
PHP / Apache

PHP and Apache attack surface — .htaccess injection, object injection and POP chains, session-file primitives, native-code pivots, and libmagic / mt_rand confusion.

18 notes

A short checklist of classic Apache/PHP misconfig wins — re-enabling PHP/SSI, readable logs, and fd-backed log targets.

web php apache ssi cgi log-poisoning +1

Use array_map (or another higher-order function) on attacker-controlled object state to call an arbitrary callable from deserialization.

web php deserialization gadget-chain array-map callable +1

Deserialize a Composer ClassLoader with a controlled classMap so loadClass() becomes a precise file-include primitive.

web php deserialization composer classloader file-include +1

Trigger early PHP warnings with massive parameter sets to disturb header emission order and suppress or corrupt CSP.

web php csp-bypass max-input-vars php-warnings headers

Use %2523 so a second decode produces a

web php path-traversal double-encoding fragment suffix-bypass

Turn an .htaccess injection into a boolean exfiltration oracle using Apache expression syntax over a sensitive file.

web php apache htaccess blind-oracle file-read +1

Use a trailing backslash so Apache merges the next line into a directive, turning a Require ip access control into inert text.

web php apache htaccess access-control-bypass injection

Spawn an external binary via mail() with attacker-controlled LD_PRELOAD to load a malicious shared object even when PHP functions are restricted.

web php ld-preload mail shared-object rce +1

Defeat finfo/libmagic upload checks with deeply nested JSON whose leading bytes look like an allowed image, then have the client parse it as JSON.

web php libmagic file-upload mime-confusion xss +1

Send an array-shaped cookie so a string blacklist fails open, then let the app reassemble the serialized payload with implode.

web php object-injection deserialization blacklist-bypass type-confusion +1

Wire a deserialized object graph so magic methods chain into a file-read or include gadget.

web php pop-chain deserialization magic-methods file-read +1

Recover the mt_rand() state from observed outputs to predict upload names, tokens, or reset artifacts.

web php mt-rand prng predictable-token filename

Bounce through procfs to escape path normalization that tries to trap reads under one directory.

web php path-traversal procfs file-read suffix-bypass

Recover the HMAC key protecting a serialized cookie, then sign your own gadget chain instead of breaking the parser.

web php deserialization hmac snuffleupagus cookie +1

Use PHP upload-progress to write attacker-influenced content into a predictable /tmp/sess_* file as a write primitive.

web php session upload-progress file-write lfi

When Snuffleupagus is loaded, check whether its upload-validation hooks interpret attacker-controlled bytes before assuming classic PHP routes still work.

web php snuffleupagus file-upload validation rce

Load a previously written .so through SQLite extension loading — a cleaner native code-loading boundary than hijacking sendmail.

web php sqlite loadextension shared-object rce

Combine an upload-progress session-file write with a read/quote endpoint that renders the contents as active HTML.

web php xss session upload-progress stored-xss