Back

PHP code injection

By
Rejah Rehim
Published on
02 Jul 2018
2 min read

What is PHP code injection?

Code injection is an injection technique to exploit a vulnerability that is caused by processing invalid information. An attacker can introduce code into the vulnerable computer program.

The resultant will change the course of execution. Successful code injection can be disastrous for the server.

The server that fails to validate user data can result in Code Injection vulnerabilities properly. Attackers can inject code into a vulnerable computer program and change the course of execution.

There are servers having vulnerabilities that can lead to PHP code injection. It allows an attacker to inject custom code into the server. This vulnerability is encountered when an attacker can control all parts of an input string. The attacker can feed the input string into an eval function call. The eval function will execute the statement as a code.

Example

When a developer uses the PHP eval() function, an attacker has the potential to modify and inject code into the application.

        //The URL to access this https://www.example.beaglesecurity.com/index.php?arg=1
        $myvar = "varname";
        $x = $_GET['arg'];
        eval("\$myvar = \$x;");
        Run on IDE

In this web application, there is no input validation.

https://www.example.beaglesecurity.com/index.php?arg=1; phpinfo()

The above URL will show all the info about the PHP version.

An attacker can execute system commands by requesting the below URL.

https://www.example.beaglesecurity.com/index.php?arg=1; system(‘id’)

The above URL will give the users all the processes running in the server.

        uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impact of PHP code injection

The impact include:-

  • Data loss

  • Data corruption

  • Lack of accountability

  • Denial of access attacks

  • Complete host takeover

Precaution against PHP code injection

Beagle Security recommends to the following fixes:-

  • Properly sanitise the user input.

  • Properly validate the input variables.

  • Create a whitelist of all the acceptable inputs specific to the application.

  • During the input validation process, consider all required properties like length, type of input, missing or extra input and many more.

  • Make sure to check invalid characters.

  • Try to set up all the page files in a separate directory.

  • For recreating desired functionalities, try to implement using library calls rather than using external processes.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.
Product tour
Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.
Product tour