Courses / Remote Code Execution (RCE)

RCE in PHP

Last Edit: 10-05-2024

RCE allows an attacker to run their own code on a remote machine over the network. In PHP applications, this often results from security flaws that improperly handle user input or system outputs.

Common Sources of RCE Vulnerabilities in PHP

1. Eval() Function

The eval() function in PHP evaluates a string as PHP code.

If this function improperly handles user input, it can execute malicious code.

For example: php $code = $_GET['code']; eval($code);

Here, if an attacker passes PHP code through the code parameter in the URL, the server will execute it. 

2. include() and require() Statements

These statements are used to include files during execution.

If not properly validated, user input can lead to inclusion of files that contain malicious code, or even remote files.

For example: php $file = $_GET['file']; include($file . '.php'); 

An attacker could potentially include files like `http://malicious.com/malicious.php` by manipulating the URL parameter.

3. Shell_exec() and Similar Functions

Functions that execute shell commands can be exploited if user inputs are not sanitized.

For example: php $cmd = $_GET['cmd']; shell_exec($cmd);

This allows an attacker to execute any command on the server. 

You can try the Shell_exec RCE in our "Beyond Echo" lab.

As you generally don't always have access to the source code (in non open source projects), you will have to think how, the function has been written and used, to by pass some elements which could block your commands.

For example, in the example below, if you wanted to execute commands, you would have to comment to remaining of the execution:

$userInput = $_POST['inputText'];
$command = "echo -n " . $userInput . " | md5sum";
$output = shell_exec($command);

Here could feed the echo with random data and use && to execute the attacker's command, and then use # to ignore the | md5sum part.

4. Deserialization of Untrusted Data

Unserialization of data containing user input without proper sanitization can lead to code execution. PHP objects often trigger code execution through magic methods like __wakeup and __destruct.

Real-World Examples of PHP RCE Attacks

  • WordPress Plugin Vulnerability: In notable cases, popular WordPress plugins were found to have an RCE vulnerabilities due to the improper use of eval() in handling shortcodes. Attackers could execute arbitrary PHP code by crafting malicious shortcodes.
  • Magento SQL Injection Leading to RCE: Magento experienced an RCE vulnerability that started with an SQL injection flaw, which allowed attackers to create admin accounts and inject malicious PHP scripts into the site.

Prevention and Mitigation Strategies 

  • Input Validation: Ensure all user input is validated against a strict whitelist of allowed values. Never trust user input implicitly. 
  • Use of Higher-Level APIs: Avoid using functions like eval(), exec(), and raw SQL queries. Instead, use higher-level APIs that abstract these functionalities safely. 
  • Minimal Permissions: Run your PHP environment with minimal permissions. Limit what PHP and the web server can read, write, and execute. 
  • Regular Updates: Keep PHP and all third-party libraries up to date. Security patches often address known vulnerabilities, including potential RCE exploits.
  • Error Handling: Disable detailed error reporting on production servers. Detailed errors can provide attackers with insights into potential vulnerabilities. 
  • Security Tools: Utilize tools like web application firewalls (WAFs) and security-focused PHP extensions (such as Suhosin) to help mitigate attacks.

 

 
Question Answer the question below to validate the course and earn easy points:

Is `shell_exec()` safe to use in PHP?

Course Summary
RCE: Introduction
1 point
RCE in PHP
1 point
Shellshock (CVE-2014-6271)
1 point