Parsing and dealing with the eval function in PHP

Question

Disclaimer: This is just an example for learning PHP code injection, not production code to be used in any way. I'm fully aware that this is not good coding practice.

I have the following PHP script:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>Example script</title>
  </head>
  <body>
    <h1>Example page</h1>
    <p>Now for the math. Please enter a formula to calculate. For example: 1 1. </p>
    <form method="get">
      <p>Formula: <input type="text" name="maths" /></p>
      <p><input type="submit" value="calculate" /></p>
    </form>
<?
  if (( isset($_REQUEST["maths"])) && ($_REQUEST["maths"] != "") )
    {

      echo "<p>The result is:";
      eval("echo (".$_REQUEST["maths"].");");
      echo "</p>";
    }
?>
  </body>
</html>

This script is vulnerable to PHP code injection, I was able to break it by doing the following (mostly found out by trial and error):

$a='1');phpinfo();echo($a

However, I don't fully understand the rationale. From what I understand, I need to complete the echo statement, insert my own code (e.g. phpinfo()), and then write another function (e.g. echo) to handle the closing bracket.

I thought code like this would work:

");phpinfo();echo("

However, this does not work because phpinfo is considered part of the string and is not evaluated by the eval function. I also tried escaping the quotes without success.

Question:

• What is the correct way to inject code here?
• Why does$a='1');phpinfo();echo($a work?

Answer 1

The problem is that this statement is invalid:

echo ();

It will cause parsing errors. So you need to inject something to avoid this error. For example:

$var = "1); phpinfo(); echo (1";
eval("echo ($var);");

Answer 2

When you use that input, the result of substituting the variable is:

eval("echo ($a='1');phpinfo();echo($a);");

So $a='1' is assigned here, and the result of the assignment is output (that is, the value assigned to $a). Then phpinfo() was executed. Finally $a is output again.

If you try to use );phpinfo();echo(, it won't work because it's trying to do echo (). But echo At least one parameter is required.

So to inject code here, you have to make sure the input starts with something valid after echo () and ends with something valid before );. Place any additional code you want to inject between these two parts.