Remote Code Execution
Remote Code Execution
Remote code execution occurs when a server runs code which is not stored on it self. IE a code version of XSS.
With XSS the worst that can happen to a site is that admin cookies can be stolen. Some site such as HBH have methods to stop this and these are easy enough to code.
Remote code execution is a lot harder to prevent, stop and find.
This occurs with the PHP functions require, include, include_once and require_once.
For example a script which runs
<?php
include $_GET['page'];
?>
If this page was called page.php and the url entered was;
page.php?page=index.php the page displayed would be index.php.
If however someone made the page show
page.php?page=http://www.google.com
then google would be displayed.
What other uses are there of the include function in php?
One common use is to shorten codes which are used several times such as a function. This can be used to include the page for its code.
What if someone made the include include a page with UNEXECUTED PHP on it?
Then the local server would run the script on itself. Dangerous scripts can be used to deface and with use of the passthru command they can begin to do great damage.
How can I stop my PHP being executed. The best way of doing this is saving it as a .txt or .jpg because people are less likely to check them and servers do not parse them.
How can I stop this.
Very simply. Don't allow unchecked pages to be included. Use a variable or a MySQL table if possible.
What other methods are there seeing as this is usually pretty secure?
There is the eval injection. For instance. If the server uses the eval on say;
eval($x = $_GET['number']);
The $x = … is still executed and so harmful injections can be inserted into here to execute code etc.
ghost 18 years ago
Do you know, what is relative and absolute address? your expample will do this link: www.victim.com/www.google.com you must use absolute addressing: page.php?page=http://www.google.com
ghost 18 years ago
Good concept. Too bad there's already and article here about it of higher quality, and my article on PHP Injections has been around on HTS and Rohitab.com for a while.
Mr_Cheese 18 years ago
nice article. you might want to include the eval() remote code execution way, as that is another very common exploit, and was what originally become known as "remote code execution". informative article none the less.