Most common theoretical web RCEs, with some exploits and PoCs to practise with (not real CVEs)
PYTHON:
1. Unsafe Deserialization of untrusted input data:
a. pickle.load(): RCE through deserialization of untrusted data passed to an uncontrolled pickle.load() call
2. Command Injection and Argument Injection:
Dangerous Functions:
#Three ways to invoke commands in Python
os.system(payload)
os.popen(payload)
subprocess.call(payload,shell=True)
subprocess.call(payload,shell=False) --> Be careful when tokenizing strings that contain user input data
Defense:
Escape bash special chars and spaces using pipes.quote()/shlex.quote(). Take care of tokenization.
==> Passing a string built from user input to these functions without escaping could be lethal. In this PoC I will try to create a realistic use case where we can play with these functions and realise the problems involved.
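The Python defense above, as an added example that is not part of the original PoC: shlex.quote() for a string that reaches a shell (shell=True), an argument list plus validation for shell=False, and the tokenization pitfall the note warns about. The function names, the ping command and the hostname regex are assumptions.

```python
import re
import shlex
import subprocess

# Hypothetical allow-list for the one value we accept from the user.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def valid_host(host: str) -> bool:
    """Reject anything that is not a plain hostname. The leading '-' check
    blocks argument injection (user input parsed as a ping option)."""
    return bool(HOSTNAME_RE.fullmatch(host)) and not host.startswith("-")


def shell_command(host: str) -> str:
    """String form for os.system()/os.popen()/shell=True.
    shlex.quote() wraps input containing shell metacharacters in single
    quotes, so the shell sees one literal word, not extra commands."""
    return "ping -c 1 " + shlex.quote(host)


def argv_command(host: str) -> list:
    """List form for subprocess with shell=False. No shell parses it, so
    metacharacters are harmless; '--' additionally ends option parsing
    for getopt-style tools so the host can never be read as a flag."""
    if not valid_host(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", "--", host]


def naive_tokens(host: str) -> list:
    """The tokenization pitfall: splitting a string that already contains
    raw user input turns spaces in that input into extra argv entries."""
    return shlex.split("ping -c 1 " + host)


def run_ping(host: str) -> int:
    """Hardened invocation: validated host, argument list, no shell."""
    return subprocess.call(argv_command(host), shell=False)
```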
JAVA:
1. Unsafe Deserialization of untrusted input data:
a. readObject(): RCE through deserialization of uncontrolled input in the readObject() method of a serializable class. Control over that object's attributes, combined with the presence of dangerous invocation handlers on the classpath, makes this vulnerability reproducible. BeanShell is included in this PoC (CVE-2016-2510)
2. Command Injection and Argument Injection:
Dangerous Functions:
Runtime.getRuntime().exec(
new ProcessBuilder(cmd).start();
Defense:
Do not invoke bash/sh/cmd directly as the process
Pass a String[] argument array instead of a single command String to Runtime.exec, or use ProcessBuilder
PHP:
1. Command Injection and Argument Injection:
Dangerous Functions:
popen(
shell_exec(
exec(
passthru(
system(
proc_open(
`command`
Defense:
escapeshellcmd()
escapeshellarg()
==> Passing a string built from user input to these functions without escaping could be lethal. In this PoC I will try to create a realistic use case where we can play with these functions and realise the problems involved.
RUBY:
1. Command Injection and Argument Injection:
Dangerous Functions:
#Kernel Module
system("#{payload}")
#Replaces the current process, so the server is terminated
exec("#{payload}")
#Doesn't leave a trace in the server log?
`#{payload}`
%x( #{payload} )
%x{ #{payload} }
%x[ #{payload} ]
%x< #{payload} >
#Special case: Kernel#open runs a command only when the whole string is controlled and starts with "|" followed by the command
open("#{payload}")
#Process Module
spawn("#{payload}")
#IO Module
IO.popen("#{payload}")
Defense:
Escape bash special chars and spaces using Shellwords.escape(). Take care of tokenization.
==> Passing a string built from user input to these functions without escaping could be lethal. In this PoC I will try to create a realistic use case where we can play with these functions and realise the problems involved.