Offensive Thinking

Internet Thoughtcrime

Auditing PHP code and phpsh

Posted: 2009-11-04

PHP. Yes, I have to work with it. Many of the web applications I pentest are written in PHP, so there’s no way around it. Sometimes I even have to read the source code of the web application to verify something I found while testing or while searching through the code for common vulnerability patterns.

The problem with PHP is… wait, let me rephrase that. One problem with PHP is that it doesn’t come with a REPL. Which sucks because if, for example, I want to check something quickly in Python or Ruby, I fire up Python or IRB and hack away, including things like tab completion for functions and all that fancy stuff. PHP doesn’t have that.

So I searched for a decent PHP REPL and found phpsh, which was developed and released by – drum roll – Facebook. Yeah, I didn’t think it could get worse than PHP either ;). But seriously, it’s surprisingly good. I played a little bit with phpsh and it supports tab completion for functions, classes, global variable names etc., shows you the PHP documentation for a function or identifier, lets you dynamically include new files… All in all, many things you’d expect from a good REPL.

There’s already a PKGBUILD in AUR for phpsh, if you’re using Arch Linux. The only thing you have to do is to add /etc/phpsh/ to open_basedir in your /etc/php.ini, otherwise it will complain.
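To see whether that php.ini edit is needed, the check below (an added example, not part of the original post or of phpsh) reads an ini file and reports whether open_basedir already covers /etc/phpsh/. It assumes Unix ':' separators, that the last uncommented open_basedir line wins, and that entries are treated as directories; the function names and the sample ini contents are made up for illustration.

```shell
#!/bin/sh
# Added example: does a php.ini's open_basedir already cover /etc/phpsh/?
# Assumptions: ':' separators, last uncommented directive wins.

# Print the value of the last uncommented open_basedir line in ini file $1.
effective_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# Return 0 if directory $2 is allowed by ini file $1, 1 if it is locked out.
basedir_allows() {
    value=$(effective_open_basedir "$1")
    if [ -z "$value" ]; then return 0; fi   # unset or empty: no restriction
    target=${2%/}
    old_ifs=$IFS; IFS=:; set -f             # split on ':' without globbing
    rc=1
    for entry in $value; do
        if [ -z "$entry" ]; then continue; fi
        entry=${entry%/}
        # Assumed semantics: entries are directories, so match only on a
        # directory boundary (/etc/php must not cover /etc/phpsh).
        case "$target/" in
            "$entry"/*) rc=0; break ;;
        esac
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Constructed sample input: a php.ini fragment from before phpsh was installed.
sample_ini=$(mktemp)
cat > "$sample_ini" <<'EOF'
; open_basedir = /ignored/commented/out
open_basedir = "/srv/http/:/tmp/:/usr/share/pear/"   ; constructed value
EOF

if basedir_allows "$sample_ini" /etc/phpsh/; then
    echo "open_basedir already covers /etc/phpsh/"
else
    echo "locked out: append :/etc/phpsh/ to open_basedir"
fi
rm -f "$sample_ini"
```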