LFGA Web

PHP Vulnerabilities - Learning Section


The vulnerability of assert()

The first thing we need to know is what the assert function does. Source: assert


assert() will check the given assertion and take appropriate action if its result is FALSE.

The vulnerability lies in this part: If the assertion is given as a string it will be evaluated as PHP code by assert().

Reviewing the documentation, we can see that this is not a vulnerability in the function itself, but rather misuse or bad practice on the part of developers.

Let's see a little example of it: PHP-Assert()

Basically, the goal is to identify how the assert is working and, from there, build a payload that contains a string to be executed as PHP code.
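
The misuse described above next to a safer form, as an added example that is not part of the original page or of the linked articles. The function names, the allowlist and the pages/ layout are assumptions. String evaluation by assert() applies to PHP versions before 8.0; it was deprecated in 7.2 and removed in 8.0.

```php
<?php
// Added example: names and directory layout are hypothetical.

// Misuse (PHP < 8.0): request data is concatenated into a *string* assertion.
// assert() evaluates that whole string as PHP code, so the caller's input
// becomes part of the code being run. Defined here for review only; it is
// never called below.
function check_page_unsafe(string $page): void
{
    assert("strpos('pages/$page.php', '..') === false");
}

// Safer form: nothing is evaluated as code. Input validation is an ordinary
// runtime check against a fixed allowlist, and it does not depend on
// assertions being enabled (production setups often use zend.assertions = -1,
// which compiles assert() calls out entirely).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(string $page): ?string
{
    // Strict comparison: only exact, known page names are accepted.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

// assert() is still fine for internal invariants when given a real
// expression instead of a string; it is a debugging aid, not a filter.
function page_title(string $page): string
{
    assert(in_array($page, ALLOWED_PAGES, true));
    return ucfirst($page);
}

// Constructed sample inputs.
foreach (['home', 'about', 'Home', '../secret', ''] as $input) {
    $path = resolve_page($input);
    printf(
        "%-12s => %s\n",
        var_export($input, true),
        $path === null ? 'rejected' : 'accepted (' . page_title($input) . ')'
    );
}
```

When reviewing code, every assert() call whose argument is a string, and especially one built from variables, is worth flagging.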


The vulnerability of preg_replace()

First, let's read the documentation: preg_replace.

Now that we know what the preg_replace function does, we can see how it can be exploited here: preg_replace() PHP Function Exploitation.

And finally, The unexpected dangers of preg_replace().


Type Juggling and Comparisons

First, let's see an explanation of what it is; you can find it here: Type Juggling and Comparisons.

And now we can see an example: PHP String comparison vulnerabilities.

You can find a nice cheat sheet here: Comparison PHP cheat sheet.

And this one too: PHP Variable Comparison.

These are really useful cheat sheets that could help us with a challenge.


PHP Object Injection

Last but not least, we are going to learn what PHP Object Injection is. It is very common in CTFs, and understanding how it works and how to exploit it is a must.

First, let's see what we are talking about: What is PHP Object Injection.

Now let's see some examples: PHP Object Injection.

Now you should know what the magic methods do: 16 Magic Methods That PHP Developers Must Know, and the cheat sheet: PHP Magic Methods Cheatsheet.


That's all!

There are a lot of vulnerabilities and we can't go through all of them, but you can always research a specific method. Now let's go to the challenge section.