Tweetable PHP-Non Alpha
Thursday, 13 December 2012
I started to try and break the 10 charset limit of PHP non-alpha after @InsertScript showed me that PHP Dev supports [] syntax for arrays. I wondered if it would be possible to break the limit within production PHP. At first I thought you could but then after some testing I found that there was no way to concat without “.” and no way to call a string as a function without $ and =. However since I got into PHP Non-alpha again I thought why not try and improve it and make the code tweetable.
The first hack I found was that underscore is usable in PHP as a string since there is a function called “_”. Therefore we can create 0 by simply doing:
echo +_;
You can also create numbers and arrays using undefined variable references like so:
echo ++$_[];//prints 1
You can also chain those together to form more numbers (useful for code generation)
echo (++$_[])+(++$_[]);//2
Lets create assert using these techniques.
First we create an array:
$_[]++;
Then we concat that array with a underscore to do a string conversion. I put the value in the next position of the array so we can reuse the 1 in the first position.
$_[]=$_._;
Here I reuse the 1 to extract the string “Array_” from the second element of the array.
$_=$_[$_[+_]];
I create one using a undefined variable reference ++$__[] and extract “r” from the string.
$___=$__=$_[++$__[]];
Then I extract “A” and reuse it for getting “e”
$____=$_=$_[+_];
Increment “A” a couple of times to get “D”
$_++;$_++;$_++;
Finally increment the other characters to form “assert”.
$_=$____.++$___.$___.++$_.$__.++$___;$_
The final tweetable code:
$_[]++;$_[]=$_._;$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];
$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$_('print "haha";');
文章来源于lcx.cc:Tweetable PHP-Non Alpha
相关推荐: [译文] 逆向分析 D-Link backdoor
在 dlink 的升级包 firmware v1.13中,作者下载放入IDA中分析,发现了异样, 接着查看了带有“alpha”字串的自定义函数: alpha_auth_check 这个函数很有意思。 它在不同地方被调用,着重分析alpha_httpd_par…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论