RCE allows an attacker to run their own code on a remote machine over the network. In PHP applications it usually results from flaws that let user input reach a dangerous sink: code evaluation, file inclusion, shell execution, or unserialization.
The eval() function in PHP evaluates a string as PHP code. If that string is built from user input, the attacker's input is executed as PHP on the server.

```php
$code = $_GET['code'];
eval($code);
```

Here, whatever PHP code an attacker passes in the code parameter of the URL is executed by the server.
The include and require statements (and their _once variants) pull another file into the executing script. If the file name comes from user input without validation, the attacker chooses what gets included: a local file they control, or a remote one when the allow_url_include setting is enabled.

```php
$file = $_GET['file'];
include($file . '.php');
```

An attacker could include a file such as `http://malicious.com/malicious.php` by passing `http://malicious.com/malicious` in the file parameter (the code appends `.php`), provided allow_url_include is on. With it off, the same parameter still reaches local `.php` files through `../` sequences.
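As an added example, not code from the original page, the include-by-parameter pattern above next to an allow-list version. The page names, the pages/ directory and the sample inputs are hypothetical.

```php
<?php
// Added example (not from the original page): hardening include($file . '.php').
// Page names, the pages/ directory and the sample inputs are constructed for the demo.

// Vulnerable form from the text: whatever arrives in ?file= becomes an include path.
// With allow_url_include=On a URL is fetched and executed; with it off, ../ sequences
// still reach any local file whose name ends in .php.
function vulnerableInclude(string $file): void
{
    include($file . '.php');
}

// Hardened form: the parameter selects from a fixed set and is never used as a path.
const PAGES = ['home', 'about', 'contact'];

function resolvePage(string $name): ?string
{
    if (!in_array($name, PAGES, true)) {   // strict comparison, exact match only
        return null;
    }
    return __DIR__ . '/pages/' . $name . '.php';
}

function safeInclude(string $name): void
{
    $path = resolvePage($name);
    if ($path === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
}

// Constructed inputs: only an exact allow-listed name resolves to a path.
$samples = ['home', '../../etc/passwd', 'http://malicious.com/malicious', 'home/'];
foreach ($samples as $in) {
    printf("%-32s => %s\n", $in, resolvePage($in) ?? 'rejected');
}
```

The point of the allow-list is that the request parameter never becomes part of a path at all; basename() or stripping `../` is weaker because the attacker is still choosing a file name, and a remote URL survives basename() as its last path segment.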
Functions that execute shell commands (shell_exec(), exec(), system(), passthru(), and the backtick operator) can be exploited if user input reaches the command line unsanitized.

```php
$cmd = $_GET['cmd'];
shell_exec($cmd);
```

This allows an attacker to execute any command on the server, with the privileges of the web server process.
You can try the Shell_exec RCE in our "Beyond Echo" lab.
As you generally don't have access to the source code (in non open-source projects), you will have to reason about how the function has been written and used in order to bypass the elements that would otherwise block your commands.
For example, in the code below, to execute your own command you would have to comment out the remainder of the command line:

```php
$userInput = $_POST['inputText'];
$command = "echo -n " . $userInput . " | md5sum";
$output = shell_exec($command);
```

Here you could feed echo with random data, use && to chain the attacker's command, and then use # so the shell treats the remaining `| md5sum` part as a comment.
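The bypass described above, worked through as an added example that is not part of the original page: the command the vulnerable builder produces for the payload, and the same builder hardened with escapeshellarg(). The payload string is constructed for the demo; only the hardened command is executed.

```php
<?php
// Added example (not from the original page): the md5sum wrapper above, the
// "junk && cmd #" bypass, and the escapeshellarg() fix. Payload is constructed.

// Vulnerable builder, exactly as in the text: user input spliced into the command.
function buildVulnerable(string $userInput): string
{
    return "echo -n " . $userInput . " | md5sum";
}

// Hardened builder: the input becomes one single-quoted shell word, so &&, |, ;, #
// and newlines lose their meaning and the command structure stays as written.
function buildHardened(string $userInput): string
{
    return "echo -n " . escapeshellarg($userInput) . " | md5sum";
}

// Attacker payload from the text: junk for echo, && to chain a command,
// # so the shell ignores the trailing "| md5sum".
$payload = "junk && id #";

$vuln = buildVulnerable($payload);
$safe = buildHardened($payload);

echo "vulnerable: $vuln\n";
// echo -n junk && id # | md5sum     -> the shell runs `id`; md5sum is commented out
echo "hardened:   $safe\n";
// echo -n 'junk && id #' | md5sum   -> one quoted argument; md5sum hashes the literal

// Run only the hardened command here: it hashes the literal payload string.
echo shell_exec($safe);

// Same result with no shell involved at all, so there is no command line to inject into.
echo md5($payload), "  -\n";
```

The last two lines print the same digest: when the job is "hash the input", calling md5() directly removes the shell entirely, which is the stronger fix. escapeshellarg() is for the cases where an external program really is needed, and it must wrap every user-controlled argument, not the whole command.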
Unserialization of data that contains user input, without proper validation, can lead to code execution. PHP objects often trigger code through magic methods such as __wakeup and __destruct, which run automatically when an object is unserialized or destroyed, using whatever property values the attacker wrote into the serialized string.
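An added example, not from the original page, of a __destruct gadget reached through unserialize() and the allowed_classes fix. The TempFile class, the target path and the serialized payload are constructed for this demo (PHP 7.4 or later for the typed property).

```php
<?php
// Added example (not from the original page): __destruct gadget via unserialize()
// and the allowed_classes => false fix. Class, path and payload are constructed.

// An innocent-looking application class: removes its temp file when it goes away.
class TempFile
{
    public ?string $path = null;

    public function __destruct()
    {
        if ($this->path !== null && is_file($this->path)) {
            unlink($this->path);   // side effect the attacker can aim at any file
        }
    }
}

$target = sys_get_temp_dir() . '/victim.txt';

// Crafted by hand the way an attacker would: no TempFile object ever existed on the
// attacker's side, only a string in PHP's serialization format with a chosen path.
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($target), $target);

// Vulnerable: any class loaded in the application can be instantiated with
// attacker-chosen properties, and its __wakeup()/__destruct() run with them.
function vulnerable(string $data): void
{
    $obj = unserialize($data);
    // $obj is a real TempFile; __destruct() fires as soon as it is released
}

// Hardened: allowed_classes => false turns every object into __PHP_Incomplete_Class,
// whose magic methods never run. Prefer JSON for untrusted data where possible.
function hardened(string $data): string
{
    $obj = unserialize($data, ['allowed_classes' => false]);
    return get_class($obj);   // "__PHP_Incomplete_Class"
}

file_put_contents($target, 'important');

echo 'hardened() produced: ', hardened($payload), "\n";
echo 'after hardened:   ', is_file($target) ? "file intact\n" : "file deleted\n";

vulnerable($payload);
echo 'after vulnerable: ', is_file($target) ? "file intact\n" : "file deleted\n";
```

Note that the attacker never needs to upload code: the gadget is the application's own class, and the payload only supplies property values. That is why the fix is to refuse object instantiation for untrusted input rather than to "sanitize" the string.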
One known case of this class of bug involved the use of eval() in handling shortcodes: attackers could execute arbitrary PHP code by crafting malicious shortcodes.

Minimise the use of eval(), exec(), and raw SQL queries. Instead, use higher-level APIs that abstract these functionalities safely.
Is `shell_exec()` safe to use in PHP?