2

I want to develop code wherein I want to intercept the data being sent to a PHP exploitable function like eval(). However, my code should not edit or touch the code wherein the eval exists in any way.

As an example:

I create a PHP file with my interceptor code and use "require" to call it inside a target PHP page with the eval() (or any other PHP exploitable function). How can that be made possible?

2 Answers

2

First off, all functions in PHP can be used for exploiting the system.

In order to change the behaviour of PHP in this way you need to modify the PHP interpreter itself - specifically you'll need the intercept or runkit PECL (or rewrite the interpreter yourself). Either that or run a translation program to remap references to (your list of "exploitable" functions) to wrapper functions (and then specify these wrappers in an include file).


2 Comments

How would that translation program work exactly to remap references to exploitable functions to wrapper functions? Could you please elaborate? The reason some functions are not exploitable or dangerous is because even in case of receiving unsanitised attack based input, they do not perform any dangerous action. e.g. Print $str; cannot be a sink function (as far as I know) as at most it just displays the string 'str' content. I am more specifically interested in functions that can cause harm or allow a user to gain more knowledge than the system allows for.
"as at most it just displays the string 'str' content" which is enough to steal a session cookie and hijack the session. Translation program? `sed -i 's/eval(/wrap_eval(/g' somefile.php`

0

To me it sounds as if you want to write a PHP extension which can intercept some built-in functions. I have no idea about a good tutorial, so you want to use your favorite search engine yourself. One more tip: xdebug already does something like that for var_dump(), print_r(), etc. So maybe you can check the source and toy around with it. Good luck.

4 Comments

Yes an extension but it has to be in the user space and not inside the PHP core. So I should be able to just use require and get the extension to work. I don't want users to use my version of PHP and have to recompile PHP on their systems.
No need to recompile PHP: Have a look at the xdebug installation guide: xdebug.org/docs/install. This is something that loads alongside PHP.
Ok...but is there nothing possible that works only on the userspace side of things?
Not that I am aware of. Maybe as of PHP 5.3 you can use namespaces to create your own eval function which wraps the built-in eval function and adds logging there. But this is just an idea…
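The translation-program approach from the first answer, done on PHP tokens rather than raw text so that look-alikes inside strings, comments and method calls are left alone. This is an added example, not code from the thread; the `SINKS` list and the `wrap_*` names are assumptions.

```php
<?php
// Added example; wrap_* names and the SINKS list are assumptions, not from the thread.
const SINKS = ['system', 'shell_exec'];
const SKIP = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

// Next token after index $i that is not whitespace or a comment (id or literal char).
function next_significant(array $tokens, int $i)
{
    for ($j = $i + 1; $j < count($tokens); $j++) {
        $id = is_array($tokens[$j]) ? $tokens[$j][0] : $tokens[$j];
        if (!in_array($id, SKIP, true)) {
            return $id;
        }
    }
    return null;
}

// Rewrite eval and direct calls to SINKS so they go through wrap_* functions.
// Strings, comments, method calls and declarations are left untouched.
function rewrite_sinks(string $src): string
{
    $out = '';
    $prev = null; // last significant token seen
    $tokens = token_get_all($src);
    foreach ($tokens as $i => $tok) {
        [$id, $text] = is_array($tok) ? $tok : [$tok, $tok];
        $notCall = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW];
        if ($id === T_EVAL) {
            $text = 'wrap_eval';
        } elseif ($id === T_STRING && in_array(strtolower($text), SINKS, true)
            && next_significant($tokens, $i) === '('
            && !in_array($prev, $notCall, true)) {
            $text = 'wrap_' . strtolower($text);
        }
        $prev = in_array($id, SKIP, true) ? $prev : $id;
        $out .= $text;
    }
    return $out;
}

// Wrappers for the include file: log the argument, then call the real sink.
// Caveat: eval() now runs in wrap_eval()'s scope, not the caller's scope.
function wrap_eval(string $code) { error_log("eval: $code"); return eval($code); }
function wrap_system(string $c) { error_log("system: $c"); return system($c); }
function wrap_shell_exec(string $c) { error_log("shell_exec: $c"); return shell_exec($c); }

// Constructed sample: a real eval, a look-alike in a string, a method call, a real call.
$sample = '<?php $x = eval($_GET["c"]); echo "eval(no)"; $o->system("x"); system($cmd);';
echo rewrite_sinks($sample), "\n";
```

Dynamic calls such as `$f()` or `call_user_func('system', ...)` and fully qualified names like `\system(` (a separate token type in PHP 8) are not rewritten by this pass, so it is a logging aid rather than a complete guard.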
