Exploiting PHP preg_replace( ) function

 Introduction:

The preg_replace() function returns a string or array of strings where all matches of a pattern or list of patterns found in the input are replaced with substrings. 

Usage: preg_replace(patterns, replacements, input, limit, count)

This is a userful function but when handled incorrectly could cause severe damage as great as RCE.

Exploitation:

For example see this: 

this will output: world world
No problem, right? But the problem arises if we use this /e modifier in the PHP preg_funtions which allows the PHP code to be executed.

So now lets add the /e modifier and read the contents of index.php
Output
et Voila!
 This was just an example but in real life same thing could be used but with some more complex payloads.
Have nice day.
                                        -DarkRider88

Comments

  1. maeseekahleyFebruary 25, 2022 at 8:57 AM

    ᐈ Casino Review | Online Slots | OKLAHOMA Casino
    Casino 블랙 잭 게임 Review by OnlineSlots.com. Find everything you need to 안전 바카라 know about this casino before 룰렛 돌리기 게임 you play. Find 슬롯사이트 out which casino games w88 com login offer the most

    ReplyDelete

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

Carpe-Diem | Tryhackme | Writeup

Image
Room:  Carpe - diem  Big shout out to the creator of this room:  4ndr34z Overview:   In this room we have retrieve the key which is used to encrypt a database file stored at /downloads/database.carpe. For me this room was too challenging and hence this writeup for all the coming folks. I have tried to explain everything so that the beginners could understand it easily. Enumeration: 1. A s usual we will start with NMAP scan From port scan we found there is nothing unique or interesting running except the port 80. So we should open the website and do some enumeration. 2. This website is asking us to send proof of our bitcoin address..and only after that you can retrieve the key..(I think thats what the theme of this room .. a perfect ransomware attack) 3. After that we review the source code of the webpage and always read those javascripts. Explanation:  first this code is checking that you don't copy the same address and send to proof and if you do that it pop up...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more