Hacktricks-skills php-security-audit
Audit PHP configurations for security vulnerabilities and hardening opportunities. Use this skill whenever you need to review PHP security settings, check for dangerous enabled functions, assess disable_functions configuration, verify extension_dir security, or harden PHP installations. Trigger this skill for any PHP security assessment, penetration testing (authorized), configuration review, or compliance audit.
```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Path in repository: `skills/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function/SKILL.MD`

# PHP Security Audit Skill
A skill for auditing PHP configurations and identifying security vulnerabilities.
## When to Use This Skill

Use this skill when:

- Reviewing PHP configurations for security issues
- Checking if dangerous functions are enabled
- Assessing `disable_functions` settings
- Verifying `extension_dir` security
- Auditing PHP installations for compliance
- Performing authorized penetration testing
- Hardening PHP environments
## Security Audit Checklist

### 1. Check Disabled Functions

Review the `disable_functions` directive to identify which dangerous functions are blocked:

```php
<?php
$disabled = ini_get('disable_functions');
echo "Disabled functions: " . ($disabled ?: 'none') . "\n";
?>
```
Critical functions that should be disabled:

- `exec`, `system`, `shell_exec`, `passthru` - Command execution
- `proc_open`, `popen` - Process control
- `eval` - Code execution
- `assert` - Can execute code
- `base64_decode` - Often used in payloads
- `file_get_contents`, `fopen` - File access
- `curl_exec`, `file_put_contents` - Remote file operations
### 2. Check for dl() Function

The `dl()` function can load PHP extensions dynamically and should be disabled:

```php
<?php
if (function_exists('dl')) {
    echo "WARNING: dl() function is enabled!\n";
    echo "This can be used to bypass disable_functions.\n";
} else {
    echo "dl() is properly disabled.\n";
}
?>
```
Why dl() is dangerous:

- Can load custom PHP extensions at runtime
- Extensions written in C/C++ can execute arbitrary code
- Can bypass `disable_functions` restrictions
- Requires matching PHP API version
- Extension must be in `extension_dir`
### 3. Check Extension Directory

Verify the `extension_dir` setting and its permissions:

```php
<?php
$dir = ini_get('extension_dir');
echo "Extension directory: " . $dir . "\n";
// is_writable() answers for the user running this script, so run it as the web server user
echo "Writable: " . (is_writable($dir) ? 'YES - DANGEROUS' : 'No') . "\n";
?>
```
Security requirements:

- `extension_dir` should NOT be writable by the web server
- Should only contain trusted extensions
- Should not be in web-accessible directories
### 4. Check PHP Version and API

```php
<?php
echo "PHP Version: " . PHP_VERSION . "\n";
// There is no userland constant for the module API number, so read it from phpinfo() output
// (plain "PHP API => NNN" on the CLI, an HTML table row under a web SAPI)
ob_start();
phpinfo(INFO_GENERAL);
$info = ob_get_clean();
if (preg_match('/PHP API\s*(?:=>|<\/td>\s*<td[^>]*>)\s*(\d+)/', $info, $m)) {
    echo "PHP API: " . $m[1] . "\n";
}
echo "Zend Engine Version: " . zend_version() . "\n";
?>
```
### 5. Review php.ini Settings

Critical security settings:

| Setting | Recommended Value | Purpose |
|---|---|---|
| `disable_functions` | List of dangerous functions (see item 1) | Block dangerous functions |
| `open_basedir` | Application directory | Restrict file access |
| `allow_url_fopen` | `Off` | Prevent remote file inclusion |
| `allow_url_include` | `Off` | Prevent remote code execution |
| `display_errors` | `Off` | Hide error messages |
| `expose_php` | `Off` | Hide PHP version info |
| `upload_max_filesize` | Appropriate limit for the application | Limit upload size |
| `max_execution_time` | Appropriate limit for the application | Prevent long-running scripts |
| `memory_limit` | Appropriate limit for the application | Limit memory usage |
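The five checklist items above combined into a single audit script. This is an added example, not code from the skill file or the hacktricks-skills project. It assumes PHP 8.0 or later (for `str_starts_with`), takes the critical-function list from item 1 (with `eval` left out, since it is a language construct that `disable_functions` cannot block), uses `$_SERVER['DOCUMENT_ROOT']` for the web-root check when run under a web SAPI, and all function names in it are my own.

```php
<?php
// Added example: runs checklist items 1-5 against the current PHP process
// and returns the findings as one array so they can feed a report.

function parseDisabledFunctions(): array
{
    // disable_functions is a comma-separated list; normalise case and whitespace
    $raw = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_map('strtolower', $names);
}

function auditDisabledFunctions(array $critical): array
{
    $disabled = parseDisabledFunctions();
    $missing = [];
    foreach ($critical as $fn) {
        // function_exists() is false for functions removed by disable_functions,
        // so a function that is neither listed nor defined counts as blocked
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $missing[] = $fn;
        }
    }
    return ['disabled' => $disabled, 'missing' => $missing];
}

function auditExtensionDir(): array
{
    $dir = (string) ini_get('extension_dir');
    $docroot = $_SERVER['DOCUMENT_ROOT'] ?? '';   // assumption: set by the web SAPI
    $real = realpath($dir) ?: $dir;
    return [
        'path'          => $dir,
        // is_writable() reflects the user running this script; run it as the web server user
        'writable'      => is_dir($dir) && is_writable($dir),
        // flag an extension directory that sits under the web root (reachable over HTTP)
        'under_webroot' => $docroot !== '' && str_starts_with($real, realpath($docroot) ?: $docroot),
    ];
}

function auditIniSettings(): array
{
    // php.ini booleans are reported as "1"/"" but runtime overrides may hold "On"/"Off"
    $off = fn(string $v): bool => in_array(strtolower(trim($v)), ['', '0', 'off', 'false', 'no'], true);
    $checks = [
        'disable_functions' => fn(string $v): bool => trim($v) !== '',
        'open_basedir'      => fn(string $v): bool => trim($v) !== '',
        'allow_url_include' => $off,
        'display_errors'    => $off,
        'expose_php'        => $off,
    ];
    $bad = [];
    foreach ($checks as $directive => $ok) {
        $current = (string) ini_get($directive);
        if (!$ok($current)) {
            $bad[$directive] = $current;   // directive => offending current value
        }
    }
    return $bad;
}

function runAudit(): array
{
    // critical list from checklist item 1 (eval omitted: it is a language construct)
    $critical = ['exec', 'system', 'shell_exec', 'passthru', 'proc_open', 'popen',
                 'assert', 'base64_decode', 'file_get_contents', 'fopen',
                 'curl_exec', 'file_put_contents'];
    return [
        'functions'     => auditDisabledFunctions($critical),
        'dl_enabled'    => function_exists('dl'),
        'extension_dir' => auditExtensionDir(),
        'version'       => ['php' => PHP_VERSION, 'zend' => zend_version()],
        'ini'           => auditIniSettings(),
    ];
}

// Usage: php audit.php  (run it under the same SAPI and user as the application)
print_r(runAudit());
```

The `functions.missing` entry lists the critical functions that are still callable, which is the "Missing Critical Blocks" line of the report template below; `extension_dir.writable` and `dl_enabled` together are the precondition for Pattern 1 in the vulnerability patterns section.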
## Audit Report Template

When auditing a PHP installation, produce a report in this format:

```markdown
# PHP Security Audit Report

## Summary
- **PHP Version:** [version]
- **Overall Risk Level:** [Low/Medium/High/Critical]
- **Critical Issues Found:** [count]

## Critical Findings

### 1. [Issue Title]
- **Severity:** Critical/High/Medium/Low
- **Description:** [what's wrong]
- **Current Setting:** [current value]
- **Recommended Setting:** [what it should be]
- **Remediation:** [how to fix]

## Disabled Functions Analysis
- **Total Disabled:** [count]
- **Missing Critical Blocks:** [list]
- **dl() Status:** [enabled/disabled]

## Extension Security
- **Extension Directory:** [path]
- **Directory Writable:** [yes/no]
- **Extensions Loaded:** [list]

## Recommendations
1. [Priority 1 fix]
2. [Priority 2 fix]
3. [Priority 3 fix]
```
## Common Vulnerability Patterns

### Pattern 1: dl() Enabled with Writable extension_dir

Risk: Critical - Allows arbitrary code execution

Check:

```php
function_exists('dl') && is_writable(ini_get('extension_dir'))
```

### Pattern 2: Command Execution Functions Enabled

Risk: High - Allows remote code execution

Check:

```php
function_exists('exec') || function_exists('system') || function_exists('shell_exec')
```

### Pattern 3: open_basedir Not Set

Risk: Medium - Allows file system traversal

Check:

```php
ini_get('open_basedir') === ''
```

### Pattern 4: Error Display Enabled in Production

Risk: Medium - Information disclosure

Check:

```php
// display_errors may be reported as "1", "On", "stdout" or "stderr", so test for "off" rather than for "1"
!in_array(strtolower(ini_get('display_errors')), ['', '0', 'off'], true)
```
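The four patterns above expressed as rules, evaluated against the running PHP, ranked by severity, and rendered into the Summary and Critical Findings sections of the report template. This is an added example, not code from the skill file or the hacktricks-skills project; the rule titles and risk levels are the ones listed above, while the severity ordering, the `isOff()` normalisation and the remediation strings are my own assumptions.

```php
<?php
// Added example: rule table for the four vulnerability patterns, overall risk
// derived from the worst matching rule, and a Markdown report in the template's shape.

const SEVERITY_ORDER = ['Low' => 1, 'Medium' => 2, 'High' => 3, 'Critical' => 4];

function isOff(string $value): bool
{
    // php.ini reports booleans as "1"/"" but runtime overrides may hold "On"/"Off"
    return in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}

function vulnerabilityPatterns(): array
{
    // each rule: title and severity from the page, check closure, remediation text (assumed)
    return [
        [
            'title'    => 'dl() Enabled with Writable extension_dir',
            'severity' => 'Critical',
            'check'    => fn(): bool => function_exists('dl') && is_writable((string) ini_get('extension_dir')),
            'fix'      => 'Add dl to disable_functions and remove write access from extension_dir',
        ],
        [
            'title'    => 'Command Execution Functions Enabled',
            'severity' => 'High',
            'check'    => fn(): bool => function_exists('exec') || function_exists('system') || function_exists('shell_exec'),
            'fix'      => 'Add exec, system, shell_exec, passthru, proc_open, popen to disable_functions',
        ],
        [
            'title'    => 'open_basedir Not Set',
            'severity' => 'Medium',
            'check'    => fn(): bool => trim((string) ini_get('open_basedir')) === '',
            'fix'      => 'Set open_basedir to the application directory',
        ],
        [
            'title'    => 'Error Display Enabled in Production',
            'severity' => 'Medium',
            'check'    => fn(): bool => !isOff((string) ini_get('display_errors')),
            'fix'      => 'Set display_errors = Off',
        ],
    ];
}

function evaluatePatterns(array $patterns): array
{
    $findings = [];
    foreach ($patterns as $p) {
        if (($p['check'])()) {
            unset($p['check']);   // keep only reportable fields
            $findings[] = $p;
        }
    }
    // worst first, so the report lists Critical before Medium
    usort($findings, fn($a, $b) => SEVERITY_ORDER[$b['severity']] <=> SEVERITY_ORDER[$a['severity']]);
    return $findings;
}

function overallRisk(array $findings): string
{
    $worst = 0;
    foreach ($findings as $f) {
        $worst = max($worst, SEVERITY_ORDER[$f['severity']]);
    }
    // no matching rule means nothing above the baseline, reported as Low
    return $worst === 0 ? 'Low' : array_search($worst, SEVERITY_ORDER, true);
}

function renderReport(array $findings): string
{
    $critical = count(array_filter($findings, fn($f) => $f['severity'] === 'Critical'));
    $out  = "# PHP Security Audit Report\n\n## Summary\n";
    $out .= "- **PHP Version:** " . PHP_VERSION . "\n";
    $out .= "- **Overall Risk Level:** " . overallRisk($findings) . "\n";
    $out .= "- **Critical Issues Found:** " . $critical . "\n\n## Critical Findings\n";
    foreach ($findings as $i => $f) {
        $out .= sprintf("### %d. %s\n- **Severity:** %s\n- **Remediation:** %s\n",
                        $i + 1, $f['title'], $f['severity'], $f['fix']);
    }
    return $out;
}

// Usage: php patterns.php > report.md
echo renderReport(evaluatePatterns(vulnerabilityPatterns()));
```

Because the checks are closures, a rule can be added or removed without touching the evaluation or rendering code, and the same `evaluatePatterns()` output can be fed into the Recommendations section of the template ordered by severity.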
## Hardening Recommendations

### Immediate Actions

- Disable dl() - Add to `disable_functions`
- Set open_basedir - Restrict to application directory
- Disable error display - Set `display_errors = Off`
- Hide PHP version - Set `expose_php = Off`

### Additional Hardening

- Limit file uploads - Set appropriate size limits
- Disable URL includes - Set `allow_url_include = Off`
- Set execution limits - Prevent resource exhaustion
- Use latest PHP version - Patch known vulnerabilities
## Testing Commands

### Check PHP Configuration

```bash
php -i | grep -E "(disable_functions|extension_dir|open_basedir)"
```

### List Enabled Functions

```bash
php -r "print_r(get_defined_functions()['internal']);" | grep -E "(exec|system|shell_exec|dl)"
```

### Check Extension Directory Permissions

```bash
ls -la "$(php -r "echo ini_get('extension_dir');")"
```
## Notes

- Always test changes in a staging environment first
- Some applications may require certain functions to be enabled
- Document any exceptions to security recommendations
- Regular audits should be performed after PHP updates
- Consider using PHP security scanners for automated checks