Follow us on Twitter!
It is the path of least resistance that makes rivers and men crooked. - Bj Palmer
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 25
Guests Online: 24
Members Online: 1

Registered Members: 82885
Newest Member: ConiBE
Latest Articles

Remote Code Execution

Arrow Image A basic guide on how this method works and how to stop it



Remote code execution occurs when a server runs code which is not stored on it self. IE a code version of XSS.

With XSS the worst that can happen to a site is that admin cookies can be stolen. Some site such as HBH have methods to stop this and these are easy enough to code.

Remote code execution is a lot harder to prevent, stop and find.

This occurs with the PHP functions require, include, include_once and require_once.

For example a script which runs

<?php

include $_GET['page'];

?>

If this page was called page.php and the url entered was;

page.php?page=index.php the page displayed would be index.php.

If however someone made the page show

page.php?page=http://www.google.com

then google would be displayed.

What other uses are there of the include function in php?

One common use is to shorten codes which are used several times such as a function. This can be used to include the page for its code.

What if someone made the include include a page with UNEXECUTED PHP on it?

Then the local server would run the script on itself. Dangerous scripts can be used to deface and with use of the passthru command they can begin to do great damage.

How can I stop my PHP being executed. The best way of doing this is saving it as a .txt or .jpg because people are less likely to check them and servers do not parse them.

How can I stop this.

Very simply. Don't allow unchecked pages to be included. Use a variable or a MySQL table if possible.

What other methods are there seeing as this is usually pretty secure?

There is the eval injection. For instance. If the server uses the eval on say;

eval($x = $_GET['number']);

The $x = ... is still executed and so harmful injections can be inserted into here to execute code etc.

Comments

deathaliveon July 15 2006 - 17:06:03
Do you know, what is relative and absolute address? your expample will do this link: www.victim.com/www.google.com you must use absolute addressing: page.php?page=http://www.google.com
thousandtooneon July 15 2006 - 21:04:32
Good concept. Too bad there's already and article here about it of higher quality, and my article on PHP Injections has been around on HTS and Rohitab.com for a while.
Mr_Cheeseon July 15 2006 - 23:52:32
nice article. you might want to include the eval() remote code execution way, as that is another very common exploit, and was what originally become known as "remote code execution". informative article none the less.
turbocharged_06on December 09 2006 - 20:23:48
:ninja:thanks for the good article and for the contributions youve madePfft
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.