Remote Command Execution
In this article we are going to look at another interesting topic in web application hacking: remote command execution. The same vulnerability is also known as remote code execution, OS command execution, OS command injection, etc.
This vulnerability is also the result of poor input filtering and weak logic in a web application. We are going to look at the theoretical background of the vulnerability and some variations of the attack, and also discuss some ways to prevent remote command execution attacks in web applications.
The theoretical background of RCE
First of all, let's see how a remote command execution vulnerability can arise in a web application. In many cases we want to run some commands on the back-end server and show the result on the front end, and we may use the user's input as arguments to those commands.
In this tutorial we only consider PHP back ends. The PHP language has functions such as system() and exec() to run a command on the back-end server. Let's discuss them one by one to understand what they do.
The system() function
This function takes the command as its parameter, executes it on the Linux server and prints the output.
The exec() function
This function also executes the given parameter as a Linux command, but it does not print the output. If we want to see the output, we need to use echo together with this function. Like this one.
Now we have learned enough theory, so let's go ahead and see what remote command execution (OS command execution) is.
A Practical example of RCE
Think about the following web application.
Assume that the following is the HTML code for this output.
It simply takes the hostname from the user as input and sends it via a GET request to the back-end script for further handling.
Now, how does the back-end PHP script handle this input and show the result to the user?
Can you imagine what it does?
It takes the data sent by the GET method and saves it in a variable called host.
Then it passes that host to the system() function as the argument.
Did you notice that the PHP script does not check what kind of data has been submitted and does not filter anything?
Now, what if I enter http://www.google.com as the input?
Our query becomes:
system("ping http://www.google.com -v");
It's all OK and fine.
Now things get interesting.
What if I enter 'whoami' as the input?
(whoami is a Linux command which prints the current user name)
Do you think our second command is executed?
Although both ping and whoami are Linux commands, we can't run the second one that way.
If we want to combine two Linux commands, we can do it this way:
date && whoami
What does && do? It runs the second command only if the first one succeeds, so when both are valid commands both of them get executed and output their results.
The output will be:
OK. Now I enter this as the input:
http://www.google.com && whoami
Now our query becomes:
system("ping http://www.google.com && whoami -v");
It's still not working, dude!
Did you notice why?
There is no -v argument for the whoami command. We can try this payload:
http://www.google.com && whoami &
We saw that && only lets the second command run when the first one succeeds. But if we use a single &, the first command is put in the background and the two run independently of each other, even if they are not both valid: whichever one is valid gets executed.
Finally, our query is:
system("ping http://www.google.com && whoami & -v");
So this is the basic theory of how RCE works. In the next tutorial we are going to see what can be done with this vulnerability.
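As an added example (not code from the original article), here is the unfiltered back-end handler described above next to a hardened version. It assumes the hostname arrives as the GET parameter host, as in the article, and PHP 7.4 or later for the array form of proc_open().

```php
<?php
// Added example, not code from the original article. Assumes the hostname
// arrives as ?host=... (as in the article) and PHP >= 7.4 for array proc_open().

// VULNERABLE: the raw GET value is spliced into a shell command line, so
// shell metacharacters such as "&&" and "&" add further commands.
function pingVulnerable(string $host): void
{
    system("ping " . $host . " -v");
}

// Hardened step 1: accept only a syntactically valid hostname. FILTER_FLAG_HOSTNAME
// allows just letters, digits, dots and hyphens, and each label must start with a
// letter or digit, so neither "&& whoami &" nor a leading "-" (an extra ping option)
// gets through. Prefer an allow-list of known hosts where one exists.
function isValidHostname(string $host): bool
{
    return strlen($host) <= 253
        && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Hardened step 2: start ping directly with an argument array. No shell is
// involved, so metacharacters in $host could not be interpreted even if the
// validation were bypassed. On PHP < 7.4, fall back to
// exec('ping -c 1 ' . escapeshellarg($host) . ' 2>&1', $out).
function pingHardened(string $host): string
{
    if (!isValidHostname($host)) {
        return "invalid hostname";
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];   // capture stdout and stderr
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return "could not start ping";
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Web entry point: validate, run, and HTML-escape the result before echoing it.
$host = $_GET['host'] ?? '';
echo '<pre>' . htmlspecialchars(pingHardened($host), ENT_QUOTES, 'UTF-8') . '</pre>';
```

With this handler the payload from the article (http://www.google.com && whoami &) is rejected at validation, and even a value that slipped through would reach ping as a single argument, never a shell.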
Hi, I'm Thilan from Sri Lanka, an undergraduate Engineering student at the University of Ruhuna. I love to explore things about CS, hacking, reverse engineering, etc.