Hex string passed to php script in $_REQUEST array isn't being interpreted?

Question

Here's a really simple example:

$val = "";

if(array_key_exists("param", $_REQUEST)) {
    $val = $_REQUEST["param"];
}

print "echo \"$val\"";
passthru("echo \"$val\"");

I'm expecting the passthru() to print A if I pass test.php?param=\x41. However, it doesn't look like PHP is interpreting the escape sequence and passing "\x41" to passthru. I know that the \xAA shorthand only works on double quoted strings in PHP, but that condition should be satisfied in the example above. Does reading a variable out of $_REQUEST modify anything?

Escape sequences are only processed in string literals, not string data. — Barmar, Feb 20 '20 at 02:28

score 0 · Accepted Answer · answered Feb 20 '20 at 03:18

Escape sequences aren't expanded in strings, they're only expanded in string literals in code.

The shell command printf will process escape sequences in its format string argument, so you can do:

passthru("printf '$val'");

You can also use a shell string quoted with $'' to process escape sequences.

passthru("echo \$'$val'");

Hex string passed to php script in $_REQUEST array isn't being interpreted?

1 Answers1