So, I am studying some PHP security using DVWA (http://www.dvwa.co.uk/). Right now I'm on an exercise where the author tries to teach us to execute commands on vulnerable applications. In this level, it adds a very simple blacklist which removes important characters:
```php
$substitutions = array(
    '&&' => '',
    ';'  => '',
);
```
I obviously can use some other characters to still get code executed (like `|`, `||`, `&`, etc.), but I wanted to know how I'd evade the substitution for the single character `;`. I've seen some examples around which fool the substitution with code like `<scr<script>ipt>`, and I've tried stuff like `;;;`; I also tried to encode in hex and base64 and such, but it didn't work.
Is there a way to evade `str_replace()` when it is looking for a single character? This is PHP 5.5.3.
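As an added illustration (not part of the question or of DVWA's own code), here is the blacklist from the question placed beside an allowlist-based alternative: the blacklist makes one pass and only strips the two listed tokens, so the other separators the question already names pass straight through, whereas validating the value as an IP address and quoting it with `escapeshellarg()` rejects anything that is not a plain address. That the input is a host for a `ping` command, and the sample inputs, are assumptions made for the example.

```php
<?php
// Added example, not the DVWA source. Assumes the user-supplied value is meant
// to be a host handed to a ping command (assumption, not stated in the question).

// The blacklist from the question. str_replace() runs a single pass, so removing
// ';' can never re-create ';' (unlike the <scr<script>ipt> trick, which needs a
// replacement that rebuilds the pattern). Its real weakness is different: every
// separator not on the list ('|', '||', '&', newlines, ...) is left untouched.
function blacklist_filter(string $input): string {
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );
    return str_replace(array_keys($substitutions), array_values($substitutions), $input);
}

// Hardened alternative: accept only what the feature needs (a literal IP
// address) and quote it so the shell receives exactly one argument.
// Returns null instead of a "cleaned" string when the input is not acceptable.
function build_ping_command(string $input): ?string {
    if (filter_var($input, FILTER_VALIDATE_IP) === false) {
        return null; // reject rather than sanitise
    }
    return 'ping -c 4 ' . escapeshellarg($input);
}

// Constructed sample inputs: a legitimate address, the separator the blacklist
// does strip, and one of the separators the question lists as still working.
$samples = array(
    '127.0.0.1',
    '127.0.0.1; echo test',
    '127.0.0.1 | echo test',
);

foreach ($samples as $s) {
    printf("%-26s blacklist -> %-26s allowlist -> %s\n",
        var_export($s, true),
        var_export(blacklist_filter($s), true),
        var_export(build_ping_command($s), true));
}
```

The second and third samples show the difference in behaviour: the blacklist returns a string that still contains a working `|`, while the allowlist returns `null` for both and only builds a command for the bare address.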