Remote Command Execution

HacksLand | The computer science playground

Posted by Thilan Dissanayaka on Aug 16, 2019

How are you guys? I hope you are enjoying our site.

Did you read the SQLi and XSS tutorials? In this post I'll show you what remote command execution is.

Sometimes it is called remote code execution or OS command execution (strictly speaking, OS command injection is the bug and remote command execution is what it gives the attacker). Whatever the name, what is going on here is the same:

the attacker runs a shell command of their choosing on the server through the web application's own functionality.

First of all, we have to understand how it is even possible to execute a Linux command from a web application.

PHP has several functions for this, such as system(), exec(), shell_exec() and passthru().

Now let's see how these functions work.

$cmd = 'uname -a';
system($cmd);

What system() does is take the command as its parameter, run it on the Linux server through the shell, and print the output straight to the page (it also returns the last line of that output).


$cmd = 'whoami';
exec($cmd);

This function also runs the given parameter as a Linux command, but one thing about exec() is that it doesn't print the output. It returns the last line of the output (and can fill an array with all the lines through its optional second parameter), so if we want to see the result we have to echo it, like this:

echo exec($cmd);

Now we have learned enough theory, so let's go ahead and see what remote command execution (OS command injection) really is.

Think about the following web application: a page that pings a host of your choice.

Assume the following is its HTML form:

<form action="ping.php" method="GET">
<input type="text" name="target">
<input type="submit" value="Submit">
</form>

You can see that it simply takes a host name from the user as input and sends it via a GET request to the back-end script for further handling.

Now, how does the back-end PHP script handle this input and show the result to the user?

$host = $_GET['target'];
system("ping $host -v");

Can you imagine what it does?

It takes the data sent by the GET request and saves it in a variable called $host.

Then it passes that host to the system() function as part of the argument, so the shell runs ping $host -v.

Did you notice that the PHP script does not check what kind of data has been submitted and does not filter anything? Whatever you type into the form goes straight onto a shell command line.
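The same back end next to a hardened version of it, as an added example that is not from the original post. It is written in Python rather than PHP so that it can be run as-is; the PHP equivalent of the fixes below is to validate the hostname against an allow-list and pass it through escapeshellarg(). The hostname pattern is an assumption of this example.

```python
import re
import shlex

# Loose RFC 1123 hostname check (assumption of this example): labels of
# letters, digits and hyphens, not starting or ending with a hyphen, joined
# by dots. Shell metacharacters such as & ; | ` $ ( ) and spaces cannot pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target: str) -> str:
    """What the page's ping.php does: paste the raw GET parameter straight
    into the command line that system() hands to /bin/sh."""
    return f"ping {target} -v"


def is_valid_hostname(target: str) -> bool:
    """Allow-list check: only something that looks like a hostname gets through."""
    return HOSTNAME_RE.match(target) is not None


def hardened_argv(target: str) -> list:
    """Preferred fix: validate, then build an argv list. With a list there is
    no shell in the loop, so & ; | and friends are never interpreted. Because a
    valid hostname cannot start with '-', it cannot be mistaken for an option."""
    if not is_valid_hostname(target):
        raise ValueError(f"refusing target {target!r}: not a hostname")
    return ["ping", "-v", target]


def quoted_shell_command(target: str) -> str:
    """Fallback when a shell command line is unavoidable: quote the argument so
    the shell treats it as one literal word. shlex.quote is the Python
    counterpart of PHP's escapeshellarg(). Validation should still come first."""
    return f"ping {shlex.quote(target)} -v"


if __name__ == "__main__":
    for target in ["localhost", "& whoami &"]:
        print("raw   :", vulnerable_command(target))
        print("quoted:", quoted_shell_command(target))
        if is_valid_hostname(target):
            print("argv  :", hardened_argv(target))
        else:
            print("argv  : rejected")
```

The argv form is the one to prefer: quoting stops the shell from splitting the input, but it still relies on the shell's parser getting every edge case right, whereas a validated argv list never involves a shell at all.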

Now, what if I enter an ordinary hostname as the input?

Our query becomes, with the hostname you typed in place of <hostname>:
system("ping <hostname> -v");

Everything is OK and fine: ping runs against that host and its output is sent back to you.

Now things are getting interesting.

What if I enter whoami as the input?

(whoami is a Linux command that prints the user name you are running as.)

Do you think our second command is executed?

No, buddy.

The shell just sees ping whoami -v, so whoami is nothing more than the host name that ping tries to resolve. Both ping and whoami are Linux commands, but we can't chain them that way.

If we want to combine two Linux commands, we can do it this way:

date && whoami

What does && do? It runs the command on its right only if the command on its left succeeds (exits with status 0). date succeeds, so whoami runs too, and the output is the current date followed by your user name.

OK. Now I enter this as the input: && whoami

Now our query becomes:

system("ping && whoami -v");

It's still not working, dude!

Did you notice why?

Two things go wrong. First, ping with no target prints its usage message and exits with a non-zero status, so && never lets whoami run at all. Second, even if it did run, the -v that the script appends would land on whoami's command line, and whoami has no -v option, so it would only print an error. We need a separator that does not care whether ping succeeded, so let's try the payload & whoami & instead.

We saw that && runs the second command only if the first one succeeds. A single & (like ;) separates commands unconditionally: the command before it is started in the background and the shell immediately carries on with whatever comes next, whether or not that first command worked.

One practical note: & is also the separator between parameters in a query string. When you type the payload into the form, the browser form-encodes it (& becomes %26 and spaces become +), so it arrives intact. If you build the URL by hand instead, you have to encode it yourself; otherwise the server splits the query string at your & and $_GET['target'] ends up empty.

Finally our query is:

system("ping & whoami & -v");

The shell now sees three separate commands: ping (backgrounded, and failing because it has no target), whoami (backgrounded, and printing the user the web server runs as) and a lone -v, which fails because there is no such command. The failures don't matter; whoami ran, and that is our injected command. You get the same result with ; whoami # as the payload, where ; separates the commands and # turns the trailing -v into a comment.

So this is the basic theory of how command injection works. In the next tutorials we are going to see what we can do with this vulnerability.
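To watch /bin/sh actually apply the separator rules discussed above, here is an added example (not from the original post) that replays the page's payloads the way the vulnerable ping.php would, and also checks the query-string point. Two stand-ins are assumptions of this example so that it runs anywhere without network access: false takes the place of ping (both exit non-zero when given no usable target) and id -u takes the place of whoami (it prints the numeric user id, which works even in containers without a passwd entry).

```python
import subprocess
from urllib.parse import parse_qs, urlencode

# Stand-ins (assumption of this example): "false" for a ping that fails for
# lack of a target, "id -u" for whoami.
PING = "false"
INJECTED = "id -u"

# The page's payloads, with whoami replaced by the stand-in.
PAYLOADS = {
    "plain":        INJECTED,             # like typing whoami: just an argument to ping
    "and_and":      f"&& {INJECTED}",     # the page's second attempt
    "and_and_bg":   f"&& {INJECTED} &",   # && then a trailing &
    "single_amp":   f"& {INJECTED} &",    # single &: unconditional separator
    "semi_comment": f"; {INJECTED} #",    # ; separates, # swallows the trailing -v
}


def run_like_ping_php(target: str) -> str:
    """Mimic system("ping $host -v"): build the same string and hand it to
    /bin/sh. Returns whatever the shell printed on stdout, stripped."""
    command = f"{PING} {target} -v"
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return proc.stdout.strip()


def injected_command_ran(target: str) -> bool:
    """True if the stand-in for whoami produced output, i.e. the injection worked."""
    return run_like_ping_php(target) != ""


def server_side_target(query_string: str) -> str:
    """What $_GET['target'] would hold for a raw query string. parse_qs splits
    on '&' exactly as PHP does, so an unencoded & inside the payload cuts the
    parameter short and leaves target empty."""
    return parse_qs(query_string, keep_blank_values=True).get("target", [""])[0]


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:13} {PING} {payload} -v  ->  injected command ran: {injected_command_ran(payload)}")
    raw = "target=" + PAYLOADS["single_amp"]          # URL typed by hand, & not encoded
    encoded = urlencode({"target": PAYLOADS["single_amp"]})  # what the browser form sends
    print("hand-built URL:", raw, "->", repr(server_side_target(raw)))
    print("form-encoded  :", encoded, "->", repr(server_side_target(encoded)))
```

Only the single-& and ;-with-# payloads make the injected command run; both && variants stop at the failing ping. The last two lines show why a hand-crafted URL with a bare & never reaches the shell in one piece while the form submission does.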

Hi, I'm Thilan, an engineering student from Sri Lanka. I love to code with Python, JavaScript, PHP and C.
