what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed


Posted Oct 21, 2006
Authored by dimmoborgir

The php functions "exec", "system", "popen" (and similar) keep file descriptors of the parent process opened. When a new process is run this program will inherit all opened file descriptors of its parent. This can be used by hostile programs to listen and accept connections on port 80, or write to the apache log files.

tags | advisory, php
SHA-256 | df0886b7417f348dce9959a45e47a889aa6e01dd100f026507d0c694e50c33e3

Related Files

Firebase PHP-JWT Algorithm Confusion
Posted Aug 15, 2021
Site paragonie.com

Firebase's PHP-JWT suffers from an algorithm confusion issue. Proof of concept code included.

tags | exploit, php, proof of concept
SHA-256 | bb3896b28adac75139b54397d609f1fd54d05c94094f3213dbc7a00f3fa5c0c6
PHP 8.1.0-dev Backdoor Remote Command Injection
Posted May 24, 2021
Authored by Richard Jones

PHP version 8.1.0-dev backdoor unauthenticated remote command injection exploit.

tags | exploit, remote, php
SHA-256 | f51b0d373568167c85b67d4b60c1a737739975e2f231f5619d8e1b7a3a1058f6
PHP-FPM 7.x Remote Code Execution
Posted Mar 5, 2020
Authored by cdelafuente-r7, neex | Site metasploit.com

This Metasploit module exploits an underflow vulnerability in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of the original neex's exploit code (see refs). First, it detects the correct parameters (Query String Length and custom header length) needed to trigger code execution. This step determines if the target is actually vulnerable (Check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, this module does some cleanup by killing local PHP-FPM workers (those are spawned automatically once killed) and removing the created local file.

tags | exploit, local, php, code execution
advisories | CVE-2019-11043
SHA-256 | b0bb267ae212db3146c03348b75e67574095c1e4c6cca10f25f575609f95bc2f
PHP PHP_INI_SYSTEM Ineffective Controls
Posted May 21, 2019
Authored by Imre Rad

Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective as they could be bypassed by malicious scripts via writing their own process memory on the Linux platform. Proof of concept code included.

tags | exploit, php, proof of concept
systems | linux
SHA-256 | a746a7f8973556b23ebea90b00627034fee20f44dce632fd39f31dcfa7483ceb
PHP Source Code Analysis
Posted Dec 12, 2018
Authored by Engin Demirbilek

Whitepaper called PHP Source Code Analysis. Written in Turkish.

tags | paper, php
SHA-256 | eed125e2cc2676aec303d76c9979e0735faf36491551cb904ab2c7ddf56da611
PHP imap_open Remote Code Execution
Posted Nov 28, 2018
Authored by h00die, Anton Lopanitsyn, Twoster | Site metasploit.com

The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.

tags | exploit, arbitrary, php, imap
systems | linux, debian, ubuntu
SHA-256 | 5db80502619550a84a9d8068ff710ec5534f3d8a3239b812c7c114f85cc7972a
The Powerful Resource Of PHP Stream Wrappers
Posted Nov 15, 2018
Authored by Netsparker

In this article, the author explores ways to bypass protection methods using the PHP Stream Wrappers, which are responsible for handling protocol related tasks like downloading data from a web or ftp server and exposing it in a way in that it can be handled with PHP's stream related functions.

tags | paper, web, php, protocol
SHA-256 | eb1b419125c1b9aa31bd933a42cb8186ad467dc3e63433095d4ed7b2fb2a7128
GitList 0.6.0 Argument Injection
Posted Jul 7, 2018
Authored by Kacper Szurek, Shelby Pace | Site metasploit.com

This Metasploit module exploits an argument injection vulnerability in GitList version 0.6.0. The vulnerability arises from GitList improperly validating input using the php function 'escapeshellarg'.

tags | exploit, php
SHA-256 | 438a7961adff6a24e2b4c17fe41509049358ceda89125f0c70d6808fa38a4266
PHP Vulnerability Audit Cheatsheet
Posted Oct 6, 2016
Authored by dustyfresh

This is a simple set of things to grep for that will help identify potential vulnerabilities in PHP code.

tags | paper, php, vulnerability
SHA-256 | 8700fa18f507e86dc84f2e92e04b5abdb40ce92fcbade4663491cd4222cd6069
PHP Backdoor Collection
Posted May 10, 2016
Authored by Bart Blaze

This is a collection of PHP backdoors to be used for testing purposes.

tags | tool, php, rootkit
systems | unix
SHA-256 | 997ab3e72c4fbfbfe776d677c590bd7dc9957932824d7df93b620c71def18bec
PHP Utility Belt Remote Code Execution
Posted Mar 11, 2016
Authored by Jay Turla, WICS | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in PHP Utility Belt, which is a set of tools for PHP developers and should not be installed in a production environment, since this application runs arbitrary PHP code as an intended functionality.

tags | exploit, remote, arbitrary, php, code execution
SHA-256 | 2e8528e3811c7d93f83ce9f7eaaa80a6321b298dc7b5c63c52212036dbd43291
PHP SplDoublyLinkedList Use-After-Free
Posted Aug 7, 2015
Authored by Taoguang Chen

A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

tags | exploit, arbitrary
SHA-256 | 0871a6862315dddb4b458e935baa1d9975da14b6a2a6fe621eb91c225e281bb8
PHP SplObjectStorage Use-After-Free
Posted Aug 7, 2015
Authored by Taoguang Chen

