
Hex string passed to PHP script in $_REQUEST array isn't being interpreted?


Here's a really simple example:

$val = "";

if(array_key_exists("param", $_REQUEST)) {
    $val = $_REQUEST["param"];
}

print "echo \"$val\"";
passthru("echo \"$val\"");

I'm expecting the passthru() to print A if I pass test.php?param=\x41. However, it doesn't look like PHP is interpreting the escape sequence and passing "\x41" to passthru. I know that the \xAA shorthand only works on double quoted strings in PHP, but that condition should be satisfied in the example above. Does reading a variable out of $_REQUEST modify anything?


Solution

  • Escape sequences aren't expanded in strings; they're only expanded in string literals in code.

    The shell command printf will process escape sequences in its format string argument, so you can do:

    passthru("printf '$val'");
    

    You can also use a shell string quoted with $'' to process escape sequences.

    passthru("echo \$'$val'");
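
An added example, not part of the original answer: both commands above interpolate `$val` into the shell command line, so quote characters or other shell syntax in the request parameter are parsed by the shell rather than printed. This sketch decodes the `\xNN` sequences in PHP and passes the result through `escapeshellarg()`, which also removes any dependence on the shell's `printf` or `$''` support. The helper name `decode_hex_escapes`, the sample inputs and a POSIX shell are assumptions.

```php
<?php
// Added example. decode_hex_escapes() is a hypothetical helper name,
// not a PHP built-in. Assumes passthru() runs a POSIX shell.

/**
 * Expand only \xNN sequences (one or two hex digits, as in PHP
 * double-quoted literals). Other backslash sequences are left as-is.
 */
function decode_hex_escapes(string $raw): string
{
    return preg_replace_callback(
        '/\\\\x([0-9A-Fa-f]{1,2})/',
        static function (array $m): string {
            return chr(hexdec($m[1]));
        },
        $raw
    );
}

// Constructed sample inputs; in the question the value comes from
// $_REQUEST["param"]. Single-quoted so PHP itself expands nothing.
$samples = [
    '\x41',             // decodes to: A
    'a\x42c',           // decodes to: aBc
    'it\'s "\x43"',     // quotes must reach printf as data
    'cost: $HOME \x44', // $HOME must not be expanded by the shell
    'nul \x00 byte',    // rejected below
];

foreach ($samples as $raw) {
    $decoded = decode_hex_escapes($raw);

    // escapeshellarg() refuses strings containing NUL bytes, and a
    // command-line argument cannot carry one anyway, so reject early.
    if (strpos($decoded, "\0") !== false) {
        fwrite(STDERR, "rejected: input decodes to a NUL byte\n");
        continue;
    }

    // Fixed format string; the request data is a separate, quoted
    // argument, so the shell never sees it as syntax and printf never
    // treats it as a format.
    passthru("printf '%s\\n' " . escapeshellarg($decoded));
}
```

If the goal is only to output the decoded bytes, `echo decode_hex_escapes($val);` in PHP avoids the shell entirely.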