Bypassing str_replace

by Vince
in Blog
Hits: 1809

According to the documentation:  "str_replaceReplace all occurrences of the search string with the replacement string"

I seem to recall bypassing this some time ago or maybe something similar.  If I recall you could double up on parts, get the replacement to remove parts and end up with what you want.  What you see below came from something else but I pulled it over to my machine because I was trying to figure out if I could get code execution.

We're taking input, we're performing a replacement.  The items in quotes are getting replaced with nothing.  For example, if you were trying to insert php, it wouldn't work because the open <? would get removed as would the closing statement. 

With my modified version, I'm just taking in text, to see what I can do with it.  Let's start off simple:

When we hit submit, we see our Hello:

If we enter in the offensive characters following our Hello Again:

When we submit:

It's all stripped.  Let's rework this as a cross site scripting example and change up the replacements:

In an XSS, we would need to script open and close. 

Starting off with just my name:

We see the welcome message.  Adding the XSS:

When we hit enter, we see that the open and close script tags were remove and we're left with just the alert.

This isn't a comprehensive explanation, it's just a teaser for the concept.  Sometimes, the replacement is case sensitive so if we do this:

We get the alert.  We can also embed the open and close between an open and close.  The partials are not offensive but when the offensive is removed, we can an intact open and close:

And the alert once more!  :)