Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Web-AppSec

Remote Code Execution (RCE)

  • Remote Code/Command Execution (RCE) Checklist

    • Server Side Request Forgery (SSRF) to RCE:

    • File Upload to RCE:

    • Dependency Confusion Attack:

    • Server Side Template Injection (SSTI) to RCE:

    • SQL Injection To RCE:

    • Latex Injection To RCE:

    • Local File Inclusion (LFI) to RCE:

    • Insecure deserialization to RCE:

  • Top RCE reports from HackerOne:

    1. RCE on Steam Client via buffer overflow in Server Info to Valve - 1254 upvotes, $18000

    2. Potential pre-auth RCE on Twitter VPN to Twitter - 1157 upvotes, $20160

    3. RCE via npm misconfig -- installing internal libraries from the public registry to PayPal - 797 upvotes, $30000

    4. H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 791 upvotes, $15000

    5. Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 788 upvotes, $10000

    6. Git flag injection - local file overwrite to remote code execution to GitLab - 759 upvotes, $12000

    7. RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ to Starbucks - 538 upvotes, $4000

    8. Remote Code Execution in Slack desktop apps + bonus to Slack - 481 upvotes, $1750

    9. RCE when removing metadata with ExifTool to GitLab - 476 upvotes, $20000

    10. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 465 upvotes, $5500

    11. RCE via unsafe inline Kramdown options when rendering certain Wiki pages to GitLab - 408 upvotes, $20000

    12. Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 407 upvotes, $9000

    13. Remote code execution on Basecamp.com to Basecamp - 400 upvotes, $5000

    14. Multiple bugs leads to RCE on TikTok for Android to TikTok - 359 upvotes, $11214

    15. RCE on shared.mail.ru due to "widget" plugin to Mail.ru - 359 upvotes, $10000

    16. RCE on build server via misconfigured pip install to Yelp - 346 upvotes, $15000

    17. [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $4000

    18. RCE via npm misconfig -- installing internal libraries from the public registry to Uber - 313 upvotes, $9000

    19. RCE on TikTok Ads Portal to TikTok - 301 upvotes, $12582

    20. RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag) to GitLab - 243 upvotes, $33510

    21. RCE via github import to GitLab - 233 upvotes, $33510

    22. Unchecked weapon id in WeaponList message parser on client leads to RCE to Valve - 226 upvotes, $3000

    23. Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg to Starbucks - 225 upvotes, $5600

    24. RCE by command line argument injection to gm convert in /edit/process?a=crop to Imgur - 223 upvotes, $5000

    25. Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 217 upvotes, $4000

    26. Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int to QIWI - 217 upvotes, $1000

    27. RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi) to LocalTapiola - 207 upvotes, $6800

    28. OOB reads in network message handlers leads to RCE to Valve - 205 upvotes, $7500

    29. Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ] to Mail.ru - 203 upvotes, $7500

    30. Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues to Mapbox - 200 upvotes, $12500

    31. RCE on CS:GO client using unsanitized entity ID in EntityMsg message to Valve - 198 upvotes, $9000

    32. Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" to QIWI - 193 upvotes, $1000

    33. Git flag injection leading to file overwrite and potential remote code execution to GitLab - 168 upvotes, $3500

    34. [Portal 2] Remote Code Execution via voice packets to Valve - 167 upvotes, $5000

    35. RCE as Admin defeats WordPress hardening and file permissions to WordPress - 158 upvotes, $800

    36. Path traversal, SSTI and RCE on a MailRu acquisition to Mail.ru - 152 upvotes, $2000

    37. Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution to Valve - 149 upvotes, $12500

    38. MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass to QIWI - 147 upvotes, $3500

    39. Path traversal, to RCE to GitLab - 136 upvotes, $12000

    40. Remote Code Execution via Extract App Plugin to Nextcloud - 121 upvotes, $0

    41. Remote Code Execution on Git.imgur-dev.com to Imgur - 117 upvotes, $2500

    42. SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution to QIWI - 117 upvotes, $1000

    43. Possible RCE through Windows Custom Protocol on Windows client to Nord Security - 117 upvotes, $500

    44. Urgent: Server side template injection via Smarty template allows for RCE to Unikrn - 117 upvotes, $400

    45. Apache Flink RCE via GET jar/plan API Endpoint to Aiven Ltd - 112 upvotes, $6000

    46. Read files on application server, leads to RCE to GitLab - 111 upvotes, $0

    47. Remote Code Execution (Reverse Shell) - File Manager to Concrete CMS - 111 upvotes, $0

    48. Specially Crafted Closed Captions File can lead to Remote Code Execution in CS:GO and other Source Games to Valve - 107 upvotes, $7500

