Remote Code Execution Vs Command Execution

Hi! Bug hunters, I am back with another writeup. I will try to simplify Remote Code Execution and Command Execution. Many people think both are the same vulnerability but it’s not.

Image for post
Image for post

Don’t be confused! Code Evaluation, Arbitrary Code Injection, and Code Execution are synonyms of Code Injection. OS injection, Command Injection, and Arbitrary Command Execution are synonyms of Command Execution.

Code injection allows the attacker to inject his own code that is executed by the application. In Command Injection, the attacker extends the default functionality of the application, which executes system commands. Let's describe both one by one.

Remote Code Execution (Code Injection)

According to OWASP, Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation. RCE stands for Remote Code Execution. That allows an attacker to inject their own code remotely on the target application. It totally depends on backend technologies. PHP, JAVA, ASP.NET, Python is the most popular backend technologies.

Example

If an application passes a parameter sent via a GET request to the PHP include() function with no input validation, the attacker may try to execute code other than what the developer had in mind.

The URL below passes a page name to the phpinfo() function.

Image for post
Image for post

The phpinfo() function which is useful for gaining information about the configuration of the environment in which the web service runs.

Remote Command Execution (Command injection)

According to OWASP, Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. An ability to run system commands remotely on the vulnerable application called Remote command execution.

Some useful system commands (Linux)

id — Print user information
ls — Directory Listing
ps — Print current process
w — Display current user
whoami— Show information about the user

Image for post
Image for post

The above request and response is an example of a successful attack:

References :

Security Researcher | Bug Bounty Hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store