Function Injection

Thank you for visiting OWASP.org. We have migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done.

Overview

A Function Injection attack consists of insertion or “injection” of a function name from client to the application. A successful function injection exploit can execute any built-in or user defined function. Function injection attacks are a type of injection attack, in which arbitrary function names, in sometimes with parameters are injected into the application and executed. If parameters are passed to the injection function it leads to remote code execution.

Risk Factors

  • These types of vulnerabilities can range from very hard to find, to easy to find
  • If found, are usually moderately hard to exploit, depending on scenario.
  • If successfully exploited, impact could cover loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability

Examples

Example 1

If an application passes a parameter sent via a GET request to PHP and then the parameter is evaluated as a function by including () after the variable name, the variable will be treated as a function and will be executed.

The URL below passes a function name to the script.

http://testsite.com/index.php?action=edit

The index.php file contains the following code.

<?php

$action = $_GET['action'];

$action();

?>

In this case the attacker can pass any function name to the script for example phpinfo

http://testsite.com/index.php?action=phpinfo

Example 2

This example is an extended and more dangerous version of “Example 1”, in this case, the application not only allows the function name to be provided but also the parameters to that function.

http://testsite.com/index.php?action=edit&pageid=1

The index.php contains the following code.

<?php

$action = $_GET['action'];
$pageid = $_GET['pageid'];

$action($pageid);

?>

In this case the attacker not only passing the function name but also the parameter to that function which can lead to remote code execution by passing the system function with arbitrary commands.

http://testsite.com/index.php?action=system&pageid=ls

This will execute the “ls” command on the system.

Example 3

This example shows another way of evaluating user functions by using call_user_func instead of using brackets.

http://testsite.com/index.php?action=edit

The index.php contains the following code.

<?php

$action = $_GET['action'];

call_user_func($action);
?>

Similar to “example 1” the attacker can pass any function name to the script for example phpinfo

http://testsite.com/index.php?action=phpinfo

Example 4

This example is an extended and more dangerous version of “Example 3”, in this case, the application passes another parameter for call_user_func which will be passed as a parameter to the function provided in the first argument of call_user_func, multiple parameters can passed to call_user_func in the form of an array.

http://testsite.com/index.php?action=edit&pageid=1

The index.php contains the following code.

<?php

$action = $_GET['action'];
$pageid = $_GET['pageid'];

call_user_func($action,$pageid);

?>

In this case the attacker not only passing the function name but also the parameter to that function which can lead to remote code execution by passing the system function with arbitrary commands.

http://testsite.com/index.php?action=system&pageid=ls

This will execute the “ls” command on the system.

References

Category:Injection Category:Attack