PHP-Specific

PHP is an interesting language with a number of quirks. Since it was designed for simple personal websites and not as a full blown enterprise grade language, this comes as no shock. Unfortunately, this means older version are easily exposed to a number of obvious exploits.

Some of these will be outdated, and in these situations I'll refer to the documentation. Other's are still relevant and quite common. In all situation when attacking any PHP application, or performing source code auditing, I can not recommend enough that you keep the documentation close to hand. You can find a number of comments for each function which will describe best practices, and often ways in which a function can be misused.

strcmp

Type Juggling

With weak-comparisons in PHP, such as in the case of the == operator, the comparison of two hashes beginning with the integer 0, will cause the expression to reduce to 0==0. These following table lists the most common hashes and the values you can input to produce them:

Source: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/PHP%20juggling%20type

WhiteHatSec maintains quite an extensive table also for various other hash functions.

Regular Expressions

Take, as an example, preg_replace:

preg_replace('/(.*)/', 'A', 'B');

This will just result in the string 'A' being output as everything is replaced in the second string. If we change the regular expression however:

preg_replace('/(.*)/e', 'phpinfo()', 'B');

From the above, the second string will be replaced resulting in 'phpinfo()'. The /e modifier appended to the regular expression, causes the result to be evaluated as PHP code, effectively giving you arbitrary command execution. In this instance we'll be returned the output of phpinfo().

References http://www.madirish.net/402
https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace