This repository has been archived by the owner on May 14, 2020. It is now read-only.

PHP function name bypasses #1274

Closed
lifeforms opened this issue Dec 30, 2018 · 5 comments

Comments

@lifeforms
Contributor

lifeforms commented Dec 30, 2018

In PHP code, functions are called like system('uname'), which triggers our PHP function names blacklist. However, PHP functions can also be called as follows:

# as made famous by https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
(system)('uname');         # triggers 942370 by accident
(sy.(st).em)('uname');
(string)"system"('uname');

# some others
define('x', 'sys' . 'tem');
(x)/* comment */('uname');

$y = 'sys'.'tem';
($y)('uname');

define('z', [['sys' .'tem']]);
(z)[0][0]('uname');

Can we block these patterns, for instance with a regular expression?
This would probably be in a higher paranoia level.

@lifeforms lifeforms changed the title PHP function name bypass PHP function name bypasses Dec 30, 2018
@theMiddleBlue
Contributor

I think the idea in rule 942430 of matching an anomalous number of special chars is a good way to block this kind of pattern. Probably just for []()"'. could be enough.

define('z', [['sys' .'tem']]);
(z)[0][0]('uname');

I didn't think about this, cool!

@spartantri
Contributor

We will catch it as excessive non-word chars and things like that, but not properly classify it as a PHP injection bypass attempt. Does somebody know how to write transforms? It would be really nice to have a PHP equivalent, t:phpdecode, of the t:cmdline functionality for bash, as there will be a lot of possible combinations of this.

@theMiddleBlue
Contributor

it would be really nice to have the php equivalent t:phpdecode functionality to that of t:cmdline for bash

Yeah! It would be nice to have something that executes string concatenation syntaxes like (sy.(st).e."\x6d") into system.
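The two ideas in this thread, a 942430-style count of the characters []()"'. (theMiddleBlue) and a phpdecode-like transform that folds concatenation, casts, comments, define()d constants and variable indirection back into a plain function name before the blacklist check (spartantri, theMiddleBlue), as an added Python example. This is not CRS code and not a ModSecurity transform; the function list is a short stand-in for the real CRS data file, the regexes are an assumption about which PHP syntaxes to fold, and the sample payloads are the issue's own bypasses plus one constructed benign line.

```python
import re

# Assumption: a short stand-in for the CRS PHP function-name list; the real
# data file is far longer. Order does not matter because of the \b anchors.
HIGH_RISK_FUNCTIONS = ("exec", "passthru", "shell_exec", "system")
FUNCTION_RE = re.compile(r"\b(" + "|".join(HIGH_RISK_FUNCTIONS) + r")\b")

# The characters theMiddleBlue proposed to count, 942430-style.
SPECIAL_CHARS = frozenset("[]()\"'.")

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)        # /* comment */
CAST_RE = re.compile(r"\(\s*string\s*\)")          # (string) cast
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")        # "\x6d" escapes
QUOTE_RE = re.compile(r"""(["'])([^"']*)\1""")     # 'abc' or "abc" -> abc
# (word) not preceded by an identifier char, ']' or ')' is a parenthesised
# callee such as (system)(...), not an argument list such as system(uname).
PAREN_RE = re.compile(r"(?<![\w\]\)])\(\s*(\w+)\s*\)")
CONCAT_RE = re.compile(r"(\w+)\s*\.\s*(\w+)")      # sys . tem -> system
DEFINE_RE = re.compile(r"define\(\s*(\w+)\s*,\s*(.+?)\s*\)\s*;")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(.+?)\s*;")


def special_char_count(payload: str) -> int:
    """942430-style anomaly score: number of []()"'. characters in the payload."""
    return sum(1 for c in payload if c in SPECIAL_CHARS)


def normalize_php(payload: str, max_rounds: int = 10) -> str:
    """Fold the call-syntax tricks from the issue back into plain identifiers."""
    s = COMMENT_RE.sub("", payload)
    s = CAST_RE.sub("", s)
    # Decode \xNN everywhere, not only inside double quotes: for a detector,
    # over-normalising is the safe direction (a false positive, never a miss).
    s = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = QUOTE_RE.sub(r"\2", s)
    for _ in range(max_rounds):                    # iterate to a fixpoint, capped
        before = s
        s = PAREN_RE.sub(r"\1", s)
        s = CONCAT_RE.sub(r"\1\2", s)
        # Inline define()d constants and simple "$var = ...;" assignments.
        aliases = dict(DEFINE_RE.findall(s))
        aliases.update(("$" + name, value) for name, value in ASSIGN_RE.findall(s))
        for name, value in aliases.items():
            s = re.sub(r"(?<!\w)" + re.escape(name) + r"\b",
                       lambda m, v=value: v, s)
        if s == before:
            break
    return s


def detect_php_function(payload: str):
    """Return the first high-risk function name visible after normalisation, else None."""
    m = FUNCTION_RE.search(normalize_php(payload))
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed samples: the bypasses quoted in the issue plus one benign line.
    samples = [
        "system('uname')",
        "(sy.(st).em)('uname')",
        "(string)\"system\"('uname')",
        r'(sy.(st).e."\x6d")',
        "define('x', 'sys' . 'tem');\n(x)/* comment */('uname');",
        "$y = 'sys'.'tem';\n($y)('uname')",
        "define('z', [['sys' .'tem']]);\n(z)[0][0]('uname');",
        'echo "hello world";',
    ]
    for sample in samples:
        print(f"{special_char_count(sample):2d} special chars, "
              f"function={detect_php_function(sample)!r}: {sample!r}")
```

Run as is, every bypass from the issue normalises to a string containing system, while the benign line yields no match. The design choice is deliberate: a transform used before a blacklist check should over-normalise (decode \xNN in single-quoted strings too, join any a.b pair) because that direction only costs false positives, whereas a transform that is too strict gives a miss. The special-char count is the cheap complement for the cases a normaliser does not fold, such as the nested-array constant; the threshold at which it should raise the anomaly score is a tuning decision the thread leaves open.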

@fgsch
Contributor

fgsch commented Mar 8, 2019

Is this resolved by #1294? Can we close it?

@dune73
Contributor

dune73 commented Mar 8, 2019

Yes, @theMiddleBlue covered this in #1294. So this is done. Closing now. Please reopen if I'm wrong.
