A quick PoC/tutorial on executing arbitrary PHP code via PHP's eval() function in Infosec Institute's Level 2 CTF challenge. Full details on the challenge can be found here: http://ctf.infosecinstitute.com/ctf2/. All credits go to [email protected]
STEP 1: Understanding the use of eval()
Based on the application's function (it takes two numbers and an operand and returns the result), we can guess that the backend is using code similar to the following to calculate the result, with all three form fields interpolated straight into eval():
<?php eval("echo $num1 $operand $num2;"); ?>
STEP 2: Editing the operand field
Since there appears to be server-side validation preventing non-integer values for $num1 and $num2, we can try to edit the operand field instead to get our injected PHP code to run. This can be done in a web browser by right-clicking the element and selecting "Inspect Element".
STEP 3: Edit the operand field to inject our PHP code
To inject our PHP code, we edit the operand field as shown below so that the injected statement runs while the original expression still parses without producing an error:
<option value=" + 1; phpinfo(); 1 + "> + 1; phpinfo(); 1 + </option>
After clicking Submit, you will notice that the output of our injected phpinfo() call is executed and displayed. To prevent this class of attack, eval() should be avoided entirely, and all user input (here, the operand as well as the numbers) should be validated and sanitized before it is used.
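The hardened version of the guessed calculator above, as an added example that is not the CTF's own source: the numbers are validated as integers, the operand is checked against a fixed whitelist, and the arithmetic is done with a match expression instead of eval(), so a value such as the injected operand from STEP 3 is rejected before it reaches any interpreter. The function name safe_calculate and the sample inputs are constructed for this example.

```php
<?php
// Added example: a safe replacement for eval("echo $num1 $operand $num2;").
declare(strict_types=1);

/**
 * Evaluate "num1 operand num2" without eval().
 * Returns the numeric result, or throws on any input outside the whitelist.
 */
function safe_calculate(string $num1, string $operand, string $num2): int|float
{
    // Server-side validation of the numbers (the CTF already enforced this part).
    if (filter_var($num1, FILTER_VALIDATE_INT) === false ||
        filter_var($num2, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('operands must be integers');
    }
    $a = (int) $num1;
    $b = (int) $num2;

    // Whitelist the operand: anything outside this list is rejected, so the
    // operand string is never interpreted as code.
    return match ($operand) {
        '+' => $a + $b,
        '-' => $a - $b,
        '*' => $a * $b,
        '/' => $b === 0
            ? throw new DivisionByZeroError('division by zero')
            : $a / $b,
        default => throw new InvalidArgumentException('unknown operand'),
    };
}

// Constructed inputs: a normal request and the injected operand from STEP 3.
$cases = [
    ['2', '+', '3'],
    ['2', '+ 1; phpinfo(); 1 +', '3'],
];
foreach ($cases as [$n1, $op, $n2]) {
    try {
        printf("%s %s %s = %s\n", $n1, $op, $n2, safe_calculate($n1, $op, $n2));
    } catch (Throwable $e) {
        // Log the rejected operand: repeated rejections here are a useful
        // detection signal for injection attempts against the form.
        error_log('calculator rejected operand ' . var_export($op, true) . ': ' . $e->getMessage());
        printf("rejected %s: %s\n", var_export($op, true), $e->getMessage());
    }
}
```

Note that eval() is a language construct, not a function, so it cannot be switched off with PHP's disable_functions setting; the only reliable mitigation is not to use it on anything derived from user input, which is why the example computes the result directly from the validated values.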