Hello everybody.

Tell me, please, what the vulnerability in the PHP code below is. As I understand it, an attacker can get the values of all variables in the code (including global ones). Does this code allow arbitrary code execution?

Thanks in advance for the answers.

SOURCE:

 <?php
 // Strips backslashes and both kinds of quotes, then hands the result to eval()
 $user_input = str_replace(array("\\", "'", '"'), "", $_GET["user_input"]);
 eval("echo(\"$user_input\");");
 ?>

UPDATE: Good people gave an example of a quote bypass. For example, pass {${phpinfo()}} as templateTitle, and other tasty, interesting functions. I don't quite understand why the braces help bypass the filtering. I should probably go and read up on it.

  • Well, yes, if you write something like print_r($_SESSION) in the GET - johniek_comp
  • I don't understand the essence of the question at all; just accept the fact that any kind of eval is evil (JSON doesn't count :)) and you will be happy - Zowie

1 answer

If you somehow bypass the replacement of double quotes and backslashes, you can execute any code by passing it in the templateTitle variable. I have not yet figured out how to pass \" so that it does not get replaced with an empty string.

Without replacement, it would be something like this:

 http://site.ru/source.php?templateTitle=\");var_dump($GLOBALS);echo(\"Ok
  • Well, yes. I also spent a couple of hours thinking about it and searching Google to figure out how to bypass the filter and inject a quotation mark, but unfortunately didn't come up with anything - gg4me
  • Maybe insert another variable into the request, since the replacement is not done on it: source.php?templateTitle=$_GET[test]&test="; - Sergiks
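The following script is an added demonstration, not code from the question or the answer. It wraps the question's sink in a function, feeds it constructed inputs from the CLI (no web server, no real $_GET values except the one the script sets itself), and captures the output so the effect of each payload can be compared. The $secret variable is a stand-in for any variable that happens to be in scope when eval() runs. It shows why the quote injection from the answer fails against the filter, why the braces from the update work (PHP's "complex" string interpolation syntax {${expr}} evaluates expr to obtain a variable name, so any expression, including a function call, runs as a side effect without a single quote character), and what the second-parameter trick from the last comment actually produces. The hardened variant drops eval() entirely.

```php
<?php
// Added demonstration (not from the original post): the vulnerable sink from
// the question, exercised with constructed payloads, next to a safe version.

declare(strict_types=1);

// The question's sink, unchanged apart from being wrapped so its output can
// be captured. $secret is a constructed stand-in for a variable in scope.
function vulnerable_sink(string $raw): string
{
    $secret = 'hunter2';
    $user_input = str_replace(array("\\", "'", '"'), "", $raw);
    ob_start();
    eval("echo(\"$user_input\");");   // the literal is still parsed by PHP
    return (string) ob_get_clean();
}

// Hardened form: the value is data, so it is never handed to the parser.
function safe_sink(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed: the second request parameter suggested in the last comment.
$_GET['test'] = '");phpinfo();echo("';

$payloads = [
    // From the answer: closing the literal needs \" and ", which the filter
    // removes, so the rest is printed as text. Note that $GLOBALS inside the
    // literal is still interpolated (to "Array", with a warning).
    'quote injection'       => '\\");var_dump($GLOBALS);echo(\\"Ok',
    // Simple interpolation: "$var" works inside the literal, no quotes needed,
    // so any variable in scope leaks.
    'simple interpolation'  => 'value=$secret',
    // Complex interpolation {${expr}}: expr is evaluated to produce a variable
    // name, so the call runs as a side effect. PHP_VERSION is a constant, so no
    // quotes are required; the page's {${phpinfo()}} uses the same slot. The
    // lookup of the bogus variable afterwards only produces a warning.
    'complex interpolation' => '{${print(PHP_VERSION)}}',
    // The last comment's idea: "$_GET[test]" is interpolated as a string value,
    // so its contents are echoed verbatim, not parsed as code.
    'second parameter'      => '$_GET[test]',
];

foreach ($payloads as $name => $payload) {
    printf("== %s ==\n", $name);
    printf("vulnerable: %s\n", vulnerable_sink($payload));
    printf("safe:       %s\n\n", safe_sink($payload));
}
```

Run it with php from the command line. The "quote injection" case prints `);var_dump(Array);echo(Ok`, "simple interpolation" prints `value=hunter2`, "complex interpolation" prints the PHP version (followed by an "Undefined variable" warning from the variable lookup that the syntax performs after the call), and "second parameter" prints `");phpinfo();echo("` as plain text, because interpolation inserts a value, not code. The safe version prints every payload as inert, escaped text. Stripping quotes does not remove the attack surface because the attacker never needs to leave the string literal: the literal itself is an expression context once eval() parses it.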