PHP
Dangerous Functions
PHP Temporary Files
PHP will create temporary files for files sent with POST and for sessions. If we have an LFI, we can get our PHP code onto the box and then include these files.
PHP_SESSION_UPLOAD_PROGRESS (will create sess_xct in /tmp):
Disable Functions Bypass
Mail
PHP7 Backtrace
https://raw.githubusercontent.com/mm0r1/exploits/master/php7-backtrace-bypass/exploit.php
Interesting Behavior
PHP's REQUEST
$_REQUEST takes values from GET, POST and also COOKIE. Setting the GET/POST and COOKIE parameters to different values can therefore lead to some interesting behavior. Values from COOKIE are disabled by default, though.
PHAR SSRF
If file_exists or a similar function is called on uploaded content, we can have it request the file via the phar:// wrapper. This allows the use of deserialization gadgets.
If no good gadgets are available, SoapClient can be used for SSRF via gopher to other local services like MySQL.
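A detection sketch for the temporary/session file inclusion and phar:// wrapper techniques noted above, added here as an example and not part of the original notes: it percent-decodes the query string of access-log lines (repeatedly, to catch double encoding) and flags matching values. The rule names, the classify/scan helpers, the /tmp paths (default session and upload temp directory assumed) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Rules tied to the techniques in these notes. Paths assume sessions and
# upload temp files live in /tmp (an assumption; adjust to session.save_path
# and upload_tmp_dir on the host being monitored).
RULES = {
    "session-file-include": re.compile(r"/tmp/sess_[A-Za-z0-9,-]+"),
    "upload-tmpfile-include": re.compile(r"/tmp/php[A-Za-z0-9]{6}\b"),
    "phar-wrapper": re.compile(r"phar://", re.I),
}

# Pulls the request target out of a combined-log-format request field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are still matched."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_line):
    """Return the sorted rule names matching the query string of one log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = fully_decode(urlsplit(match.group(1)).query)
    return sorted(name for name, rx in RULES.items() if rx.search(query))


def scan(lines):
    """Map line index -> matched rule names, skipping lines with no hits."""
    hits = {i: classify(line) for i, line in enumerate(lines)}
    return {i: names for i, names in hits.items() if names}


# Constructed sample lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=../../../../tmp/sess_xct HTTP/1.1" 200 90',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /view.php?file=phar%3A%2F%2F.%2Fuploads%2Favatar.jpg HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=%252Ftmp%252FphpAb12Cd HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for index, names in scan(SAMPLE_LOG).items():
        print(index, names)
```

Access logs only carry the request line, so values sent in POST bodies or cookies need the same rules applied at a WAF or in application logging.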
Eval Code Injection
Simple but effective:
Upload & Execute File