PHP
Information about PHP exploitation and prevention techniques
Bypassing the PHP function addslashes
addslashesQuotes and apostrophes are parsed different in PHP (similar as in bash). Variables within quotes "$a" will be interpreted, meaning they will be resolved. Same goes for apostrophes within quotes "'$a'". Variables within Apostrophes won't be interpreted '$a'.
To encapsulate the variable that is meant to be resolved when other characters are appended to the string (e.g. $a123), curly brackets come in handy ${a}they allow the following to be interpreted in an expected manner:${a}123 since 123 is not seen as a part of the variable $a , the content of $a will be interpreted.
Now it is also possible to define a new variable like this and assign a value to it ${a}=123. Since we can encapsulate what the variable name should be, its possible to call a function within the curly brackets, which return value will be used as the variable name and then assign a value to it ${phpinfo()}=123. As an example, the values defined in this operation can be dumped with var_dump(${phpinfo()}=123). The var_dump() function essentially dumps all information for the variable passed to it.
Exploitation / POC
Vulnerable function
while
test"; phpinfo(); echo "testwould be prevented by calling theaddslashesfunction,${phpinfo()}certainly would not.
Remote exploit example
For code execution replace
phpinfo()withsystem("sleep%2010")In this scenario the
vulnerableparameter is evaluated by theaddslashesfunction before it is processed further.The variable
1=is not evaluated by theaddslashesfunction, thus bypassing it completely.
Mitigation
Implement proper input validation and do not process user input unsanitized (especially not by functions such as eval or system). The addslashes function is not designed as a security mechanism and should not be used as such.
References
Last updated
Was this helpful?