1. “ ”
10
10 ways to “exploit” PHP that you might not know

2. brushup: What is PHP?
The most overengineered template engine ever.
Often mistaken as a sort of programming language due to its
“your-favorite-language-like” syntatic features.
The world’s first template engine upon which another template
engine is implemented.

3. Uh, so... do you mean PHP is
not a programming language?

6. Why not customize PHP so it would fit more to your
project?

9. Extensions
SAPI ZendEngine2
SAPI module

10. Extensions
SAPI ZendEngine2
SAPI module

11. Extensions
SAPI ZendEngine2
SAPI module

12. Extensions
SAPI ZendEngine2
SAPI module

13. Extensions
SAPI ZendEngine2
SAPI module

15. threads
Slot #1
TLS
Slot #2
TLS
module global
Slot #n
TLS

16. zend_objects.c
zend_object_handlers.c
zend_objects_API.c zend_alloc.c
Objects API Allocator
zend_execute.c zend_API.c
zend_execute_API.c zend_float.c
zend_vm_execute.h
zend_operators.c
Virtual Machine Utilities zend_stream.c
zend_qsort.c
zend_gc.c Garbage
Stack Linked List
Collector
zend_compile.c zend_stack.c
zend_opcode.c Hashtable zend_ptr_stack.c
Opcode emitter zend_llist.c
basic data structure zend_hash.c
Parser Lexer Parser Lexer
zend_language_parser.y
zend_language_scanner.l zend_ini.c
language core ini parser zend_ini_parser.y
zend_ini_scanner.c

17. <?php
?
$a = 1;
$b = 2;
$c = $a + $b;
?>

18. T_OPEN_TAG
<?php T_VARIABLE
$a = 1; ‘=’
$b = 2; T_LNUMBER
$c = $a + $b; ‘;’
?> T_VARIABLE
‘=’
T_LNUMBER
‘;’
T_VARIABLE
‘=’
Lexer T_VARIABLE
‘+’
T_VARIABLE
‘;’
T_CLOSE_TAG

19. zend_op
T_OPEN_TAG ASSIGN
T_VARIABLE
‘=’ zend_op
T_LNUMBER
‘;’
ASSIGN
T_VARIABLE zend_op
‘=’
T_LNUMBER ADD
‘;’
T_VARIABLE zend_op
‘=’
T_VARIABLE
ASSIGN
‘+’
T_VARIABLE
‘;’ zend_op_array
T_CLOSE_TAG
Parser Opcode
emitter

21. opcode handler
result
op1 op2
extended_value
zend_op

22. op_type
opline_num
constant var op_array
jmp_addr

24. $a = $b + $c + $d; ASSIGN
result
ADD op1 op2
ADD ADD
ASSIGN result
op1 op2
ADD
result
op1 op2
TMP_VAR

27. zend_op ASSIGN
ASSIGN
zend_op FETCH_R
ASSIGN
zend_op FETCH_W
ADD
zend_op FETCH_DIM_R
ASSIGN
FETCH_DIM_W
zend_op_array
ECHO
ADD
handlers

34. array(1, 2, 3, 4, 5)->join(’,’)
Java autoboxing PHP
?
autobox __autobox()

38. <?php $a = << ?><?html>
<body>
<?div id=”{$id}”>test</?div>
</body>
</?html>
<?php
// $a DOM
var_dump($a);
?>

45. Boost.PHP

47. #include "boost/php/module.hpp"
#include "boost/php/function.hpp"
using namespace boost;
class m001_module
: public php::module,
public php::function_container<m002_module> {
public:
class handler
: public php::module::handler {
public:
handler(m001_module* mod)
:php::module::handler(mod) {}
};
public:
m001_module(zend_module_entry* entry)
: php::module(entry) {
// entry->functions =
defun("your_function", &handler::your_function);
}
};
#define BOOST_PHP_MODULE_NAME m001
#define BOOST_PHP_MODULE_CAPITALIZED_NAME M001
#define BOOST_PHP_MODULE_VERSION "0.1"
#define BOOST_PHP_MODULE_CLASS_NAME m001_module
#include "boost/php/module_def.hpp"

50. defun(”function_name”, )

53. Thank you for listening!