
I'm testing a site and I found a file with critical PHP code, but it does not have an extension. My question is: could it be exploited for a shell attack or something like that?

I haven't found anything about this case.

I have this file on the server: http://midomain.com/yii

And I have this code.

#!/usr/bin/env php
<?php
/**
 * Yii console bootstrap file.
 *
 * @link http://www.yiiframework.com/
 * @copyright Copyright (c) 2008 Yii Software LLC
 * @license http://www.yiiframework.com/license/
 */

defined('YII_DEBUG') or define('YII_DEBUG', true);

require(__DIR__ . '/vendor/autoload.php');
require(__DIR__ . '/vendor/yiisoft/yii2/Yii.php');

$config = require(__DIR__ . '/config/console.php');

$application = new yii\console\Application($config);
$exitCode = $application->run();
exit($exitCode);

Benjamin

2 Answers


Yes

The presence of #!/usr/bin/env php as the first line means that this is meant to be used from a shell context - not from the web. When executing from the command line with a line like the above, the extension doesn't matter. So yes, this can be exploited in an attack.

If you found a file like this on your server and you didn't put it there, I would assume your server is compromised and the file is being actively used by your attacker. Nuke it from orbit. This is very different from the sort of malicious PHP scripts you normally see (apparently a hacker decided to build their payload on top of Yii?), but that doesn't change the facts or my advice.

It's worth pointing out that extensions are not really very important. Windows makes them more important than they need to be, but especially in *nix style systems, the extension is rarely important to the underlying system. Even in a web-server context a PHP file without a PHP extension might get executed as PHP, depending on the server configuration. It would take a non-default and less-than-ideal server configuration, but it is entirely possible and not even hard to do. Not only that, but (h/t Ghedipunk) the application executing for the web server can further invoke shell commands or do anything else it wants. As a result an attacker with remote-code-execution abilities on your server can certainly execute code wherever they want, however they want, regardless of extension.

Conor Mancone
  • To add to the point in the last paragraph... In a web context, _only_ the web server cares if the file has a .php extension, and it only cares when deciding to use the PHP interpreter on that first file it's loading in order to fulfil the HTTP request. All files parsed by the PHP interpreter are free to (and encouraged to) load other files as though they are either raw output or executable PHP regardless of file extension. – Ghedipunk Jul 18 '19 at 16:42
  • @ConorMancone thanks. I tried to execute it but I couldn't find a way to do it. The execution by extension is administered by Apache and I think it is not possible. Do you have more information on exploiting it? – Benjamin Jul 19 '19 at 15:18
  • How are you trying to execute it? You have to login via an ssh shell. `cd` into the directory the file lives in, make sure the file has execute permissions (`chmod u+x filename`) and then execute `./filename`. If you're trying to execute through a website then, per my answer, no, it probably won't execute (unless the server is misconfigured). – Conor Mancone Jul 19 '19 at 15:38
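The answer above and the comments turn on one point: in a web context only the server's handler mapping decides whether an extensionless file such as `yii` is run as PHP. The following is an added example, not code from the thread, showing a constructed Apache fragment that does route every file under the docroot to PHP next to the conventional `.php`-only mapping, and a small checker a server admin could run over a config to find handler directives that are not scoped to a `.php` filename pattern. Directive names and container logic follow Apache's `SetHandler`/`ForceType`/`<FilesMatch>` semantics; the `.php`-scoping test is a heuristic.

```python
import re

# Constructed Apache fragments (not from the question). WEAK_CONF hands every
# file under the docroot to the PHP handler, so a request for "/yii" would run
# the console bootstrap; SAFE_CONF maps only names ending in .php (the usual
# default shipped by distributions).
WEAK_CONF = """
<Directory "/var/www/html">
    SetHandler application/x-httpd-php
</Directory>
"""
SAFE_CONF = """
<Directory "/var/www/html">
    <FilesMatch "\\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>
"""

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")
# mod_php handler, or a php-fpm proxy target via mod_proxy_fcgi
PHP_HANDLER = re.compile(r"x-httpd-php|php-fpm|fcgi://", re.I)

def scoped_to_php(name: str, arg: str) -> bool:
    """Heuristic: container limits matches to filenames ending in .php."""
    arg = arg.strip('"\'')
    if name == "FilesMatch":
        return "php" in arg.lower() and arg.endswith("$")
    if name == "Files":
        return arg.lower().endswith(".php")
    return False

def unscoped_php_handlers(conf: str):
    """Return (line_no, directive) for SetHandler/ForceType lines that send
    files to PHP without a .php-only <Files>/<FilesMatch> enclosing them."""
    stack, findings = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if CLOSE_TAG.match(line):
            stack.pop()                      # leave the innermost container
        elif (m := OPEN_TAG.match(line)):
            stack.append((m.group(1), m.group(2)))
        else:
            parts = line.split(None, 1)
            if (len(parts) == 2 and parts[0] in ("SetHandler", "ForceType")
                    and PHP_HANDLER.search(parts[1])
                    and not any(scoped_to_php(n, a) for n, a in stack)):
                findings.append((no, line))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print(label, unscoped_php_handlers(conf))
```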

This file is a Yii framework CLI tool, part of a standard installation.

It can be interpreted as PHP and run by the web server if the server is misconfigured, but typically that would not happen. I don't know if you can actually exploit it remotely if the server would actually execute it, but I'm leaning towards no.

You can, however, use its source code to determine the version of yii framework you're dealing with and try to find vulnerabilities applicable to this version.

Andrew Morozko