Is this code exploitable in any way?
<?
$arg=$_REQUEST['arg'];
preg_replace("/([0-9]+)(.+)/e",'list($var,$var2)=array("$1","$2")',$arg);
echo "$var - $var2";
?>
Is it possible to use special characters or some other method to inject code?
I'm using similar code in some projects and I just want to make sure that it is safe.
Using (.+) with the /e parameter is always exploitable because it allows any language constructions there.
Example exploit code:
$test = new test();
$test->setSuperSecret();
$test->exploitableExpression();

class test
{
    private $mySuperSecretVariable;

    public function exploitableExpression()
    {
        $arg = '1234$this->mySuperSecretVariable';
        preg_replace("/([0-9]+)(.+)/e", 'list($var,$var2)=array("$1","$2")', $arg);
        var_dump($var, $var2);
    }

    public function setSuperSecret()
    {
        $this->mySuperSecretVariable = 'SECRET!';
    }
}
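
A hardened form of the question's script, as an added example that is not part of the original answer: it keeps the same pattern but reads the captures with preg_match instead of evaluating them through /e (deprecated in PHP 5.5 and removed in PHP 7.0). The helper name splitArg and the sample inputs are constructed for illustration.

```php
<?php
// Added example: same split as the question's pattern, without /e.
// splitArg() is a hypothetical helper name, not code from the page.

/**
 * Split "digits + rest" using the question's regex and return the
 * captures as plain data. Returns null when the input is not a
 * string or does not match.
 */
function splitArg($arg): ?array
{
    // $_REQUEST values can be arrays (arg[]=...); accept strings only.
    if (!is_string($arg)) {
        return null;
    }
    // preg_match only fills $m; nothing captured is evaluated as PHP.
    if (preg_match('/([0-9]+)(.+)/', $arg, $m) !== 1) {
        return null;
    }
    return [$m[1], $m[2]];
}

// Constructed inputs, including the string used in the answer above.
$samples = ['1234abc', '1234$this->mySuperSecretVariable', 'no digits', ['x']];

foreach ($samples as $sample) {
    $parts = splitArg($sample);
    if ($parts === null) {
        // The original script would echo undefined variables here.
        echo "no match\n";
        continue;
    }
    [$var, $var2] = $parts;
    // Escape on output: the original script echoes request data into a page.
    echo htmlspecialchars("$var - $var2", ENT_QUOTES, 'UTF-8'), "\n";
}
```

With this version the second sample comes back as the literal text after the digits; the captured group is never interpolated or executed.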