
First-pass triage checklist for PHP/Apache targets — .htaccess, serialized cookies, session files, native-code pivots, and procfs/libmagic/mt_rand.

When the Stack is PHP

A quick triage list for what to think about first when you confirm a PHP/Apache stack.

Checklist

  • Think about .htaccess first if any writable directory sits under Apache.
  • Think about signed serialized cookies, upload-progress session files, and POP chains before assuming "no RCE".
  • Think about native-code pivots such as LD_PRELOAD, mail(), loadExtension(), and writable .so paths.
  • Think about procfs traversal, suffix cutting, libmagic confusion, and mt_rand() when filenames or upload IDs matter.
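
For the first item, a defender-side audit of a document root, added here as an example and not part of the original checklist: it reports directories that are writable per mode bits and every .htaccess file it finds. The function names, the `web_uid`/`web_gids` parameters and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def _can_write(st, uid, gids, is_dir):
    """Mode-bit check only (ACLs and parent traversal are not considered)."""
    def ok(w, x):
        # Creating a file in a directory needs write + search (execute) on it.
        return bool(st.st_mode & w) and (not is_dir or bool(st.st_mode & x))
    # POSIX picks exactly one permission class: owner, then group, then other.
    if uid is not None and st.st_uid == uid:
        return ok(stat.S_IWUSR, stat.S_IXUSR)
    if st.st_gid in gids:
        return ok(stat.S_IWGRP, stat.S_IXGRP)
    return ok(stat.S_IWOTH, stat.S_IXOTH)

def audit_docroot(docroot, web_uid=None, web_gids=()):
    """Return sorted (kind, relative_path) findings for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):  # symlinked dirs are not followed
        rel = os.path.relpath(dirpath, docroot)
        if _can_write(os.lstat(dirpath), web_uid, web_gids, True):
            findings.append(("writable-dir", rel))
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            writable = _can_write(os.lstat(path), web_uid, web_gids, False)
            findings.append(("writable-htaccess" if writable else "htaccess",
                             os.path.join(rel, ".htaccess")))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: uploads/ is world-writable, static/ is not."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, dmode, fmode in (("uploads", 0o777, 0o666), ("static", 0o755, 0o644)):
        d = os.path.join(root, name)
        os.mkdir(d)
        h = os.path.join(d, ".htaccess")
        with open(h, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(h, fmode)
        os.chmod(d, dmode)
    return root

if __name__ == "__main__":
    # With no uid/gids given, only the "other" permission class is evaluated.
    for kind, rel in audit_docroot(build_sample_tree()):
        print(kind, rel)
```

Where a writable directory has to stay under the document root, `AllowOverride None` in the server configuration for that path stops Apache from reading .htaccess files there.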

Sources

  • Aggregated from the PHP / Apache section of the 2026 web corpus.