| Check | Value | Result | Note |
|---|---|---|---|
| open_basedir | /home/quantsite1992473113/:/usr/share/ | PASS | restriction set |
| read /etc/passwd | denied | PASS | blocked |
| list /etc | denied | PASS | blocked |
| list / (root) | denied | PASS | blocked |
| list /home (tenant enumeration) | denied | PASS | blocked |
| read /etc/shadow | denied | PASS | blocked (DAC/basedir) |

| Check | Value | Result | Note |
|---|---|---|---|
| this tenant tmp file | /tmp/pentest_public_html_f61fc70626bffbf0a48a37e46c3a0629.txt | PASS | not planted yet |
| other tenants /tmp markers | none | PASS | no foreign pentest_* visible |
| /tmp/sess_* leak | none | PASS | no foreign sess_* readable |
| /tmp/mysql.sock exists? | no | PASS | not present |
| /tmp/.s.PGSQL.5432 exists? | no | PASS | not present |
| /var/lib/mysql/mysql.sock exists? | no | PASS | not present |

| Check | Value | Result | Note |
|---|---|---|---|
| PHP process user | quantsite1992473113 (uid=? gid=? real_uid=?) | PASS | looks per-user |
| Process groups | | PASS | must NOT be in "apache" group (would allow reading other FPM sockets) |
| Expected owner from DOC_ROOT | quantsite1992473113 | PASS | matches |
| Newly-written file owner | 2002 (uid=2002) | INFO | owner could not be resolved to verify against the runtime user |

| Probe | Result | Status | Note |
|---|---|---|---|
| stat /home/bobi | denied | PASS | blocked |
| list /home/bobi | denied | PASS | blocked |
| list /home/bobi/public_html | denied | PASS | blocked |
| read /home/bobi/.bashrc | denied | PASS | blocked |
| read /home/bobi/.bash_history | denied | PASS | blocked |
| read /home/bobi/.ssh/authorized_keys | denied | PASS | blocked |
| read /home/bobi/.ssh/id_rsa | denied | PASS | blocked |
| list /home/bobi/tmp/sessions | denied | PASS | blocked |
| write to /home/bobi/tmp/ | denied | PASS | blocked |
| common config files (wp-config/.env/etc.) | none readable | PASS | blocked |

| Trick | Result | Status | Note |
|---|---|---|---|
| symlink to /etc/passwd | blocked | PASS | blocked |
| symlink /tmp -> /home/bobi/.bashrc | blocked | PASS | blocked |
| glob:// /etc/* | blocked | PASS | blocked |
| glob:// /root/* | blocked | PASS | blocked |
| phar:// write test | n/a | N/A | self-target — not a cross-tenant probe |
| chdir + ../ escape | blocked | PASS | blocked |
| realpath() outside basedir | null | PASS | blocked |

| Function | State | Status | Note |
|---|---|---|---|
| exec | disabled | PASS | |
| shell_exec | disabled | PASS | |
| system | disabled | PASS | |
| passthru | disabled | PASS | |
| proc_open | disabled | PASS | |
| popen | disabled | PASS | |
| pcntl_exec | disabled | PASS | |
| | ENABLED | PASS | |
| imap_open | disabled | PASS | |
| dl | disabled | PASS | |
| putenv | ENABLED | PASS | |
| posix_kill | disabled | PASS | |
| posix_setuid | disabled | PASS | |
| posix_seteuid | disabled | PASS | |
| actual `id` output | (no exec function produced output) | PASS | all exec attempts blocked |

| Check | Value | Status | Note |
|---|---|---|---|
| list /proc | denied | PASS | blocked |
| read /proc/self/status | denied | PASS | blocked |
| read /proc/<PID>/environ or cmdline of other PIDs | none | PASS | blocked |

| Probe | Result | Status | Note |
|---|---|---|---|
| posix_setuid(0) | disabled | PASS | expected to fail |
| posix_seteuid(0) | disabled | PASS | expected to fail |
| list /run *.sock | denied/none | PASS | blocked |
| connect to foreign FPM socket | n/a | N/A | nothing foreign to test against |

| Target | Result | Status | Note |
|---|---|---|---|
| MySQL :3306 | OPEN — Z.5.5.5-10.11.18-MariaDB.<Ap3J\o;.u]Rar;l1Nrri.mysql_native_password | INFO | listening on localhost (normal) — auth checked below |
| PostgreSQL :5432 | closed (Connection refused) | PASS | not reachable |
| Redis :6379 | closed (Connection refused) | PASS | not reachable |
| Memcached :11211 | closed (Connection refused) | PASS | not reachable |
| Elasticsearch :9200 | closed (Connection refused) | PASS | not reachable |
| MongoDB :27017 | closed (Connection refused) | PASS | not reachable |
| MySQL default credentials | default credentials rejected | PASS | rejected/unavailable |
| metadata root (169.254.169.254) | REACHABLE: instance-id instance-v2-id mac local-ipv4 public-ipv4 network_config/content_path hostname | INFO | link-local metadata answers from PHP — an SSRF target; instance IDs/IPs are not secret by themselves |
| metadata: AWS IAM credentials | not present / empty | PASS | no data at this endpoint |
| metadata: AWS user-data | not present / empty | PASS | no data at this endpoint |
| metadata: user-data (v1) | not present / empty | PASS | no data at this endpoint |
| metadata: full config v1.json | readable (1483B): {"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ip | INFO | endpoint readable but no obvious secret pattern — review manually |
| GCP metadata | unreachable / blocked | PASS | not reachable |
| outbound egress (1.1.1.1:53) | OPEN — outbound allowed | INFO | normal for hosting; only a concern if you want strict egress filtering |

