what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed


Posted Feb 19, 2003
Authored by Jani Taskinen | Site php.net

PHP Security Advisory - PHP 4.3.0 contains a bug that allows direct access to the PHP binary via the CGI SAPI which allows remote attackers to trick the server into executing arbitrary PHP code. PHP 4.3.1 fixes the vulnerability.

tags | advisory, remote, arbitrary, cgi, php
SHA-256 | 21cbf19fe4a85a2248c6ff1bd76047da3c8253975dfcee6e5099cbb61651d08a

Related Files

Firebase PHP-JWT Algorithm Confusion
Posted Aug 15, 2021
Site paragonie.com

Firebase's PHP-JWT suffers from an algorithm confusion issue. Proof of concept code included.

tags | exploit, php, proof of concept
SHA-256 | bb3896b28adac75139b54397d609f1fd54d05c94094f3213dbc7a00f3fa5c0c6
PHP 8.1.0-dev Backdoor Remote Command Injection
Posted May 24, 2021
Authored by Richard Jones

PHP version 8.1.0-dev backdoor unauthenticated remote command injection exploit.

tags | exploit, remote, php
SHA-256 | f51b0d373568167c85b67d4b60c1a737739975e2f231f5619d8e1b7a3a1058f6
PHP-FPM 7.x Remote Code Execution
Posted Mar 5, 2020
Authored by cdelafuente-r7, neex | Site metasploit.com

This Metasploit module exploits an underflow vulnerability in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of the original neex's exploit code (see refs). First, it detects the correct parameters (Query String Length and custom header length) needed to trigger code execution. This step determines if the target is actually vulnerable (Check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, this module does some cleanup by killing local PHP-FPM workers (those are spawned automatically once killed) and removing the created local file.

tags | exploit, local, php, code execution
advisories | CVE-2019-11043
SHA-256 | b0bb267ae212db3146c03348b75e67574095c1e4c6cca10f25f575609f95bc2f
PHP PHP_INI_SYSTEM Ineffective Controls
Posted May 21, 2019
Authored by Imre Rad

Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective as they could be bypassed by malicious scripts via writing their own process memory on the Linux platform. Proof of concept code included.

tags | exploit, php, proof of concept
systems | linux
SHA-256 | a746a7f8973556b23ebea90b00627034fee20f44dce632fd39f31dcfa7483ceb
PHP Source Code Analysis
Posted Dec 12, 2018
Authored by Engin Demirbilek

Whitepaper called PHP Source Code Analysis. Written in Turkish.

tags | paper, php
SHA-256 | eed125e2cc2676aec303d76c9979e0735faf36491551cb904ab2c7ddf56da611
PHP imap_open Remote Code Execution
Posted Nov 28, 2018
Authored by h00die, Anton Lopanitsyn, Twoster | Site metasploit.com

The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.

tags | exploit, arbitrary, php, imap
systems | linux, debian, ubuntu
SHA-256 | 5db80502619550a84a9d8068ff710ec5534f3d8a3239b812c7c114f85cc7972a
The Powerful Resource Of PHP Stream Wrappers
Posted Nov 15, 2018
Authored by Netsparker

In this article, the author explores ways to bypass protection methods using the PHP Stream Wrappers, which are responsible for handling protocol related tasks like downloading data from a web or ftp server and exposing it in a way in that it can be handled with PHP's stream related functions.

tags | paper, web, php, protocol
SHA-256 | eb1b419125c1b9aa31bd933a42cb8186ad467dc3e63433095d4ed7b2fb2a7128
PHP Vulnerability Audit Cheatsheet
Posted Oct 6, 2016
Authored by dustyfresh

This is a simple set of things to grep for that will help identify potential vulnerabilities in PHP code.

tags | paper, php, vulnerability
SHA-256 | 8700fa18f507e86dc84f2e92e04b5abdb40ce92fcbade4663491cd4222cd6069
PHP Backdoor Collection
Posted May 10, 2016
Authored by Bart Blaze

This is a collection of PHP backdoors to be used for testing purposes.

tags | tool, php, rootkit
systems | unix
SHA-256 | 997ab3e72c4fbfbfe776d677c590bd7dc9957932824d7df93b620c71def18bec
PHP Utility Belt Remote Code Execution
Posted Mar 11, 2016
Authored by Jay Turla, WICS | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in PHP Utility Belt, which is a set of tools for PHP developers and should not be installed in a production environment, since this application runs arbitrary PHP code as an intended functionality.

tags | exploit, remote, arbitrary, php, code execution
SHA-256 | 2e8528e3811c7d93f83ce9f7eaaa80a6321b298dc7b5c63c52212036dbd43291
PHP SplDoublyLinkedList Use-After-Free
Posted Aug 7, 2015
Authored by Taoguang Chen

A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

tags | exploit, arbitrary
SHA-256 | 0871a6862315dddb4b458e935baa1d9975da14b6a2a6fe621eb91c225e281bb8
PHP SplObjectStorage Use-After-Free
Posted Aug 7, 2015
Authored by Taoguang Chen

A use-after-free vulnerability was discovered in unserialize() with SplObjectStorage object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

tags | exploit, arbitrary
SHA-256 | 671f2a7c738b31dc6a03417ab29ce95089173d2f3c6b80d8f3156839a758dae5
PHP SPL ArrayObject Use-After-Free
Posted Aug 7, 2015
Authored by Taoguang Chen

