Arbitrary Command Execution

PHP

preg_replace()

Used in PHP to perform regular expression-based replacements.
- Syntax: preg_replace(pattern, replacement, subject);
- If the /e modifier (or PREG_REPLACE_EVAL) is used, the replacement string can be executed as PHP code before the replacement occurs.

Attack Technique

While the /e modifier may not be explicitly present in the original code, it can be injected into the regular expression pattern through user input.
If user input is used directly in the preg_replace() function, attackers can manipulate requests to inject the /e modifier into the pattern, causing arbitrary PHP code execution.
Look for regex patterns on POST requests (/)
Some payload examples:

Intercepted POST request

pattern=%2Fx%2Fe&ipaddress=system("id")&text=x

Plain PHP

preg_replace(/x/e, system("id"), x)

Last updated 2 months ago

PHP

preg_replace()

Used in PHP to perform regular expression-based replacements.
- Syntax: preg_replace(pattern, replacement, subject);
- If the /e modifier (or PREG_REPLACE_EVAL) is used, the replacement string can be executed as PHP code before the replacement occurs.

Attack Technique

While the /e modifier may not be explicitly present in the original code, it can be injected into the regular expression pattern through user input.
If user input is used directly in the preg_replace() function, attackers can manipulate requests to inject the /e modifier into the pattern, causing arbitrary PHP code execution.
Look for regex patterns on POST requests (/)
Some payload examples:

Intercepted POST request

pattern=%2Fx%2Fe&ipaddress=system("id")&text=x

Plain PHP

preg_replace(/x/e, system("id"), x)

Last updated 2 months ago