
Simple bypass PHP

The common way of writing PHP code is to start with the `<?php` tag and end with `?>`.

Example:

<?php phpinfo();?>

When uploading a file or modifying templates, the application will often check whether the content starts with the `<?php` tag.

So what are the ways to bypass this check?

Method 1

Mix upper and lower case in the opening tag

<?pHp system('id');?>

Method 2

Replace the `php` in the opening tag with `=`

E.g.

<?= system('id');?>

PHP Reduction Challenge: Use 8 characters to run the id command

Original command

<?php system('id');?>  // 21 characters

First reduction: PHP tags allow for being unclosed.

PHP allows the closing tag to be omitted: you can open with `<?php` and never write `?>`, and this does not affect the execution of the PHP code.

Utilizing this feature, we can reduce the previous code as follows.

<?php system('id'); // 19 characters

Second reduction: PHP short tags.

In addition to the standard way of writing PHP tags, there are two other forms, also known as short tags.

<?= ?>

Utilizing this feature, we can reduce the previous code as follows.

<?= system('id'); // 17 characters

Third reduction: Changing the method of executing the command.

Since our goal is simply to execute the command, is there a shorter way to do so? For example, is there a function whose name is shorter than `system`?

PHP, being a large language, naturally has functions with shorter names than `system` that can also execute commands.

eval()
popen()
exec()
....

These are still not short enough. The shortest of all is the backtick operator: PHP can execute a shell command by enclosing it in backticks.

system('id')  =>  `id`

Utilizing this feature, we can reduce the previous code as follows.

<?=`id`;
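As an added example (not from the original page), the following PHP script shows why a check on the literal `<?php` prefix fails against every variant above, and how letting PHP's own tokenizer decide closes the gap. It assumes PHP 8 (for `str_starts_with`) with the default tokenizer extension, and that the upload validator itself runs in PHP.

```php
<?php
// Added example, not from the original page. Compares the naive prefix
// check described above with a check based on PHP's own tokenizer.
// Assumes PHP 8+ (str_starts_with) and the tokenizer extension (on by default).

// Naive filter: rejects only content that begins with the exact lowercase "<?php".
function naiveRejects(string $content): bool
{
    return str_starts_with(ltrim($content), '<?php');
}

// Hardened filter: let the lexer decide. An open tag anywhere in the content
// (T_OPEN_TAG covers "<?php" in any letter case, T_OPEN_TAG_WITH_ECHO covers "<?=")
// means the engine would switch into PHP mode, so the content is rejected.
// A bare "<?" is reported only when short_open_tag is On, which is exactly
// when the engine would execute it, so the check tracks the real runtime.
function lexerRejects(string $content): bool
{
    foreach (token_get_all($content) as $token) {
        if (is_array($token)
            && ($token[0] === T_OPEN_TAG || $token[0] === T_OPEN_TAG_WITH_ECHO)) {
            return true;
        }
    }
    return false;
}

// Constructed samples: the page's variants plus two harmless-looking uploads.
$samples = [
    "<?php system('id');?>",           // original, 21 characters
    "<?pHp system('id');?>",           // Method 1: mixed-case tag
    "<?= system('id');?>",             // Method 2: short echo tag
    "<?=`id`;",                        // 8-character reduction
    "<html><body>hello</body></html>", // benign: no open tag at all
    "<b>x</b><?php echo 1;",           // tag not at the start: a prefix check misses it
];

foreach ($samples as $s) {
    printf("%-34s naive=%-6s lexer=%s\n", $s,
        naiveRejects($s) ? 'reject' : 'allow',
        lexerRejects($s) ? 'reject' : 'allow');
}
```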

Interview Question

It is interesting to see how backticks can execute shell commands. Do backticks bind to the `system` function or to the `shell_exec` function?

Will disabling these two functions prevent backticks from executing? If not, how do you prevent it?

Author


Last updated 11 months ago

Ikonw