Understanding Arbitrary Eval Code Injection Vulnerabilities
Arbitrary Code Injection Vulnerability is a type of vulnerability that occurs in web applications if the input provided is not successfully sanitized or filtered.
Arbitrary means random without any reason or system, as the name suggests Arbitrary Code Injection allows the attacker to execute his specified code on the victim Host and which can further lead to a security breach , data leak and Unauthorized access.
The aim of this tutorial is to teach you what these vulnerabilities are and how they can be exploited.
There are numerous ways to inject code in PHP, but for the scope of this tutorial we’ll only concentrate on exec() code injection ,
Now that we know something about these kinds of vulnerabilities let’s have a look on a piece of vulnerable script.
For demonstrating the Attack I have created a PHP Vulnerable script which simply inputs some data and from the user and outputs (using eval() ) that data without sanitizing or filtering.
These vulnerabilities are yet easier to exploit. To these vulnerabilities an attacker can simply provide some php code as input and the script will go and execute it blindly. The process is made clearer in the following pictures.
1. Go to the Link
2. Provide the Desired code to execute (PHP Code)
3. Output Received
That's all for this tutorial stay tuned for more.
|All times are GMT +5.5. The time now is 18:00.|