
Can anyone explain how this gets executed? This is a webshell and the only function I can see is preg_replace. The webshells I usually see are base64 encoded and then just eval()ed but this one uses preg_replace() as the final function.

preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7b1tVxs<<SNIPPED>>Hhkj6Yn/xc='\x29\x29\x29\x3B",".");?>

The code is too long so I posted only a part of the code. You can view the full source here

This part

\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28

is equal to

eval(gzinflate(base64_decode(

but it's still inside the double quotes so it should still be treated as a string, or am I missing something?

kuchi
    You're missing the deprecated modifier `e`, which will call a callback as replacement. – Rizier123 Jul 10 '16 at 18:48
    Possible duplicate of [Can someone explain the /e regex modifier?](http://stackoverflow.com/questions/16986331/can-someone-explain-the-e-regex-modifier) – rjdown Jul 10 '16 at 18:53

1 Answer


The /e is a PCRE modifier (PREG_REPLACE_EVAL), which evaluates the replacement string as PHP before the replacement. As no replacement takes place, it evaluates exactly what you copied. As of PHP 5.5 it triggers a DEPRECATED notice; as of 7.0 it has been removed, due to security issues.

You can find the corresponding documentation about PCRE modifiers here.

Tacsiazuma
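The answer explains why the double-quoted string is executed: with the /e modifier, PHP first resolves the `\xHH` escapes of the replacement (giving `eval(gzinflate(base64_decode('...')));`) and then evaluates that text as PHP code for every match of `/.*/`. When triaging a shell like this you want the next layer without running it. The following script is an added example, not code from the question or the answer: it peels the three layers statically (PHP string escapes, base64, raw DEFLATE, which is what gzinflate() consumes) in Python. `SAMPLE` is a constructed stand-in with a harmless inner payload, because the real payload is snipped in the question; the function names are my own.

```python
import base64
import re
import zlib


def _build_sample() -> str:
    """Constructed stand-in for the webshell in the question (harmless inner payload)."""
    inner = "<?php echo 'hello from inner layer'; ?>"
    # PHP's gzinflate() expects raw DEFLATE data (no zlib/gzip header),
    # so compress with negative wbits to omit the header and checksum.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(inner.encode()) + compressor.flush()
    b64 = base64.b64encode(raw).decode()
    prefix = "eval(gzinflate(base64_decode('"
    suffix = "')));"
    hexed = (
        "".join(f"\\x{ord(c):02X}" for c in prefix)
        + b64
        + "".join(f"\\x{ord(c):02X}" for c in suffix)
    )
    return 'preg_replace("/.*/e","' + hexed + '",".");'


SAMPLE = _build_sample()

# Escapes PHP resolves inside double-quoted strings besides \xHH and octal.
_PHP_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
                       "\\": "\\", '"': '"', "$": "$"}


def php_unescape(s: str) -> str:
    """Resolve PHP double-quoted-string escapes: \\xHH, \\NNN (octal), \\n, \\\\, ..."""
    def repl(m: re.Match) -> str:
        hexv, octv, simple = m.groups()
        if hexv is not None:
            return chr(int(hexv, 16))
        if octv is not None:
            return chr(int(octv, 8))
        # Unknown escapes are kept verbatim, as PHP does.
        return _PHP_SIMPLE_ESCAPES.get(simple, "\\" + simple)
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)", repl, s, flags=re.S)


def extract_replacement(shell: str) -> str:
    """Return the decoded replacement argument of preg_replace("/.../e", "<repl>", ...)."""
    m = re.search(r'preg_replace\s*\(\s*"([^"]*)"\s*,\s*"((?:[^"\\]|\\.)*)"', shell, re.S)
    if not m:
        raise ValueError("no preg_replace() call with a double-quoted replacement found")
    pattern, replacement = m.group(1), m.group(2)
    # Only with the /e modifier is the replacement evaluated as PHP code.
    if not re.search(r"/[a-zA-Z]*e[a-zA-Z]*$", pattern):
        raise ValueError("pattern has no /e modifier; replacement is a plain string")
    return php_unescape(replacement)


def peel_eval_gzinflate_base64(code: str) -> str:
    """Decode eval(gzinflate(base64_decode('...'))); without executing anything."""
    m = re.match(
        r"\s*eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([^']+)'\s*\)\s*\)\s*\)\s*;?\s*$",
        code, re.S,
    )
    if not m:
        raise ValueError("code is not of the form eval(gzinflate(base64_decode('...')));")
    raw = base64.b64decode(m.group(1))
    # wbits=-15: raw DEFLATE stream, matching PHP's gzinflate().
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")


def deobfuscate(shell: str) -> str:
    """Peel the preg_replace(/e) layer, then the eval/gzinflate/base64 layer."""
    stage1 = extract_replacement(shell)
    return peel_eval_gzinflate_base64(stage1)


if __name__ == "__main__":
    print("stage 1:", extract_replacement(SAMPLE)[:40], "...")
    print("stage 2:", deobfuscate(SAMPLE))
```

Run it on the constructed sample and stage 1 prints `eval(gzinflate(base64_decode('...')));`, i.e. the same text the question shows after resolving the `\x` escapes by hand; stage 2 prints the inner PHP. Real shells often nest several such layers, so feed the stage 2 output back through `peel_eval_gzinflate_base64` until the result no longer matches. On PHP 7 and later the original sample simply fails, since the /e modifier was removed and `preg_replace_callback` is the only way to run code per match.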