My php files are not being listed

Atif-Uchiha · July 5, 2023, 6:05pm

Website URL: https://ifar.ml/tmp/Idontknow/

Error Message:

403 Forbidden

Information:

In my website I have a php file called “hello.php” but it is not being listed in the directory listing,
Doesn’t matter whatever name I rename it or create a new php file it’s still not showing there,
What should I do?

hello.php

<?php echo "hello"; ?>

This is the code of my “hello.php” file which is just an echo

Greenreader9 · July 5, 2023, 6:19pm

Welcome

Try uploading it again? Are you getting any errors when uploading?

Also, I highly recommend that you secure your database, its quite vulnerable right now:

Oxy · July 5, 2023, 7:28pm

Do you have any .htaccess file which has something to do with the php extension or something similar?

because when I type anything which ends with .php extension leads to 403

e.g. 403 https://ifar.ml/tmp/Idontknow/dummy.php

vs good 404
https://ifar.ml/tmp/Idontknow/dummy.html
https://ifar.ml/tmp/Idontknow/dummy.css

Atif-Uchiha · July 6, 2023, 3:48am

Thanks for the help, the database project was just an test experiment

Atif-Uchiha · July 6, 2023, 3:53am

Happy to hear and I’m glad you liked the 404 page,

The answer to your question is, no I don’t have any .htaccess file please provide some assistance why this this happening and how do I fix it

Atif-Uchiha · July 6, 2023, 4:46am

Hey, Can You Please Provide Some Information

I want to know that how u injected your own php code in the “index.php” file and even when I’m opening the file from a FTP surprisingly your code is not there

SpookyKipper · July 6, 2023, 7:47am

I kinda of did the same thing, but on the insert page, and I can confirm your database is in fact vulnerable.

You should first check if the user input contains characters like "',;, and many more, before running your SQL query. (Search Google how to prevent SQL Injection)

For the code, I’m not teaching others how to hack here. (Can I PM the user? Is that allowed?)

anon42008019 · July 6, 2023, 8:47am

As it should not be.
The vulnerability is not the file modification type, the exploit could be stored in your database, might want to check the table which is responsibe for storing student info.
I heavily recommend learning about the top ten vulnerabilities listed by OWASP. XSS, CSRF and MySQL injection etc.

Greenreader9 · July 6, 2023, 2:02pm

I Dident. That was JavaScript. But it would probably work with PHP as well (Which is even worse). I wanted to prove it is broken and vulnerable without actually breaking anything.

Because it’s in the database, not in the files. However, I could modify those files if I actually injected PHP.

Um, why not just escape / encode everything non-alphanumeric? That’s quite the bit easier in my opinion.

And I heavily second that

system · July 13, 2023, 2:02pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.