appsec.fyi

A somewhat curated list of links to various topics in application security.

Remote Code Execution (RCE)

LinkExcerptWord Count
XSS and RCERCE (Remote Code Execution) is a critical vulnerability which usually is the final goal of an attack. With code execution, it’s possible to compromise servers, clients and entire networks.578
From LFI to RCE in phpEveryone knows about the (hopefully dead) /proc/self/environ and /var/log/apache2/error.log tricks to get a shell from a LFI, but it seems that only a few people knows about the tmp_name one.237
opsxcq/exploit-CVE-2016-10033PHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more PHPMailer before its version 5.2.1430
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences.1354
Oops...you've unearthed some outdated content!Check out our latest blog posts instead or get to know the people behind the cloud. Latest Posts View All0
#BugBountyThis vulnerability blog is about when Apache struts2 CVE-2013–2251 went viral and was getting highly exploited because of the impact of vulnerability which was leading to execution of remote commands.909
#BugBountyThis vulnerability blog is about when Apache struts2 CVE-2013–2251 went viral and was getting highly exploited because of the impact of vulnerability which was leading to execution of remote commands.909
VBScriptPop up a calculator - tested on non updated Internet Explorer 11 Windows 7 64/32 Pop up a calculator - tested on non updated Internet Explorer 11 Windows 7-10 (a bit slow on win10)27
Latex to RCE, Private Bug Bounty ProgramI had participated in a private bug bounty program about one year ago, I want to publish what I’ve learned from. The CMS was a journal site giving service to authors, editors and etc. I accomplished to get editor account by an XSS which I’m not going through with this story.233
How I Chained 4 Bugs (Features?) into RCE on Amazon Collaboration SystemIn past two years, I started to pay more attention on the “inconsistency” bug. What’s that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parser and the URL fetcher that leads to whole SSRF bypass!1968
Ruby 2.x Universal RCE Deserialization Gadget ChainThis blog post details exploitation of arbitrary deserialization for the Ruby programming language and releases the first public universal gadget chain to achieve arbitrary command execution for Ruby 2.x.3596
WRITE UP – Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance”Introduction: Hi everyone It’s been a while since my last post but I’m back, I want to tell you a short story about why your professional background mather when you do bug bounties (in my case my job as DevOps engineer) if you know how something works, you might be able to break it.491
Remote Code Execution explained with real life bug bounty reportsWhile reading about RCE last week and searching through Zerodium and why it's so heavily paid, found this : https://www.youtube.com/watch?v=649Nb0YFOi57
Just Gopher It: Escalating a Blind SSRF to RCE for $15kTypically for a wide scope bug bounty program I’ll start with subdomain enumeration to increase my attack surface, but in this case I was going after a single web application on my target (Yahoo Mail).1583
Chaining an Blind SSRF bug to Get an RCEMy name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be discussing how I was able to get RCE by using Blind SSRF.192
👩‍💻IW Weekly #39 : $10,000 Bounty, Zero-click Account Takeover, Stored XSS, Open Redirection Vulnerability, SQL Injection, RCE, Reconnaissance Techniques, and much more…Welcome to the #IWWeekly39 - the Monday newsletter that brings the best in Infosec straight to your inbox. IWCON2022 finally came to a glorious end ❤️ Thank you for joining us.657