5.1.11. Sink

5.1.11.1. Arbitrary code execution

• eval

• assert

• call_user_func

5.1.11.2. Execute system commands

• pcntl_exec

• exec

• passthru

• popen

• shell_exec

• system

• proc_open

5.1.11.3. Magic function

• __construct() It is a method that gets called automatically after the creation of an object.

• __destruct() Destructor is a common feature of the object-oriented language that gets triggered as soon as there are no other references to a particular object.

• __call() This method is called when an undefined or inaccessible method is called.

• __callStatic() This method is called when an undefined or inaccessible method is invoked in a static manner.

• __get() This method is used for getting values for class properties created dynamically by PHP property overloading.

• __set() This method is used for putting values for class properties created dynamically by PHP property overloading.

• __isset() This method will be called while calling isset or empty() for an undefined or inaccessible member.

• __unset() This method will be called while calling reset() for an undefined or inaccessible member.

• __sleep() This method is called first while executing serialize().

• __wakeup() This method is called while deserialization() is executed. It would reverse work to restore objects properties and resources on invoking deserialization().

• __toString() This method will be called while using echo method to print an object directly

• __invoke() This method is defined in a class that will be called while trying to call an object in a way of calling function.

• __set_state() This method is called while calling var_export().

• __clone() This method is called when the object is copied.

• __debugInfo() This method is called by var_dump() while dumping an object to get the properties that should be shown

5.1.11.4. File-related sensitive function

• move_uploaded_file

• file_put_contents / file_get_contents

• unlink

• fopen / fgets

5.1.11.5. SSRF

• file_get_contents()

• fsockopen()

• curl_exec()

• fopen()

• readfile()

5.1.11.6. phar trigger point

• fileatime / filectime / filemtime

• stat / fileinode / fileowner / filegroup / fileperms

• file / file_get_contents / readfile / fopen`

• file_exists / is_dir / is_executable / is_file / is_link / is_readable / is_writeable / is_writable

• parse_ini_file

• unlink

• copy

• exif

  • exif_thumbnail

  • exif_imagetype

• gd

  • imageloadfont

  • imagecreatefrom***

• hash

  • hash_hmac_file

  • hash_file

  • hash_update_file

  • md5_file

  • sha1_file

• file / url

  • get_meta_tags

  • get_headers

• standard

  • getimagesize

  • getimagesizefromstring

5.1.11.7. Native Class Exploitation

• XSS

  • Error

  • Exception

• SSRF

  • SoapClient

• open_basedir bypass

  • DirectoryIterator combined glob://

• XXE

  • SimpleXMLElement