i PHP code injection – All things in moderation

PHP code injection

Introduction

Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data.

Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.

Example

This example server use PHP eval() function:
– The eval() function evaluates a string as PHP code. It’s accepts a string of PHP code to be executed.

Consider folowing url:

http://192.168.223.128/bWAPP/phpi.php?message=test

In this example server recieve message from url request client and send back to client using eval() function.

 <?php @eval ("echo " . $_REQUEST["message"] . ";");?>

As there is no input validation, the code above is vulnerable to a Code Injection attack. Lets check by request with parameter message=test;phpinfo();

Sample output:

With exploiting this bug, an attacker can execute system command. For example.
message=test;system(‘ls -la’);

Sample output:

Leave a Reply