PHP Source Code Review

This page explains how to quickly search through the backend source code of an application for dangerous patterns, such as user-controlled HTTP parameters that flow into dangerous functions like exec(), which could allow code execution (RCE).

Note: Useful tools are GitTools, for extracting a discovered .git repository, and GitLeaks, for quickly and easily finding hidden keys, secrets, credentials and similar within that repository.

Extracting Vulnerable Code

Look for places where user-defined input parameters are passed to dangerous functions. Examples of functions where code execution may be possible if the input is not sanitized properly:

eval()
assert()
preg_replace()
create_function()

A sample of vulnerable PHP code could look like this in the backend, located at /wp-content/uploads/2023/09/vulnerable.php:

<?php exec($_POST['parameter_name']); /* untrusted POST value passed straight to exec() */ ?>

In this instance, one could create a POST request towards the following endpoint, to attempt to execute arbitrary code on the webserver:

POST /wp-content/uploads/2023/09/vulnerable.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded

parameter_name=whoami

GitHub - Grep Syntax

These grep commands search for potentially vulnerable PHP code:

  • The dot at the end of the grep command searches within the current directory.
  • The -R flag is recursive: it searches every subdirectory of the checked-out tree.
  • The -i flag makes the match case-insensitive.

Cross-Site Scripting

Anything Echo Related

grep -Ri "echo" .

Anything related to GET, POST or requests

grep -Ri "\$_" . | grep "echo"

Related to GET requests

grep -Ri "\$_GET" . | grep "echo"

Related to POST requests

grep -Ri "\$_POST" . | grep "echo"

Related to requests

grep -Ri "\$_REQUEST" . | grep "echo"

Code execution:

grep -Ri "eval(" .
grep -Ri "assert(" .
grep -Ri "preg_replace" . | grep "/e"
grep -Ri "create_function(" .

SQL injection:

grep -Ri "\$sql" .
grep -Ri "\$sql" . | grep "\$_"

Information Disclosure:

grep -Ri "phpinfo" .

Debug/Test modes:

grep -Ri "debug" .
grep -RiF "\$_GET['debug']" .
grep -RiF "\$_GET['test']" .

Local File Inclusion / Remote File Inclusion:

grep -Ri "file_include" .
grep -Ri "include(" .
grep -Ri "require(" .
grep -Ri "require(\$file)" .
grep -Ri "include_once(" .
grep -Ri "require_once(" .
grep -Ri "require_once(" . | grep "\$_"

Misc:

grep -Ri "header(" . | grep "\$_"
grep -RiF '$_SERVER["HTTP_USER_AGENT"]' .

Path Traversal:

grep -Ri file_get_contents .


Real World Example

  1. Found an exposed git repository and used GitTools to extract the source code. Noted that it contained the backend source code for a custom-made WordPress theme.
  2. After it was extracted and dumped into a separate folder, I went to the most recent commit. The larger the number before the hash, the newer it is.
  3. Used the grep command to find vulnerable PHP code and got a hit:
[Screenshot: GitTools Sample]
Here we can see that it contains the parameter named class within /wp-content/themes/<THEME_NAME>/front-page.php. At first, I thought that the class parameter had to be sent through that endpoint specifically, but when I navigated to it, I was met with a 500 Internal Server Error. Taking a closer look within the front-page.php file, we could see this vulnerable PHP code:
<?php get_header(); ?>
<div class="c-intro <?php echo $_GET["class"]; ?>">
    <div class="c-intro__logo"></div>
</div>
  4. An attempt was made to test it out in the root folder to see if it was reflected, and it worked!
[Screenshot: Burp Request Sample 1]
  5. By testing this payload out on the root folder, we could see that the PHP was totally unsanitized! BOOM!! It worked!!
[Screenshot: Burp Request Sample 2]

Why did it work? My guess is that /index.php calls the theme's /wp-content/themes/<THEME_NAME>/front-page.php (where the vulnerable code existed) and therefore uses the unsanitized GET parameter class. Because the git repo was downloaded, I only had access to the /wp-content/* folder and onwards. This is why I "assume" this about index.php: I cannot see the source code further back in the directory tree of the application.

  6. What to do now? Well, because this is within a theme, I fuzzed the whole application by going to Target > right-clicking the target > "Copy All URL's in Host". Make a proper wordlist of all URLs within the application and fuzz it! Sadly this had no further success, and I did not find any more vulnerable endpoints on the application.