Malicious Code Injection

Hi everyone!
This is my first post, so be kind! Basically, I'm trying to get a free host together so am writing some posts. Here's a little summin' summin' about malicious code injection with PHP applications.

Basically, this security exploit is one of the oldest tricks in the books and all comes down to the fact that PHP allows execution of both local and remote scripts with the SAME function... dur. Anyway, this is how it works. Image you've just employed a young go getter, straight outta uni, who has found becoming a Jack of all trades a sinch. You place him on web site design duty and after flicking through a PHP manual is on his way. Thinking it a good idea to keep separate database connection scripts, headers and whatnot, they may have something along the lines of this...

include($_GET['page'] . ".php");

This line of PHP code, is then used in URLs like the following example:

STD

Because the $page variable is not specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server as in this example:

STD[/url]http://forums.xisto.com/ />
This then makes the include function call and execute a remote script from the nosey_bastard domain, which could do all sorts of nasty, even delete the entire content of the website.

You have been warned!

JGLW

Anybody who first of all puts a user modifiable variable into anything that isn't being parsed out, and then puts a pointless delete_all.php page in the same directory deserves to have their website removed. That is just plain stupidity.

Haha... but that's why programmers get paid to surf through their own code and test, test, and test again for loopholes, vulnerabilities, and code injection attacks like these.In all reality, I would promote code injection just to be able to learn from the experience. You get to figure out if your exploit works, why it works, introduce yourself to a little bit of PHP and how it works, and if you're a white hat hacker, you might even score some attention, potential, and a job as a network/Internet security specialist. I for one like to try various code injections into the all-infamous wall that is MySpace, since a lot of the things you do is entangled into a nightmare of code all within a ColdFusion file (index.cfm) and the various JavaScript files it calls on. There might be some PHP in MySpace's design now... I'm not that sure now because it's been a while since I've poked around.

That's also called RFI, Remote File Inclusion, if the vuln let you load a remote page or LFI, Local File Inclusion, if the vuln let you load a page on the same server.It was a quite common vulnerability some time ago.