Abdelrahman Elshinbary

Abdelrahman Elshinbary

Penetration Tester & HTB Player

Web Security Vulnerabilities - Remote Code Execution

4 minute read

SQL-Injection

Table of Contents

What is Remote Code Execution?

Remote Code Execution, also known as RCE is a security vulnerability that allows an attacker to gain unauthorized access to a system and execute arbitrary commands. This usually happens due to poor validation or improper handling of user input. It allows an attacker to run system commands through a vulnerable application. It can be exploited through various vulnerabilities such as File Upload Vulnerability, Command Injection, SQL Injection, and more.

How does RCE work?

RCE vulnerabilities can be exploited through various methods, often following these phases:

  1. Identify the vulnerability on website or system.
  2. Exploit this vulnerability by injection malicious arbitrary code or malware.
  3. Once the attacker gain access to the system, they can access, edit and/or delete sensitive data.

How to find RCE?

Finding RCE vulnerability mainly requires analysis of an application and understanding how it works. here are some steps you can do to find RCE:

  1. Identify user input and check for special characters (;, &&, |, <, >).
  2. Analyze file upload feature and try to upload files with unexpected extensions (.php, .asp, .sh, .py, etc)
  3. Check for the running service and its version then search for known CVEs.
  4. For White Pentesting, analyze source code and check for unsafe functions.

Impact Of RCE

RCE has very critical vulnerability that lead to a lot of damage of the server. It may lead to:

  1. Sensitive Data Exposure: Once attackers exploit RCE, they can access unauthorized data and gain unauthorized control over the system
  2. Denial Of Service: An attacker can exploit RCE to make damage/crash on the system.
  3. Privilege Escalation: When an attackers achieve RCE and gain control over the system, they can internal vulnerabilities and gain more privileges on the system or other systems
  4. Malware Execution: These attackers lock up a computer system and use ransomware to force victims into paying to have their systems unlocked.

How To Prevent From RCE?

Mitigating RCE vulnerabilities is critical for ensuring system security. Here are some strategic solutions to prevent RCE:

  1. Input Validation: Don’t trust user inputs. always validate and filter user inputs to prevent malicious code injection.
  2. Use WAFs: Employ Web Application Firewalls (WAFs) to filter out malicious requests and detect suspicious activities.
  3. Secure Coding Practices: Developers should be aware of RCE vulnerabilities and follow secure coding practices to avoid them.
  4. Making server up to date: outdated software may has known vulnerabilities and CVEs, so it’s important to patch and update software regularly.

Vulnerabilities can lead to RCE

  1. SSTI ==> RCE (We will talk about it later)
  2. LFI ==> RCE
  3. Command Injection ==> RCE
  4. SQL Injection ==> RCE
  5. File upload ==> RCE
  6. Insecure Deserialization ==> RCE
  7. Insecure Configuration ==> RCE
  8. Log4j
  9. Spring4shell
  10. Zerologon
  11. CVE-2021-1844

Time To Practice

Let’s apply this knowledge through some practical labs to better understand RCE vulnerabilities.

Challenge #1

In this challenge, our goal is to execute system commands. Here’s how to proceed:

Challenge_intro

The challenge includes a functionality to ping a network. Let’s try pinging 127.0.0.1 and intercept the request using Burp Suite.

Challenge_test

Challenge_burp

We assume the command to ping the network looks like: ping -c 10 $IP.

We can exploit it by using command separators like ;, |, or &&. For instance, use the payload 127.0.0.1;ls to ping the specified network and list directories and files in the current directory.

Challenge_test_2

The payload executed successfully. Let’s try to get a shell for full control and read flag.txt.

Challenge_exploit_1

Challenge_exploit_2

Challenge #2

In the second challenge from Portswigger, we can see in the challenge name that we can achieve Remote Code Execution from File upload functionality.

So, let’s start and check the web page.

Challenge_description

We can see it’s a blog with a file upload feature. Let’s upload a normal image to test it.

Challenge_intro

Challenge_login

We can see that we have upload feature, so let’s upload a normal image and see what happens.

Challenge_upload_1

Challenge_upload_2

Now let’s access the uploaded image.

Challenge_upload_3

The upload seems normal, so let’s abuse this feature. Intercept the upload request using Burp Suite and change the file extension to .php.

Challenge_upload_4

Since the application lacks validation on uploaded files, it allows malicious files to be uploaded. Access the uploaded file and execute system commands via the rce parameter.

Challenge_upload_5

Challenge_upload_6

We can see above the application doesn’t have any validation on the upload feature, which allows an attacker to upload malicious files.

So, now let’s access the upload file from browser and execute system commands using rce parameter.

Challenge_exploit_1

Let’s try to access /home/carlos/secret and solve the lab.

Challenge_exploit_2

Challenge_exploit_3

Challenge_solve

Resources

Imperva - RCE

Bugcrowd - RCE

InsiderPhD - RCE

Intigriti - 7-ways-to-achieve-remote-code-execution

Conclusion

RCE vulnerabilities allow attackers to execute arbitrary code remotely, potentially leading to data theft, malware installation, or full system control. Understanding and addressing RCE is crucial for maintaining secure systems.

Hope you enjoy! Thanks for reading.

Categories:

Updated: