PHP
Functions that might be vulnerable if you control the data (in-depth guide here): file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs
Dangerous PHP Functions
Command Execution
exec - Returns the last line of the command's output
passthru - Passes the command's output directly to the browser
system - Passes the command's output directly to the browser and returns the last line
shell_exec - Returns the command's output
`` (backticks) - Same as shell_exec()
popen - Opens a read or write pipe to the process of a command
proc_open - Similar to popen() but with a greater degree of control
pcntl_exec - Executes a program
PHP Code Execution
assert() - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());
Useful Extensions
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps
.pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
$ cat info.phar
<?php phpinfo(); ?>
PHP-relevant HackTheBox machines
UpDown
Vessel (Single / Double quote confusion + PHP file write)