A use-after-free vulnerability was discovered in unserialize() with SPL ArrayObject object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

tags | exploit, arbitrary
SHA-256 | bdc3dd33954af63076460ec415aa1687a2a7bb0690e51d14cc41bd321bce45d0
PHP 5.6.9 Use-After-Free
Posted Jun 10, 2015
Authored by High-Tech Bridge SA | Site htbridge.com

High-Tech Bridge Security Research Lab discovered use-after-free vulnerability in a popular programming language PHP, which can be exploited to cause crash and possibly execute arbitrary code on the target system. The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause segmentation fault or possibly execute arbitrary code on the target system with privileges of webserver.

tags | exploit, arbitrary, local, php
SHA-256 | 97375f017fbc6339f20309d1873f364d4f4bb2e3171ae12a6883001f4efb66fc
PHP Exception Type Confusion / Heap Overflow
Posted Apr 29, 2015
Authored by Taoguang Chen

A type confusion vulnerability was discovered in exception object's __toString()/getTraceAsString() method that can be abused for leaking arbitrary memory blocks or heap overflow.

tags | exploit, overflow, arbitrary
SHA-256 | b3a8329c29d10dca9d7ddc4c0f46af58e29999c11da31e6009cf9c41975e1db6
Laravel Framework PHP Object Injection
Posted Apr 20, 2015
Authored by Scott Arciszewski

Laravel Framework versions since 4.1 suffer from a PHP objection injection vulnerability when encryption is turned off.

tags | advisory, php
SHA-256 | 77f22e2a8757288c75c6f2b204358f81cc4f63d582e81dad74eced0ce382209a
PHP 5.x / Bash Shellshock Proof Of Concept
Posted Nov 25, 2014
Authored by Saeid Bostandoust

This is a proof of concept that demonstrates how the Bash shellshock vulnerability can be used in PHP to bypass disable_functions, safe_mode, etc.

tags | exploit, php, proof of concept, bash
SHA-256 | b9bd9444e5105c1afeb7ec6b5e23447262e07246b635b19251ef95b61a88d237
Wordpress InfusionSoft Upload
Posted Oct 9, 2014
Authored by us3r777, g0blin | Site metasploit.com

This Metasploit module exploits an arbitrary PHP code upload in the wordpress Infusionsoft Gravity Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file upload and remote code execution.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | CVE-2014-6446
SHA-256 | bacb9cda0dca5ce55e62347a30c31a677409efc130e924388acca709285381ad
PHP Session Handling
Posted Mar 5, 2014
Authored by Jann Horn

PHP suffers from a user session hijacking vulnerability due to the way sessions are handled on the filesystem.

tags | advisory, php
SHA-256 | 24a591c0d3dcd52cc5ebd27e0fa5e2ca669141ab9ce9ec505ab5e11991b150d3
WordPress OptimizePress Theme File Upload
Posted Dec 3, 2013
Authored by United of Muslim Cyber Army, Mekanismen | Site metasploit.com

This Metasploit module exploits a vulnerability found in the the Wordpress theme OptimizePress. The vulnerability is due to an insecure file upload on the media-upload.php component, allowing an attacker to upload arbitrary PHP code. This Metasploit module has been tested successfully on OptimizePress 1.45.

tags | exploit, arbitrary, php, file upload
SHA-256 | d4d53ddb27b4ac9c88bb0c384c50166d149035d70c7d9ddd2d46c5aea886c1cb
Simple PHP Backdoor
Posted Jun 25, 2013
Authored by infodox

This is a simple PHP backdoor using HTTP headers to inject the code as opposed to a GET or POST variable. Uses the fictional "Code: " header as an example, for learning purposes. This is not production code.

tags | tool, web, php, rootkit
systems | unix
SHA-256 | 397d3f851a08bef7d13138eedf2b87ab8e732b35f14514f58a2162c103188aab
Wordpress W3 Total Cache PHP Code Execution
Posted Apr 29, 2013
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | OSVDB-92652
SHA-256 | e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79
Windows PHP Reverse Shell
Posted Apr 22, 2013
Authored by blkhtc0rp

php_rshell is a ruby script which converts a binary backdoor to hex and creates a windows php reverse backdoor that will be executed on the server.

tags | php, ruby
systems | windows
SHA-256 | 0fecd8cff34a4c706edcda435ad534f566cb1869bf12bb112959c918e6d7771c
PHP-Charts 1.0 PHP Code Execution
Posted Jan 20, 2013
Authored by Akastep | Site metasploit.com

This Metasploit module exploits a PHP code execution vulnerability in php-Charts version 1.0 which could be abused to allow users to execute arbitrary PHP code under the context of the webserver user. The 'url.php' script calls eval() with user controlled data from any HTTP GET parameter name.

tags | exploit, web, arbitrary, php, code execution
advisories | OSVDB-89334
SHA-256 | 86b5c1161bf85a443f8e4b8508791a0ee94d2cdae006c712017aee8069f71402
PHP Fuzzing In Action
Posted Oct 9, 2012
Authored by Payam Khaninejad | Site progvig.ir

Whitepaper called PHP Fuzzing In Action. It goes over 15 ways to fuzz PHP source code.

tags | paper, php
SHA-256 | bb090192417591cba5b2f0df6d9d73d90eb45f0d389fde9e0870dfd689d7d9d2
Page 1 of 4

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By