PHP Cheatsheet

• searching for vulnerable shell functions

egrep -r --include "*.php" -e "(system|pcntl_exec|passthru|exec|shell_exec|popen|pcntl_exec|proc_open)\(" .

• searching for certain vulnerable php execution functions

egrep -r --include "*.php" -e "(eval|assert|create_function|preg_replace)\(" .

• Useful for XSS. Searching variables that are echoed without htmlspecialchars()

egrep -r --include "*.php" -e "echo\s*\\$.*;" .

• searching for the back tick operator, used to execute arbitrary shell commands

egrep -r --include "*.php" -e "\`.*\`" .

• searching for hardcoded credentials

egrep -r --include "*.php" -e "(\\$|\->)?(\\[\")?(user|pass|username|password)(\"\\])?\s*=\s*\".*\"" .
egrep -r --include "*.php" -e "(mysql_connect|mysqli)\(\s*(\"|\').+(\"|\')\,\s*(\"|\').+(\"|\')\,\s*(\"|\').+(\"|\')" .

• potential sql injection instances

egrep -r --include "*.php" -e "\->(query|exec)\(\s*\".*\".*\." .

• file system access

egrep -r --include "*.php" -e "(fopen|fread|fwrite|fclose)\(" .

• possible xxe instances, look for the true parameter

egrep -r --include "*.php" -e "libxml_disable_entity_loader\(" .