    49. uber.com may RCE by Flask Jinja2 Template Injection to Uber - 96 upvotes, $10000

    50. User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files to Slack - 94 upvotes, $750

    51. Remote Code Execution in ██████ to U.S. Dept Of Defense - 93 upvotes, $0

    52. Tricking the "Create snippet" feature into displaying the wrong filetype can lead to RCE on Slack users to Slack - 92 upvotes, $1500

    53. XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 89 upvotes, $0

    54. Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 86 upvotes, $1125

    55. Remote Unrestricted file Creation/Deletion and Possible RCE. to Twitter - 85 upvotes, $0

    56. Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID to QIWI - 84 upvotes, $2500

    57. Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability to Vanilla - 84 upvotes, $900

    58. Remote Code Execution (RCE) in a DoD website to U.S. Dept Of Defense - 83 upvotes, $0

    59. [app-01.youdrive.club] RCE in CI/CD via dependency confusion to Mail.ru - 82 upvotes, $3000

    60. File writing by Directory traversal at actionpack-page_caching and RCE by it to Ruby on Rails - 79 upvotes, $1000

    61. Remote Code Execution on Proxy Service (as root) to ██████ - 79 upvotes, $0

    62. Pre-auth Remote Code Execution on multiple Uber SSL VPN servers to Uber - 72 upvotes, $2000

    63. Nextcloud Desktop Client RCE via malicious URI schemes to Nextcloud - 72 upvotes, $1000

    64. RCE on facebooksearch.algolia.com to Algolia - 72 upvotes, $500

    65. Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE to Lob - 68 upvotes, $1500

    66. RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 68 upvotes, $0

    67. RCE on █████ via CVE-2017-10271 to U.S. Dept Of Defense - 68 upvotes, $0

    68. GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability] to Internet Bug Bounty - 67 upvotes, $1500

    69. Grafana RCE via SMTP server parameter injection to Aiven Ltd - 66 upvotes, $5000

    70. CS:GO Server -> Client RCE through OOB access in CSVCMsg_SplitScreen + Info leak in HTTP download to Valve - 61 upvotes, $7500

    71. Remote Code Execution at http://tw.corp.ubnt.com to Ubiquiti Inc. - 61 upvotes, $5000

    72. Remote Code Execution (upload) to Legal Robot - 59 upvotes, $120

    73. [Source Engine] Material path truncation leads to Remote Code Execution to Valve - 58 upvotes, $2500

    74. Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604) to Starbucks - 57 upvotes, $4000

    75. Ability to access all user authentication tokens, leads to RCE to GitLab - 56 upvotes, $0

    76. Remote Code Execution through DNN Cookie Deserialization to U.S. Dept Of Defense - 56 upvotes, $0

    77. CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example to Internet Bug Bounty - 54 upvotes, $4000

    78. Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID to QIWI - 52 upvotes, $2500

    79. Remote code execution on rubygems.org to RubyGems - 49 upvotes, $1500

    80. WordPress SOME bug in plupload.flash.swf leading to RCE to Automattic - 49 upvotes, $1337

    81. LFI with potential to RCE on ██████ using CVE-2019-3396 to U.S. Dept Of Defense - 49 upvotes, $0

    82. Remote Code Execution (RCE) at "juid" parameter in /get_zip.php (printshop.engelvoelkers.com) to Engel & Völkers Technology GmbH - 49 upvotes, $0

    83. Java Deserialization RCE via JBoss on card.starbucks.in to Starbucks - 48 upvotes, $0

    84. RCE in 'Copy as Node Request' BApp via code injection to PortSwigger Web Security - 48 upvotes, $0

    85. Remote Code Execution at https://169.38.86.185/ (edst.ibm.com) to IBM - 48 upvotes, $0

    86. Log4Shell: RCE 0-day exploit on █████████ to U.S. Dept Of Defense - 48 upvotes, $0

    87. [CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution to Valve - 47 upvotes, $2500

    88. [Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia to Aiven Ltd - 46 upvotes, $5000

