PHP

Functions that might be vulnerable if you control the data (in-depth guide here): file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contentsfgetsfreadfgetcfgetcsvfpassthrufputs

Dangerous PHP Functions

Command Execution

exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
\`\` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program

PHP Code Execution

assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());

Useful Extensions

.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps 
.pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc

$ cat info.phar 
<?php phpinfo(); ?>

PHP-relevant HackTheBox machines

1. UpDown

2. Vessel (Single / Double quote confusion + PHP file write)