PHP Injection

    If your background is development, it's natural to look at pages, code, errors, etc., with a different eye than those of us who come from another avenue.  When I see a url that looks something like: 


    I just automatically assume it's SQL.  The first thing we'll do is insert a single quote to break the SQL statement in hopes that it will throw an error. 

    But what happens if we're not dealing with SQL at all?  Take for example, PHP eval (eval is evil!). 

    Let's toss that into a page:

    We're taking input from the user, we're using eval to evaluate it, and we're echoing the output to the screen. 

    For example:

    Again, so we see the equal sign, looks like SQL but if we try to inject:

    We get it echoed right back to us.

    I remember some class and they instructor was explaining that not everything is SQL.  You don't necessarily know what you're dealing with so just start tossing all sort of special characters as input -- attempting to see if something will break.  If we insert a double quote:

    It's not returned to us but we're also not seeing an error.  It's not showing an error but it's also not displaying our input.

    If we edit the php.ini file, we can adjust display_errors -- changing it from Off to On:

    When we restart Apache, we refresh our page:

    Now we're seeing an error and it's telling us something about eval. 

    If we send this over to Burp repeater, we can modify this request and we can enable URL encoding as we type:

    We're going to execute a whoami:

    We get code execution and we see that our id is www-data.  Not that it's hard to understand what's going on here but if we push this over to decoder:

    We can see that the space is a + and the ;# is %3b%23

    You could paste that into the browser but it could be a little easier to use Burp's encode while typing functionality. 

    To put a point on this post and wrap it up, the key takeaway is -- just because we don't see any output to the screen, doesn't mean that we haven't found something.  In this specific example, all other input produces an output until we introduce the double quote.  It's subtle but that's your tell.

    © 2020