Remote Command Execution (R.C.E) vulnerability

Hi guys, today I'm going to talk about Remote Command Execution (R.C.E). This is a top-severity vulnerability for a penetration tester: it lets us run our own code on the server wherever user input is taken. This vulnerability has two types.

Webapp Based R.C.E

In this case we can run code through a website input field.

System Based R.C.E

In this type we can run code on the server by means of another program that is already running.

Webapp Based R.C.E

Let's look at this PHP code.

<?php
$cmd = $_GET['cmd'];
system($cmd);
?>

I will explain what happens in this code line by line.

<?php – tells the PHP engine that PHP code follows.

(We write PHP code inside HTML. The PHP code runs on the server, and the visitor only sees the resulting HTML.)

$cmd = $_GET['cmd']; – reads the value named cmd from the request (for example, from an HTML form) and stores it in the variable $cmd. Basically, the user input is now $cmd.

system($cmd); – this is a PHP function that runs whatever is between the brackets as a command on the server. We pass $cmd, so the user's input is executed on the server.

?> – tells the PHP engine that the PHP script ends here.

I think you now have some idea of what we are working with. Now let's see how this is used in real life.

Imagine a website that looks up a hostname with the whois command after we enter a website address. (Here is example code for something like that.)

<?php
$host = $_GET['url'];
system("whois $host");
?>

Now you know what happens in this code.

It gets the user input URL and stores it in the host variable, then runs the command whois $host. (whois is a Linux command; we can find host details with it.)

If my input is www.secdevil.com, we receive my website's details. OK, now we want to run some malicious command on the server. Imagine we need to run the "rm /user/home/soney_leon_hot.jpg" command. If I input this instead of a host, let's see what we receive.

system("whois rm /user/home/soney_leon_hot.jpg");

It now detects that there is no host after the whois command, so we receive an error after running this. How can we solve this? In Linux Bash (Bourne Again SHell) we can chain two commands on one line with the '&', '&&', '|' or '||' operators. So now I input this:

secdevil.com && rm /user/home/soney_leon_hot.jpg

Now the server runs this:

whois secdevil.com && rm /user/home/soney_leon_hot.jpg

In Bash, when two commands are separated by &&, the second one runs once the first one succeeds, so here both commands run. We can run any commands like this. Now let's see a more advanced case.

<?php
$host = $_GET['url'];
system("whois $host -v");
?>

We use the '-v' option a lot in Linux. It means verbose: with it we can watch everything that happens behind the screen.

Ex – if we add '-v' to the end of a netcat command, we can see what netcat is doing.

Do you input it as before and run it?

No, it does not run, because 'rm' should not get any extra arguments, and here '-v' lands after the file name. For this we use a command that looks like this:

whois secdevil.com && rm /user/home/soney_leon_hot.jpg & -v

With the '&' sign, each side runs even if the other side is not valid. So if '-v' is not a valid command, the other one still runs.
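As an added example (my own code, not from the original post), here is the whois lookup rewritten so that an input like the payload above cannot reach the shell as a second command: the hostname is checked against an allowlist pattern and then quoted with PHP's escapeshellarg(). The function names are my own.

```php
<?php
// Added defensive counterpart to the post's vulnerable whois lookup.
// Function names (is_valid_hostname, build_whois_command, lookup_host)
// are my own; the payloads below are the ones used in the post.

// Allowlist: accept only labels of letters, digits and '-', joined by '.'.
// Shell metacharacters such as ' ', '&', '|', ';' can never match.
function is_valid_hostname(string $host): bool {
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?';
    return preg_match("/^{$label}(\\.{$label})*$/", $host) === 1;
}

// Second layer: escapeshellarg() wraps the value in single quotes (on
// Linux), so the shell treats the whole input as ONE argument to whois.
function build_whois_command(string $host): string {
    return 'whois ' . escapeshellarg($host);
}

// Request handler: validate, then quote, and never interpolate raw input.
function lookup_host(string $host): string {
    if (!is_valid_hostname($host)) {
        return 'Error: invalid hostname';
    }
    $output = [];
    exec(build_whois_command($host), $output, $status);
    return implode("\n", $output);
}

// Constructed inputs: the benign host and the injection attempt from the post.
$benign = 'secdevil.com';
$attack = 'secdevil.com && rm /user/home/soney_leon_hot.jpg';

assert(is_valid_hostname($benign) === true);
assert(is_valid_hostname($attack) === false);
// Even if validation were skipped, quoting keeps the payload inside one
// argument instead of letting '&&' start a second command.
assert(build_whois_command($attack)
    === "whois 'secdevil.com && rm /user/home/soney_leon_hot.jpg'");

if (PHP_SAPI !== 'cli') {
    // Web request: HTML-escape the output so it can be shown safely.
    echo htmlspecialchars(lookup_host($_GET['url'] ?? ''), ENT_QUOTES, 'UTF-8');
}
```

Run it from the command line with php to exercise the assertions; as a web page it only ever passes a single, quoted hostname to whois.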

I think this post is enough for today. Let's meet in another tutorial; please add a comment if you can.
