
Injection on PHP preg_replace?

Do you know PHP's preg_replace()? It is regex search-and-replace: you give it a pattern, a replacement and a subject string, and it finds what the pattern matches in the subject and replaces it. For example, if you find "azfar" in the string "azfar_here" and replace it with "jaka", you get "jaka_here". You can read about preg_replace() in the PHP documentation: https://www.php.net/manual/en/function.preg-replace.php

And why can preg_replace() be injected? Any function that processes user input can be attacked if that input is not sanitized. What is special about preg_replace() is that its first argument is not a plain string but a complete PCRE pattern, delimiters and trailing modifiers included, so whoever controls that argument controls how the function behaves. Take this code:

<?php
$string  = "azfar_here";
$find    = '/far/';  // a PCRE pattern needs delimiters; "far" alone makes preg_replace() warn and return NULL
$replace = "aaaa";

// replaces the match "far" with "aaaa", giving "azaaaa_here"
$final = preg_replace($find, $replace, $string);
echo "replaced: " . $final;
?>

preg_replace() processes the pattern together with its delimiters and the modifiers after the closing delimiter. Have you ever thought about what happens if the user writes the find as /aaa/ and adds a modifier? Before PHP 7.0, PCRE patterns accepted the e modifier (PREG_REPLACE_EVAL, deprecated in PHP 5.5.0 and removed in 7.0.0): with /aaa/e, preg_replace() substitutes the backreferences into the replacement string and then evaluates it as PHP code instead of inserting it. So the replace field becomes a place to put phpinfo() or a system() call. Let me change the example for you:

<?php
$string  = "azfar_here";
$find    = '/far/e';     // the e modifier: evaluate the replacement as PHP code (PHP < 7.0 only)
$replace = 'phpinfo()';  // a string, not a call here: preg_replace() itself executes it because of /e

// on PHP 5.x this runs phpinfo() and inserts its return value into the string;
// on PHP 7+ it warns "Unknown modifier 'e'" and returns NULL
$final = preg_replace($find, $replace, $string);
echo "replaced: " . $final;
?>



Yes: once the pattern ends in /e, preg_replace() no longer inserts the replacement text, it executes it, so phpinfo() runs and its output shows up in the page.

And you will say: that is only on local.

Let me show it on the real website. The site looks normal: a form with three inputs, text, find and replace. Let me use the payload I showed you above.


I can inject this web app and get phpinfo(), which means my replace field is being executed as PHP code, so I can call other functions too, and that means I can trigger system commands.


So let's chain from preg_replace() to command injection,

and then to a reverse shell.


Prevent injection

The prevention is the usual one: every feature that takes user input must validate it, because "hackers will try anything from your input". For preg_replace() in particular: never let the user supply the whole pattern. Build it yourself with a fixed delimiter, pass the user's search string through preg_quote(), and allowlist the modifiers you accept, so e can never get in. Run PHP 7 or later, where the e modifier no longer exists and preg_replace() refuses such a pattern, and use preg_replace_callback() when the replacement really needs logic.
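A hardened version of the same text/find/replace feature, as an added example and not code from the original post. The function names, the allowed-flag list and the callback are my choices for illustration; the calls themselves are standard PHP (str_replace, preg_quote, strspn, preg_replace_callback, preg_last_error), and the code targets PHP 7 or later.

```php
<?php
// Added example, not the original post's code: the text/find/replace feature
// built so that user input can never reach the pattern's delimiters or modifiers.
// Targets PHP 7+ (where /e is already gone); names below are illustrative.

// 1. Literal search-and-replace: no regex engine involved, nothing to inject.
function literal_replace(string $text, string $find, string $replace): string
{
    return str_replace($find, $replace, $text);
}

// 2. If regex matching is really needed: fixed delimiter, quoted user text,
//    allowlisted flags. The replacement stays a plain string; it is never evaluated.
function regex_replace(string $text, string $find, string $replace, string $flags = ''): string
{
    // every character of $flags must be one of i, m, s, u; 'e' can never get through,
    // and preg_quote() escapes any '/' in $find so it cannot end the pattern early
    if (strspn($flags, 'imsu') !== strlen($flags)) {
        throw new InvalidArgumentException("flags '$flags' are not allowed");
    }
    $pattern = '/' . preg_quote($find, '/') . '/' . $flags;
    $result  = preg_replace($pattern, $replace, $text);
    if ($result === null) { // PCRE failure: bad UTF-8, backtrack or recursion limit, and so on
        throw new RuntimeException('replace failed, preg error ' . preg_last_error());
    }
    return $result;
}

// 3. When the replacement needs logic (the legitimate use of the old /e),
//    use preg_replace_callback() with code you wrote, not a string the user wrote.
function upper_replace(string $text, string $find): string
{
    $pattern = '/' . preg_quote($find, '/') . '/';
    return preg_replace_callback($pattern, function (array $m): string {
        return strtoupper($m[0]);
    }, $text);
}

// Constructed inputs, including the attacker's find/replace pair from the write-up.
echo literal_replace('azfar_here', 'far', 'aaaa'), PHP_EOL;
echo regex_replace('azFAR_here', 'far', 'jaka', 'i'), PHP_EOL;
echo upper_replace('azfar_here', 'far'), PHP_EOL;
echo literal_replace('azfar_here', '/far/e', 'phpinfo()'), PHP_EOL; // "/far/e" is just text here: no match, nothing runs
try {
    regex_replace('azfar_here', 'far', 'phpinfo()', 'e');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The key property is that the delimiters and the modifier position of the pattern are written by the application, never by the request: the user's find text can only ever appear inside the quoted part of the pattern, and the replacement is data that preg_replace() copies, not code it runs.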