rebujacker/WebRCEPoCs
Web-RCE-PoC-s

Most common theoretical Web RCEs with some exploits and PoCs to practice with (not real CVEs)

PYTHON:

1. Unsafe Deserialization of untrusted input data:

	a. pickle.load(): RCE through deserialization using an uncontrolled pickle.load() call on attacker-supplied data

2. Command Injection and Argument Injection:

	Dangerous Functions:
	#Three ways to invoke commands in Python (subprocess.call shown with and without a shell)
	os.system(payload)
	os.popen(payload)
	subprocess.call(payload,shell=True)
	subprocess.call(payload,shell=False) --> No shell is spawned, but be careful when tokenizing strings that contain user input data: extra tokens become extra arguments (argument injection)

	Defense:
	Escape bash special chars and spaces, using pipes.quote()/shlex.quote() (the pipes module was removed in Python 3.13, so use shlex.quote()). Take care of tokenization.

	==> Passing a string from user inputs to these functions without escaping could be lethal. In this PoC I will try to create a real use case where we can play with these functions and realise the problems involved.
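The Python patterns above side by side, as an added example that is not part of this repository's PoCs: the string built for a shell, the argv list built by splitting a string (the tokenization problem with shell=False), and the hardened argv form with shlex.quote() for the cases where a shell string cannot be avoided. The hostile inputs are constructed samples and only echo is ever executed.

```python
import shlex
import subprocess


def unsafe_shell_command(user_input: str) -> str:
    """Vulnerable pattern: user input concatenated into a string destined
    for os.system()/os.popen()/subprocess.call(..., shell=True).
    Returned, never executed, so the injected ';' stays visible."""
    return "ping -c 1 " + user_input


def unsafe_split_argv(user_input: str) -> list:
    """Argument injection with shell=False: the argv list is built by
    splitting a string, so a space in the input adds tokens and a leading
    '-' becomes an option that ping will honour."""
    return ("ping -c 1 " + user_input).split()


def safe_argv(user_input: str) -> list:
    """Hardened form: one argv element per value, no shell involved, and
    '--' so the value is never parsed as an option, whatever it contains."""
    if "\x00" in user_input:          # NUL cannot be passed to execve()
        raise ValueError("NUL byte in argument")
    return ["ping", "-c", "1", "--", user_input]


def quoted_for_shell(user_input: str) -> str:
    """When a shell string is unavoidable, shlex.quote() turns the whole
    value into one shell word (single-quoted only when needed)."""
    return shlex.quote(user_input)


def run_echo(user_input: str) -> str:
    """Executes echo (harmless) with a proper argv and shell=False:
    metacharacters in the input are printed back literally."""
    result = subprocess.run(["echo", user_input], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "127.0.0.1; id"                # constructed sample input
    print(unsafe_shell_command(hostile))     # a shell would run 'id' after ping
    print(unsafe_split_argv("-v 127.0.0.1")) # '-v' became an option
    print(safe_argv("-v 127.0.0.1"))         # '-v 127.0.0.1' stays one value
    print(quoted_for_shell(hostile))         # '127.0.0.1; id'
    print(run_echo(hostile))                 # 127.0.0.1; id
```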

JAVA:

1. Unsafe Deserialization of untrusted input data:

	a. readObject(): RCE through deserialization using uncontrolled input in the .readObject() method of a serializable class. Control over this object's attributes, combined with the presence of dangerous invocation handlers, makes it possible to reproduce this vulnerability. BeanShell is included in this PoC (CVE-2016-2510)

2. Command Injection and Argument Injection:

	Dangerous Functions:
	Runtime.getRuntime().exec(cmd)
	new ProcessBuilder(cmd).start()

	Defense:
	Do not call bash/sh/cmd directly as the process
	Use a String[] instead of a single String when building the command for Runtime.exec(), or use ProcessBuilder

PHP:

1. Command Injection and Argument Injection:

	Dangerous Functions:
	popen(
	shell_exec(
	exec(
	passthru(
	system(
	proc_open(
	`command`
				
	Defense:
	escapeshellcmd() (escapes the metacharacters of a whole command string)
	escapeshellarg() (quotes a single argument)

	==> Passing a string from user inputs to these functions without escaping could be lethal. In this PoC I will try to create a real use case where we can play with these functions and realise the problems involved.

RUBY:

1. Command Injection and Argument Injection:

	Dangerous Functions:
	#Kernel Module
	system("#{payload}")
	#exec replaces the current process, so it finishes the server
	exec("#{payload}")

	#Doesn't leave trace in server log?
	`#{payload}`
	%x( #{payload} )
	%x{ #{payload} }
	%x[ #{payload} ]
	%x< #{payload} >
		
	#This one is special: we need control over the entire string, which must start with "|" followed by the commands
	open("#{payload}")
	#Process Module
	spawn("#{payload}")
	#IO Module
	IO.popen("#{payload}")
				
	Defense:
	Escape bash special chars and spaces, using Shellwords.escape(). Take care of tokenization.

	==> Passing a string from user inputs to these functions without escaping could be lethal. In this PoC I will try to create a real use case where we can play with these functions and realise the problems involved.
