Mar 23, 2024

Remote Command Execution

In this article we are going to look at another interesting topic in web application hacking: remote command execution. The same class of vulnerability also goes by the names remote code execution, OS command execution and OS command injection. Strictly speaking, "command injection" names the bug (user input is spliced into a string that is handed to a shell) and "remote code execution" names the impact (an attacker gets to run code of their choosing on the server).

Just like most web application vulnerabilities, this one is the result of poor input filtering and weak application logic. We are going to cover the theoretical background of the vulnerability and some variations of the attack. The ultimate goal of learning these vulnerabilities as a developer is to minimise the chance of them appearing in your own web applications, so at the end we will also discuss how to prevent remote command execution.

First, let's see how a remote command execution vulnerability can arise in a web application. In many cases we want to run a command on the back-end server and show its result in the front end, and we may use the user's input as an argument to that command. If we are not careful about validating or filtering that input, an attacker gets a great chance to run commands of their own on the server through our web app.

As the first step, we are going to look at a PHP environment. PHP provides functions such as system() and exec() to run a command on the back-end server. Let's discuss them one by one to understand what each of them does.

The system() & exec() functions

To execute a shell command and display its output:

$last_line = system('ls -la');
echo $last_line;

In this example, system() hands the string ls -la to /bin/sh -c, writes everything the command prints directly to PHP's output as it arrives, and returns only the last line of that output. So the listing is displayed by system() itself; $last_line holds just the final line, and the echo repeats it.

To execute a command and capture its exit code:

$last_line = system('ping -c 1 google.com', $exit_code); // -c 1: send one packet so ping terminates
echo "Exit code: " . $exit_code . "\n";

The second argument to system() is passed by reference and receives the command's exit status (0 on success, non-zero on failure). The output is still printed directly, and the return value is, as before, the last line of output.

To execute a command and redirect its output to a file:

system('ls -la > directory.txt');

In this example nothing appears on the page: because the string is interpreted by the shell, the redirection operator > is honoured and the listing is written to directory.txt. Keep this in mind for the rest of the article: everything in the command string, including shell metacharacters such as >, &&, ;, |, & and $(...), is interpreted by /bin/sh, not by PHP.

exec() takes a command string in the same way but prints nothing by itself. It returns the last line of output; if you pass an array as the second argument, every line of output is appended to it, and an optional third argument receives the exit code.

<?php
$output = exec("ls");  // runs ls via the shell; returns only the last line and prints nothing
echo $output;          // display that line
?>

An Example of RCE

Think about the following web application: a page that asks you for a host and pings it for you.

Assume that the following is the HTML behind that page.

<form method="get">
  Host:<br />
  <input type="text" name="host" />
  <br />
  <input type="submit" value="Submit" />
</form>

It simply takes a hostname from the user and sends it, as the host parameter of a GET request, to the back-end script for further handling.

Now, how does the back-end PHP script handle this input and show the result to the user?

Can you imagine what it does?

It takes the data sent by the GET method and saves it in a variable called host.

Then it passes host to the system() function, concatenated into the command string as the argument of ping.

Did you notice that the PHP script never checks what kind of data was submitted? Nothing is validated or filtered.

Now, what if I enter www.google.com as the input? (ping expects a bare hostname, not a URL.)

Our query becomes:

system("ping www.google.com -v");

That is all fine: the shell runs ping with our hostname and the page shows its output.

Now things get interesting.

What if I enter whoami as the input?

(whoami is a Linux command that prints the name of the current user. Run through the web app, it tells us which account the web server executes commands as.)

Do you think our second command is executed?

No. The shell receives ping whoami -v, so whoami is just the hostname argument of ping. Both ping and whoami are Linux commands, but the shell only sees one command here, so we can't do it that way.

If we want to chain two Linux commands we can do it this way:

date && whoami

What does && do? It runs the second command only if the first one exits successfully (exit status 0). If both succeed, both run and both print their output.

The output will be the current date followed by the username.

OK. Now I enter this as the input:

www.google.com && whoami

Now our query becomes:

system("ping www.google.com && whoami -v");

It's still not working!

Did you notice why?

The -v that the script appends to the command string now belongs to whoami, and whoami has no -v option, so it exits with an error instead of printing the username. We can try this payload instead:

www.google.com && whoami &

We saw that && runs the second command only if the first one succeeds. A single & is different: it terminates the command list before it and runs that list in the background, and the shell then carries on parsing whatever follows as a new command, regardless of the exit status of what came before. So the appended -v becomes a command of its own (which fails harmlessly with "command not found"), while ping and whoami run in the background and their output still comes back to us.

Finally, our query is:

system("ping www.google.com && whoami & -v");

A ; separator, or a trailing # to comment out the appended -v, would do the same job; the point is that any shell metacharacter in the input reaches /bin/sh unfiltered.
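As an added example (this is not code from the original article), here is a reconstruction of the kind of back-end script the walkthrough describes, with a hardened version beside it. It also exercises the exec() output-array and exit-code parameters from the system() and exec() section above. Assumptions: the form field is named host, the server is Linux, ping -c 1 is used so the command terminates, and the function names ping_vulnerable, is_valid_hostname and ping_hardened are mine.

```php
<?php
// Added example, not code from the original article. It reconstructs the
// kind of back-end script the walkthrough describes (assumption: the form
// field is called "host" and arrives via GET, and the server is Linux so
// "ping -c 1" sends a single packet and terminates) and places a hardened
// version next to it.

// Vulnerable: the raw input is concatenated into the command string, which
// exec()/system() hand to /bin/sh -c, so &&, ;, |, &, $(...) and backticks
// in the input are interpreted by the shell.
function ping_vulnerable(string $host): string
{
    $lines = [];
    exec("ping -c 1 " . $host . " -v 2>&1", $lines);
    return implode("\n", $lines);
}

// Allowlist check for a DNS hostname: dot-separated labels of 1-63 letters,
// digits or hyphens, no leading/trailing hyphen, at most 253 characters.
// Every shell metacharacter fails this test.
function is_valid_hostname(string $host): bool
{
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match("/^{$label}(\\.{$label})*$/", $host) === 1;
}

// Hardened: reject anything that is not a hostname, then quote what is left
// with escapeshellarg() so it reaches ping as exactly one argument. The exit
// code is collected through exec()'s third parameter.
function ping_hardened(string $host): array
{
    if (!is_valid_hostname($host)) {
        return ['status' => 1, 'output' => 'invalid hostname'];
    }
    $lines  = [];
    $status = 0;
    exec("ping -c 1 " . escapeshellarg($host) . " 2>&1", $lines, $status);
    return ['status' => $status, 'output' => implode("\n", $lines)];
}

// Constructed inputs: the benign hostname and the article's final payload.
$benign  = 'www.google.com';
$payload = 'www.google.com && whoami & -v';

echo "vulnerable, benign input:\n" . ping_vulnerable($benign) . "\n\n";
// The shell runs "ping -c 1 www.google.com && whoami" in the background and
// then "-v" as a command of its own; the username appears in the output
// (provided the ping succeeds, since && requires that).
echo "vulnerable, payload:\n" . ping_vulnerable($payload) . "\n\n";
// Rejected by the allowlist before any shell is involved.
echo "hardened, payload:\n";
print_r(ping_hardened($payload));
// With a valid hostname the hardened version still works and also reports
// the exit code, which the vulnerable version never looks at.
print_r(ping_hardened($benign));
```

Run it with php on a Linux host. The allowlist is the real fix: a hostname can only contain letters, digits, hyphens and dots, so there is nothing for the shell to misinterpret. escapeshellarg() is defence in depth for the case where the validation is ever loosened. Better still is to avoid the shell entirely: since PHP 7.4, proc_open() accepts the command as an array of argv entries, which bypasses /bin/sh and leaves no string for metacharacters to act on.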

So this is the basic theory of how remote command execution works. In the next tutorials, we are going to see what we can do with this vulnerability.
