-7

I'm looking to exploit this preg_replace call:

$str = preg_replace($pattern, '__', $str); 

I can control both $str and $pattern variables, but I'm not sure this is enough to inject arbitrary PHP code. Any ideas? :)

gen_Eric
  • no idea what you are asking –  Feb 04 '13 at 23:11
  • Why are you asking for an exploit? It is not the intention of this website to help exploit code. – mvbrakel Feb 04 '13 at 23:12
  • What are `$pattern` and `$str`? Exploitable how? Is the result going into a database? Shell? File? What are you trying to do? – gen_Eric Feb 04 '13 at 23:12
  • If you control both inputs, then obviously it's not exploitable, as there's no user-controlled input. – Oliver Charlesworth Feb 04 '13 at 23:14
  • Think of this: `$pattern = $_GET['pattern']; $str = $_GET['str']; $str = preg_replace($pattern, '__', $str);` I'm trying to search for a method to inject arbitrary PHP leveraging the "e" modifier... Something like this vulnerability: http://www.madirish.net/195 – user2041321 Feb 04 '13 at 23:16
  • @user2041321: Why are you letting the user input a regex? What is your ultimate goal here? – gen_Eric Feb 04 '13 at 23:17

1 Answer

5

preg_replace is only exploitable if the e modifier is used. This means that the $replacement string is evaluated as PHP code. Since you provide no way for the $replacement to be changed by the remote user, it is not vulnerable to exploits.

lonesomeday
  • nice interpretation of an ambiguous question –  Feb 04 '13 at 23:16
  • Thanks @lonesomeday, I know that, and this is the reason why I posted the question: to know if someone knows a workaround to inject PHP code even though the $replacement isn't controllable by user input. I was thinking of something like `preg_replace("/eval\(phpcode\)/e", "__", "phpcode")`. In other words, a way to inject PHP code into the $pattern or $subject parameter! – user2041321 Feb 04 '13 at 23:25
  • if you allow users to set those variables, then yes, otherwise no –  Feb 04 '13 at 23:27
  • @user2041321 If you don't provide any way for the user-supplied text to enter the string that is executed (and you don't), there is no way for arbitrary code to be executed. Neither `$pattern` nor `$subject` nor any matches will be executed unless you explicitly say so. – lonesomeday Feb 04 '13 at 23:28
  • @Dagon when I say "I can control both $str and $pattern variables" I mean I'm a remote user who can set those variables. You say yes, so how can I exploit it? – user2041321 Feb 04 '13 at 23:29
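
A defensive counterpart to the call discussed in this thread, as an added example that is not code from the question or the answers: when a pattern has to come from a request, allow-list its trailing modifiers (with `e` left out) and produce the replacement from a callback. The names `pattern_modifiers`, `safe_user_replace` and `ALLOWED_MODIFIERS` are hypothetical, and the sample patterns are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names; the allow-list deliberately omits the "e" modifier.
const ALLOWED_MODIFIERS = 'imsxuU';

// Return the modifier string that follows the first unescaped closing delimiter.
function pattern_modifiers(string $pattern): string
{
    if (strlen($pattern) < 2 || strpos($pattern, "\0") !== false) {
        throw new InvalidArgumentException('empty pattern or NUL byte');
    }
    $delim = $pattern[0];
    // Bracket-style delimiters are refused to keep the scan simple.
    if (ctype_alnum($delim) || ctype_space($delim) || strpos('\\([{<', $delim) !== false) {
        throw new InvalidArgumentException('unsupported delimiter');
    }
    for ($i = 1, $n = strlen($pattern); $i < $n; $i++) {
        if ($pattern[$i] === '\\') {
            $i++;                               // skip the escaped character
        } elseif ($pattern[$i] === $delim) {
            return (string) substr($pattern, $i + 1);
        }
    }
    throw new InvalidArgumentException('missing closing delimiter');
}

function safe_user_replace(string $pattern, string $subject): string
{
    $mods = pattern_modifiers($pattern);
    if (strspn($mods, ALLOWED_MODIFIERS) !== strlen($mods)) {
        throw new InvalidArgumentException('modifier not allowed: ' . $mods);
    }
    // The callback returns a literal, so no replacement string is parsed.
    $out = preg_replace_callback($pattern, static fn (array $m): string => '__', $subject);
    if ($out === null) {                        // compile failure or backtrack limit
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs standing in for the request parameters in the question.
foreach (['/b+/i', '/b+/e', '/b+/ie'] as $p) {
    try {
        echo $p, ' => ', safe_user_replace($p, 'aBBc'), PHP_EOL;
    } catch (InvalidArgumentException $ex) {
        echo $p, ' rejected: ', $ex->getMessage(), PHP_EOL;
    }
}
```

The `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0. A caller-supplied pattern can still trigger expensive backtracking, which is why the `null` return is checked.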