Regex for Easy 0days

Here is a regex I wrote to detect if a PHP code is calling dangerous functions with tainted variables.

/(\$[a-zA-Z0-9]+) ?=[^;]*\$_(GET|POST|REQUEST)[^;]*;.*(shell_exec|system|exec|passthru|eval)\([^\)]*\1[^\)]*\)/gms

5 Likes

Hey man I am quite new how could I utilize this regex to (in a practical way) find possible flaws? (the image is not loading, also a link to a resource where I can learn it is fine). Thanks in advance.

I mean no offense but if it’s a white box-test you wouldn’t need a regex to identify a blatant RCE from passing $_GET/$_POST/$_REQUEST variables into these methods. Still cool though :slight_smile:

@Tyr4n7 yeah definitely! We were hunting bugs in shitty firmware with my buddy. Then we wondered if its possible to use regex that could spot the low hanging fruit. Turns out it is :smile:

@kaerts you could run this regex through a PHP project using a tool like ‘grep’ to find possible bugs.

2 Likes