Hacking Tutorials

Remote Command Execution (RCE) Explained Tutorial

Hello guys! Today we are gonna talk about the basics of a common vulnerability named Remote Command Execution (RCE).

In simple words, if an attacker is able to run system commands on a remote server, then it's called Remote Command Execution.
RCE vulnerabilities can be divided roughly into two categories:

  1. If a service running on a server allows an attacker to execute system commands, we can call it a system based RCE vulnerability.
  2. If a web app has a vulnerability which lets an attacker execute system commands on the web server, we can call it a web based RCE vulnerability.

For today, our topic of interest is web based RCE vulnerabilities. Let's get started!

Here's a really simple PHP script:
[Image: RCE Example]
Now let's say a webpage example.com/vulnerable.php contains this code. Let's break it down:

$cmd : A variable
$_GET['command'] : Here $_GET is how PHP exposes the parameters of a GET request, while command is the parameter submitted by the user.
system($cmd) : system() is a PHP function used to run commands on the web server, while $cmd is the variable discussed above, which contains the user input from the GET request.

So if we want to execute a command on the web server, all we have to do is make a valid GET request to the vulnerable web page, like this:

example.com/vulnerable.php?cmd=evil_command

Pretty easy, right? Well, real life scenarios are a bit more complicated.
Now let's say there's a website pinger.rs which lets you ping domains or IP addresses. Here's its code:
[Image: Remote Command Execution Tutorial]
It takes user input and runs this command on the web server:

ping example.com

What if I directly inject the command? It won't work, because the web server is going to run this command:

ping evil_command

So the web server is just going to ping the user input, i.e. our command, and it won't work. But if you have experience with the terminal you should know that we can chain multiple commands using operators like &, &&, ;, | and ||.
So we can inject google.com; evil_command, so the server will ping google.com and then our evil command will be executed.
Here's a list of what these operators do:

;   At least one of the supplied commands needs to be valid
&   At least one of the supplied commands needs to be valid
&&  Both commands need to be valid, otherwise no execution will occur
|   At least one of the supplied commands needs to be valid
||  Both commands need to be valid, otherwise no execution will occur

Let's say there's a website which runs the following command on the web server:

dig user_input MX

Any idea how you can inject a command in there?
Well, it's easy:
wrap your command between & operators, like this: & command &
So the resulting command would be

dig & whoami & MX

It will work because & operator expects at least one command to be valid. Easy right?
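Below is an added example (my code, not the post's own) showing the pinger.rs pattern in two forms: the vulnerable string concatenation the post describes, and a hardened version that validates the target and quotes it with escapeshellarg() so operators like ; and & reach ping as data rather than the shell. The parameter name, the -c 1 flag and the sample inputs are my assumptions; the same two checks apply to the dig example above.

```php
<?php
// Added example, not code from the original post.
// Assumed: the target comes from a GET parameter named "host".

// VULNERABLE: the input is glued into the shell command line, so
// "google.com; whoami" becomes "ping -c 1 google.com; whoami".
function ping_vulnerable(string $host): void {
    system("ping -c 1 " . $host);
}

// Accept only an IP address or a plain hostname (labels of letters,
// digits and hyphens, dot separated, no leading hyphen so "-c" style
// option injection is rejected too).
function is_valid_target(string $host): bool {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// HARDENED: validate first, then quote anyway as defence in depth.
function ping_hardened(string $host): string {
    if (!is_valid_target($host)) {
        // A ";" or "&" in a rejected value is a useful detection signal.
        error_log("rejected ping target (hex): " . bin2hex($host));
        return "Invalid host";
    }
    // escapeshellarg() wraps the value in single quotes, so shell
    // operators inside it are passed to ping as part of one argument.
    $output = [];
    exec("ping -c 1 " . escapeshellarg($host), $output, $status);
    return implode("\n", $output);
}

// Constructed inputs: the first two pass, the rest are rejected.
$inputs = ["google.com", "8.8.8.8", "google.com; whoami", "& whoami &", "-c"];
foreach ($inputs as $in) {
    printf("%-20s -> %s\n", $in, is_valid_target($in) ? "accepted" : "rejected");
}
```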
Alright! Enough easy stuff. Let's see some hardcore stuff now.

So there's a website which records some of your info and stores it in a file named info.php.
Here's the code of info.php:
[Image: RCE Beginners explained]
What can go wrong with this? The answer is: a lot.
All the info which gets stored here contains variables like User Agent, Referrer and IP Address. So if we can craft these variables according to our will and inject some malicious code into this file, that can turn out to be great.
Well, we can't change our IP Address, and the website's configuration might not let us change the user agent, but we can easily change our referrer. But what changes? Any ideas?
Alright, let me show you how to get it done. I will set my referrer to ';system($_GET['cmd']);' which will close the current tags without breaking the context. Here's how it's going to be stored:
[Image: RCE tutorial]
Here's a cleaner view:
See? Our evil referrer became part of info.php, and now we can run our desired command by visiting

example.com/info.php?cmd=evil_command

Enough for now!
Wait wait wait. Let me show you how RCE looks in real life.
Here's an innocent query:
[Image: hack website with rce]
and here's the expected result:
[Image: remote command execution attack]
Now let's add our evil command:
[Image: RCE attack]
And here's our desired result, which contains the output of the ls command.

There's more to web based Remote Command Execution (RCE), but the aim of this article was only to introduce you to it.
There are some tricks that can help you out with RCE, and there is a lot more to discuss, but we will do that in part 2.
See ya!
