2020-05-25 19:10:06 +02:00
|
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
|
|
// This maps internal function names to sink types that we don’t want to end up there
|
|
|
|
|
|
|
|
|
|
|
|
return [
|
|
|
|
|
|
'exec' => [['shell']],
|
2020-06-19 17:56:04 +02:00
|
|
|
|
'file_get_contents' => [['text']],
|
2020-05-25 19:10:06 +02:00
|
|
|
|
'file_put_contents' => [['shell']],
|
|
|
|
|
|
'fopen' => [['shell']],
|
2020-05-29 06:24:07 +02:00
|
|
|
|
'header' => [['text']],
|
2020-06-29 23:54:47 +02:00
|
|
|
|
'igbinary_unserialize' => [['text']],
|
2020-05-29 06:24:07 +02:00
|
|
|
|
'ldap_search' => [['text']],
|
|
|
|
|
|
'mysqli_query' => [[], ['sql']],
|
2020-05-25 19:10:06 +02:00
|
|
|
|
'passthru' => [['shell']],
|
|
|
|
|
|
'pcntl_exec' => [['shell']],
|
|
|
|
|
|
'printr' => [['html', 'user_secret', 'system_secret']],
|
|
|
|
|
|
'PDO::prepare' => [['sql']],
|
|
|
|
|
|
'PDO::query' => [['sql']],
|
|
|
|
|
|
'PDO::exec' => [['sql']],
|
2020-05-29 06:24:07 +02:00
|
|
|
|
'setcookie' => [['text'], ['text']],
|
2020-05-25 19:10:06 +02:00
|
|
|
|
'shell_exec' => [['shell']],
|
|
|
|
|
|
'system' => [['shell']],
|
2020-06-29 23:54:47 +02:00
|
|
|
|
'unserialize' => [['text']],
|
2020-05-25 19:10:06 +02:00
|
|
|
|
];
|