    89. RCE via WikiCloth markdown rendering if the rubyluabridge gem is installed to GitLab - 46 upvotes, $3000

    90. SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE to Rockstar Games - 46 upvotes, $1500

    91. Remote Code Execution in Basecamp Windows Electron App to Basecamp - 45 upvotes, $1250

    92. [3DS][SSL][SDK] Unchecked number of audio channels in Mobiclip SDK leads to RCE in eShop movie player to Nintendo - 43 upvotes, $3200

    93. RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 43 upvotes, $0

    94. F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net) to 8x8 - 42 upvotes, $0

    95. RCE which may occur due to ActiveSupport::MessageVerifier or ActiveSupport::MessageEncryptor (especially Active storage) to Ruby on Rails - 41 upvotes, $1500

    96. Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in to Starbucks - 41 upvotes, $0

    97. Remote Code Execution via Insecure Deserialization in Telerik UI to U.S. Dept Of Defense - 41 upvotes, $0

    98. RCE due to ImageTragick v2 to pixiv - 40 upvotes, $2000

    99. CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm to Internet Bug Bounty - 40 upvotes, $1500

    100. Log4j RCE on https://judge.me/reviews to Judge.me - 40 upvotes, $50

  • ==Remote Code Execution (RCE) Write_ups==

    • Microsoft RCE bugbounty

    • OTP bruteforce account takeover

    • Attacking helpdesk RCE chain on deskpro with bitdefender

    • Remote image upload leads to RCE inject malicious code

    • Finding a p1 in one minute with shodan.io RCE

    • From recon to optimizing RCE results simple story with one of the biggest ICT company

    • Uploading backdoor for fun and profit RCE DB creds P1

    • Responsible Disclosure breaking out of a sandboxed editor to perform RCE

    • Wordpress design flaw leads to woocommerce RCE

    • Path traversal while uploading results in RCE

    • RCE jenkins instance

    • Traversing the path to RCE

    • RCE due to showexceptions

    • Yahoo luminate RCE

    • Latex to RCE private bug bounty program

    • How I got hall of fame in two fortune 500 companies an RCE story

    • RCE by uploading a web config

    • 36k Google app engine RCE

    • How I found 2.9 RCE at yahoo

    • Bypass firewall to get RCE

    • RCE in duolingos tinycards app from android

    • Unrestricted file upload to RCE

    • Getting a RCE (CTF WAY)

    • RCE starwars

    • How I got 5500 from yahoo for RCE

    • RCE in Addthis

    • Paypal RCE

    • My First RCE (Stressed Employee gets me 2x bounty)

    • Abusing ImageMagick to obtain RCE

    • How Snapdeal Kept their Users Data at Risk!

    • RCE via ImageTragick

    • How I Cracked 2FA with Simple Factor Brute-force!

    • Found RCE but got Duplicated

    • “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce eStores

    • IDOR to RCE

    • RCE on AEM instance without JAVA knowledge

    • RCE with Flask Jinja tempelate Injection

    • Race Condition that could result to RCE

    • Chaining Two 0-Days to Compromise An Uber Wordpress

    • Oculus Identity Verification bypass through Brute Force

    • Used RCE as Root on marathon Instance

    • Two easy RCE in Atlassian Products

    • RCE in Ruby using mustache templates

    • About a Sucuri RCE…and How Not to Handle Bug Bounty Reports

    • Source code disclosure vulnerability

    • Bypassing custom Token Authentication in a Mobile App

    • Facebook’s Burglary Shopping List

    • From SSRF To RCE in PDFReacter

    • Apache strust RCE

    • Dell KACE K1000 Remote Code Execution

    • Leaked Salesforce API access token at IKEA.com

    • Zero Day RCE on Mozilla's AWS Network

    • Escalating SSRF to RCE

    • Fixed : Brute-force Instagram account’s passwords

    • Bug Bounty 101 — Always Check The Source Code

    • ASUS RCE vulnerability on rma.asus-europe.eu

    • Magento – RCE & Local File Read with low privilege admin rights

    • RCE in Nokia.com

    • Two RCE in SharePoint

    • Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over

    • Github Desktop RCE

    • eBay Source Code leak

    • Facebook source code disclosure in ads API

    • [XS-Searching Google’s bug tracker to find out vulnerable source code](https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-

PreviousRegistration & Takeover BugsNextSession Fixation

Last updated 1 year ago

Was this helpful?

🕸️