Code injection is an injection technique to exploit a vulnerability that is caused by processing invalid information. An attacker can introduce code into the vulnerable computer program. The resultant will change the course of execution. Successful code injection can be disastrous for the server. The server that fails to validate user data can result in Code Injection vulnerabilities properly. Attackers can inject code into a vulnerable computer program and change the course of execution.
There are servers having vulnerabilities that can lead to PHP code injection. It allows an attacker to inject custom code into the server. This vulnerability is encountered when an attacker can control all parts of an input string. The attacker can feed the input string into an eval function call. The eval function will execute the statement as a code.
When a developer uses the PHP eval() function, an attacker has the potential to modify and inject code into the application.
In this web application, there is no input validation.
The above URL will show all the info about the PHP version.
An attacker can execute system commands by requesting the below URL.
The above URL will give the users all the processes running in the server.
The impact include:-
Beagle recommends to the following fixes:-