📔
Cyber Security Notes
  • Introduction
  • CVEs
    • CVE-2022-33106
  • Paper Reviews
    • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • Security Basics Notes
    • Identification, Authentication and Authorization
  • Enumeration and Initial Compromise
    • Methodology
    • Footprinting
    • Network Protocols
      • FTP
      • SMB
      • DNS
      • NFS
      • SMTP
      • IMAP/POP3
      • SNMP
      • MySQL
      • MSSQL
      • Oracle TNS
      • IPMI
    • Nifty One Liners
    • Brute-Force Web Pages
      • Hydra
    • Network Pentest
      • Quick SMB cheatsheet
      • SSH keypair basics
      • Compromise using SSH Key
      • Networking fundamentals Interview topics
      • nmap quick cheatsheet
      • Metasploit Quick Reference
    • Web Pentest
      • Web Pentest Interview top topics
      • Wordpress Exploitation
      • Joomla Exploitation
      • Login Bypass using Cookie Tampering/Poisoning
      • Subdomain Enumeration
      • CSRF mitigation
      • XSS mitigation
      • CSP bypass with JSONP
      • PHP Vulnerabilities
      • Python Serialization Vulnerabilities - Pickle
      • SQL Injections
        • SQLmap
      • SSTI
      • XSS
    • Buffer Overflow Prep
      • Understanding CPUs
      • Virtual Memory and Paging
      • Syscalls
      • Theorem Proving
      • Stripping readable function names
      • Insecure C functions
      • Stack Canaries
      • Linking - GOT,PLT
      • Return Oriented Programming
    • Active Directory - Basics
      • AD DS
      • Managing OUs
      • Group Policies
      • Authentications
      • Trees, Forests and Trusts
      • Kerberos
      • Attacking Kerberos
      • Priv Esc (Post Exploitation)
    • DNS/Domain Enum Masterguide
  • Post Exploitation
    • Shell Escape Techniques
    • Getting stable shell after compromise
    • Linux Privilege Escalation
      • Sudoers file
      • Sudoers entry - Yum
      • Wildcards - Basics
      • Wildcards - Chown
      • Wildcards - Tar
      • Linux Permissions & SUID/SGID/Sticky Bit
      • SUID - nmap
      • SUID - bash
      • SUID - man
      • NFS no_root_squash
      • SUID - pkexec
      • Bad permissions
    • Windows Privilege Escalation
      • SeImpersonatePrivilege Token Impersonation
      • Firefox Creds
      • Potatoes
      • Print Spooler Basics
      • Print Spooler CVE 2020-1030
      • SpoolFool
    • Data Exfiltration Post Exploitation
  • Port Forwarding Cheatsheet
  • Powershell Essentials
    • Powershell Basics
    • Powershell Enumeration
    • Powershell Port Scanner
    • Powershell One Liner Port Scanning
    • Powershell Port Scan in a given CIDR
  • Application Security
    • System Calls in Linux
    • Buffer Overflow Defenses
    • Format string vulnerabilities
    • Sample Github Actions
    • Basic Bugs in Demo Application
    • Using AFL++
  • Linux 64-bit Assembly
    • GDB Basics
      • My relevant GDB cheatsheet
      • Task 1 - Tamper strcmp logic
      • Breakpoints
      • Always starting with intel flavor
      • GDB TUI Mode
    • Basic Hello World Program
    • Registers in 64-bit
    • global directive
    • Reducing instructions and Removing NULL-> Optimizing memory in Assembly
    • Data Types
    • Endianness
    • Moving Data
    • push, pop, and the stack
    • Analysis - Writing data on memory location and referencing
    • Arithmetic Operations
    • Bitwise Logical Operations
    • Bit-Shifting Operations
    • Control Instructions
    • Loops
    • Procedures
    • Stack-Frames and Procedures
    • String Operations
    • Shellcoding basics
      • Introduction and Common Rules
      • Basic Shellcodes->Exit
      • Testing shellcode->Skeleton Code
      • Techniques-> JMP,CALL,POP
      • Techniques-> Stack
      • Techniques-> (64-bit only) RIP Relative Addressing
      • Shellcode 1 -> execve(/bin/sh) STACK PUSH
      • Shellcode 1 -> execve(/bin/sh) JMP CALL POP
      • Techniques-> XOR-Encoder
  • Cloud Security
    • Foundational Technology
    • Learning Through Project Omega
    • IAM Essentials
      • Deep dive into IAM - Part 1
    • Amazon S3
    • Risk Management & Data Controls
    • Enumeration
      • S3 - Enum Basics - PwnedLabs
      • S3 - Identify the AWS Account ID from a Public S3 Bucket
      • EBS - Loot Public EBS Volumes
      • S3- Exploit Weak Bucket Policies for Privileged Access
  • API Security
    • WSDL
  • Reverse Engineering
    • Some string Operations
    • Numbers and Inputs
    • Address inputs
    • Recursive Function
    • Crackme: level1
    • Crackme: level2
    • CTF: Memory Dereferencing
    • CTF: Monty Python
  • CTF Challenge Learnings
    • vsCTF 2024
      • Sanity Check
      • not-quite-caesar
      • Intro to reversing
    • NCL Individual 2024
      • Web Challenges
        • PiratePals
        • Pierre's Store
    • Pico CTF 2024
      • Web Exploitation
        • Bookmarklet
        • WebDecode
        • Unminify
        • Trickster
      • General Skills
        • Commitment Issues
        • Time Machine
        • Blame Game
        • Collaborative Development
        • Binary Search
        • Dont-you-love-banners
    • Sunshine CTF
      • Knowledge Repository
    • Amazon WiCys CTF
      • I am Lazy
      • Password Locker on the Web
      • Happy Birthday Card Generator
      • Bloggergate
      • simple offer
      • Bad Actor
      • Secret Server
      • Simple PCAP
      • Hidden Message
    • C code using getenv()
    • Command Injection with filter
    • Pwning
      • Shoddy_CMP
      • PLT_PlayIT
  • Applied Cryptography
    • Linear Congruential Generator
  • Tools for everything
Powered by GitBook
On this page