| Check | Value | Status | Note |
|---|---|---|---|
| APCu user cache | status: not enabled | PASS | not shared |
| OPcache status | opcache_get_status unavailable (0 cached scripts) | PASS | no foreign scripts / API restricted |
| IPC ext: shmop | loaded | INFO | capability only — a risk only if foreign segments are attachable (see below) |
| IPC ext: sysvshm | not loaded | PASS | not available |
| IPC ext: sysvsem | not loaded | PASS | not available |
| IPC ext: sysvmsg | not loaded | PASS | not available |
| foreign SysV shm segments (shmop) | none accessible | PASS | blocked — cannot attach to foreign segments |

| Check | Value | Status | Note |
|---|---|---|---|
| secrets in $_ENV / getenv() | none matched | PASS | no secret-like env vars |
| php.ini loaded from | /opt/alt/php74/etc/php.ini | INFO | informational |
| scanned .ini files | /opt/alt/php74/link/conf/bcmath.ini, /opt/alt/php74/link/conf/clos_ssa.ini, /opt/alt/php74/link/conf/default.ini, /opt/alt/php74/link/conf/dom.ini, /opt/alt/php74/link/conf/fileinfo.ini, /opt/alt/php74/link/conf/gd.ini, /opt/alt/php74/link/conf/intl.ini, /opt/alt/php74/link/conf/ioncube_loader.ini, /opt/alt/php74/link/conf/json.ini, /opt/alt/php74/link/conf/mbstring.ini, /opt/alt/php74/link/conf/memcached.ini, /opt/alt/php74/link/conf/mysqli.ini, /opt/alt/php74/link/conf/pdo.ini, /opt/alt/php74/link/conf/pdo_mysql.ini, /opt/alt/php74/link/conf/pdo_sqlite.ini, /opt/alt/php74/link/conf/phar.ini, /opt/alt/php74/link/conf/xmlreader.ini, /opt/alt/php74/link/conf/xmlwriter.ini, /opt/alt/php74/link/conf/xsl.ini, /opt/alt/php74/link/conf/zip.ini, /opt/alt/php74/link/conf/zz-php.ini | INFO | informational |
| .user.ini override writable | yes (.user.ini) | INFO | writing .user.ini in your own docroot is by design — not a cross-tenant issue |
| session.save_path | /home/quantsite1992473113/tmp/sessions | INFO | private per-tenant store inside your own home — correct |
| foreign session files readable | none | PASS | blocked |
| phpinfo() dump | callable | INFO | normal — just do not expose ?action=phpinfo publicly |

| Check | Value | Status | Note |
|---|---|---|---|
| mount table (/proc/self/mountinfo) | not readable | PASS | masked — cannot see host mounts (good, CageFS-style virtualization) |
| /proc/mounts readable | denied | PASS | blocked |
| /proc hidepid (visible PIDs) | 0 | PASS | hidepid effective |
| /proc/self/cgroup (LVE) | denied | INFO | informational |
| system user enumeration | posix uid1000+: none | PASS | only own account visible |
| umask | 0022 | INFO | standard default (0022 → 0644); file mode only matters if filesystem isolation is absent |
| created-file permissions | 0644 | INFO | mode is world-readable, but open_basedir/CageFS block cross-tenant reads (see §1–4) — not exploitable here |
| tempnam() location | /home/quantsite1992473113/tmp/pt_TIL7Ah | INFO | informational — check predictability |
| /var/spool/cron access | denied | PASS | blocked |
| read /usr/local/apache/conf/httpd.conf | denied | PASS | blocked |
| read /etc/httpd/conf/httpd.conf | denied | PASS | blocked |
| read /etc/apache2/apache2.conf | denied | PASS | blocked |
| read /usr/local/lsws/conf/httpd_config.conf | denied | PASS | blocked |
| read /etc/nginx/nginx.conf | denied | PASS | blocked |
| resource limits | memory_limit=256M max_execution_time=20 upload_max_filesize=64M post_max_size=64M max_input_vars=3000 | INFO | informational |
| LVE / lsapi hooks | no LVE hooks visible | INFO | informational |

| Setting | Value |
|---|---|
| open_basedir | /home/quantsite1992473113/:/usr/share/ |
| disable_functions | pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,passthru,shell_exec,system,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,popen,dl,show_source,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname |
| upload_tmp_dir | /home/quantsite1992473113/tmp |
| sys_temp_dir | /home/quantsite1992473113/tmp |
| session.save_path | /home/quantsite1992473113/tmp/sessions |
| sendmail_path | /usr/sbin/sendmail -t -i |

49 extension(s) loaded, 1 Zend extension(s).

bcmath, gd, mysqli, SPL, bz2, gettext, openssl, sqlite3, calendar, gmp, pcntl, standard, clos_ssa, hash, pcre, tokenizer, Core, iconv, PDO, xml, ctype, igbinary, pdo_mysql, xmlreader, curl, intl, pdo_sqlite, xmlwriter, date, ionCube Loader, Phar, xsl, dom, json, readline, zip, exif, libxml, Reflection, zlib, fileinfo, litespeed, session, filter, mbstring, shmop, ftp, memcached, SimpleXML

Zend extensions: the ionCube PHP Loader + ionCube24

Tip: deploy this same file to /home/bobi/... and visit both vhosts. Use ?action=plant on tenant A, then visit tenant B with ?other=quantsite1992473113 — section 4 should show all PASS.