Pentestlab--Web for Pentester - Code Injection
Web for Pentester: This exercise is a set of the most common web vulnerabilities.
Pentester lab: Code executions come from a lack of filtering and/or escaping of user-controlled data. When you are exploiting a code injection, you will need to inject code within the information you are sending to the application. For example, if you want to run the command ls, you will need to send system(“ls”) to the application since it is a PHP application.
The developer uses the function eval to echo the name. However, the developer doesn't filter the input passed to eval. By using the concatenation operator ., I can add code after the input and use # to comment out the rest of the code. The payload hacker".system('uname -a');# needs to be URL encoded.
The function usort is often used with the function create_function to dynamically generate the “sorting” function, based on user-controlled information. If the web application lacks potent filtering and validation, this can lead to code execution.
We talked earlier about regular expression modifiers with multi-line regular expressions. Another very dangerous modifier exists in PHP: PCRE_REPLACE_EVAL (/e). This modifier causes the function preg_replace to evaluate the replacement value as PHP code before performing the substitution.
This example is based on the function assert. When used incorrectly, this function will evaluate the value received. This behaviour can be used to gain code execution.
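The four sinks discussed above (eval with concatenation, usort with create_function, preg_replace with /e, and assert on a string), each shown next to a version that removes the dynamic code path. This is an added example, not the exercise's own source; the function and parameter names ($name, $col, $pattern, $value) and the allow-listed column names are assumptions.

```php
<?php
// Added example (not the Pentester Lab source). Each *_vulnerable function lets a
// user-controlled string become PHP source; each *_fixed function treats it as data.

// 1. eval() with string concatenation. A double quote in $name closes the literal,
//    so hacker".system('uname -a');# runs the call and comments out the trailing ";
function greet_vulnerable(string $name): string {
    eval('$out = "Hello ' . $name . '";');
    return $out;
}
//    Fixed: there is nothing to evaluate; concatenate and encode for HTML output.
function greet_fixed(string $name): string {
    return 'Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// 2. usort() with create_function() built from the requested column (create_function
//    was removed in PHP 8; the string $col is spliced straight into the function body).
function sort_vulnerable(array $rows, string $col): array {
    usort($rows, create_function('$a,$b',
        'return strcmp($a["' . $col . '"], $b["' . $col . '"]);'));
    return $rows;
}
//    Fixed: allow-list the column and capture it in a closure; no source text is built.
function sort_fixed(array $rows, string $col): array {
    $allowed = ['id', 'name', 'created'];          // assumed column names
    if (!in_array($col, $allowed, true)) {
        $col = 'id';
    }
    usort($rows, fn($a, $b) => strcmp((string)$a[$col], (string)$b[$col]));
    return $rows;
}

// 3. preg_replace() with a user-controlled pattern: a caller can append the /e
//    modifier (PHP 5 only) and $new is then evaluated as PHP for every match.
function replace_vulnerable(string $pattern, string $new, string $base): string {
    return preg_replace($pattern, $new, $base);
}
//    Fixed: the pattern is fixed server-side and the replacement is a real callback.
function replace_fixed(string $new, string $base): string {
    return preg_replace_callback('/\bfoo\b/', fn($m) => $new, $base);  // assumed pattern
}

// 4. assert() given a string evaluates it as PHP (removed in PHP 8); $value is code.
function check_vulnerable(string $value): void {
    assert('strpos("' . $value . '", "..") === false');
}
//    Fixed: perform the check directly and return a boolean; assert() never sees input.
function check_fixed(string $value): bool {
    return strpos($value, '..') === false;
}
```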