PHP
Functions that might be vulnerable if you control the data (in-depth guide here): file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs
Dangerous PHP Functions
Command Execution
exec - Returns the last line of the command's output
passthru - Passes the command's output directly to the browser
system - Passes the command's output directly to the browser and returns the last line
shell_exec - Returns the command's output
`` (backticks) - Same as shell_exec()
popen - Opens a read or write pipe to the process of a command
proc_open - Similar to popen() but with a greater degree of control
pcntl_exec - Executes a program
PHP Code Execution
assert() - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());
Useful Extensions
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps
.pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
$ cat info.phar
<?php phpinfo(); ?>
PHP-relevant HackTheBox machines
UpDown
Vessel (Single / Double quote confusion + PHP file write)
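A static triage pass for the constructs in the Command Execution and PHP Code Execution lists above, as an added example that is not part of the original page. The scan function, the rule names and the sample PHP are constructed for illustration; the rules are line-based regexes that also match inside strings and comments, so each hit is a candidate for manual review rather than a confirmed finding.

```python
import re

# Names come from the page's "Command Execution" and "PHP Code Execution" lists.
# FREE skips method calls (->exec, ::exec) and longer names such as curl_exec.
FREE = r"(?<![\w>:$])"
RULES = [
    ("command-exec", re.compile(
        FREE + r"(?:shell_exec|pcntl_exec|proc_open|passthru|system|popen|exec)\s*\(", re.I)),
    ("command-exec", re.compile(r"`[^`]+`")),  # backticks behave like shell_exec()
    ("code-exec", re.compile(FREE + r"(?:assert|create_function)\s*\(", re.I)),
    # include/require are language constructs, so parentheses are optional
    ("code-exec", re.compile(
        FREE + r"(?:include_once|require_once|include|require)\b(?=\s*[('\"$_])", re.I)),
    # preg_replace whose pattern literal carries the e modifier after its closing delimiter
    ("code-exec", re.compile(
        r"(?i:preg_replace)\s*\(\s*(['\"])(\W).*?\2[a-zA-Z]*e[a-zA-Z]*\1")),
    # $_GET['func_name'](...) or $func(...): the callee is chosen at run time
    ("dynamic-call", re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\(")),
    ("dynamic-call", re.compile(r"new\s+ReflectionFunction\s*\(", re.I)),
]

def scan(php_source):
    """Return (line_number, category, matched_text) for every rule hit."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), 1):
        for category, rule in RULES:
            for match in rule.finditer(line):
                findings.append((number, category, match.group(0).strip()))
    return findings

# Constructed sample input (not from the page); lines 3 and 4 must not be flagged.
SAMPLE = r'''<?php
$out = shell_exec("ls " . $_GET['dir']);
$rows = $pdo->exec("DELETE FROM t");
$r = curl_exec($ch);
include $_GET['page'] . ".php";
echo `id`;
$_GET['func_name']($_GET['argument']);
echo preg_replace('/.*/e', $_GET['r'], $s);
$f = new ReflectionFunction($_GET['func_name']);
'''

if __name__ == "__main__":
    for number, category, text in scan(SAMPLE):
        print(f"line {number}: {category}: {text}")
```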