PHP

https://web.facebook.com/groups/pentesting4arabs/permalink/1147252752397687/?app=fbl&_rdc=1&_rdr

Quick reconnaissance checklist (work through these after initial enumeration)

  1. Inspect query parameters for debug flags

    • Try ?debug=true, ?debug=1, ?showerrors=1 and similar flags. Look for verbose error messages or stack traces in the response.

  2. Look for admin panels & path mangling bypasses

    • Check common admin paths: /admin, /administrator, /cpanel, /manage.

    • Test path-mangling tricks: /admin/..;/, /admin%2e%2e/, /admin/. and similar variations, which sometimes bypass naive ACLs that match on the raw path.

  3. Test non-standard headers for auth bypasses

    • Try headers such as X-Original-URL, X-Rewrite-URL, X-Forwarded-Host, X-Forwarded-For and X-HTTP-Method-Override: some front-end or framework layers rewrite the target or skip authorization checks when they trust these headers.

  4. Parameter pollution & duplicate parameters

    • Send repeated parameters and mixed encodings to observe how the server or PHP interpreter resolves them (e.g., id=1&id[]=2 or id=1&id=2). Many PHP apps resolve repeated parameters in unexpected ways, picking the first or last value or merging them into an array.

  5. CSRF checks

    • Look for missing anti-CSRF tokens on state-changing forms and endpoints. Replay an intercepted form submission with the token removed or replaced by an invalid value and check whether the request is still accepted.

  6. PHPUnit / testing endpoints

    • Check for common PHPUnit paths (/phpunit/, /vendor/phpunit/, phpunit.xml). Exposed PHPUnit installations are a known route to remote code execution and should never be reachable on a production host.

  7. .env / config leaks

    • Request .env (also /.env), config.php and, where applicable, wp-config.php; a misconfigured server may serve them directly. Also look for backups and .bak copies of these files.

  8. PHP Object Injection (POI)

    • Test serialization endpoints (unserialize() sinks) and any upload or cookie values that might be unserialized server-side. Look for deserialization sinks and the gadget chains available in the application's dependencies.

  9. Header / User-Agent code injection

    • Test injection in headers (User-Agent, Referer, X-Forwarded-For) where the value may be written to logs or passed to eval-like functionality server-side.

  10. Burp / tooling extensions & helper scripts

    • Use extensions to automate POI, fuzzing, and payload delivery (see Resources below).
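Several of the checks above (debug flags, path mangling, duplicate parameters, PHPUnit and config-file probes) leave recognizable traces in web server access logs. The script below is an added example, not part of the original post: it scans constructed combined-format log lines and tags each request with the checklist item it matches, so a defender can spot this kind of probing. The log lines, regexes and tag names are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?debug=1&id=7 HTTP/1.1" 200 812 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/..;/ HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /admin%2e%2e/ HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /item.php?id=1&id[]=2 HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /vendor/phpunit/phpunit.xml HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
DEBUG_PARAMS = {"debug", "showerrors"}                      # item 1
SENSITIVE_PATHS = re.compile(r"(^|/)(\.env|wp-config\.php|config\.php|phpunit\.xml)$|\.bak$|/vendor/phpunit/", re.I)  # items 6, 7
PATH_MANGLING = re.compile(r"\.\.;/|%2e%2e|/\.(/|$)", re.I)  # item 2

def classify(target):
    # Return the checklist tags that a raw request target matches.
    findings = []
    parts = urlsplit(target)
    path = parts.path
    if PATH_MANGLING.search(path):
        findings.append("path-mangling")
    if SENSITIVE_PATHS.search(path):
        findings.append("sensitive-file")
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [name.rstrip("[]") for name, _ in params]        # id and id[] count as the same name
    if any(n.lower() in DEBUG_PARAMS for n in names):
        findings.append("debug-flag")
    if any(c > 1 for c in Counter(names).values()):          # item 4: repeated parameter
        findings.append("param-pollution")
    return findings

def scan_log(text):
    # Return (ip, target, findings) for every line that matches at least one check.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits
```

Run scan_log(SAMPLE_LOG) to see that six of the seven constructed lines are flagged; the benign first request is not.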
