What is PHP Injection? How does it differ from SQL Injection? And how do you avoid it?

Viewed 5,738 times

42

  • What is PHP Injection?
  • What difference does it make to SQL Injection?
  • How to avoid PHP Injection in my application?
  • What are the main forms of PHP Injection type attack?

Update

Note: remember that SQL Injection is not the same thing as PHP Injection.

Code Injection in PHP

What is SQL Injection?

  • 2

    PHP Injection, you mean abuse of eval(), extract() and worse things like Globals, Magics?

  • 2

    Wallace is not exactly/completely the same subject but should help: http://answall.com/a/10931/3635

  • @rray What harm can an extract() do?

2 answers

39


Due to the numerous comments published (at the time I asked the question), I believe there is some doubt about what PHP Injection is. So I’ll explain some points.

What is PHP Injection?

It is a form of attack where the attacker uses a PHP script to attack an application written in PHP.

According to Google:

[...] PHP Injection is a technique used on the Internet consisting of injecting malicious scripts, making the page vulnerable to the control of the attacker [...]

Generally, this type of attack consolidates when the developer leaves loopholes in upload forms. For example, the malicious person can send a PHP script through that form and then run it.

The result could be disastrous if the attacker manages to list directories, delete files, steal sensitive data, etc...

That said, PHP Injection has no relation to SQL Injection, as some had pointed out in previous comments.

And the SQL Injection?

SQL Injection is an attack that consists of inserting (hence "injection") a query through the web application.

That is, there is no direct relationship with the PHP Injection.

Ways to avoid PHP Injection

Be careful when uploading!

As stated earlier, one of the main vectors for this attack is upload forms, where the attacker manipulates the uploaded content (usually by sending an unexpected PHP script to the server) and, through it, gains access to server information.

Avoid the eval

Another dangerous thing regarding PHP Injection is the use of the function eval, which has the power to turn a string into valid PHP code.

See more information about eval in the question below:

Beware of the e modifier of the preg_replace function

Recently, PHP deprecated the e modifier of the preg_replace function, because this modifier evaluates the replacement as PHP code, which is also exploited by attackers.

See how preg_replace with the e modifier caused some problems for the developer in this question:

In this question asked by @Rodrigoborth, it is clear that the code was injected by a Cracker into the server where his application is.

Although it has been deprecated, it is good to keep an eye out for older library versions or legacy applications that might still use this modifier.
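As an added example (not code from the question or the answers), the following shows the safe replacement for the old e modifier: preg_replace_callback hands each match to a closure, so captured text is only ever data and never evaluated as PHP. The template syntax, the lookup helper and the sample variables are assumptions made for this illustration.

```php
<?php
// Added example. Legacy code of this shape relied on the /e modifier, kept here
// only as a comment: the replacement string was evaluated as PHP for every match,
// so text captured from the subject ended up inside eval()'d code.
//
//   $out = preg_replace('/\{(\w+)\}/e', 'lookup("\\1")', $template);
//
// The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0.

declare(strict_types=1);

// Hypothetical template variables (constructed sample data).
$vars = [
    'user'  => 'maria',
    'count' => 3,
];

function lookup(array $vars, string $name): string
{
    // Unknown placeholders are rendered literally instead of being evaluated.
    return array_key_exists($name, $vars) ? (string) $vars[$name] : '{' . $name . '}';
}

function render(string $template, array $vars): string
{
    // preg_replace_callback passes each match array to a PHP closure; the
    // captured placeholder name is used as an array key, never as code.
    $out = preg_replace_callback(
        '/\{(\w+)\}/',
        static fn(array $m): string => lookup($vars, $m[1]),
        $template
    );
    if ($out === null) {
        throw new RuntimeException('regex failure: ' . preg_last_error_msg());
    }
    return $out;
}

// Constructed input: a legitimate placeholder plus one that is not defined.
$template = 'Hello {user}, you have {count} new messages. {missing}';
echo render($template, $vars), PHP_EOL;
```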

Null Byte Attack

It seems that the Null Byte Attack was also a problem in previous PHP versions.

See more about this here:

Is SQL Injection related to PHP Injection?

No. These are different matters and, in each case, the safety care should be different.

See the SQL Injection section below to draw your conclusions about the differences:

What not to confuse?

Another thing is confusing XSS attacks with PHP Injection. XSS can be done in any other language that does not take proper care. PHP Injection is something specific to PHP.

  • 2

    Formerly it was common practice to do includes based on the URL, for example meusite.com/?page=contato where contato was a file of the site, so this gap was taken advantage of by putting there the path to malicious files...

  • 5

    @Kaduamaral, there’s still a lot of code like this, just a few questions ...

  • 3

    Like I said, "it is not exactly/completely the same subject but should help"; I do not disagree with your question and answer, so much so that I gave +1 to both. The hard part is putting up with these "robotic" downvotes :( -- congratulations on the answer!

6

Just to contribute to the discussion, and given that I went through this bad experience on a site I administer, I will detail the incident.

On this site users are allowed to send ZIP files and images (JPG/PNG). Well, some unfortunate person uploaded a JPG file that was actually not an image but a PHP script: he simply changed its extension. The file obviously had an image header, but at the end of the file there was a PHP script that created a remote access console with the name copyright.php; from there he could list the files on the server and consequently see them in detail (including the database connection).

It took work to identify this; fixing it was simple, but you can see that PHP Injection causes a lot of trouble, and we would never have imagined it. The interesting thing is that he also used a text browser to visit the image, so that the binary header came first and then the code was shown in the browser.

  • 4

    You don’t even have to change the extension, depending on the scenario. This is very common if Apache’s mime magic is enabled, because then the extension is ignored and metadata is used to determine the server action. In other posts I have already recommended (to the author of the question himself, in fact) disabling precisely this feature. https://httpd.apache.org/docs/current/mod/mod_mime_magic.html

  • @Bacco has a love affair with this mime_magic, it can only be that, hahaha.

  • Thanks for the tip @Bacco, I did not know about this weakness
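As an added example (not the site's code nor from either answer), here is an image-only upload handler hardened against the two cases described above: the "upload a PHP script through the form" vector from the first answer and the "JPG with a PHP script appended" incident from the second. It assumes the fileinfo and GD extensions, a form field named "photo", and an upload directory outside the document root; all names and paths are assumptions.

```php
<?php
// Added example: hardening an image upload against appended PHP scripts.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;

function store_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Decide the type from the content, never from the client-supplied
    //    filename or Content-Type. Note that finfo only reads the magic header,
    //    which a polyglot "image + script" file passes, hence step 2.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type');
    }

    // 2. Decode and re-encode with GD. Only pixel data is written out, so
    //    bytes appended after the image (the copyright.php case) are dropped.
    $img = $mime === 'image/jpeg'
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 3. Server-chosen name and extension; the original filename is never reused,
    //    so neither a ".php" extension nor a double extension can reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok   = $mime === 'image/jpeg' ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Usage in the form handler (field name "photo" assumed):
// $stored = store_image($_FILES['photo']);
```

Re-encoding removes appended data, but the decisive control is that files in UPLOAD_DIR are served as static bytes and never handed to the PHP interpreter, which is also why disabling mod_mime_magic on the upload path, as recommended in the comment above, matters.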
