0

I'm experimenting with old PHP (5.3.10) code that uses the now-deprecated /e modifier in preg_replace. I understand /e evaluates the replacement string as PHP code.

Example

<?php
$string = 'phpinfo()';
print preg_replace('/^(.*)/e', 'strtoupper(\\1)', $string);
?>

This works; it calls phpinfo() and outputs the info page. But if I try the following, it does not execute ls -la.

preg_replace('/.*/e', 'system("ls -la")', 'test');

When reading through this article, I found that the PCRE engine will prevent straightforward command injection. Is phpinfo() not considered a command injection?

I have these specific questions:

  1. Why exactly does phpinfo() run but system("ls -la") does not in this /e context?

  2. How can I execute a command, for example id, when the double quotes are wrapped around it?

In the first case, the command id will be executed, but when adding double quotes I'll get an error.

Working example

<?php
$string = '`id`';
print preg_replace('/^(.*)/e', 'strtoupper(\\1)', $string);
?>

Non-working example

<?php
$string = '`id`';
print preg_replace('/^(.*)/e', 'strtoupper(\"\\1\")', $string);
?>

Error

image showing the error when using "id" and strtoupper with double quotes inside

How can I properly escape the double quotes so that I can pass the backtick command id into system() instead of strtoupper()?

I'm not using this in production - this is for learning purposes on a local, isolated test environment to understand /e behavior and the differences in function execution.
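For the defensive side of this, an added example (not code from the question): the same uppercase replacement written with the /e modifier and with preg_replace_callback, which is the replacement PHP recommends. It assumes PHP 5.3 or later for the closure; the /e branch only runs on PHP 5.x, since the modifier was removed in PHP 7.

```php
<?php
// Added example, not part of the original question.
// Assumes PHP >= 5.3 (closures). The /e form is deprecated in 5.5 and
// removed in 7.0, where preg_replace() returns NULL with a warning.

// Constructed untrusted input: text that also happens to be valid PHP.
$untrusted = 'phpinfo()';

// Vulnerable form: with /e, preg_replace() substitutes the backreferences
// into the replacement string and then evaluates the result as PHP code.
// For this input the evaluated code is strtoupper(phpinfo()), so whatever
// the matched text contains is executed, not uppercased.
function upper_with_e($input)
{
    return preg_replace('/^(.*)/e', 'strtoupper(\\1)', $input);
}

// Hardened form: the capture group is passed to the callback as a plain
// string in $m[1]. The input is never parsed as code, regardless of
// whether it contains parentheses, quotes or backticks.
function upper_with_callback($input)
{
    return preg_replace_callback('/^(.*)/', function ($m) {
        return strtoupper($m[1]);
    }, $input);
}

// The callback form simply returns the uppercased text for both inputs.
var_dump(upper_with_callback($untrusted));
var_dump(upper_with_callback('`id`'));
```

When auditing legacy PHP, the pattern to look for is any preg_replace() whose pattern modifiers contain e; each occurrence is an eval() of attacker-influenced text and should be rewritten as above.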

6
  • The e modifier has been completely removed from PHP. The last version which had it was PHP 5, but that branch reached end-of-life back in 2019. So you're riding a dead horse, and I highly doubt you'll learn anything from exploiting ancient PHP versions. Besides this, you seem to struggle more with PHP basics than the actual exploitation, so this question is more suited for Stack Overflow. Commented Aug 13 at 16:10
  • 1
    I was playing a CTF and came across this problem. Like you mentioned, I do struggle with PHP basics. I'm still new to the language; I thought maybe I would learn something about PHP through exploitation challenges. If you have any advice on how I should approach this problem, I'd be glad to hear it. Commented Aug 13 at 16:57
  • Get rid of the backslashes before the double quotes. Commented Aug 13 at 17:11
  • I think I didn't explain well: you can't just edit the source code given in the CTF. I was given a binary that has to be exploited and the PHP code explaining what the binary does. I was doing a simulation on my local machine to see what would happen if the double quotes are removed. So my question is: how to bypass the double quotes? Commented Aug 13 at 17:44
  • What have you tried? Depending on the PHP version (which you didn't specify in the question), null injection is possible. Commented Aug 13 at 17:57
