Setting Up Your PHP Debugging Environment for Hacking

Due to popular demand, I’ve decided to create a blog post on how I set up my PHP debugging environment for hacking PHP applications. In this guide, I will walk you through my setup, which includes using an Ubuntu VPS for the web server and Xdebug. Additionally, I use VSCode as my debugging tool and Burp Suite for testing. Let’s get started!

You can get a $200 free credit on DigitalOcean by using this link: https://try.digitalocean.com/freetrialoffer/. Alternatively, you can set up your own Ubuntu server.

We then create an Ubuntu server and set up our SSH public key.

Installing PHP, Apache2 and Xdebug

We will need to install PHP and the Apache2 web server to host our testing application.

sudo apt update
sudo apt upgrade
sudo apt install apache2 php libapache2-mod-php php-xdebug

Next, we create our testing PHP file in the /var/www/html/ directory.

<?php

echo "test";

Verify that everything is installed by running php -v.

Next, we need to set up our Xdebug configuration in /etc/php/8.3/mods-available/xdebug.ini.

zend_extension=xdebug.so
xdebug.mode = debug
xdebug.start_with_request = yes
xdebug.client_port = 9000
xdebug.client_host = 164.90.218.170

Be sure to replace the xdebug.client_host value (164.90.218.170 above) with the IP address of your Linux machine.

Bringing it all together

In your VSCode, install the following plugin. This will allow us to connect to our Linux server and control it via VSCode.

Once it is installed, it is time to add our VPS server.

Once the plugin is added, you will find your server listed in the plugin menu. If it doesn’t appear, try refreshing the menu. Go ahead and connect to your server.

Once you are connected, install the following plugin to add support for Xdebug in our VSCode.

Now open the application path. In my case, it is /var/www/html since that is where we created the testing PHP file.

Next, navigate to the Debug menu and create the launch.json file, which will be stored in /var/www/html/.vscode.

This file will contain our VSCode debug configuration, which VSCode will use to connect to Xdebug.

{
    "version": "0.2.0",
    "configurations": [
      {
        "name": "Listen for XDebug",
        "type": "php",
        "request": "launch",
        "hostname": "164.90.218.170",
        "port": 9000,
        "pathMappings": {
          "/var/www/html/": "${workspaceFolder}/"
        }
      }
    ]
}

Make sure to replace the hostname value with your machine’s IP address and add the PHP application path to pathMappings.
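
A quick consistency check for xdebug.ini and launch.json, added here as an example and not code from the original post: it reports port, host and path-mapping mismatches (a common reason a breakpoint never fires) and flags a debug listener bound to a non-loopback address. The function names and inline samples are constructed for illustration; to check a real setup, read your own two files and pass their text to check().

```python
import ipaddress
import json
import re
# Constructed samples modelled on the two files in this post.
XDEBUG_INI = """\
zend_extension=xdebug.so
xdebug.mode = debug
xdebug.start_with_request = yes
xdebug.client_port = 9000
xdebug.client_host = 164.90.218.170
"""
LAUNCH_JSON = """\
{ "version": "0.2.0", "configurations": [ {
    "name": "Listen for XDebug", "type": "php", "request": "launch",
    "hostname": "164.90.218.170", "port": 9000,
    "pathMappings": { "/var/www/html/": "${workspaceFolder}/", }
} ] }
"""

def parse_ini(text):
    """Parse flat key=value php.ini lines; ';' starts a comment."""
    pairs = (line.split(";", 1)[0].split("=", 1) for line in text.splitlines())
    return {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}

def parse_launch(text):
    """Drop trailing commas (VS Code accepts them, json.loads does not)."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def check(ini_text, launch_text, docroot="/var/www/html/"):
    """Return a list of findings; an empty list means the files agree."""
    ini, launch = parse_ini(ini_text), parse_launch(launch_text)
    cfg = next(c for c in launch["configurations"] if c.get("type") == "php")
    host, findings = cfg.get("hostname", ""), []
    if "debug" not in ini.get("xdebug.mode", ""):
        findings.append("xdebug.mode does not include 'debug'")
    if ini.get("xdebug.client_port", "9003") != str(cfg.get("port", 9003)):  # 9003 = default
        findings.append("port mismatch between xdebug.ini and launch.json")
    if ini.get("xdebug.client_host") != host:
        findings.append("xdebug.client_host differs from launch.json hostname")
    if docroot not in cfg.get("pathMappings", {}):
        findings.append("pathMappings has no entry for " + docroot)
    try:
        if not ipaddress.ip_address(host).is_loopback:
            findings.append("listener bound to non-loopback " + host)
    except ValueError:
        findings.append("hostname is not an IP literal: " + repr(host))
    return findings

if __name__ == "__main__":
    print("\n".join(check(XDEBUG_INI, LAUNCH_JSON)) or "no findings")
```

A non-loopback finding means the debug port is reachable from other hosts unless a firewall blocks it, so restrict that port to the addresses that need it.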

Now that everything is set up, all that’s left is to set our breakpoints and start the debugger.

We set the breakpoint at line 3 where the echo is. Once we visit the page, we can see that the breakpoint is triggered.

Thanks for reading, and happy hacking!

Written on July 3, 2024