Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

PHP function name bypasses

See original GitHub issue

_Issue originally created by user lifeforms on date 2018-12-30 20:59:58. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1274._

In PHP code, functions are called like system('uname') which triggers our PHP function names blacklist. However, PHP functions can also be called as follows:

# as made famous by https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
(system)('uname')         # triggers 942370 by accident
(sy.(st).em)('uname')
(string)"system"('uname')

# some others
define('x', 'sys' . 'tem');
(x)/* comment */('uname');

$y = 'sys'.'tem';
($y)('uname')

define('z', [['sys' .'tem']]);
(z)[0][0]('uname');

Can we block these patterns, for instance with a regular expression? Probably would be in a higher paranoia level.

Issue Analytics

State:
Created 3 years ago
Comments:5

Top GitHub Comments

1reaction

CRS-migration-botcommented, May 13, 2020

User spartantri commented on date 2019-01-02 13:25:13:

We will catch it as excessive non word chars and things like that not properly classify it as php injection bypass attempt, do somebody knows how to write transforms? it would be really nice to have the php equivalent t:phpdecode functionality to that of t:cmdline for bash as there will be a lot of possible combinations of this.

0reactions

CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2019-03-08 15:41:50:

Yes, theMiddleBlue covered this in #1294. So this is done. Closing now. Please reopen if I’m wrong.

Top Results From Across the Web

PHP function name bypasses · Issue #1274 · SpiderLabs/owasp ...

In PHP code, functions are called like system('uname') which triggers our PHP function names blacklist. However, PHP functions can also be called as...

PHP - Useful Functions & disable_functions/open_basedir ...

You can use the tool https://github.com/teambi0s/dfunc-bypasser and it will indicate you which technique you can use to bypass disable_functions . Bypassing ...

A deep dive into disable_functions bypass and PHP exploitation

Evading disable_functions in PHP. Analyzing how PHP works and how to evade and exploit disable_functions security.

RCE in PHP or how to bypass disable_functions in ... - Wallarm

Today we will explore an exciting method to remotely execute code even if an administrator set disable_functions in the PHP configuration ...

Bypassing PHP Disable Functions and Upload Filters - YouTube

In this video walk-through, we covered how to bypass disable functions in php and how to evade upload filters in this TryHackMe Machine....