7 is too many #6

Open
arxenix opened this issue Jul 31, 2021 · 6 comments

Comments

@arxenix

arxenix commented Jul 31, 2021

You can do it in 5 :)

@arxenix
Author

arxenix commented Jul 31, 2021

Currently being run as a challenge for UIUCTF'21, if you would like to try it: http://phpfuck-fixed.chal.uiuc.tf

@arxenix
Author

arxenix commented Aug 2, 2021

Now that the CTF is officially over: a working charset is (^.9)

Some teams had solutions that were in fact simpler than this (using the same charset), but here is my original approach.

After arbitrary string generation, the rest is based on @splitline's ideas.

How it works

  • 9^99 -> 106
    • use xor to generate numbers
  • (9).(9) -> '99'
    • use . to concat numbers into strings
  • '09'^'1069'^'99' -> '80'
    • xor 2 strings to get a string
  • '80'^0 -> 80
    • (ab)use type juggling to cast a string to an int
  • Using a combination of the above tricks, you can get all of the digits 0-9
  • Can construct any string /[0-9]+/ by concatenating digits
  • Can obtain any number by casting to int
  • Constructing arbitrary strings requires a bit more work...
    • (99999999999...) -> INF
      • 309 9s gives us INF
    • (INF).(9) -> 'INF9'
      • Can now obtain char values in /[a-zA-Z]/ range!
      • e.g. 'INF9'^'00'^'33'^'99' -> 'st'
    • the only primitive we have for initially obtaining strings is concat, which gives us a length-2 string
    • we can generate /[a-z]{2,}|[A-Z]{2,}/ , but getting single-character strings is not possible
  • 'funcname'(param)
    • call functions by simply calling their string name
    • function names are case-insensitive
  • strtok(0) -> false
    • call strtok on a number to get false
    • === ('st'+'rt'+'OK')(0)
  • (9).false -> '9'
    • concat number with false to get a length-1 string
  • 'rw'^'99'^'9' -> 'r'
    • extract first char of any string with xor
  • Can now build arbitrary strings /[a-zA-Z]/
  • 'CHr'(num)
    • generate other characters (e.g. spaces)
  • Can now build any string at all! /.*/
  • str_getcsv("a,b") -> ["a", "b"]
    • create string arrays by parsing a CSV
  • func(...["a", "b"])
    • use spread operator to pass multiple arguments to a function
  • create_function("", "PAYLOAD")()
    • use create_function to create a function w/ arbitrary PHP code and then call it
  • Final payload looks like: 'create_function'(...str_getcsv(',"$PAYLOAD"'))
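
The following is an added example for this thread, not code from the PHPFuck project or from the comment author. The first part feeds the type-juggling primitives listed above through the PHP engine so a reader can confirm why each step behaves as claimed (int xor, bytewise string xor truncated to the shorter operand, numeric-string-to-int coercion, float overflow to INF, false concatenating as an empty string, case-insensitive callable strings). The second part is a hypothetical triage heuristic of my own (function names, thresholds and the two sample inputs are all assumptions) that flags PHP source whose non-whitespace body is drawn from a handful of distinct bytes, which is the signature of a PHPFuck-style alphabet such as (^.9) or ([^.]).

```php
<?php
// Added example (not from the PHPFuck project or the issue author).
// Part 1: verify the primitives from the comment against the real engine.
// Part 2: a hypothetical review heuristic for tiny-alphabet source.

function expect(string $label, mixed $got, mixed $want): void
{
    if ($got !== $want) {
        throw new RuntimeException(sprintf('%s: expected %s, got %s',
            $label, var_export($want, true), var_export($got, true)));
    }
}

// Returns true when every primitive listed in the comment behaves as described.
function primitives_hold(): bool
{
    expect('9^99', 9 ^ 99, 106);                                   // int ^ int is plain bitwise xor
    expect('(9).(9)', (9).(9), '99');                              // concatenating ints yields a string
    expect("'09'^'1069'^'99'", '09' ^ '1069' ^ '99', '80');        // bytewise xor, result as long as the shorter operand
    expect("'80'^0", '80' ^ 0, 80);                                // string ^ int coerces the numeric string to int
    expect('309 nines -> INF', (float) str_repeat('9', 309), INF); // exceeds PHP_FLOAT_MAX, so the float is INF
    expect('(INF).(9)', (INF).(9), 'INF9');                        // INF stringifies as "INF"
    expect("'INF9'^'00'^'33'^'99'", 'INF9' ^ '00' ^ '33' ^ '99', 'st');
    expect('(9).false', (9).false, '9');                           // false concatenates as "", giving a 1-char string
    expect("'rw'^'99'^'9'", 'rw' ^ '99' ^ '9', 'r');               // xor with a 1-byte string keeps only the first byte
    expect("'CHr'(32)", 'CHr'(32), ' ');                           // callable string; function lookup is case-insensitive
    return true;
}

// Number of distinct bytes in the source once the PHP tags and whitespace are removed.
function alphabet_size(string $src): int
{
    $body = preg_replace('/<\?php|\?>|\s+/', '', $src);
    return count(count_chars($body, 1));
}

// Heuristic (assumed thresholds): ordinary PHP uses dozens of distinct characters,
// so a body of at least $minLength bytes drawn from at most $maxDistinct distinct
// bytes deserves a human look.
function looks_charset_obfuscated(string $src, int $maxDistinct = 8, int $minLength = 50): bool
{
    $body = preg_replace('/<\?php|\?>|\s+/', '', $src);
    return strlen($body) >= $minLength && count(count_chars($body, 1)) <= $maxDistinct;
}

// Constructed samples, not real payloads: the second merely repeats a pattern over the (^.9) alphabet.
$benign = '<?php function greet(string $name): string { return "Hello, " . htmlspecialchars($name); }';
$tinyAlphabet = '<?php ' . str_repeat('((9^9).(9).9)^', 20);

primitives_hold();
printf("benign: %d distinct bytes, flagged=%s\n",
    alphabet_size($benign), var_export(looks_charset_obfuscated($benign), true));
printf("tiny:   %d distinct bytes, flagged=%s\n",
    alphabet_size($tinyAlphabet), var_export(looks_charset_obfuscated($tinyAlphabet), true));
```

Two caveats for anyone assessing the risk in their own environment: the chain's final sink, create_function, was deprecated in PHP 7.2 and removed in 8.0, so the payload as written only executes on 7.4 and earlier; and the alphabet heuristic is a triage signal rather than a detector, since it will also fire on some generated or minified code and says nothing about what the flagged source does.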

@splitline
Owner

Cool, I only knew a 6-charset trick before, nice work!

@lexsd6

lexsd6 commented Sep 3, 2021

Excuse me, can you share which six characters? I'm interested in it

@arxenix
Author

arxenix commented Sep 3, 2021

@lexsd6 See my above comment for the charset and explanation. You can do it with only 5 characters.

@lebr0nli

lebr0nli commented Sep 5, 2021

Excuse me, can you share which six characters? I'm interested in it

@lexsd6
You can use ([^.]) to do it.
https://github.com/lebr0nli/PHPFun
(Ideas and code are inspired by and based on PHPFuck and jsfuck :p)
