Hi everyone, I hope you are enjoying our site.
Sometimes this is called remote code execution (RCE) or OS command execution. Whatever the name, what happens here is the same: we run a shell command through a web application's functionality.
First of all, we have to understand how it is possible to execute a Linux command from a web application.
In PHP there are several functions for this, such as system(), exec(), shell_exec() and passthru().
Now let's see how these functions work.
<?php $cmd = 'uname -a'; system($cmd); ?>
system() takes the command as its parameter, executes it on the Linux server and prints the output (it also returns the last line of that output).
<?php $cmd = 'whoami'; exec($cmd); ?>
exec() also executes its parameter as a Linux command, but unlike system() it does not print anything. It returns only the last line of the output, so to display it we have to echo the return value, like this (the full output can be collected through exec()'s optional second parameter, which is filled with one array element per line):
<?php $cmd = $_GET['cmd']; echo exec($cmd); ?> // the command comes straight from the query string: this is the pattern we are about to exploit
Now that we have enough theory, let's see what remote command execution (OS command injection) actually is.
Think about the following web application, and assume that the following is the HTML for the form it shows.
<html>
<body>
<form action="ping.php" method="get">
Host:<br>
<input type="text" name="target"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
It simply takes a host name from the user and sends it in a GET request to the back-end script for further handling.
Now, how does the back-end PHP script handle this input and show the result to the user?
<?php $host = $_GET['target']; system("ping $host -v"); ?>
Can you see what it does?
It takes the data sent by the GET request and stores it in a variable called $host.
Then it pastes $host into the command string that is given to system().
Notice that the script never checks what kind of data was submitted and does not filter anything.
Now, what if I enter www.google.com as the input? (ping expects a host name, not a URL, so we use the bare name.) Our command becomes:
system("ping www.google.com -v");
That is all fine.
Now things get interesting.
What if I enter whoami as the input? (whoami is a Linux command that prints the current user name.)
Do you think our second command is executed?
No. The command is now ping whoami -v, so although both ping and whoami are Linux commands, whoami is only an argument to ping here (a host name that does not resolve). We can't do it that way.
If we want to combine two Linux commands we can do it this way:
date && whoami
What does && do? It runs the second command only if the first one succeeds, that is, exits with status 0.
The output will be the current date followed by the user name.
Ok. Now I enter this as the input: www.google.com && whoami
Our command becomes:
system("ping www.google.com && whoami -v");
It's still not working!
Did you notice why?
There is no -v option for whoami, so it fails with an error. We can try this payload instead: www.google.com && whoami &
We saw that && only runs the second command if the first one succeeds. A single & instead puts everything before it into the background and the shell carries on with whatever follows, regardless of success or failure, so the trailing -v becomes a separate command of its own (which simply fails with "command not found") and no longer interferes with whoami.
Finally our command is:
system("ping www.google.com && whoami & -v");
The shell runs ping www.google.com && whoami as a background job and then tries to run -v on its own. One practical caveat: on Linux, ping keeps running until it is interrupted unless a count is given with -c, so in this chain whoami is only reached once ping has exited successfully; in a real test you would build the payload so that the injected command does not have to wait for ping to finish.
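As an added example (not code from the original tutorial), the following PHP replays the inputs used above through the same vulnerable string concatenation, so you can see exactly what the shell receives, and places a hardened version of the ping.php back end beside it. The function names, the hostname regular expression and the extra -c 4 option are my own assumptions, not from the tutorial; escapeshellarg() is the standard PHP function for quoting a single shell argument.

```php
<?php
// Added example, not code from the original tutorial.
// Assumptions: Linux with iputils ping and a POSIX /bin/sh; the trusted part
// of the command is "ping <host> -v" as in the tutorial. The function names,
// the hostname regex and the added "-c 4" are my choices, not the page's.

// 1. The vulnerable construction, exactly as the tutorial's ping.php builds it:
//    whatever the user typed is pasted verbatim into the command line.
function vulnerable_command(string $host): string
{
    return "ping $host -v";
}

// 2. A hardened construction with two independent layers.
//    Layer 1: allow-list the syntax of a hostname (RFC 1123 labels of 1-63
//    characters, 253 characters in total) and reject anything else instead of
//    trying to "clean" it.
function is_valid_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match("/^{$label}(\\.{$label})*$/", $host) === 1;
}

//    Layer 2: escapeshellarg() wraps the value in single quotes so the shell
//    hands it to ping as ONE argument; & && ; | ` $ and spaces lose their
//    meaning. "-c 4" bounds the run: without it Linux ping never exits and
//    system() would block forever.
function safe_command(string $host): ?string
{
    if (!is_valid_hostname($host)) {
        return null;
    }
    return 'ping -c 4 -v ' . escapeshellarg($host);
}

// Replay the tutorial's inputs (constructed here) through both builders.
$inputs = [
    'www.google.com',
    'whoami',
    'www.google.com && whoami',
    'www.google.com && whoami &',
];

foreach ($inputs as $input) {
    echo "input      : $input\n";
    echo "vulnerable : " . vulnerable_command($input) . "\n";
    echo "hardened   : " . (safe_command($input) ?? 'REJECTED (400 Bad Request)') . "\n\n";
}

// The hardened request handler for ping.php would then be:
//   $cmd = safe_command($_GET['target'] ?? '');
//   if ($cmd === null) { http_response_code(400); exit('invalid host'); }
//   system($cmd);
```

Reading the vulnerable lines it prints: for the last input the shell receives ping www.google.com && whoami & -v, which sh parses as the background list ping www.google.com && whoami followed by the separate command -v. The hardened builder rejects the two inputs containing && because spaces and & are not hostname characters, while whoami passes the syntax check and is harmless, since it only ever reaches ping as a host name. The allow-list also matters on its own: escapeshellarg() stops shell injection but would still let an input beginning with - reach ping as a single argument that ping may read as an option, and a hostname can never start with -.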
So this is the basic theory of how command injection (RCE) works. In the next tutorials we are going to see what we can do with this vulnerability.