Tricks & Others

Code auditing / Looking for vulnerabilities

Bypass PHP disable_functions and open_basedir

# On Linux, PHP executes the sendmail binary whenever the mail() function is called.
# If putenv() is still allowed, the environment variable LD_PRELOAD can be set, so an
# arbitrary shared object is loaded into that sendmail process. The shared object runs
# a custom payload (a binary or a bash script) outside the PHP restrictions, e.g. a reverse shell.

# The Chankro tool automates this (<payload> is a placeholder for the binary or script to run):
python2 chankro.py --arch 64 --input <payload> --output chan.php --path /var/www/html
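From the auditing side, the bypass only works while both halves of the chain are available: a function that sets the environment variable and a function that makes PHP fork sendmail. The following check, added here as an example and not part of the original notes or of Chankro, reads `disable_functions` and `open_basedir` and reports which of those functions are still callable. Function names and the sample ini values are this example's own.

```php
<?php
// Added example, not from the original notes: an audit check for the
// mail()/putenv()/LD_PRELOAD bypass. It reports which of the functions the
// bypass relies on are still callable and whether open_basedir is set.
// Function names and the sample ini values below are this example's own.

function parse_disabled_functions(string $ini): array
{
    // disable_functions is a comma-separated list; normalise case and whitespace.
    $names = array_map('trim', explode(',', strtolower($ini)));
    return array_values(array_filter($names, fn(string $n): bool => $n !== ''));
}

function audit_preload_bypass(?string $disabled = null, ?string $basedir = null): array
{
    // Defaults read the running SAPI's configuration; pass explicit values to
    // audit settings copied from another host's phpinfo().
    $disabled = parse_disabled_functions($disabled ?? (string) ini_get('disable_functions'));
    $basedir  = trim($basedir ?? (string) ini_get('open_basedir'));

    // The trick needs one function to set the environment variable and one
    // that makes PHP fork the sendmail binary with that environment.
    $envSetters      = ['putenv'];
    $sendmailCallers = ['mail', 'mb_send_mail'];

    $findings = [];
    foreach (array_merge($envSetters, $sendmailCallers) as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is still enabled";
        }
    }
    if ($basedir === '') {
        $findings[] = 'open_basedir is not set';
    }

    // Blocking either half of the chain is enough to stop this bypass.
    $envBlocked      = count(array_diff($envSetters, $disabled)) === 0;
    $sendmailBlocked = count(array_diff($sendmailCallers, $disabled)) === 0;

    return [
        'bypass_possible' => !$envBlocked && !$sendmailBlocked,
        'findings'        => $findings,
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: exec-style functions are blocked but putenv() and
    // mail() were forgotten, which is exactly the case the notes describe.
    print_r(audit_preload_bypass('exec,system,shell_exec,passthru,proc_open,popen', ''));
    // And the current process's own configuration.
    print_r(audit_preload_bypass());
}
```

Run it with the same php.ini the web SAPI uses (the CLI often has a different one), or paste the values from the target's phpinfo() into the two arguments. The constructed sample reports `bypass_possible => true` because the list blocks the exec family but leaves putenv() and mail() alone.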


# Path truncation
# PHP's maximum path length is 4096 chars (PHP_MAXPATHLEN on Linux).
# It is possible to bypass checks for one file, for example, by flooding the path before requesting a resource:
# once the limit is exceeded, the string that was checked and the path actually opened no longer match.
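The defensive counterpart is to make sure the value that is checked is the value that is opened: reject over-long input before any filesystem call and compare the canonical path, not the raw string, against the allowed directory. The helper below is an added example, not code from the original notes; `resolve_under_base()` and the sample upload directory are this example's own names.

```php
<?php
// Added example, not from the original notes: resolving a user-supplied file
// name so that the string that was checked is the string that gets opened.
// resolve_under_base() and the sample directory are this example's own.

function resolve_under_base(string $base, string $userPath): ?string
{
    // Anything at or beyond the path limit would be cut short at the C level,
    // so the checked value and the opened value could differ. Reject it early.
    if (strlen($base) + 1 + strlen($userPath) >= PHP_MAXPATHLEN) {
        return null;
    }
    // A null byte terminates the path in C-level calls with the same effect.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($baseReal === false || $target === false) {
        return null; // the target must exist and be canonicalisable
    }
    // Compare the canonical form, not the raw input, with the allowed directory.
    if (strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Usage from a request handler:
//   $path = resolve_under_base('/var/www/uploads', $_GET['f'] ?? '');
//   if ($path === null) { http_response_code(400); exit; }
//   readfile($path);
```

Because the length check runs before realpath() and the comparison uses realpath()'s output, a padded or traversal-laden input either fails early or resolves to the same canonical path the open() call will see.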

# There is a BIG difference between "$salt" and '$salt':
# Double quotes → the variable is interpolated (the value of $salt)
# Single quotes → taken literally as the string $salt

Register Globals

# With register_globals=On, request parameters become global variables, so a
# variable the script never initialised can be set straight from the URL:
index.php?_SESSION[logged]=1
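The pattern that makes this work is an authorisation flag that is only assigned on the success path and never initialised. register_globals was removed in PHP 5.4, but `extract($_REQUEST)` or a `$$key = $value` loop reproduces it, so the same audit applies to modern code. Below, as an added example rather than code from the original notes, the vulnerable shape sits beside a version that initialises every state variable and never turns request data into variable names; `check_credentials()` and the gate functions are this example's own names with a constructed credential check.

```php
<?php
// Added example, not from the original notes. register_globals was removed
// in PHP 5.4, but extract($_REQUEST) or a "$$key = $value" loop reproduces
// it, so the same audit applies. Names below are this example's own.

function check_credentials(string $user, string $pass): bool
{
    // Constructed stand-in for the application's real user store lookup.
    return $user === 'admin' && $pass === 'constructed-sample-password';
}

// VULNERABLE pattern: $logged is only assigned on success and read without
// ever being initialised, so whatever populated the variables decides the
// outcome. extract() here plays the role of register_globals=On.
function gate_vulnerable(array $request): bool
{
    extract($request);
    if (isset($user, $pass) && check_credentials($user, $pass)) {
        $logged = 1;
    }
    return !empty($logged);   // a request carrying logged=1 passes here
}

// HARDENED: every state variable is initialised before use, request fields
// are read by explicit key, and nothing from the request becomes a variable name.
function gate_hardened(array $request): bool
{
    $logged = false;
    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');
    if ($user !== '' && check_credentials($user, $pass)) {
        $logged = true;
    }
    return $logged;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: one with only the flag, one with real credentials.
    var_dump(gate_vulnerable(['logged' => '1']));
    var_dump(gate_hardened(['logged' => '1']));
    var_dump(gate_hardened(['user' => 'admin', 'pass' => 'constructed-sample-password']));
}
```

For the request `['logged' => '1']`, gate_vulnerable() returns true while gate_hardened() returns false; only the request with valid credentials passes the hardened gate. When auditing, grep for `extract(`, `$$`, and `register_globals` in php.ini, and for any flag that is read before it is assigned a default.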