Jun 16, 2020

Remote Command Execution

How are you guys, I hope you are enjoying our site.

Did you read sqli tutorials and xss tutorial? In this post I'll show you what is remote command execution.

In some times we call it remote code execution or OS command execution.Any way what's going on hear is same.

We run a shell command through a web application functionality.

First of all we have to understand how is possible to execute a Linux command in a web application.

In PHP we have some functions to do this.Like system(), exec() etc.

Now let's see how these functions work

System()

<?php
$cmd = 'uname -a' ;
system($cmd);
?>

what this function does is get the command as a parameter and execute it on the Linux server and print the output.

exec()

<?php
$cmd= 'whoami';
exec($cmd);
?>

This function also execute the given parameter as a Linux command.But one thin about this function is it'll don't print out the output.If we want to get output we need to use echo command with this function.Like this one.

<?php
$cmd=$_GET['cmd'];
echo exec($cmd);
?>

Now we learned enough theory so we can go ahead and see what is remote command execution or OS command execution.

Think about following web application.

assume that following is the HTML code for this output.

<html>
<body>
<form action="ping.php" method="Get">
Host:<br>
<input type="text" name="target" >
<br>

<input type="submit" value="Submit">
</form>
</body>
</html>

you know that it simply fetch the host name from user as an input and sent it via a get request to back-end script for further handling.

now how back end PHP script handle this input and show the result data to the user?

<?php
$host = $_get[target];
system(ping $host -v);
?>

Can you imagine what it does?

it'll take the data which is send by GET method and save that data to a variable called host.

Then give that host to system function as the argument.

Did you notice that PHP script does not check what kind of data is been submitted and it does not filter any thing.

Now, What if I enter http://www.google.com as the input?

Our quarry become.
system(ping http://www.google.com -v);

It's all OK and fine.

Now the time things getting interested.

What if I enter 'whoami' as the input?

(whoami is a Linux command which will give you the user name)

Do you think our second command is executed?

No buddy.

while both ping and whoami are linux commands we can't do this that way.

If we want to combine two linux command we can do it this way.

date && whoami

what && do? If both commands are valid then both off them will get executed and out put the results.

The output will be.

Ok.Now I enter this as input.

http://www.google.com && whoami

Now our query becomes.

system(ping http://www.google.com && whoami  -v);
It's still not working dude!

Did you notice why?

There is no argument called -v for the whoami command. We can try this payload.

http://www.google.com && whoami &

We saw that && let commands run if both of them are valid.But if we use & , we can run them even both of them are not valid.If one is valid then valid command get executed.

Finally our quarry is.

system(ping http://www.google.com && whoami & -v);

So this is the basic theory of how RCE is working.In next tutorials we are going to see what we can do with this vulnerability

Jun 17
Simple crackme tutorial for beginners - 01

Today I selected a basic crackme to demonstrate crackme solving with GDB. Also, we can solve this....

Jun 09
Functions in python programming

Functions are life savers. Yes they make our life easier. A function is a peace of code and used to....

Aug 12
Variables | Python programming

You know that variable is a memory space ant it contains a value. When we talk in low level that's....

Replying to 's comment Cancel reply
CATEGORIES
ABOUT AUTHER
Thilan Danushka Dissanayaka

Thilan Dissanayaka

Hi, I'm Thilan from Srilanka. An undergraduate Engineering student of University of Ruhuna. I love to explorer things about CS, Hacking, Reverse engineering etc.

SOCIAL
RANDOM ARTICLES