├── LICENSE
└── README.md

/LICENSE:

"THE BEER-WARE LICENSE" (Revision 42):
@dustyfresh wrote this file. As long as you retain this notice you
can do whatever you want with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp

/README.md:

# Cheatsheet for finding vulnerable PHP code using grep

This will assist you in finding potentially vulnerable PHP code. The grep commands are grouped by the type of vulnerability you generally find with the function each one searches for. Every hit is a candidate for review, not a confirmed bug: grep sees one line at a time, so it cannot tell whether the argument was sanitized, or whether user input was assigned to the variable a few lines earlier. Because `-i` makes the match case-insensitive, expect extra hits in comments and strings.

Some of this came from a source long forgotten. If you know the source of the original sheet please let me know so I may add credit where due.

follow me: [@dustyfresh](https://twitter.com/dustyfresh) | website: https://lol.systems

XSS:
----
```grep -Ri "echo" .```

```grep -Ri "\$_" . | grep "echo"```

```grep -Ri "\$_GET" . | grep "echo"```

```grep -Ri "\$_POST" . | grep "echo"```

```grep -Ri "\$_REQUEST" . | grep "echo"```

Command execution:
------------------
```grep -Ri "shell_exec(" .```

```grep -Ri "system(" .```

```grep -Ri "exec(" .```

```grep -Ri "popen(" .```

```grep -Ri "passthru(" .```

```grep -Ri "proc_open(" .```

```grep -Ri "pcntl_exec(" .```

Note that `"exec("` also matches `shell_exec(` and `pcntl_exec(`, so the first pattern is a superset of those two.

Code execution:
---------------
```grep -Ri "eval(" .```

```grep -Ri "assert(" .```

```grep -Ri "preg_replace" . | grep "/e"```

```grep -Ri "create_function(" .```

The `/e` modifier (replacement string evaluated as PHP) was removed in PHP 7.0, `create_function()` in PHP 8.0, and `assert()` stopped evaluating string arguments in PHP 8.0; these hits matter on code that still runs on the older versions, and are dead or fatal on newer ones.

SQL Injection:
--------------
```grep -Ri "\$sql" .```

```grep -Ri "\$sql" . | grep "\$_"```

SQLMAP Cheatsheet for WordPress:
--------------------------------
```
sqlmap -u "http://target.tld/?parameter=1" -p "parameter" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"
```

`-p` names the parameter to test and must match the one in the URL; `--technique=B` restricts sqlmap to boolean-based blind injection, `--suffix` closes the surrounding parenthesis and comments out the rest of the query, and `--string` is text that appears in the page only when the injected condition is true.

Information leak via phpinfo:
-----------------------------
```grep -Ri "phpinfo" .```

Find dev and debug modes:
-------------------------
```grep -Ri "debug" .```

```grep -Ri "\$_GET['debug']" .```

```grep -Ri "\$_GET['test']" .```

RFI/LFI:
--------
```grep -Ri "file_include" .```

```grep -Ri "include(" .```

```grep -Ri "require(" .```

```grep -Ri "require(\$file)" .```

```grep -Ri "include_once(" .```

```grep -Ri "require_once(" .```

```grep -Ri "require_once(" . | grep "\$_"```

`include` and `require` are language constructs, so the parentheses are optional; `include $page;` will not match the patterns with `(` in them.

Misc:
-----
```grep -Ri "header(" . | grep "\$_"```

```grep -Ri '$_SERVER["HTTP_USER_AGENT"]' .```

User input reaching `header()` is the usual starting point for open redirects and header injection; `HTTP_USER_AGENT` is client-controlled and often logged or echoed without escaping.

Path Traversal:
---------------
```grep -Ri file_get_contents .```

### [RATS Auditing tool for C, C++, Perl, PHP and Python](https://www.fortify.com/ssa-elements/threat-intelligence/rats.html)