“rename()” is a PHP function used to rename a file or directory.
It takes two string parameters: the first is the file's current name, and the second is the new name.
But how can I destroy a system exploiting the rename method?
For the attack to succeed, the parameters passed to rename() must come from the client, for example through $_POST or $_GET.
// Value supplied by the client in the query string
$_GET['oldImage'] = 'imageX.jpg';
$newName = 'imageNewName.jpg';
// Vulnerable: the client-controlled path is passed straight to rename()
rename( $_GET['oldImage'], $newName );
The system will then rename imageX.jpg to imageNewName.jpg, and imageX.jpg will not exist anymore.
Example attack:
$_GET['oldImage'] = '../../index.php';
If $_GET['oldImage'] is set to 'index.php', or uses directory traversal with ../ such as ../../folderX/index.php, an important file of the system can be renamed.
The result is that index.php will be removed.
When the system tries to find the file and doesn’t find it, the system is corrupted and will stop working.
It can be worse if the system is a CMS like WordPress, Joomla or Drupal: if the config file is renamed, the system can be reinstalled.
For frameworks like Laravel, renaming a configuration file such as .env stops the framework from working correctly.
Take it easy and be a better developer.
Soon you will learn how to protect yourself from this kind of attack.
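One way to constrain the client-supplied name before it reaches rename(), shown as an added example that is not part of the original post. The names safeRename(), UPLOAD_DIR and ALLOWED_EXT and the directory layout are assumptions made for illustration.

```php
<?php
// Added example: constrain a client-supplied file name to one directory
// before calling rename(). UPLOAD_DIR and safeRename() are hypothetical names.

const UPLOAD_DIR = '/var/www/app/uploads';   // assumed location of renameable files
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function safeRename(string $clientName, string $newName, string $baseDir = UPLOAD_DIR): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;                         // base directory missing
    }

    // basename() drops any directory part, so "../../index.php" becomes "index.php".
    $src = realpath($base . DIRECTORY_SEPARATOR . basename($clientName));

    // realpath() resolves symlinks and "..": the result must still be a
    // regular file located directly inside the base directory.
    if ($src === false || !is_file($src) || dirname($src) !== $base) {
        return false;
    }

    // Only image files may be renamed, and only to another image name.
    $dstName = basename($newName);
    foreach ([$src, $dstName] as $name) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return false;
        }
    }

    $dst = $base . DIRECTORY_SEPARATOR . $dstName;
    if (file_exists($dst)) {
        return false;                         // never overwrite an existing file
    }
    return rename($src, $dst);
}

// Constructed demonstration in a temporary directory.
$dir = sys_get_temp_dir() . '/rename_demo_' . uniqid();
mkdir($dir . '/uploads', 0700, true);
touch($dir . '/index.php');
touch($dir . '/uploads/imageX.jpg');

var_dump(safeRename('../index.php', 'imageNewName.jpg', $dir . '/uploads')); // traversal input
var_dump(safeRename('imageX.jpg', 'imageNewName.jpg', $dir . '/uploads'));   // legitimate rename
var_dump(file_exists($dir . '/index.php'));                                   // state of index.php
```

Running the PHP process under an account that has no write permission on application code and configuration files limits the damage even if a check like this is missed.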