There are a shed-load of ways to “eval()” code without actually calling the eval() function, usually done simply to avoid the use of the dreaded “evil()” function.
Here is another simple way to avoid eval() without writing temporary files out to the filesystem, etc.:
https://gist.github.com/dshafik/9679ca6b44d13d50548a
This uses the data: stream wrapper (see RFC 2397) that was introduced with PHP 5.2.0: the source is base64-encoded into a data: URI and handed straight to include(), which parses it exactly as it would a file on disk. While this seems like a risk, consider two things. First, anyone who can get code into that string already has access to the code on your system, or you are open to injection anyway. Second, PHP 5.2 also introduced the allow_url_include php.ini option, which is Off by default and blocks include() of data: (and the other URL wrappers) unless you explicitly turn it on.
I just thought it was a neat little streams “hack” I would share; I originally thought to do it using the var stream from PHP’s stream_wrapper_register() documentation, but then Evert Pot posted about creating streams from strings using the data: stream, which led to this final “solution”.
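The technique described above, reconstructed as an added example (this is not the gist linked in the post; function names, the `added_square` payload and the `pages/home.php` allow-list entry are all made up for illustration). It feeds PHP source to include() through a base64 data: URI, refuses to run when allow_url_include is Off, and then shows the flip side that matters to a defender: with the wrapper enabled, any include() whose path an attacker controls becomes code execution with nothing ever written to disk, so the hardened form maps the request parameter onto a fixed allow-list instead of passing it to include(). Note that allow_url_include has been deprecated since PHP 7.4 and emits a deprecation notice when enabled.

```php
<?php
// Added example, not code from the original post. Run with:
//   php -d allow_url_include=1 example.php
declare(strict_types=1);

/**
 * Execute a PHP source string without eval() and without a temp file.
 * $code must be a complete PHP file body (opening <?php tag included),
 * because include() parses the stream exactly as it would a file on disk.
 */
function includeFromString(string $code)
{
    // data: is a "URL" wrapper in PHP >= 5.2, so include() of it is gated by
    // allow_url_include (Off by default). Fail loudly rather than letting
    // include() emit a warning and return false.
    if (!filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include is Off; data: includes are blocked');
    }
    // base64 sidesteps URL-encoding of the payload; PHP ignores the MIME type.
    return include 'data://text/plain;base64,' . base64_encode($code);
}

/**
 * The flip side: a "dynamic variable include" that trusts its argument.
 * With allow_url_include=On, $page = 'data://text/plain;base64,...' runs
 * attacker-supplied code with nothing ever touching the filesystem.
 * Constructed to show the risk; do not use.
 */
function dynamicIncludeUnsafe(string $page)
{
    return include $page;
}

/**
 * Hardened form: the request parameter is only ever a key into a fixed
 * allow-list of real files, so no wrapper scheme, absolute path or
 * traversal sequence can reach include().
 */
function dynamicIncludeSafe(string $page, array $allowed)
{
    if (!array_key_exists($page, $allowed)) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    return include $allowed[$page];
}

// Demonstration (hypothetical payloads).
$source = '<?php function added_square(int $n): int { return $n * $n; } return added_square(7);';
var_dump(includeFromString($source));          // int(49)

$payload = 'data://text/plain;base64,' . base64_encode('<?php return "attacker code ran";');
var_dump(dynamicIncludeUnsafe($payload));      // string(17) "attacker code ran"

try {
    dynamicIncludeSafe($payload, ['home' => __DIR__ . '/pages/home.php']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;             // unknown page: data://text/plain;base64,...
}
```

The allow-list is the check that actually closes the hole: disabling allow_url_include blocks data:, http: and the like, but a dynamic include still reaches every local file the web server can read, so validating against known keys rather than filtering out schemes is the right shape for the fix.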
Comments
gasper_k
Nice piece of information, thanks. However, I think either you’re wrong or I understood you wrong, but allow_url_include directive has been available since 5.1.
Davey Shafik
As Johannes pointed out, it was also added in 5.2; it was a typo on my part ;)
gasper_k
Yes, I’ve re-checked it, and it seems it was introduced in 5.2, not in 5.1 as I previously posted.
Johannes Schlüter
allow_url_include is not a 5.3 but a 5.2-introduced feature; data: was not a “URL stream” for one or two versions of that series, but that was fixed soon to avoid troubles like the one above :-)
Andrei
Silly and completely useless. I don’t see a serious use case for this “feature”.
Davey Shafik
I never claimed it was useful. And there certainly is no *serious* use case; I just enjoy bending the language :)
EllisGL
There are a lot of pay scripts that are eval’d base64-encoded... Could use this to not use eval... Still insecure.
Timothy
man… and I thought I wrote sinister code! Thanks for sharing, Davey.
Matt
Lookie:
http://pastebin.com/f6662eb57
eval() is significantly faster than include() – on my computer it’s a difference of about 35%.
Davey Shafik
This is quite obvious; there is a base64_encode() and a base64_decode() involved in my solution. However, benchmarks in userland are inherently flawed.
Žilvinas
On the other hand this shows a nice exploit when eval is disabled. You could easily inject your code to execute by exploiting a bug with dynamic variable includes.