Arbitrary Command Execution

PHP

preg_replace()

  • Used in PHP to perform regular expression-based replacements.

    • Syntax: preg_replace(pattern, replacement, subject);

    • If the /e modifier (or PREG_REPLACE_EVAL) is used, the replacement string can be executed as PHP code before the replacement occurs.

Attack Technique

  • While the /e modifier may not be explicitly present in the original code, it can be injected into the regular expression pattern through user input.

  • If user input is used directly in the preg_replace() function, attackers can manipulate requests to inject the /e modifier into the pattern, causing arbitrary PHP code execution.

  • Look for POST request parameters whose values look like regex patterns (containing the / delimiter).

  • Some payload examples:

Intercepted POST request
pattern=%2Fx%2Fe&ipaddress=system("id")&text=x
Plain PHP equivalent
preg_replace('/x/e', 'system("id")', 'x')
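An added example, not code from the original page: the vulnerable call shape behind the intercepted request above, a check that flags an e modifier in a user-supplied pattern, and a hardened form that never takes a regex from the user. Function names are assumptions; the vulnerable branch only executes code on PHP 5.x, since /e was deprecated in 5.5 and removed in 7.0, where preg_replace_callback() is the supported replacement.

```php
<?php
// Added example, not from the original page. Function names are assumptions.
// The vulnerable branch only executes code on PHP 5.x: /e was deprecated in
// 5.5 and removed in 7.0, where it raises a warning instead of being honoured.

// VULNERABLE: the whole pattern, delimiters and modifiers included, comes from
// the request, so a value of "/x/e" makes PHP eval the replacement argument.
function vulnerable_replace(array $post) {
    return preg_replace($post['pattern'], $post['ipaddress'], $post['text']);
}

// CHECK: does a user-supplied pattern carry the e modifier? Useful for logging
// or rejecting requests in an input filter, but not a substitute for the
// hardened form below (preg_replace also accepts arrays of patterns).
function has_eval_modifier($pattern) {
    $pattern = ltrim($pattern);            // PCRE skips leading whitespace too
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false;                      // no closing delimiter: PCRE rejects it
    }
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

// HARDENED: the user supplies a literal string to find, never a regex.
// preg_quote() escapes metacharacters and the chosen delimiter, the modifier
// set is fixed in code, and a callback does what /e was once used for.
function safe_replace($needle, $subject) {
    $pattern = '/' . preg_quote($needle, '/') . '/';
    return preg_replace_callback(
        $pattern,
        function (array $m) { return strtoupper($m[0]); },
        $subject
    );
}

// Constructed request mirroring the intercepted POST above.
$post = array('pattern' => '/x/e', 'ipaddress' => 'system("id")', 'text' => 'x');
var_dump(has_eval_modifier($post['pattern']));
var_dump(has_eval_modifier('/x/i'));
var_dump(safe_replace('x', 'axbxc'));
```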
