# PHPINFO


### Always Check First

#### 1. **System Information**

```
System → Linux hostname kernel version
```

* **Why**: Tells you OS, kernel version (kernel exploits?), hostname (domain clues)

#### 2. **Disabled Functions**

```
disable_functions =
```

* **Why**: Shows what you CAN'T use for RCE (exec, system, passthru, etc.)

#### 3. **Open Basedir**

```
open_basedir = 
```

* **Why**: If set, you're jailed to specific directories

`open_basedir` in PHP is a security restriction that limits which directories a PHP script is allowed to access on the server’s filesystem.

<pre><code>open_basedir = <a data-footnote-ref href="#user-content-fn-1">/var/www/html</a>:/<a data-footnote-ref href="#user-content-fn-2">tmp</a>
</code></pre>

#### 4. **Allow URL Include**

```
allow_url_include = Off/On
allow_url_fopen = Off/On
```

* **Why**: RFI (Remote File Inclusion) possible if On

#### 5. **Document Root**

```
DOCUMENT_ROOT = /var/www/html
```

* **Why**: Know where web files live for LFI/RFI

#### 6. **Upload Tmp Dir**

```
upload_tmp_dir = 
```

* **Why**: Where uploaded files are temporarily stored (check if writable)

#### 7. **Session Save Path**

```
session.save_path = 
```

* **Why**: Session file location for session hijacking/injection

#### 8. **Extension Directory**

```
extension_dir = /usr/lib64/php8/extensions
```

* **Why**: Know where PHP extensions are loaded from

#### 9. **Include Path**

```
include_path = .:/usr/share/php8:/usr/share/php/PEAR
```

* **Why**: Paths where PHP looks for includes (LFI potential)

#### 10. **Display Errors**

```
display_errors = Off/On
display_startup_errors = Off/On
```

* **Why**: If On, errors leak path info, DB creds, etc.

#### 11. **Expose PHP**

```
expose_php = On/Off
```

* **Why**: If On, adds `X-Powered-By: PHP/8.4.8` header (version disclosure)

#### 12. **Magic Quotes** (deprecated but check)

```
magic_quotes_gpc = 
```

* **Why**: Old escape mechanism (can cause injection issues)

#### 13. **MySQL/PDO Settings**

```
mysqli.default_socket = /run/mysql/mysql.sock
pdo_mysql.default_socket = /run/mysql/mysql.sock
```

* **Why**: Socket location (local DB access possible)
* **Also check**: `mysqli.default_host`, `mysqli.default_user` (might have defaults!)

#### 14. **SQLite3**

```
sqlite3.extension_dir
```

* **Why**: SQLite DB file locations

#### 15. **Server Software**

```
SERVER_SOFTWARE = nginx/1.21.5
```

* **Why**: Web server version (specific exploits)

#### 16. **Server Name / IP**

```
SERVER_NAME = l1nuxkid.dev
SERVER_ADDR = 10.69.69.6
REMOTE_ADDR = 10.10.15.156 (your IP)
```

* **Why**: Internal IPs, hostnames, potential other services

#### 17. **HTTP Headers**

```
HTTP_USER_AGENT, HTTP_HOST, etc.
```

* **Why**: Sometimes custom headers reveal internal systems

#### 18. **Dangerous Modules Enabled**

Check these (each enables specific attacks):

| Module | Attack Vector |
| --- | --- |
| **curl** | SSRF, file:// reads |
| **gd** | ImageTragick (CVE-2016-3714) |
| **imagick** | ImageMagick exploits |
| **zip/phar** | PHAR deserialization |
| **xml** | XXE attacks |
| **soap** | SSRF, XXE |
| **ldap** | LDAP injection |
| **ssh2** | SSH execution |
| **ftp** | FTP injection |

#### 19. **Serialization Handlers**

```
session.serialize_handler = php
```

* **Why**: If set to `php_serialize` or `php_binary`, insecure deserialization risk

#### 20. **$\_SERVER Variables**

```
SCRIPT_FILENAME = /var/www/html/phpinfo.php
DOCUMENT_ROOT = /var/www/html
```

* **Why**: Absolute paths, config locations

#### 21. **$\_ENV Variables**

```
USER = wwwrun
HOME = /var/lib/wwwrun
```

* **Why**: Environment variables may contain:
  * Database passwords
  * API keys
  * Application secrets
  * Paths to config files

#### 22. **Input Variables**

```
max_input_vars = 1000
max_input_nesting_level = 64
post_max_size = 8M
upload_max_filesize = 2M
```

* **Why**: Limits for DoS or bypass techniques

#### 23. **CGI/FastCGI Settings**

```
cgi.fix_pathinfo = On
```

* **Why**: If On, pathinfo vulnerability (e.g., `/image.jpg/x.php` executes as PHP)
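To review your own server against the directives in this checklist, the added example below (not part of the original page) parses `php -i` text output and flags the settings the list calls out. The function names `parse_php_i` and `audit` are hypothetical, and the sample input is constructed.

```python
# Added example: audit `php -i` text output against directives from the checklist.
# Directives whose "on" state widens exposure.
RISKY_WHEN_ON = {
    "allow_url_include": "remote file inclusion becomes possible",
    "display_errors": "errors leak paths and credentials to clients",
    "display_startup_errors": "startup errors leak paths to clients",
    "expose_php": "X-Powered-By header discloses the PHP version",
    "cgi.fix_pathinfo": "path-info handling can run non-PHP files as PHP",
}
# Directives that act as restrictions; an empty value means no restriction.
RISKY_WHEN_EMPTY = {
    "disable_functions": "no functions are disabled",
    "open_basedir": "scripts are not confined to specific directories",
}

def parse_php_i(text):
    """Map directive -> local value from 'name => local => master' lines."""
    settings = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("=>")]
        if len(parts) >= 2 and parts[0]:
            # php -i prints the literal text "no value" for unset directives.
            settings[parts[0]] = "" if parts[1] == "no value" else parts[1]
    return settings

def audit(settings):
    """Return (directive, reason) pairs for settings that need review."""
    findings = []
    for name, why in RISKY_WHEN_ON.items():
        if settings.get(name, "").lower() in ("on", "1"):
            findings.append((name, why))
    for name, why in RISKY_WHEN_EMPTY.items():
        if name in settings and settings[name] == "":
            findings.append((name, why))
    return findings

# Constructed sample input (not taken from a real host).
SAMPLE = """\
allow_url_fopen => On => On
allow_url_include => Off => Off
cgi.fix_pathinfo => 1 => 1
disable_functions => no value => no value
display_errors => Off => Off
expose_php => On => On
open_basedir => /var/www/html:/tmp => /var/www/html:/tmp
"""

if __name__ == "__main__":
    for name, why in audit(parse_php_i(SAMPLE)):
        print(f"[!] {name}: {why}")
```
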


[^1]: website files

[^2]: temporary files