A use-after-free vulnerability was discovered in unserialize() with SplObjectStorage object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

tags | exploit, arbitrary
SHA-256 | 671f2a7c738b31dc6a03417ab29ce95089173d2f3c6b80d8f3156839a758dae5
PHP SPL ArrayObject Use-After-Free
Posted Aug 7, 2015
Authored by Taoguang Chen

A use-after-free vulnerability was discovered in unserialize() with SPL ArrayObject object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

tags | exploit, arbitrary
SHA-256 | bdc3dd33954af63076460ec415aa1687a2a7bb0690e51d14cc41bd321bce45d0
PHP 5.6.9 Use-After-Free
Posted Jun 10, 2015
Authored by High-Tech Bridge SA | Site htbridge.com

High-Tech Bridge Security Research Lab discovered use-after-free vulnerability in a popular programming language PHP, which can be exploited to cause crash and possibly execute arbitrary code on the target system. The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause segmentation fault or possibly execute arbitrary code on the target system with privileges of webserver.

tags | exploit, arbitrary, local, php
SHA-256 | 97375f017fbc6339f20309d1873f364d4f4bb2e3171ae12a6883001f4efb66fc
PHP Exception Type Confusion / Heap Overflow
Posted Apr 29, 2015
Authored by Taoguang Chen

A type confusion vulnerability was discovered in exception object's __toString()/getTraceAsString() method that can be abused for leaking arbitrary memory blocks or heap overflow.

tags | exploit, overflow, arbitrary
SHA-256 | b3a8329c29d10dca9d7ddc4c0f46af58e29999c11da31e6009cf9c41975e1db6
Laravel Framework PHP Object Injection
Posted Apr 20, 2015
Authored by Scott Arciszewski

Laravel Framework versions since 4.1 suffer from a PHP objection injection vulnerability when encryption is turned off.

tags | advisory, php
SHA-256 | 77f22e2a8757288c75c6f2b204358f81cc4f63d582e81dad74eced0ce382209a
PHP 5.x / Bash Shellshock Proof Of Concept
Posted Nov 25, 2014
Authored by Saeid Bostandoust

This is a proof of concept that demonstrates how the Bash shellshock vulnerability can be used in PHP to bypass disable_functions, safe_mode, etc.

tags | exploit, php, proof of concept, bash
SHA-256 | b9bd9444e5105c1afeb7ec6b5e23447262e07246b635b19251ef95b61a88d237
Wordpress InfusionSoft Upload
Posted Oct 9, 2014
Authored by us3r777, g0blin | Site metasploit.com

This Metasploit module exploits an arbitrary PHP code upload in the wordpress Infusionsoft Gravity Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file upload and remote code execution.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | CVE-2014-6446
SHA-256 | bacb9cda0dca5ce55e62347a30c31a677409efc130e924388acca709285381ad
PHP Session Handling
Posted Mar 5, 2014
Authored by Jann Horn

PHP suffers from a user session hijacking vulnerability due to the way sessions are handled on the filesystem.

tags | advisory, php
SHA-256 | 24a591c0d3dcd52cc5ebd27e0fa5e2ca669141ab9ce9ec505ab5e11991b150d3
PHP openssl_x509_parse() Memory Corruption
Posted Dec 15, 2013
Authored by Stefan Esser

The PHP function openssl_x509_parse() uses a helper function called asn1_time_to_time_t() to convert timestamps from ASN1 string format into integer timestamp values. The parser within this helper function is not binary safe and can therefore be tricked to write up to five NUL bytes outside of an allocated buffer. This problem can be triggered by x509 certificates that contain NUL bytes in their notBefore and notAfter timestamp fields and leads to a memory corruption that might result in arbitrary code execution.

tags | exploit, arbitrary, php, code execution
advisories | CVE-2013-6420
SHA-256 | 7406038cb1adf87acf1e03364bbd761251c6d8fc531065990b85c245ae25fbe4
WordPress OptimizePress Theme File Upload
Posted Dec 3, 2013
Authored by United of Muslim Cyber Army, Mekanismen | Site metasploit.com

This Metasploit module exploits a vulnerability found in the the Wordpress theme OptimizePress. The vulnerability is due to an insecure file upload on the media-upload.php component, allowing an attacker to upload arbitrary PHP code. This Metasploit module has been tested successfully on OptimizePress 1.45.

tags | exploit, arbitrary, php, file upload
SHA-256 | d4d53ddb27b4ac9c88bb0c384c50166d149035d70c7d9ddd2d46c5aea886c1cb
Simple PHP Backdoor
Posted Jun 25, 2013
Authored by infodox

This is a simple PHP backdoor using HTTP headers to inject the code as opposed to a GET or POST variable. Uses the fictional "Code: " header as an example, for learning purposes. This is not production code.

tags | tool, web, php, rootkit
systems | unix
SHA-256 | 397d3f851a08bef7d13138eedf2b87ab8e732b35f14514f58a2162c103188aab
Wordpress W3 Total Cache PHP Code Execution
Posted Apr 29, 2013
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | OSVDB-92652
SHA-256 | e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79
Windows PHP Reverse Shell
Posted Apr 22, 2013
Authored by blkhtc0rp

php_rshell is a ruby script which converts a binary backdoor to hex and creates a windows php reverse backdoor that will be executed on the server.

tags | php, ruby
systems | windows
SHA-256 | 0fecd8cff34a4c706edcda435ad534f566cb1869bf12bb112959c918e6d7771c
Page 1 of 4

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By