Go4Expert - Understanding Arbitrary Eval Code Injection Vulnerabilities

Arbitrary Code Injection Vulnerability is a type of vulnerability that occurs in web applications if the input provided is not successfully sanitized or filtered.
Arbitrary means random without any reason or system, as the name suggests Arbitrary Code Injection allows the attacker to execute his specified code on the victim Host and which can further lead to a security breach , data leak and Unauthorized access.

The aim of this tutorial is to teach you what these vulnerabilities are and how they can be exploited.
There are numerous ways to inject code in PHP, but for the scope of this tutorial we’ll only concentrate on exec() code injection ,

Now that we know something about these kinds of vulnerabilities let’s have a look on a piece of vulnerable script.

Proof of Concept

For demonstrating the Attack I have created a PHP Vulnerable script which simply inputs some data and from the user and outputs (using eval() ) that data without sanitizing or filtering.

Code_execution.php

Code:

  <?php

   

  /**

   * @author lionaneesh

   * @copyright 2011

   * @page code_injection.php

   */

   

  // If the upload request has been made , Upload the file

   

  $output = "";

   

  if (isset($_POST['id']))

  {

        

        eval('$output = ' . $_POST['id'] . ';');

   

  }

   

  ?>

   

  <html>

   

  <head>

   

      <title>Welcome to Vulnerable Apps</title>

   

  </head>

   

  <body>

   

  <h1>Arbitrary Code Injection ( POC )</h1>

  <hr />

   

  <p>Hey all this is a sample php script to Input a ID number and print some output , This script doesn't contains sanitizing or filtering code which makes it prone to Arbitrary Code Injection vulnerability. </p>

   

  <hr />

  <h2>Input</h2>

  <hr />

   

  <table>

  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">

      <tr>

      

          <td width="100">Input</td>

          <td width="380"><input type="text" name="id"/></td>

          <td><input type="submit" name="submit" class="own" value="Submit"/></td>

      

      </tr>

  </form>

  </table>

  <?php

  echo "<b>You  entered " . $output . " !! </b>";

  ?>

   

  </body>

   

  </html>

In the above code there is an insecure way of executing eval function in PHP. The eval execution above assigns the value of the $_POST[‘id ’] to $output variable without even checking or sanitizing the input. This is a common way of how these vulnerabilities occurs in web applications.

How to exploit it

These vulnerabilities are yet easier to exploit. To these vulnerabilities an attacker can simply provide some php code as input and the script will go and execute it blindly. The process is made clearer in the following pictures.

1. Go to the Link

http://imgs.g4estatic.com/code-injec...ies/inject.png

2. Provide the Desired code to execute (PHP Code)

http://imgs.g4estatic.com/code-injec...es/inject2.png

3. Output Received

http://imgs.g4estatic.com/code-injec...es/inject3.png

That's all for this tutorial stay tuned for more.