A remote code execution (RCE) vulnerability occurs when an application uses usercontrolled input without sanitizing it. RCE is typically exploited in one of two ways. The first is by executing shell commands. The second is by executing functions in the programming language that the vulnerable application uses or relies on.
Executing Shell Commands
This RCE vulnerability occurs because user input is passed directly into PHP's shell_exec() without sanitization. By appending commands like ;id, an attacker can execute arbitrary shell commands on the server. The impact depends on the server user's permissions and could allow file access or data theft. Using functions like escapeshellcmd() helps mitigate the risk, but preventing RCE requires careful input validation.
Executing Functions
This type of RCE happens when user input is passed directly into a function like PHP's call_user_func() without validation. If the action parameter controls which function is executed, an attacker can supply dangerous functions such as file_get_contents to read sensitive files like /etc/passwd. In more severe cases, they could call functions like system or shell_exec to run shell commands. Without strict filtering of allowed functions, this can lead to full server compromise.
Strategies for Escalating Remote Code Execution
RCE can allow attackers to run application functions or full shell commands, potentially compromising the entire server. The impact depends on user permissions and possible local privilege escalation (LPE). Common red flags include parameters controlling system commands, dynamic function calls, or unrestricted file uploads that execute on the server.
Polyvore ImageMagick
Difficulty: Medium
URL: Polyvore.com (Yahoo! acquisition)
Source: http://nahamsec.com/exploiting-imagemagick-on-yahoo/
Date reported: May 5, 2016 Bounty paid: $2,000
In 2016, a critical ImageMagick vulnerability ("ImageTragick") allowed RCE through malicious image files. Because user input wasn't properly sanitized, attackers could upload crafted MVG or SVG files that executed shell commands when processed. Researchers proved this by triggering commands like id on vulnerable servers and receiving the output remotely.
Takeaways
Stay aware of publicly disclosed vulnerabilities and test whether websites are running unpatched versions — while respecting program rules about reporting timelines.
Algolia RCE on facebooksearch.algolia.com
Difficulty: High
URL: facebooksearch.algolia.com
Date reported: April 25, 2016 Bounty paid: $500
Michiel Prins discovered that Algolia had exposed its Rails secret_key_base in a public repository. Because this secret signs session cookies, an attacker could forge valid cookies, and unsafe deserialization of that data could potentially lead to RCE.
Note:
To learn more about deserialization, see these two great resources: Matthias Kaiser's "Exploiting Deserialization Vulnerabilities in Java" talk at https://www.youtube .com/watch?v=VviY3O-euVQ/ and Alvaro Muñoz and Alexandr Mirosh's "Friday the 13th JSON attacks" talk at https://www.youtube.com/watch?v =ZBfBYoK_Wr0/).
Takeaways
Automated recon tools can uncover exposed secrets in public repositories. Although deserialization exploits are complex, tools like Rapid7's Rails Secret Deserialization and ysoserial can help generate payloads and simplify testing.
RCE Through SSH
Difficulty: High
URL: N/A
Source: blog.jr0ch17.com/2018/No-RCE-then-SSH-to-the-box/
Date reported: Fall 2017 Bounty paid: Undisclosed
When given a large scope, automate asset discovery and look for subtle red flags. Jasmin Landry enumerated subdomains and used screenshot tools to spot an outdated CMS with default credentials. After finding multiple minor flaws, he discovered an API endpoint that allowed arbitrary file writes via path traversal. By writing his own SSH public key into /root/.ssh/authorized_keys, he gained root SSH access—achieving full remote code execution.
Takeaways
Enumerate subdomains to expand scope. Small bugs can lead to bigger ones, keep digging and show full impact for better rewards.
Summary
RCE often happens when user input isn't properly sanitized. One case involved ImageMagick passing unescaped input to system commands, another exposed a secret used to forge signed cookies, and a third allowed arbitrary file writes to overwrite SSH keys. Different paths, but all exploited unsafe handling of user-controlled input.
See you in next chapter!