Understanding Arbitrary Eval Code Injection Vulnerabilities

Discussion in 'Ethical hacking Tips' started by lionaneesh, Jul 31, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Mar 21, 2010
    Likes Received:
    Trophy Points:
    Arbitrary Code Injection Vulnerability is a type of vulnerability that occurs in web applications if the input provided is not successfully sanitized or filtered.
    Arbitrary means random without any reason or system, as the name suggests Arbitrary Code Injection allows the attacker to execute his specified code on the victim Host and which can further lead to a security breach , data leak and Unauthorized access.

    The aim of this tutorial is to teach you what these vulnerabilities are and how they can be exploited.
    There are numerous ways to inject code in PHP, but for the scope of this tutorial we’ll only concentrate on exec() code injection ,

    Now that we know something about these kinds of vulnerabilities let’s have a look on a piece of vulnerable script.

    Proof of Concept

    For demonstrating the Attack I have created a PHP Vulnerable script which simply inputs some data and from the user and outputs (using eval() ) that data without sanitizing or filtering.

       * @author lionaneesh
       * @copyright 2011
       * @page code_injection.php
      // If the upload request has been made , Upload the file
      $output = "";
      if (isset($_POST['id']))
            eval('$output = ' . $_POST['id'] . ';');
          <title>Welcome to Vulnerable Apps</title>
      <h1>Arbitrary Code Injection ( POC )</h1>
      <hr />
      <p>Hey all this is a sample php script to Input a ID number and print some output , This script doesn't contains sanitizing or filtering code which makes it prone to Arbitrary Code Injection vulnerability. </p>
      <hr />
      <hr />
      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
              <td width="100">Input</td>
              <td width="380"><input type="text" name="id"/></td>
              <td><input type="submit" name="submit" class="own" value="Submit"/></td>
      echo "<b>You  entered " . $output . " !! </b>";
    In the above code there is an insecure way of executing eval function in PHP. The eval execution above assigns the value of the $_POST[‘id ’] to $output variable without even checking or sanitizing the input. This is a common way of how these vulnerabilities occurs in web applications.

    How to exploit it

    These vulnerabilities are yet easier to exploit. To these vulnerabilities an attacker can simply provide some php code as input and the script will go and execute it blindly. The process is made clearer in the following pictures.

    1. Go to the Link


    2. Provide the Desired code to execute (PHP Code)


    3. Output Received


    That's all for this tutorial stay tuned for more.
    Last edited by a moderator: Jan 21, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice