Tricks & Others
Code auditing / Looking for vulnerabilities
Bypass PHP disable_functions and open_basedir
# PHP in Linux calls a binary (sendmail) when the mail() function is executed.
# If we have putenv() allowed, we can set the environment variable "LD_PRELOAD", so we can
# preload an arbitrary shared object. Our shared object will execute our custom
# payload (a binary or a bash script) without the PHP restrictions, so we can have a reverse shell, for example.
# Chankro tool is used for that (https://github.com/TarlogicSecurity/Chankro)
python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html
# Path truncation
# PHP max path is 4096 char
# It is possible to bypass checks for one file, for example, by flooding the path before requesting a resource
# There is a BIG difference between “$salt” and ‘$salt’.
# Double quotes → interpreted as a variable
# Simple quotes → interpreted as a string