Cheatsheet for finding vulnerable PHP code using grep

This will assist you in the finding of potentially vulnerable PHP code. Each type of grep command is categorized in the type of vulnerabilities you generally find with that function.

Some of this came from a source long forgotten. If you know the source of the original sheet please let me know so I may add credit where due..

follow me: @dustyfresh | website: https://lol.systems

XSS:

grep -Ri "echo" .

grep -Ri "\$_" . | grep "echo"

grep -Ri "\$_GET" . | grep "echo"

grep -Ri "\$_POST" . | grep "echo"

grep -Ri "\$_REQUEST" . | grep "echo"

Command execution:

grep -Ri "shell_exec(" .

grep -Ri "system(" .

grep -Ri "exec(" .

grep -Ri "popen(" .

grep -Ri "passthru(" .

grep -Ri "proc_open(" .

grep -Ri "pcntl_exec(" .

Code execution:

grep -Ri "eval(" .

grep -Ri "assert(" .

grep -Ri "preg_replace" . | grep "/e"

grep -Ri "create_function(" .

SQL Injection:

grep -Ri "\$sql" .

grep -Ri "\$sql" . | grep "\$_"

SQLMAP Cheatsheet for WordPress:

sqlmap -u "http://target.tld/?paramater=1" -p "parameter" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"

Information leak via phpinfo:

grep -Ri "phpinfo" .

Find dev and debug modes:

grep -Ri "debug" .

grep -Ri "\$_GET['debug']" .

grep -Ri "\$_GET['test']" .

RFI/LFI:

grep -Ri "file_include" .

grep -Ri "include(" .

grep -Ri "require(" .

grep -Ri "require(\$file)" .

grep -Ri "include_once(" .

grep -Ri "require_once(" .

grep -Ri "require_once(" . | grep "\$_"

Misc:

grep -Ri "header(" . | grep "\$_"

grep -Ri '$_SERVER["HTTP_USER_AGENT"]' .

Path Traversal:

grep -Ri file_get_contents .

RATS Auditing tool for C, C++, Perl, PHP and Python

About

This will assist you in the finding of potentially vulnerable PHP code. Each type of grep command is categorized in the type of vulnerabilities you generally find with that function.

Other