PHP Cheatsheet

  • searching for vulnerable shell execution functions

egrep -r --include "*.php" -e "(system|pcntl_exec|passthru|exec|shell_exec|popen|proc_open)\(" .
  • searching for vulnerable PHP code execution functions

egrep -r --include "*.php" -e "(eval|assert|create_function|preg_replace)\(" .
  • useful for XSS: searching for variables that are echoed without htmlspecialchars()

egrep -r --include "*.php" -e "echo\s*\\$.*;" .
  • searching for the backtick operator, which executes arbitrary shell commands

egrep -r --include "*.php" -e "\`.*\`" .
  • searching for hardcoded credentials

egrep -r --include "*.php" -e "(\\$|\->)?(\\[\")?(user|pass|username|password)(\"\\])?\s*=\s*\".*\"" .
egrep -r --include "*.php" -e "(mysql_connect|mysqli)\(\s*(\"|\').+(\"|\')\,\s*(\"|\').+(\"|\')\,\s*(\"|\').+(\"|\')" .
  • potential SQL injection instances (queries built by concatenating onto a string literal)

egrep -r --include "*.php" -e "\->(query|exec)\(\s*\".*\".*\." .
  • file system access

egrep -r --include "*.php" -e "(fopen|fread|fwrite|fclose)\(" .
  • possible XXE instances; inspect the argument passed to each call (look for the true parameter)

egrep -r --include "*.php" -e "libxml_disable_entity_loader\(" .
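The greps above are easiest to keep and re-run as a script. The following is an added example, not part of the cheatsheet: the same patterns as named shell variables, a helper that counts matching lines under a directory, and a summary function, exercised against two constructed PHP files (one risky, one hardened) so the difference in hits is visible. It assumes only `find` and a grep with `-E`, and uses `[[:space:]]` instead of `\s` so it runs on both GNU and BSD userlands; the file names and sample code are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): the audit patterns as variables,
# a line counter per pattern, and a summary over a directory of *.php files.
set -eu

# Shell-execution sinks.
PAT_SHELL='(system|pcntl_exec|passthru|exec|shell_exec|popen|proc_open)\('
# Dynamic PHP code execution.
PAT_EVAL='(eval|assert|create_function|preg_replace)\('
# echo of a variable with no encoding call in front of it.
PAT_ECHO='echo[[:space:]]*\$.*;'
# Backtick operator.
PAT_BACKTICK='`.*`'
# Credentials assigned from a string literal.
PAT_CREDS='(\$|->)?(\[")?(user|pass|username|password)("\])?[[:space:]]*=[[:space:]]*".*"'
# Query built by concatenating onto a string literal.
PAT_SQL='->(query|exec)\([[:space:]]*".*".*\.'
# File system access.
PAT_FILE='(fopen|fread|fwrite|fclose)\('
# XXE: every call is reported; the argument still has to be read by hand.
PAT_XXE='libxml_disable_entity_loader\('

# count_pattern DIR ERE: number of lines in DIR/**/*.php matching ERE.
# -e keeps patterns that start with "->" from being parsed as grep options.
count_pattern() {
  find "$1" -type f -name '*.php' -exec grep -E -H -n -e "$2" {} + 2>/dev/null \
    | wc -l | tr -d ' '
}

# list_pattern DIR ERE: the matching lines themselves, as file:line:text.
list_pattern() {
  find "$1" -type f -name '*.php' -exec grep -E -H -n -e "$2" {} + 2>/dev/null || true
}

# audit_php DIR: one "label count" line per check.
audit_php() {
  for entry in "shell:$PAT_SHELL" "eval:$PAT_EVAL" "echo:$PAT_ECHO" \
               "backtick:$PAT_BACKTICK" "creds:$PAT_CREDS" "sql:$PAT_SQL" \
               "file:$PAT_FILE" "xxe:$PAT_XXE"; do
    label=${entry%%:*}    # text before the first colon
    pattern=${entry#*:}   # everything after it (patterns may contain colons)
    printf '%-9s %s\n' "$label" "$(count_pattern "$1" "$pattern")"
  done
}

# make_sample_tree DIR: writes two constructed files, one risky and one hardened.
make_sample_tree() {
  mkdir -p "$1/app"
  cat > "$1/app/risky.php" <<'EOF'
<?php
// constructed sample of risky code, not from any real project
$cmd = $_GET['cmd'];
system("ls " . $cmd);
$out = shell_exec($cmd);
eval($_POST['code']);
echo $_GET['name'];
$password = "hunter2";
$db->query("SELECT * FROM users WHERE id = " . $_GET['id']);
$tag = `ls`;
$fh = fopen($_GET['path'], 'r');
libxml_disable_entity_loader(false);
EOF
  cat > "$1/app/hardened.php" <<'EOF'
<?php
// constructed sample of the hardened equivalents
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
$password = getenv('DB_PASSWORD');
libxml_disable_entity_loader(true);
EOF
}

# Stand-alone demo: build the sample tree in a temp dir, audit it, show the
# XXE hits (both files match; only the argument tells them apart), clean up.
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_php "$demo"
list_pattern "$demo" "$PAT_XXE"
rm -rf "$demo"
```

On the constructed tree the hardened file produces no hits for the shell, echo, credential or SQL patterns, while the XXE pattern reports both files, which is why that check ends with reading the argument rather than trusting the count. Point `audit_php` at a real checkout to get the same per-category summary, then use `list_pattern` on any category with a non-zero count.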