Avoiding EVAL()
There are a shed-load of ways to “eval()” code without actually calling the eval() function — usually done simply to avoid the use of the dreaded “evil()” function, but often times because the system has eval() disabled using “disable_functions” in php.ini
Here is another simple way to avoid eval() without writing out files to the filesystem etc:
[php]
<?php
$code = ‘<?php echo “Hello World”; ?>;
include(‘data:text/plaintext;base64,’ . base64_encode($code));
?>
[/php]
This uses the new data: stream wrapper (RFC2397) that was introduced with PHP 5.2.0; and while this seems like a risk, first: The “attacker” already has access to the code on your system, or you’re open to injection anyway, second: PHP 5.2 has also fixed the problem with the introduction of the ”allow_url_include” php.ini option.
I just thought it was a neat little streams “hack” I would share; I originally thought to do it using the var stream from PHP’s stream_wrapper_register() documentation, but then Evert Pot posted about creating streams from strings using the data: stream, which led to this final “solution”.
- Davey
BAM! I just unlocked the White Hat cap on @mojolive! http://t.co/GWVUht8R
@dshafik [2 weeks ago]
@rdohms @weierophinney especially here in Florida.
@dshafik [2 weeks ago]
@Arkantoze yeah, but NOT RIGHT OUTSIDE THE FRIGGEN DOOR
@dshafik [2 weeks ago]
@dshafik cool looking spider web!
@Arkantoze [2 weeks ago]
@dshafik Very pretty… and remember, spiders eat other insects…
@weierophinney [2 weeks ago]
















