A Story of an Epic Blind Remote Code Execution(RCE)

Hello everyone, I’m Akash Solanki, a Cyber Security Researcher from India. This blog will explain how I found a Blind Remote Code Execution(RCE) vulnerability and how it was exploited.

So what is Blind RCE?

The Blind RCE vulnerability occurs when an attacker executes malicious commands on a target web application, and the attacker cannot see the output of the command that ran on the server or machine.

How it all started!

So on a fine evening, I was sitting and having my chai, scrolling through the programs list, and I found a target to hack. Let’s call it redacted.com for the sake of it. Started normal recon processes like Google Dorking, Content Discovery using dirsearch, etc.

python3 dirsearch.py -u https://redacted.com -e .* -t 50

I stopped for a while and thought of going for the main website for mapping out the attack surface and functionalities. I tried injecting XSS payloads! No pop-up happened :(, tested for SQL Injections, SSRF, etc. By this time, I looked back at the output of dirsearch, and it had found a unique folder redacted. 

python3 dirsearch.py -e php,html,js -u https://redacted.com/redacted

So I tried fuzzing at this unique folder using dirsearch again, and it gave me a lot of PHP files.

The next task was to find hidden parameters of these PHP files. A few good tools help you do this, like Arjun, para-miner, and Paramspider.

I just ran Paramspider.

python3 paramspider.py -d https://redacted.com/

https://redacted.com/redacted/dynamic.php?dcbName=Fuzz caught my attention because I read it as db Name at first glance.

It was time to fuzz this endpoint, tried XSS, SQL Injection, SSTI, etc. What happened next was something I didn’t expect to happen, even in my dream. 

When Fuzzing the parameter for blind command injection, I got a hit, and my heart started pumping fast!

The payload for Pingback test was something like this:- 



Response we got:

We can trigger an OOB network interaction with an external server such as Burp Collaborator to exfiltrate information. We can exfiltrate the output of your command using a payload similar to the following:

 Payload :- 



Response we got:

Here you can see that as we used nslookup so these are the DNS requests. In the description, you can see that the value of the currently logged-in user is appended to it apache

After seeing apache in the collaborator client

Reference :- 

If you enjoyed reading the blog, follow me on twitter


Post a Comment

Previous Post Next Post