Bypass PHP's str_replace() when replacing a single character

Question

So, I am studying some PHP security using DVWA ( http://www.dvwa.co.uk/ ). Right now I'm on an exercise where the author tries to teach us to execute commands on vulnerable applications. In this level, it adds a very simple blacklist which removes important characters :

$substitutions = array(
        '&&' => '',
        ';' => '',
    ); 

I obviously can use some other characters to still get code executed (like | , || , & , etc.), but I wanted to know how I'd evade the substitution for the single character " ; ". I've seen some examples around which fools the substitution with code like " <scr<script>ipt> " and I've tried stuff like " ;;; "; tried to encode in hex and base64 and such but it didn't work.

Is there a way to evade str_replace() when it is looking for a single character? This is PHP 5.5.3.

Answer 1

I'm not sure why the author is showing how to use a black-list, its too easily subverted, perhaps this idea is shredded further on in the tut. http://en.wikipedia.org/wiki/Secure_input_and_output_handling

Although the example you link to is the 'medium' level, even the 'harder' level does not use PHPs Filter FILTER_VALIDATE_IP

Even a REGEX would do a better job. See half way down the page of: http://www.regular-expressions.info/examples.html

If you are trying to protect against XSS attacks (you mention a mangled script tag) then white-listing is the way to go. Validate against what you expect to get, or abort.

EDIT

Hmmm.. now I see the site is called Damned Vulnerable Web App, perhaps the idea is to teach you all the poor examples ...

Answer 2

I found this page to be useful when I was doing this. It turns out there are other operators which can be used other than ';' to plug your own command in!

The "hard" setting on this is currently causing myself some trouble, I think there may be a workaround using URL encoded characters or something of the sort, but it remains to be seen.