Jun 16, 2020

Remote Command Execution

How are you guys, I hope you are enjoying our site.

Did you read the SQLi tutorials and the XSS tutorial? In this post I'll show you what remote command execution is.

Sometimes we call it remote code execution or OS command execution. Anyway, what's going on here is the same.

We run a shell command through a web application's functionality.

First of all we have to understand how it is possible to execute a Linux command from a web application.

In PHP we have some functions to do this, like system(), exec() etc.

Now let's see how these functions work.


$cmd = 'uname -a';
system($cmd);

What this function does is take the command as its parameter, execute it on the Linux server and print the output.


$cmd = 'whoami';
exec($cmd);

This function also executes the given parameter as a Linux command. But one thing about this function is that it doesn't print the output. If we want to get the output we need to use echo with this function, like this one:

echo exec($cmd);

Now we have learned enough theory, so we can go ahead and see what remote command execution or OS command execution is.

Think about the following web application.

Assume that the following is the HTML code for this output.

<form action="ping.php" method="get">
<input type="text" name="target">
<input type="submit" value="Submit">
</form>

You know that it simply fetches the host name from the user as an input and sends it via a GET request to the back-end script for further handling.

Now, how does the back-end PHP script handle this input and show the result to the user?

// The target is taken from the query string with no validation or filtering
$host = $_GET['target'];
system("ping $host -v");

Can you imagine what it does?

It'll take the data which is sent by the GET method and save that data to a variable called host.

Then it gives that host to the system function as the argument.

Did you notice that the PHP script does not check what kind of data has been submitted, and it does not filter anything?

Now, what if I enter http://www.google.com as the input?

Our query becomes:

system("ping http://www.google.com -v");

It's all OK and fine.

Now things are getting interesting.

What if I enter 'whoami' as the input?

(whoami is a Linux command which will give you the user name.)

Do you think our second command is executed?

No, buddy.

While both ping and whoami are Linux commands, we can't do it that way.

If we want to combine two Linux commands we can do it this way:

date && whoami

What does && do? If both commands are valid then both of them will get executed and output the results.

The output will be.

OK. Now I enter this as input:

http://www.google.com && whoami

Now our query becomes:

system("ping http://www.google.com && whoami -v");

It's still not working, dude!

Did you notice why?

There is no argument called -v for the whoami command. We can try this payload:

http://www.google.com && whoami &

We saw that && lets the commands run if both of them are valid. But if we use &, we can run them even if both of them are not valid: if one is valid then the valid command gets executed.

Finally our query is:

system("ping http://www.google.com && whoami & -v");

So this is the basic theory of how RCE works. In the next tutorials we are going to see what we can do with this vulnerability.
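As an added example that is not part of the original post, here is the ping.php handler from above placed beside a hardened version. The function names, the hostname check and the idea of rejecting bad input instead of cleaning it are my own assumptions; the point is that once the target is validated and passed through escapeshellarg(), the shell sees && and & as ordinary characters, not as command separators.

```php
<?php
// Added example, not the post's own code. Only runPing() actually calls
// system(); the build*() functions just return the command string so the
// difference between the two versions is visible.

// Vulnerable: the raw GET value is pasted straight into a shell command.
function buildCommandUnsafe(string $target): string
{
    return "ping $target -v";
}

// Hardened: accept only a plain hostname or IPv4 address, then quote it
// anyway so the shell never interprets metacharacters. (A URL such as
// http://www.google.com is rejected on purpose; users enter the bare host.)
function buildCommandSafe(string $target): ?string
{
    $label  = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHost = (bool) preg_match("/^$label(\\.$label)*$/", $target);
    $isIp   = filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    if (!$isHost && !$isIp) {
        return null;   // reject instead of trying to "clean" the input
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded quote, so "&&" and "&" become literal text inside the argument.
    return 'ping ' . escapeshellarg($target) . ' -v';
}

// What the hardened ping.php would do with $_GET['target'].
function runPing(string $target): void
{
    $cmd = buildCommandSafe($target);
    if ($cmd === null) {
        http_response_code(400);
        echo "invalid target\n";
        return;
    }
    system($cmd);
}

// Constructed inputs: a normal host and the chained payload from the post.
$inputs = ['www.google.com', 'www.google.com && whoami &'];
foreach ($inputs as $in) {
    echo "input:  $in\n";
    echo "unsafe: " . buildCommandUnsafe($in) . "\n";
    echo "safe:   " . (buildCommandSafe($in) ?? '(rejected)') . "\n\n";
}
```

For the second input the unsafe builder returns a string containing a live && chain, while the safe builder returns null and the handler answers with a 400 instead of running anything.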

Thilan Dissanayaka

Hi, I'm Thilan from Sri Lanka. An undergraduate Engineering student of the University of Ruhuna. I love to explore things about CS, hacking, reverse engineering etc.