Check your .htaccess file
Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it's possible:
AddType application/x-httpd-php .jpg
You can test this if you like.
- Create a directory with two files: .htaccess and test.php.jpg
- Set content of .htaccess to
AddType application-x-httpd-php .jpg
- Set content of test.php.jpg to
<?php echo 'foo'; ?>
- Access test.php.jpg through localhost
If all goes as planned, "foo" will be output to your screen. You could expand upon this to move /tmp files around if you like.
Definitely something you want to be very careful with.
Check exposed calls to include/require
Another way this could have been done is through a call to require() or include() (or any of the _once() methods) where by the hacker was able to load in his badfile.php.jpg file that had been uploaded under the guise of an innocent image:
<?php
include $_GET["file"];
?>
In the above case (simplified example), the hacker could pass in a path to his .php.jpg file and have its contents loaded in and processed as PHP code.
Other (frightening) ideas
Require, Include, and their related methods aren't the only ways you can process external scripts - unfortunately you can use eval() as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval() to evaluate that content as PHP, this could also provide a gaping security hole in your website.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
