Code injection is a vulnerability caused by executing invalid information. An attacker can introduce code into the vulnerable computer program through injection. The injected code can change the course of execution. A successful code injection can be disastrous for the server. The server that fails to properly validate user data can result in Code Injection vulnerability. Attackers can inject code into a vulnerable computer program and change the course of execution. If an attacker can inject code into an application and if that application executes the code, this vulnerability can cause code injection.
In a web application using PHP, use eval() function to pass it untrusted data.
In the above code, an attacker can easily get the phpinfo() function by requesting a URL.
The above link will return the version of PHP in that application uses. Also, the attacker can run the system commands.
The id command will reveal all the information about the current user. An attacker can also specify the name of another user to get information about other users.
Using this vulnerability, an attacker can:-
Beagle recommends the following fixes:-