Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

MyBB Admin Panel RCE CVE-2023-41362 - 1260

Sorcery, posted 2 years ago
  • MyBB is a bulletin board application. It has template functionality that ends up running template content through PHP's eval. To keep that safe, it applies a regex that is supposed to strip out anything other than variable access. A good description of what is going on can be found on the DayZeroSec blog.
  • Regex is amazing for finding patterns, but it comes at a cost: ReDoS. If a regex is too computationally expensive, it can eat up all of the memory of a program, because of the backtracking that happens during pattern matching. That is why regex engines commonly put a limit on that recursive behaviour. To test for ReDoS bugs, they used a tool built for that purpose.
  • In PHP, the Perl-compatible regex functions (preg_match, preg_replace, etc.) do not throw an exception when they hit their backtrack limit. Instead, they return null.
  • The calls to preg_match are wrapped in an if statement: if anything malicious is found, return; otherwise, continue. Since null is returned instead of a match result, the check for malicious input is bypassed.
  • How do we trigger this? With a deeply nested payload that forces a lot of backtracking. They went with an eval injection containing a lot of [0] index accesses.
  • Overall, love the post! A seemingly solid verification check was bypassed with a ReDoS attack. Super slick stuff!
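To make the bug class concrete, here is an added example (my own, not MyBB's code and not from the write-up): a simplified template guard in the shape described above, with the vulnerable form and the fail-closed form side by side. The regex, the function names, the inputs and the tiny backtrack limit are all constructed for the demo; note that preg_match() itself signals an engine error with false (preg_replace() uses null), and both are falsy, which is the whole problem.

```php
<?php
// Added example, not MyBB's code. Everything below is constructed.

// Disable PCRE JIT and shrink the backtrack limit so the failure reproduces
// instantly; production has a larger limit, not a different behaviour.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '10000');

// Constructed "forbidden construct" pattern: nested quantifiers over repeated
// [0] index groups. When the closing ';' or ')' is absent, the engine tries
// exponentially many ways to split the chain and exhausts the limit.
const FORBIDDEN = '/(?:(?:\[0\])+)+[;)]/';

// Vulnerable shape: the error result (false) is treated like 0 ("nothing
// forbidden found"), so a ReDoS input sails through the check.
function is_safe_vulnerable(string $tpl): bool
{
    if (preg_match(FORBIDDEN, $tpl)) {
        return false;
    }
    return true;
}

// Hardened shape: distinguish "no match" (0) from "engine failed" (false),
// consult preg_last_error(), and fail closed with a log line for detection.
function is_safe_fixed(string $tpl): bool
{
    $r = preg_match(FORBIDDEN, $tpl);
    if ($r === false || preg_last_error() !== PREG_NO_ERROR) {
        error_log('template guard failed closed: ' . preg_last_error_msg());
        return false;
    }
    return $r === 0;
}

// Constructed inputs: a benign template, an obviously forbidden one, and a
// long [0][0]... chain with no terminator that blows the backtrack limit.
$inputs = [
    'benign'    => '{$user[\'name\']}',
    'forbidden' => '{$x[0][0])}',
    'redos'     => '{$x' . str_repeat('[0]', 40) . '}',
];

foreach ($inputs as $label => $tpl) {
    printf("%-9s vulnerable=%s fixed=%s\n", $label,
        var_export(is_safe_vulnerable($tpl), true),
        var_export(is_safe_fixed($tpl), true));
}
```

The redos input is the one to watch: the vulnerable guard reports it as safe because preg_match() gave up, while the fixed guard rejects it and leaves a PREG_BACKTRACK_LIMIT_ERROR message in the log, which is also a useful signal to alert on.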