
https://www.imperva.com/learn/application-security/remote-code-execution/

Exploit Techniques

There are two primary methods for performing RCE: remote code evaluation and stored code
evaluation.

Remote Code Evaluation

Remote code evaluation occurs when user input reaches a function that evaluates its argument as
source code (eval(), exec() and their equivalents in other languages). For example, some
applications build a variable name from the username. Because users control their usernames, a
user can craft one that contains code in the application's language, and the evaluating function
runs that code as part of the application.

Stored Code Evaluation

This method differs from direct remote code evaluation because the code runs when the interpreter
parses a file, not when a specific language function evaluates a string. The interpreter should never
execute a file that contains unvalidated user input, yet web applications often write user-supplied
data into files (through an upload or settings feature) without validating it first.

For example, an application might have a control panel for each user with a language setting, which
it stores in a config file. If the language parameter is not validated, an attacker can set it to a value
that injects code into the configuration file; the next time the interpreter parses that file, the
injected code runs, allowing the attacker to execute arbitrary commands.
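As an added example (not code from the Imperva article), the two patterns above in Python, each beside a hardened counterpart that treats the input as data. The usernames, language values, file name and payload strings are constructed for this demo; the injected payloads only set a marker variable so the effect is visible without running any system command.

```python
import json
import os
import re
import tempfile

# --- 1. Remote code evaluation: user input reaches exec() directly ---

def create_prefs_vulnerable(username: str, ns: dict) -> None:
    # The page's pattern: a variable name is derived from the username and
    # the generated source text is evaluated. The username is never checked.
    exec(f"prefs_{username} = {{}}", ns)

# --- 2. Stored code evaluation: user input is written into a config file
#        that the interpreter later parses as code ---

def save_language_vulnerable(lang: str, path: str) -> None:
    with open(path, "w") as f:
        f.write(f'LANGUAGE = "{lang}"\n')  # lang is written unvalidated

def load_config_vulnerable(path: str) -> dict:
    ns = {}
    with open(path) as f:
        exec(f.read(), ns)  # the stored file is parsed and run as code
    return ns

# --- Hardened versions: validate, then store and read as data, not code ---

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
ALLOWED_LANGS = {"en", "de", "fr"}  # assumed allow-list for the demo

def create_prefs_safe(username: str, prefs: dict) -> None:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    prefs[username] = {}  # dictionary keyed by the name; nothing is evaluated

def save_language_safe(lang: str, path: str) -> None:
    if lang not in ALLOWED_LANGS:
        raise ValueError("unsupported language")
    with open(path, "w") as f:
        json.dump({"language": lang}, f)  # data format, parsed as data

def load_config_safe(path: str) -> dict:
    with open(path) as f:
        return json.load(f)  # json.load cannot execute anything

# Constructed payloads: close the intended statement, append our own
# statement, and comment out whatever the application appends after it.
EVAL_PAYLOAD = "alice = {}; injected = 'code ran via exec' #"
STORED_PAYLOAD = 'en"; injected = "code ran from config file" #'

def demo_remote_eval() -> str:
    ns = {}
    create_prefs_vulnerable(EVAL_PAYLOAD, ns)
    return ns.get("injected", "")

def demo_stored_eval() -> str:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.py")
        save_language_vulnerable(STORED_PAYLOAD, path)
        return load_config_vulnerable(path).get("injected", "")

def safe_rejects_both() -> bool:
    rejected = 0
    try:
        create_prefs_safe(EVAL_PAYLOAD, {})
    except ValueError:
        rejected += 1
    with tempfile.TemporaryDirectory() as d:
        try:
            save_language_safe(STORED_PAYLOAD, os.path.join(d, "config.json"))
        except ValueError:
            rejected += 1
    return rejected == 2

def safe_round_trip(lang: str) -> str:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        save_language_safe(lang, path)
        return load_config_safe(path)["language"]

if __name__ == "__main__":
    print("direct exec :", demo_remote_eval())
    print("stored file :", demo_stored_eval())
    print("safe rejects:", safe_rejects_both(), "| safe round trip:", safe_round_trip("de"))
```

The fix in both cases is the same: user input is never concatenated into source text. The username becomes a dictionary key after a strict character check, and the language setting is stored in JSON, which the loader can only parse, not execute.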

Examples of Known Remote

---

Web shell: https://www.upguard.com/blog/what-are-web-shell-attacks

During a web shell attack, a cybercriminal injects a malicious file into a target web server's directory
and then executes that file from their web browser.

After launching a successful web shell attack, cybercriminals could gain access to sensitive resources,
recruit the target system into a botnet, or create pathways for malware or ransomware injections.

Bind shell:

https://www.youtube.com/watch?v=TWbl-1BlBM0

The attacker initiates the connection after planting a listening shell on the target.

Reverse shell: most commonly used

The target initiates the connection back to a listener on the attacker's machine.

Bind shell vs. reverse shell

1. Where the listener runs
   Bind shell: the listener runs on the target and the attacker connects to it to gain remote access to the target system.
   Reverse shell: the listener runs on the attacker's machine and the target connects to it with a shell, so the attacker can access the target.

2. Which port is opened
   Bind shell: the payload on the target opens a listening port, and that port must be reachable from the attacker.
   Reverse shell: the attacker opens a port on their own machine, and the victim connects to that port.

3. Whose address must be known
   Bind shell: the attacker must know the victim's IP address before connecting.
   Reverse shell: the attacker does not need the victim's IP address, because the victim connects to the attacker's open port (the attacker's address and port are embedded in the payload instead).

4. Direction of the connection
   Bind shell: inbound to the target; the listener is on the target and the attacker connects to it.
   Reverse shell: the opposite; the listener is on the attacker's machine and the target connects out to it.

5. Firewall behaviour
   Bind shell: often fails, because firewalls and NAT block unsolicited inbound connections to ports on the target.
   Reverse shell: usually works, because the connection is outbound from the target and outbound traffic is commonly filtered far less strictly; strict egress filtering can still block it.
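Rows 1 to 4 as runnable code, added here as an example and not taken from the video or the page. Both demos run entirely on loopback with ephemeral ports, and the "shell" is a constructed in-process handler that understands only echo and pwd, so nothing is executed on the host; the point is which side listens and which side connects.

```python
import os
import socket
import threading

def run_command(cmd: str) -> str:
    # Toy in-process "shell" (constructed for the demo): only echo and pwd.
    parts = cmd.strip().split(maxsplit=1)
    if not parts:
        return ""
    if parts[0] == "pwd":
        return os.getcwd()
    if parts[0] == "echo":
        return parts[1] if len(parts) > 1 else ""
    return f"unknown command: {parts[0]}"

def serve_shell(conn: socket.socket) -> None:
    """Target side: read one command line, run it, reply, close."""
    with conn:
        cmd = conn.recv(4096).decode()
        conn.sendall((run_command(cmd) + "\n").encode())

def drive_shell(conn: socket.socket, cmd: str) -> str:
    """Attacker side: send one command line and collect the reply."""
    with conn:
        conn.sendall((cmd + "\n").encode())
        return conn.recv(4096).decode().rstrip("\n")

def listen_once():
    """Open an ephemeral TCP listener on loopback; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def bind_shell_demo(cmd: str) -> str:
    # Bind shell: the TARGET opens the listening port, so the connection is
    # inbound to the target and the attacker must know the target's address.
    target_srv, port = listen_once()

    def target_side():
        conn, _ = target_srv.accept()
        target_srv.close()
        serve_shell(conn)

    t = threading.Thread(target=target_side)
    t.start()
    attacker_conn = socket.create_connection(("127.0.0.1", port))
    result = drive_shell(attacker_conn, cmd)
    t.join()
    return result

def reverse_shell_demo(cmd: str) -> str:
    # Reverse shell: the ATTACKER listens; the target connects out to the
    # attacker's address and port and hands its shell over that socket.
    attacker_srv, port = listen_once()

    def target_side():
        conn = socket.create_connection(("127.0.0.1", port))
        serve_shell(conn)

    t = threading.Thread(target=target_side)
    t.start()
    conn, _ = attacker_srv.accept()
    attacker_srv.close()
    result = drive_shell(conn, cmd)
    t.join()
    return result

if __name__ == "__main__":
    print("bind    :", bind_shell_demo("echo hello over a bind shell"))
    print("reverse :", reverse_shell_demo("echo hello over a reverse shell"))
```

Note what each demo needs to know: bind_shell_demo dials the target's port, so the attacker must know the target's address and the port must accept inbound connections; reverse_shell_demo only waits, and the target side carries the attacker's address and port, which is why it survives inbound filtering and NAT on the target's network.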
