Tweetable PHP-Non Alpha


Thursday, 13 December 2012

I started to try and break the 10 charset limit of PHP non-alpha after @InsertScript showed me that PHP Dev supports [] syntax for arrays. I wondered if it would be possible to break the limit within production PHP. At first I thought you could, but after some testing I found that there was no way to concatenate without “.” and no way to call a string as a function without $ and =. However, since I had got into PHP non-alpha again, I thought: why not try to improve it and make the code tweetable?

The first hack I found was that underscore is usable in PHP as a string since there is a function called “_”. Therefore we can create 0 by simply doing:

echo +_;

You can also create numbers and arrays using undefined variable references like so:

echo ++$_[];//prints 1

You can also chain those together to form more numbers (useful for code generation):

echo (++$_[])+(++$_[]);//2

Let's create assert using these techniques.

First we create an array:


Then we concatenate that array with an underscore to do a string conversion. I put the value in the next position of the array so we can reuse the 1 in the first position.


Here I reuse the 1 to extract the string “Array_” from the second element of the array.


I create one using an undefined variable reference ++$__[] and extract “r” from the string.


Then I extract “A” and reuse it for getting “e”


Increment “A” a couple of times to get “D”


Finally increment the other characters to form “assert”.


The final tweetable code:

$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$_('print "haha";');
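
A defender's view of the line above, as an added example that is not part of the original post: a Python heuristic that flags PHP source built from underscore-only variables, increments and a call through such a variable. The function name, the threshold and the benign sample are assumptions made for illustration.

```python
import re

# Constructed sample input: the final line of code shown in this post.
SAMPLE = r"""$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$_('print "haha";');"""
# Constructed benign input for comparison (note the $_POST superglobal).
BENIGN = """<?php $total = 0;
foreach ($_POST['items'] as $item) { $total += (int) $item; }
echo _('Total') . ": $total"; // gettext call, not a variable function
"""

# Quoted string literals and comments are data, not code, so drop them first.
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
# Variables named only with underscores ($_, $__, ...); $_GET/$_POST do not match.
UNDERSCORE_VAR = re.compile(r"\$_+(?![A-Za-z0-9_])")
# A call through such a variable, e.g. $_(...): a variable function call.
DYNAMIC_CALL = re.compile(r"\$_+\s*\(")

# Assumed threshold (tune on your own code base): share of letters/digits in code.
MAX_ALNUM_RATIO = 0.2


def analyze(php_source):
    """Return heuristic indicators of non-alphanumeric PHP in php_source."""
    code = COMMENT.sub("", STRING_LITERAL.sub("''", php_source))
    code = code.replace("<?php", "").replace("?>", "")
    visible = [c for c in code if not c.isspace()]
    ratio = sum(c.isalnum() for c in visible) / len(visible) if visible else 1.0
    result = {
        "alnum_ratio": ratio,
        "underscore_vars": len(UNDERSCORE_VAR.findall(code)),
        "increments": code.count("++"),
        "dynamic_calls": len(DYNAMIC_CALL.findall(code)),
    }
    # Flag only when a call through an underscore-only variable appears in code
    # that is almost free of letters and digits; each signal alone is weak.
    result["suspicious"] = (
        result["dynamic_calls"] >= 1 and ratio < MAX_ALNUM_RATIO
    )
    return result


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyze(src))
```

The string literal passed to the final call is ignored on purpose: the indicator is the shape of the code around it, not the payload text.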


Article source: PHP-Non Alpha