Was this helpful?

  1. Enumeration and Initial Compromise
  2. Web Pentest

PHP Vulnerabilities

PreviousCSP bypass with JSONPNextPython Serialization Vulnerabilities - Pickle

Last updated 1 year ago

Was this helpful?

PHP is a dinosaur now. But still relevant even in the modern web infrastructure. When we talk about PHP, we talk about dynamic back-end logic that resembles C in a way, and gives programmatic functionality to static HTML pages.

Ahh, good old Facebook days when PHP was super heavy and one of the key languages on the main website.

But soon enough people realized that PHP had inherent vulnerabilities that makes it super easy for an attacker to break into it and moved on to modern Javascript frameworks.

Let's talk about such vulnerabilities for a bit before moving on.

PHP Type Juggling

PHP will do anything to match with a loose comparison. When I say loose comparison it means the double equal sign (==). A strictly equal sign would be the triple equal (===). But if the backend is using double equal (developer habit who use other programming languages frequently) we would see some of the following results:

0 == "0"

0 == null

"0e1234" == "0e4567" (math quirk. anything multiplies by 0 is 0. Yeah, PHP doesn't care if it is a string. It will first convert it to a format it understands then compare it making them equal)

0 == "asdf"

$arr == array(); -> md5($arr) == md5("Array")

Imagine this: If two hashes are starting from the same "0e..." value, they will be the same. This defeats the purpose of password hashing (as in unique strings for each unique password). By this command you'll see various strings starting with 0e. PHP will compare them and tell that they're equal.

for i in {1..4000}; do echo $i | md5sum ; done | grep ^0e

PHP - File Inclusion

require, require_once, include functions would import another PHP file. This can be easily cracked.

eg: require $_GET['page] . ".php";

This would allow includion of a file from URL. eg: example.com?page=index

This is problemmatic since we can easily provide any other file to be included. Even use techniques like null byte to include a non-PHP files too.

PHP - Stream filters

PHP also has its own URL schema=> php://...

The purpose of this URL schema is to filter some output like remove HTML tags or endode data in base64. For example, see the following script which filters out HTML tags except bold, italics and underline (<b>,<i>,<u>)

$fp = fopen('php://output', 'w');
stream_filter_append(
$fp,
'string.strip_tags',
STREAM_FILTER_WRITE,
array('b','i','u'));
fwrite($fp,"<b>bolded</b> enlarged to a <h1>level 1 heading</h1>\n");

Interesting thing to note here is that we can use this php://... URL schema to extract any data that we want! Now the filter is supposed to format a PHP code and perform functions on it, right? But what if the data in stream is not PHP? Let's say base64. Then the filter won't format anything and parse all the raw data!

For example, I want flag.txt file in / directory and base64 encode it. I'd do this:

php://filter/convert.base64-encode/resource=/flag.txt

This would extract flag.txt in base64 and send to browser directly.

This is a good way to leak source code of a PHP web application! in a CTF I encountered a problem where I had to extract a flag hidden in PHP source code. include() function was fetching a file. I craffter the payload like this:

http://site.com/index.php?page=php://filter/convert.base64-encode/resource=flag

And then after deecoding this base64 to readable text, I got the flag (and the PHP source code for flag.php file)

We can even fetch binaries from the server like this. Then do:

pbpaste | bsae64 -D > foo.bin

file foo.bin