Donate to us!
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill
Sunday, June 24, 2018
 Need Help?
Members Online
Total Online: 81
Guests Online: 78
Members Online: 3

Registered Members: 105569
Newest Member: ShivamChhapola
Latest Articles

Remote Code Execution

Arrow Image A basic guide on how this method works and how to stop it

Remote code execution occurs when a server runs code which is not stored on it self. IE a code version of XSS.

With XSS the worst that can happen to a site is that admin cookies can be stolen. Some site such as HBH have methods to stop this and these are easy enough to code.

Remote code execution is a lot harder to prevent, stop and find.

This occurs with the PHP functions require, include, include_once and require_once.

For example a script which runs


include $_GET['page'];


If this page was called page.php and the url entered was;

page.php?page=index.php the page displayed would be index.php.

If however someone made the page show


then google would be displayed.

What other uses are there of the include function in php?

One common use is to shorten codes which are used several times such as a function. This can be used to include the page for its code.

What if someone made the include include a page with UNEXECUTED PHP on it?

Then the local server would run the script on itself. Dangerous scripts can be used to deface and with use of the passthru command they can begin to do great damage.

How can I stop my PHP being executed. The best way of doing this is saving it as a .txt or .jpg because people are less likely to check them and servers do not parse them.

How can I stop this.

Very simply. Don't allow unchecked pages to be included. Use a variable or a MySQL table if possible.

What other methods are there seeing as this is usually pretty secure?

There is the eval injection. For instance. If the server uses the eval on say;

eval($x = $_GET['number']);

The $x = ... is still executed and so harmful injections can be inserted into here to execute code etc.


deathaliveon July 15 2006 - 17:06:03
Do you know, what is relative and absolute address? your expample will do this link: you must use absolute addressing: page.php?page=
thousandtooneon July 15 2006 - 21:04:32
Good concept. Too bad there's already and article here about it of higher quality, and my article on PHP Injections has been around on HTS and for a while.
Mr_Cheeseon July 15 2006 - 23:52:32
nice article. you might want to include the eval() remote code execution way, as that is another very common exploit, and was what originally become known as "remote code execution". informative article none the less.
turbocharged_06on December 09 2006 - 20:23:48
:ninja:thanks for the good article and for the contributions youve madePfft
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.