1. We have moved from vBulletin to XenForo and you are viewing the site in the middle of the move. Though the functional aspect of everything is working fine, we are still working on other changes including the new design on Xenforo.
    Dismiss Notice

Understanding Arbitrary Eval Code Injection Vulnerabilities

Discussion in 'Ethical hacking Tips' started by lionaneesh, Jul 31, 2011.

  1. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    Arbitrary Code Injection Vulnerability is a type of vulnerability that occurs in web applications if the input provided is not successfully sanitized or filtered.
    Arbitrary means random without any reason or system, as the name suggests Arbitrary Code Injection allows the attacker to execute his specified code on the victim Host and which can further lead to a security breach , data leak and Unauthorized access.

    The aim of this tutorial is to teach you what these vulnerabilities are and how they can be exploited.
    There are numerous ways to inject code in PHP, but for the scope of this tutorial we’ll only concentrate on exec() code injection ,

    Now that we know something about these kinds of vulnerabilities let’s have a look on a piece of vulnerable script.


    Proof of Concept



    For demonstrating the Attack I have created a PHP Vulnerable script which simply inputs some data and from the user and outputs (using eval() ) that data without sanitizing or filtering.

    Code_execution.php
    Code:
      <?php
       
      /**
       * @author lionaneesh
       * @copyright 2011
       * @page code_injection.php
       */
       
      // If the upload request has been made , Upload the file
       
      $output = "";
       
      if (isset($_POST['id']))
      {
            
            eval('$output = ' . $_POST['id'] . ';');
       
      }
       
      ?>
       
      <html>
       
      <head>
       
          <title>Welcome to Vulnerable Apps</title>
       
      </head>
       
      <body>
       
      <h1>Arbitrary Code Injection ( POC )</h1>
      <hr />
       
      <p>Hey all this is a sample php script to Input a ID number and print some output , This script doesn't contains sanitizing or filtering code which makes it prone to Arbitrary Code Injection vulnerability. </p>
       
      <hr />
      <h2>Input</h2>
      <hr />
       
      <table>
      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
          <tr>
          
              <td width="100">Input</td>
              <td width="380"><input type="text" name="id"/></td>
              <td><input type="submit" name="submit" class="own" value="Submit"/></td>
          
          </tr>
      </form>
      </table>
      <?php
      echo "<b>You  entered " . $output . " !! </b>";
      ?>
       
      </body>
       
      </html> 
    In the above code there is an insecure way of executing eval function in PHP. The eval execution above assigns the value of the $_POST[‘id ’] to $output variable without even checking or sanitizing the input. This is a common way of how these vulnerabilities occurs in web applications.


    How to exploit it



    These vulnerabilities are yet easier to exploit. To these vulnerabilities an attacker can simply provide some php code as input and the script will go and execute it blindly. The process is made clearer in the following pictures.

    1. Go to the Link

    [​IMG]

    2. Provide the Desired code to execute (PHP Code)

    [​IMG]

    3. Output Received

    [​IMG]

    That's all for this tutorial stay tuned for more.
     

Share This Page