sent to your browser [which is client-side].
If you are afraid to mess with your system, you could use VirtualBox with an Ubuntu VM and open the page from there. If you take a snapshot of the VM after installing, and before doing dangerous things, you can later go back to that snapshot and undo anything the script could have done to the VM.
answered Sep 3, 2015 at 9:03
SPRBRN
6
As others have said, the PHP file is executed server-side, unless the server is so badly set up that it will simply serve the source.
If you would like to examine what is sent to your client without the possibility of it doing anything untoward, use a text editor like Notepad to open the URL. That is, use File → Open but open the URL rather than a real file.
The server will interpret the request and send what it would normally send to a browser. Your text editor will receive it, but all a text editor can do is display it for editing. It will never get near a browser or other rendering engine to be executed.
answered Sep 3, 2015 at 21:13
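The same idea as the answer above, as an added example that is not part of the original post: fetch the response as plain text without following redirects, then list which forms it contains, where they would submit to, and which scripts it would load. The URL, host names and HTML below are constructed placeholders, and `fetch_as_text` and `audit` are hypothetical helper names; run the fetch only from a throwaway VM.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a 3xx is reported as-is instead of being followed

def fetch_as_text(url, limit=200_000):
    """Return (status, headers, body text); nothing is rendered or executed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers and body
        resp = err
    return resp.status, dict(resp.headers), resp.read(limit).decode("utf-8", "replace")

class _FormAudit(HTMLParser):
    """Records what a browser would have been asked to do with the markup."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.forms, self.scripts = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": urljoin(self.base, a.get("action") or ""),
                               "method": (a.get("method") or "get").lower(), "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append((a.get("name"), (a.get("type") or "text").lower()))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))

def audit(html, base_url):
    """Summarise forms (resolved action, method, fields) and external scripts."""
    parser = _FormAudit(base_url)
    parser.feed(html)
    for form in parser.forms:
        form["asks_password"] = any(kind == "password" for _, kind in form["fields"])
    return {"forms": parser.forms, "scripts": parser.scripts}

SAMPLE_URL = "http://phish.example/login.php"  # constructed placeholder, not from the mail
SAMPLE_HTML = """<html><body><form action="collect.php" method="POST">
<input name="user"><input type="password" name="pin"><input type="submit" value="Sign in">
</form><script src="//cdn.example/track.js"></script></body></html>"""  # constructed sample

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_URL))
```

On a real page, `status, headers, text = fetch_as_text(url)` followed by `audit(text, url)` gives the same summary; a `Location` header in `headers` shows where a redirect would have led without visiting it.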
3
There is a way if the server contains an LFI exploit: //www.owasp.org/index.php/Testing_for_Local_File_Inclusion.
Though, if the server is properly configured one should not be able to download PHP files.
I recently had the pleasure of patching this in a project I inherited, hence why I know about it. One could directly download PHP scripts by giving the name of the desired script over the $_GET[] which would count.
Truth being told, you'd have to have some luck that there's an exploit possible and you'd also need to figure out the way the server's filesystem is structured [i.e. what is the relative path of the script you're interested in compared to the script containing the LFI-vulnerability]. So if you plan on exploring the server, use a sandbox/VM. You may be in luck if the server is indeed poorly configured as suggested by the comment from Gustavo Rodrigues.
schroeder♦
answered Nov 13, 2019 at 15:48
The .php file is executed on the server side so there is no way of getting the source code unfortunately. What you can try however is to manipulate the URL with the hope that the sysadmin made a mistake.
When a user visits //www.example.com/index.php, the web server generates the HTML response by /usr/bin/php executing the index.php file from /var/www/html.
Web servers are typically configured to execute .php files only, so .jpg or any other file types are served as normal.
If a forgetful sysadmin made a copy of the .php file for backup purposes however, you might be able to retrieve the copy without being executed by /usr/bin/php.
So if the sysadmin made a copy as /var/www/html/index.php.bak, you may download its source code by visiting //www.example.com/index.php.bak with your browser.
Finding these leftover files is a cumbersome task, so you might want to have a look at automated URL fuzzing tools.
Finally I recommend using curl to make these experiments, because it won't execute JavaScript or Flash on your machine.
answered Sep 4, 2015 at 9:50
Gabor
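The administrator's side of the leftover-copy problem described in the answer above, as an added example that is not part of the original post: walk your own document root and report every file that contains PHP source but would not be handed to the interpreter, so the server would send it verbatim. It generalises from `.bak` to any non-executed name (editor backups, `.old` copies). The assumption that only `*.php` is executed, the function names and the sample tree are all constructed for illustration.

```python
import os
import tempfile

EXECUTED_SUFFIXES = (".php",)  # assumption: only *.php is handed to the PHP interpreter


def exposed_php_sources(docroot, executed=EXECUTED_SUFFIXES):
    """Docroot-relative paths whose PHP source would be sent to clients verbatim."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(executed):
                continue  # interpreted: clients only ever see its output
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536).lower()
            except OSError:
                continue  # unreadable with current privileges; skipped
            if b"<?php" in head:
                findings.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(findings)


def demo():
    """Build a constructed docroot in a temp dir and audit it."""
    tree = {
        "index.php": b"<?php echo 'hi';",
        "index.php.bak": b"<?php $db_pass = 'constructed';",
        "config.php~": b"<?php // editor backup",
        "inc/db.php.old": b"<?PHP // renamed copy",
        "logo.jpg": b"\xff\xd8\xff\xe0 not php",
        "notes.txt": b"todo",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return exposed_php_sources(root)


if __name__ == "__main__":
    print(demo())
```

Adjust `EXECUTED_SUFFIXES` to match the handler mapping of the server being audited before trusting the result.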
1
No, you can't, because PHP is executed on the server. End.
- There is no need to get the code, because it's not executed on your computer, so there is no security risk for you.
- PHP will serve websites like any other, so that there is no PHP-specific answer.
If you're interested in a general answer, have a look at How do I safely inspect a suspicious email attachment? Its answers are also true for opening websites safely.
answered Sep 4, 2015 at 10:34
You cannot via HTTP because
A] PHP code written in the file is deleted from the file by the HTTP server before it is sent to the HTTP client
So an HTML form might reference blah.php which contains a PHP snippet, code surrounded with PHP tags, that checks if submitted password=1234 but if you were to wget blah.php you won't see that code. [even if the PHP supporting web server did let you get blah.php directly, without redirecting you to receive some other file.. it's not really the blah.php on the server that you are getting]. It's blah.php processed by the server with PHP code removed and replaced with whatever the PHP outputted. Or with whatever client side code [HTML/JavaScript] the PHP code determined should be shown.
and
B] the HTTP server's PHP module will execute any PHP and produce the resultant file to send to the client.
By the way, technically an HTML file on a server can contain PHP. So it's not like PHP files are more dangerous than HTML files. PHP code does server processing and then outputs other client side stuff one may find in an HTML file like HTML or client side JavaScript.
answered Jul 5, 2016 at 20:04
barlop