A somewhat curated list of links to various topics in application security.

Remote Code Execution (RCE)

LinkExcerptWord Count
👩‍💻IW Weekly #39 : $10,000 Bounty, Zero-click Account Takeover, Stored XSS, Open Redirection Vulnerability, SQL Injection, RCE, Reconnaissance Techniques, and much more…Welcome to the #IWWeekly39 - the Monday newsletter that brings the best in Infosec straight to your inbox. IWCON2022 finally came to a glorious end ❤️ Thank you for joining us.657
The Tale Of SSRF To RCE on .GOV DomainWelcome back, I hope everyone is well. Without further hesitation let’s dive into it! What is SSRF? SSRF is Server Side Request Forgery. This is a high/critical vulnerability when demonstrated with impact.423
Chaining an Blind SSRF bug to Get an RCEMy name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be Discussing how I was able to get RCE by using Blind SSRF. But still there is a chance that will will missing some url.603
Just Gopher It: Escalating a Blind SSRF to RCE for $15kThe bug bounty program which this vulnerability was discovered on has not allowed for public disclosure, therefore I will not be directly naming the program involved. What I can say — this was discovered on the main scope of one of Hackerone’s longest-running, largest bug bounty programs.1685
Learn About Command Injection AttacksRemote code execution vulnerabilities are a class of vulnerabilities that happen when attackers can execute their code on your machine. One of the ways this can happen is through command injection vulnerabilities.862
Remote Code Execution explained with real life bug bounty reportsMight help other people.57
How I found RCE But Got DuplicatedSo first of All i can not show You the Name Of the Site Because Of security Issue But Let me tell You How Was I am able to bypass the file Upload functionality to Upload a shell to the website.500
SQL injection to RCEIn the next lines I will expose a case that I experimented in a customer penetration testing days ago, in my opinion was interest how I needed concatenate a few factors to get the RCE. For obvious reasons, some customer data will be anonymized.673
Diving into unserialize(): More than RCELast time, we talked about how PHP’s unserialize leads to vulnerabilities, and how an attacker can utilize it to achieve RCE. Today, let’s discuss some of the different ways that an attacker can exploit an unserialize() vulnerability.821
WRITE UP – Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance”Hi everyone It’s been a while since my last post but I’m back, I want to tell you a short story about why your professional background mather when you do bug bounties (in my case my job as DevOps engineer) if you know how something works, you might be able to break it.478
Jenkins RCE PoC or simple pre-auth remote code execution on the Server.Once upon a time, a friend of mine asked me a question — "Do you know any fresh RCE for the Jenkins environment ?". I was informed already about some old RCE PoC's but that was not what we need at that time. It was a fresh Jenkins environment.760
Two Easy RCE in Atlassian ProductsIt was a long time from my last article. It was so many interesting results in my work. Seems that it's right time to share my knowledge and experience with you. But first, I wanna inform that two issues in that article well known. And both of that have CVE numbers with patches and software updates.824
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.1252
From SSRF To RCE in PDFReacterWhat is PDFReacter? - PDFReacter is a parser which parses HTML content from HTML to PDF. While testing an application I have identified that an application is using the PDFReacter parser.331
Ruby 2.x Universal RCE Deserialization Gadget ChainThis blog post details exploitation of arbitrary deserialization for the Ruby programming language and releases the first public universal gadget chain to achieve arbitrary command execution for Ruby 2.x.3616
How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration SystemIn past two years, I started to pay more attention on the “inconsistency” bug. What's that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parser and the URL fetcher that leads to whole SSRF bypass!1891
Latex to RCE, Private Bug Bounty ProgramI had participated in a private bug bounty program about one year ago, I want to publish what I’ve learned from. The CMS was a journal site giving service to authors, editors and etc. I accomplished to get editor account by an XSS which I’m not going through with this story.223
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences.1228
RCE by uploading a web.configBy uploading a web.config I was able to bypass the blacklist, which blocks files with an executable extension (such as ‘.asp’ and ‘.aspx’). After setting execution rights to ‘.config’ and then adding asp code in the web.config I was able to execute code….45
XSS and RCERCE (Remote Code Execution) is a critical vulnerability which usually is the final goal of an attack. With code execution, it’s possible to compromise servers, clients and entire networks.578
Windows-RCE-exploitsThe exploit samples database is a repository for RCE (remote code execution) exploits and Proof-of-Concepts for WINDOWS, the samples are uploaded for education purposes for red and blue teams.170
How I found 2.9 RCE at Yahoo! Bug Bounty programHi. I’m kedrisec and I want to describe 3 vulnerabilities that I found as part of the security research at Yahoo Bug Bounty program. So, lets begin. The Yahoo’s Bug Bounty program include a lot of services and I decided to work around Brightroll.839
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account!This vulnerability blog is about when Apache struts2 CVE-2013–2251 went viral and was getting highly exploited because of the impact of vulnerability which was leading to execution of remote commands.856
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account!This vulnerability blog is about when Apache struts2 CVE-2013–2251 went viral and was getting highly exploited because of the impact of vulnerability which was leading to execution of remote commands.856
LFI to RCE via access_log injectionJust wanna share a trick from Local File Inclusion/File Path Traversal to Remote Code Execution by injecting the access_log. I have a target and it’s vulnerable to LFI/FPT. It’s a live website. Inject the target with ../../../../../../../../..295
Meraki RCE: When Red Team and Vulnerability Research Fell in LoveWhen I joined Salesforce, before moving over to vulnerability research, I worked in the Red Team. Our mission was to strengthen Salesforce’s security posture by acting as an external attacker. In one assessment, I installed a pwnplug inside a meeting room.766
Taking note: XSS to RCE in the Simplenote Electron clientOriginally released in 2013, Electron is a framework for creating native desktop products with JavaScript, HTML, and CSS. Since then, companies such as Microsoft and Slack have built Electron into their development process.760
Leading the Blind to Light! - A Chain to RCELet's take a breath for a moment, it is 2017. And Still SQL Injection, 17-18 years since its inception is an issue!1073
PHPMailer < 5.2.18 Remote Code ExecutionPHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more PHPMailer before its version 5.2.1454
From LFI to RCE in phpEveryone knows about the (hopefully dead) /proc/self/environ and /var/log/apache2/error.log tricks to get a shell from a LFI, but it seems that only a few people knows about the tmp_name one.237