Code Execution 03

Bookmarked!

This exercise is one of our challenges on Code Execution

PRO
Tier
Medium
< 1 Hr.
12349

This lab focuses on the PCRE_REPLACE_EVAL modifier in PHP, specifically the /e modifier, which causes the preg_replace function to evaluate the new value as PHP code before performing the substitution. This functionality, although deprecated as of PHP 5.5.0, has historically allowed attackers to execute arbitrary PHP code by manipulating the regular expression pattern.

Through a hands-on example, you will modify a pattern by adding the /e modifier and observe how preg_replace attempts to evaluate the value as a constant. By replacing this with a function call to phpinfo(), you can visualize the result and understand the potential for executing arbitrary commands using the system function. This lab highlights the importance of understanding and preventing such vulnerabilities in PHP applications.

Want to learn more? Get started with PentesterLab Pro! GOPRO