Hacking using “rename()” of PHP.

“rename()” is a PHP method used to rename a file or directory.

You can read more about this method here.

This method receives two string parameters: the first is the file's current name, and the second is the new name.

But how can I destroy a system by exploiting the rename method?

The attack only succeeds when a parameter passed to rename() comes from the client, for example through $_POST or $_GET.

Example usage:

http://www.target.com/?oldImage=imageX.jpg

<?php
// For the request above, $_GET['oldImage'] is 'imageX.jpg'.
$newName = 'imageNewName.jpg';
// Vulnerable: the source path comes straight from the client.
rename( $_GET['oldImage'], $newName );
?>

The system will then rename imageX.jpg to imageNewName.jpg, and imageX.jpg will not exist anymore.

Example attack:

http://www.target.com/?oldImage=../../index.php

$_GET['oldImage'] = '../../index.php';

If $_GET['oldImage'] is set to 'index.php', or uses directory traversal with ../ as in ../../folderX/index.php, the request can rename an important file of the system.

The result is that index.php is renamed to imageNewName.jpg and no longer exists under its original name.

When the system tries to find the file and doesn’t find it, the system is corrupted and will stop working.

It can be worse if the system is a CMS like WordPress, Joomla or Drupal: if you rename the config file, you can reinstall the system.

For frameworks like Laravel, you can rename a configuration file such as .env and stop the framework from working correctly.
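
One way to confine the rename shown above to a single upload directory, as an added example that is not code from the original post. The helper name safeRenameImage, the uploads directory and the file-name allowlist are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: rename an image only inside $baseDir.
// Returns false when the request is rejected or rename() fails.
function safeRenameImage(string $baseDir, string $requested, string $newName): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false; // base directory missing
    }

    // Allowlist (assumed policy): a bare image file name, so no "/", "\" or "..".
    foreach ([$requested, $newName] as $name) {
        if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $name)) {
            return false;
        }
    }

    // Resolve symlinks, then confirm the source still sits inside the base directory.
    $source = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($source === false || !is_file($source)
        || strpos($source, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    $target = $base . DIRECTORY_SEPARATOR . $newName;
    if (file_exists($target)) {
        return false; // never overwrite an existing file
    }
    return rename($source, $target);
}

// Constructed demo data: a throwaway directory tree, not the page's site.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rename_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/site/uploads', 0700, true);
file_put_contents($root . '/index.php', '<?php // constructed entry point');
file_put_contents($root . '/site/uploads/imageX.jpg', 'constructed image bytes');
$uploads = $root . '/site/uploads';

// The traversal value from the attack URL is rejected; index.php stays in place.
var_dump(safeRenameImage($uploads, '../../index.php', 'imageNewName.jpg'));
var_dump(file_exists($root . '/index.php'));

// The legitimate request from the example usage still works.
var_dump(safeRenameImage($uploads, 'imageX.jpg', 'imageNewName.jpg'));
var_dump(file_exists($uploads . '/imageNewName.jpg'));
```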

Take it easy and be a better developer.

Soon you will learn how to protect yourself from this kind of attack.

2 comments on “Hacking using “rename()” of PHP.”

    1. Unfortunately not, addslashes is used to protect against other attacks. On Friday I will show an example of a defense.
