appsec.fyi

A somewhat curated list of links to various topics in application security.

Remote Code Execution (RCE)

Link: Learn About Command Injection Attacks
Excerpt: Remote code execution vulnerabilities are a class of vulnerabilities that happen when attackers can execute their code on your machine. One of the ways this can happen is through command injection vulnerabilities.

Link: Remote Code Execution explained with real life bug bounty reports
Excerpt: Might help other people.

Link: How I found RCE But Got Duplicated
Excerpt: So first of all I cannot show you the name of the site because of a security issue, but let me tell you how I was able to bypass the file upload functionality to upload a shell to the website.

Link: SQL injection to RCE
Excerpt: In the next lines I will expose a case that I experienced in a customer penetration test some days ago; in my opinion it was interesting how I needed to concatenate a few factors to get the RCE. For obvious reasons, some customer data will be anonymized.

Link: Diving into unserialize(): More than RCE
Excerpt: Last time, we talked about how PHP’s unserialize leads to vulnerabilities, and how an attacker can utilize it to achieve RCE. Today, let’s discuss some of the different ways that an attacker can exploit an unserialize() vulnerability.

Link: WRITE UP – Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance”
Excerpt: Hi everyone. It’s been a while since my last post, but I’m back. I want to tell you a short story about why your professional background matters when you do bug bounties (in my case my job as a DevOps engineer): if you know how something works, you might be able to break it.

Link: Jenkins RCE PoC or simple pre-auth remote code execution on the Server.
Excerpt: Once upon a time, a friend of mine asked me a question — "Do you know any fresh RCE for the Jenkins environment?". I was already informed about some old RCE PoCs, but that was not what we needed at that time. It was a fresh Jenkins environment.

Link: Two Easy RCE in Atlassian Products
Excerpt: It has been a long time since my last article. There were so many interesting results in my work. It seems that it's the right time to share my knowledge and experience with you. But first, I want to inform you that the two issues in this article are well known. And both of them have CVE numbers with patches and software updates.

Link: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
Excerpt: As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

Link: From SSRF To RCE in PDFReacter
Excerpt: What is PDFReacter? PDFReacter is a parser which parses HTML content from HTML to PDF. While testing an application I identified that the application was using the PDFReacter parser.

Link: Ruby 2.x Universal RCE Deserialization Gadget Chain
Excerpt: This blog post details exploitation of arbitrary deserialization for the Ruby programming language and releases the first public universal gadget chain to achieve arbitrary command execution for Ruby 2.x.

Link: How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System
Excerpt: In the past two years, I have started to pay more attention to the “inconsistency” bug. What's that? It’s just like my SSRF talk at Black Hat and the GitHub SSRF to RCE case last year: finding an inconsistency between the URL parser and the URL fetcher that leads to a whole SSRF bypass!

Link: Latex to RCE, Private Bug Bounty Program
Excerpt: I participated in a private bug bounty program about one year ago, and I want to publish what I’ve learned from it. The CMS was a journal site giving service to authors, editors, etc. I managed to get an editor account by an XSS, which I’m not going through in this story.

Link: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
Excerpt: Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk at Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEF CON speaker has always been part of my life goal. This is also my first English talk at such formal conferences.

Link: RCE by uploading a web.config
Excerpt: By uploading a web.config I was able to bypass the blacklist, which blocks files with an executable extension (such as ‘.asp’ and ‘.aspx’). After setting execution rights to ‘.config’ and then adding ASP code in the web.config I was able to execute code…

Link: XSS and RCE
Excerpt: RCE (Remote Code Execution) is a critical vulnerability which usually is the final goal of an attack. With code execution, it’s possible to compromise servers, clients and entire networks.

Link: Windows-RCE-exploits
Excerpt: The exploit samples database is a repository for RCE (remote code execution) exploits and Proof-of-Concepts for WINDOWS; the samples are uploaded for education purposes for red and blue teams.

Link: How I found 2.9 RCE at Yahoo! Bug Bounty program
Excerpt: Hi. I’m kedrisec and I want to describe 3 vulnerabilities that I found as part of the security research at the Yahoo Bug Bounty program. So, let's begin. Yahoo’s Bug Bounty program includes a lot of services and I decided to work around Brightroll.

Link: #BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account!
Excerpt: This vulnerability blog is about when Apache Struts2 CVE-2013-2251 went viral and was getting highly exploited because of the impact of the vulnerability, which was leading to execution of remote commands.

Link: LFI to RCE via access_log injection
Excerpt: Just wanna share a trick from Local File Inclusion/File Path Traversal to Remote Code Execution by injecting the access_log. I have a target http://proqualitycontrol.com/index.php?page=aboutus and it’s vulnerable to LFI/FPT. It’s a live website. Inject the target with ../../../../../../../../.

Link: Meraki RCE: When Red Team and Vulnerability Research Fell in Love
Excerpt: When I joined Salesforce, before moving over to vulnerability research, I worked in the Red Team. Our mission was to strengthen Salesforce’s security posture by acting as an external attacker. In one assessment, I installed a pwnplug inside a meeting room.

Link: Taking note: XSS to RCE in the Simplenote Electron client
Excerpt: Originally released in 2013, Electron is a framework for creating native desktop products with JavaScript, HTML, and CSS. Since then, companies such as Microsoft and Slack have built Electron into their development process.

Link: Leading the Blind to Light! - A Chain to RCE
Excerpt: Let's take a breath for a moment: it is 2017. And still SQL Injection, 17-18 years since its inception, is an issue!

Link: PHPMailer < 5.2.18 Remote Code Execution
Excerpt: PHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more. PHPMailer before its version 5.2.

Link: From LFI to RCE in php
Excerpt: Everyone knows about the (hopefully dead) /proc/self/environ and /var/log/apache2/error.log tricks to get a shell from an LFI, but it seems that only a few people know about the tmp_name one.