Tweetable PHP-Non Alpha

  • A+
所属分类:lcx

Tweetable PHP-Non Alpha

Thursday, 13 December 2012

I started to try and break the 10 charset limit of PHP non-alpha after @InsertScript showed me that PHP Dev supports [] syntax for arrays. I wondered if it would be possible to break the limit within production PHP. At first I thought you could but then after some testing I found that there was no way to concat without “.” and no way to call a string as a function without $ and =. However since I got into PHP Non-alpha again I thought why not try and improve it and make the code tweetable.

The first hack I found was that underscore is usable in PHP as a string since there is a function called “_”. Therefore we can create 0 by simply doing:

echo +_;

You can also create numbers and arrays using undefined variable references like so:

echo ++$_[];//prints 1

You can also chain those together to form more numbers (useful for code generation)

echo (++$_[])+(++$_[]);//2

Lets create assert using these techniques.

First we create an array:

$_[]++;

Then we concat that array with a underscore to do a string conversion. I put the value in the next position of the array so we can reuse the 1 in the first position.

$_[]=$_._;

Here I reuse the 1 to extract the string “Array_” from the second element of the array.

$_=$_[$_[+_]];

I create one using a undefined variable reference ++$__[] and extract “r” from the string.

$___=$__=$_[++$__[]];

Then I extract “A” and reuse it for getting “e”

$____=$_=$_[+_];

Increment “A” a couple of times to get “D”

$_++;$_++;$_++;

Finally increment the other characters to form “assert”.

$_=$____.++$___.$___.++$_.$__.++$___;$_

The final tweetable code:

$_[]++;$_[]=$_._;$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];
$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$_('print "haha";');

source

文章来源于lcx.cc:Tweetable PHP-Non Alpha

相关推荐: [译文] 逆向分析 D-Link backdoor

在 dlink 的升级包 firmware v1.13中,作者下载放入IDA中分析,发现了异样, 接着查看了带有“alpha”字串的自定义函数: alpha_auth_check  这个函数很有意思。 它在不同地方被调用,着重分析alpha_httpd_par…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: