What is {${phpinfo()}} called? (Remote Command Execution related)

I hope someone can answer this for me as I've been fairly curious about it for quite some time, haven't seemed to be able to obtain an answer though. However, I'm sure someone here will be able to as there are some very intelligent people here.

Now, to the question. I'll be using a Remote Command Execution vulnerability as an example.

<?php echo preg_replace('/(.*)/e', 'strtoupper("\\1")', $argv[1]); ?>

To exploit this the attacker would simply input {${phpinfo()}} for example. My questions are as follows:

  1. What are the braces {} for and why does it look like a variable?
  2. Does it have a name of some kind? I don't believe it's a variable function since they're different, no?

Thank you!

user1488335 asked Sep 28 '12 08:09


1 Answer

This is Complex (curly) syntax.

Functions, method calls, static class variables, and class constants inside {$} work since PHP 5. However, the value accessed will be interpreted as the name of a variable in the scope in which the string is defined. Using single curly braces ({}) will not work for accessing the return values of functions or methods or the values of class constants or static class variables.

So, for a simple variable, single {} will work, like "{$foo}", but phpinfo() is a function; when you need to call it, you need two {}, as in your example "{${phpinfo()}}", which will call the phpinfo() function.

And this is why the e modifier is discouraged; for example, imagine this

{${eval($_GET['php_code'])}}, which gives the attacker the ability to execute arbitrary PHP code and as such gives him nearly complete access to your server.

To prevent this, use preg_replace_callback() instead.

xdazz answered Sep 20 '22 13:09
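The following is an added example, not code from the question or the answer above. It shows the two things the answer describes: how the complex (curly) syntax makes "{${func()}}" call func() during string interpolation, and how the preg_replace_callback() rewrite keeps the same uppercase behaviour without ever treating input as code. The function names pick_name() and upper_safe() and the sample input string are my own constructions.

```php
<?php
// Added example; not code from the question or the answer.
// pick_name() and upper_safe() are hypothetical names; the sample input is constructed.

// (1) Simple vs. complex curly syntax in a double-quoted string.
$foo = 'bar';
$bar = 'baz';
echo "{$foo}\n";     // simple syntax: interpolates $foo -> "bar"
echo "{${$foo}}\n";  // complex syntax: ${$foo} is a variable variable, reads $bar -> "baz"

// Any expression may appear inside ${...}; it is evaluated and its result is
// used as the *name* of the variable to interpolate. The expression therefore
// runs for its side effects whether or not a variable with that name exists.
function pick_name(): string
{
    return 'bar';
}
echo "{${pick_name()}}\n"; // calls pick_name(), then interpolates $bar -> "baz"
// This is what happens with "{${phpinfo()}}": phpinfo() runs and prints its
// report; the string then tries to interpolate a variable named after
// phpinfo()'s return value, which does not exist and only produces a warning.
// The side effect has already happened by then.

// (2) Why the /e form is dangerous and how preg_replace_callback() fixes it.
// With /e, preg_replace() took the replacement 'strtoupper("\\1")', substituted
// the captured text for \1, and eval'd the result as PHP. Attacker input thus
// landed inside a double-quoted PHP string literal, where the curly syntax
// above is live. The /e modifier was deprecated in PHP 5.5 and removed in 7.0.
// With a callback there is no string-to-code step: the match is handed to an
// ordinary function as data, so braces and dollar signs are just characters.
function upper_safe(string $input): string
{
    return preg_replace_callback(
        '/(.*)/',
        static function (array $m): string {
            return strtoupper($m[1]); // $m[1] is plain text, never evaluated
        },
        $input
    );
}

$untrusted = '{${phpinfo()}}'; // constructed sample, shaped like the payload discussed above
echo upper_safe($untrusted) . "\n"; // prints {${PHPINFO()}} and nothing else
```

Run it with `php example.php`: the first block prints bar, baz, baz, demonstrating that the expression inside ${...} is evaluated and then used as a variable name; the last line prints the braces and the word PHPINFO in upper case, because the callback receives the matched text as a value rather than as source code.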