com/learn/application-security/remote-code-execution/
Exploit Techniques
There are two primary methods for performing RCE: remote code evaluation and stored code
evaluation.
Code evaluation occurs when functions that evaluate code accept user input. For example, some
applications allow users to generate variable names using their usernames. Because users control
their usernames, they can create a username that includes malicious code and so influence
applications that enable input evaluation for a certain programming language.
Stored code evaluation differs from standard remote code evaluation because it relies on the
interpreter parsing files rather than on specific language functions. The interpreter should not
execute files that contain user input. Web applications often have upload functionality but do not
sufficiently validate the uploaded files.
For example, an application might have a control panel for each user with specific language variable
settings, which it stores in a config file. Attackers can modify the language parameter to inject code
into the configuration file, allowing them to execute arbitrary commands.
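The two patterns described above (a username evaluated as code, and a language setting written into
an executable config file), shown beside a hardened form of each. This is an added example, not code
from the original page; the function names, the username policy, the allowed-language set and the
constructed inputs are all assumptions made for illustration.

```python
import json
import re

ALLOWED_LANGUAGES = {"en", "de", "fr"}           # assumed supported languages
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed username policy

def set_user_value_unsafe(scope: dict, username: str, value: int) -> None:
    """Vulnerable: the username becomes source code handed to exec()."""
    exec(f"{username} = {value}", {}, scope)

def set_user_value_safe(store: dict, username: str, value: int) -> None:
    """Hardened: the username is only ever a dictionary key (data)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    store[username] = value

def render_config_unsafe(language: str) -> str:
    """Vulnerable: input is pasted into a file the interpreter later runs."""
    return f'LANGUAGE = "{language}"\n'

def load_config_unsafe(source: str) -> dict:
    """Loads the config by executing it as source code."""
    scope: dict = {}
    exec(source, {}, scope)  # every statement in the file executes
    return scope

def render_config_safe(language: str) -> str:
    """Hardened: allowlist the value and store it as JSON data, not code."""
    if language not in ALLOWED_LANGUAGES:
        raise ValueError("unsupported language")
    return json.dumps({"language": language})

def load_config_safe(source: str) -> dict:
    """json.loads parses without executing; re-validate what was stored."""
    data = json.loads(source)
    if not isinstance(data, dict) or data.get("language") not in ALLOWED_LANGUAGES:
        raise ValueError("unsupported language in config")
    return data

# Constructed inputs carrying a harmless extra assignment as the "payload".
CRAFTED_USERNAME = "bob = 0; INJECTED"
CRAFTED_LANGUAGE = 'en"\nINJECTED = "ran'

if __name__ == "__main__":
    scope: dict = {}
    set_user_value_unsafe(scope, CRAFTED_USERNAME, 7)
    print("evaluated username:", scope)
    print("stored config:", load_config_unsafe(render_config_unsafe(CRAFTED_LANGUAGE)))
    print("safe config:", load_config_safe(render_config_safe("de")))
```

In both unsafe paths the extra INJECTED name appears in the result, which shows that user input was
run as a statement; the hardened paths reject the same inputs before anything is stored or parsed.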
---
During a web shell attack, a cybercriminal injects a malicious file into a target web server's directory
and then executes that file from their web browser.
After launching a successful web shell attack, cybercriminals could gain access to sensitive resources,
recruit the target system into a botnet, or create pathways for malware or ransomware injections.
Bind shell:
https://www.youtube.com/watch?v=TWbl-1BlBM0
Bind shell vs. reverse shell:
1. Bind shell: Bind Shells have the listener running on the target and the attacker connects to the
   listener in order to gain remote access to the target system.
   Reverse shell: In the reverse shell, the attacker has the listener running on his/her machine and
   the target connects to the attacker with a shell, so that the attacker can access the target system.
3. Bind shell: The attacker must know the IP address of the victim before launching the Bind Shell.
   Reverse shell: The attacker doesn’t need to know the IP address of the victim, because the attacker
   is going to connect to our open port.