What is the dynamic code evaluation attack, and how does it work?
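In PHP, the eval() function evaluates a string as PHP code. For example,
<?php
$to = 'Adam';
$from = 'Bob';
// Single quotes: $to and $from are not interpolated at this point.
$string = 'Hi $to, it is $from here.';
echo $string . "\n";
// eval() runs the assignment as PHP code, so the double-quoted string is interpolated.
eval("\$string = \"$string\";");
echo $string . "\n";
?>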
In the above code, $to and $from will be replaced by ‘Adam’ and ‘Bob’ in the eval() function. So, the output will be:
Hi $to, it is $from here.
Hi Adam, it is Bob here.
The dynamic code evaluation attack is an attack in which all or part of the input string of eval() is controlled by an attacker. For example, consider the following piece of code:
<?php
$name = 'Adam';
// User-controlled input taken straight from the query string.
$string = $_GET['arg'];
// The input becomes part of the code that eval() executes.
eval("\$name = \"$string\";");
?>
Here, $string is an input taken from a user, and then, the value is assigned to $name.
But suppose an attacker gives 'noname; system("ls")' as input. Then $string will be assigned 'noname; system("ls")', and inside the eval() function, 'ls' will get called. As a result, it will reveal the list of files in the directory. The attacker may even update, delete, or see sensitive files on the server using this vulnerability. And, this is how the dynamic code evaluation …
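The two snippets above, rewritten without eval() so that user input is only ever handled as data. This is an added example, not code from the original page; render_template(), ALLOWED_PLACEHOLDERS, the {to}/{from} placeholder syntax and the name pattern are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only placeholders a template may use.
const ALLOWED_PLACEHOLDERS = ['to', 'from'];

/**
 * Replace {to} / {from} placeholders with literal text.
 * strtr() performs plain string substitution in a single pass: the
 * replacement values are never rescanned and never executed as PHP.
 */
function render_template(string $template, array $values): string
{
    $map = [];
    foreach (ALLOWED_PLACEHOLDERS as $key) {
        if (isset($values[$key]) && is_string($values[$key])) {
            $map['{' . $key . '}'] = $values[$key];
        }
    }
    return $map === [] ? $template : strtr($template, $map);
}

// First snippet: the same greeting, produced without eval().
echo render_template('Hi {to}, it is {from} here.',
                     ['to' => 'Adam', 'from' => 'Bob']), "\n";

// A value that contains PHP code stays inert text in the output.
echo render_template('Hi {to}, it is {from} here.',
                     ['to' => 'noname; system("ls")', 'from' => 'Bob']), "\n";

// Second snippet: assigning user input to $name needs no eval() at all.
// The fallback is a constructed sample (the input quoted on this page),
// used when the script runs outside a web request.
$arg  = $_GET['arg'] ?? 'noname; system("ls")';
$name = is_string($arg) ? $arg : '';

// Assumed policy: accept only short names made of letters, spaces,
// dots, apostrophes and hyphens; anything else is rejected.
if (preg_match("/^[\\p{L} .'-]{1,64}$/u", $name) !== 1) {
    $name = 'Adam'; // fall back to the default from the original snippet
}

// Escape on output so the value is also safe inside an HTML page.
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
```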