# PHP

Functions that **might be vulnerable** if you control the data ([**in-depth guide here**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)): `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`

## Dangerous PHP Functions

### Command Execution

```php
exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
\`\` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program
```

### PHP Code Execution

```php
assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());
```

### Useful Extensions

```php
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps 
.pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc

$ cat info.phar 
<?php phpinfo(); ?>
```

## PHP-relevant HackTheBox machines

1. UpDown
2. Vessel (Single / Double quote confusion + PHP file write)