Remote Code Execution (RCE)

• Remote Code/Command Execution (RCE) Checklist

  • Server Side Request Forgery (SSRF) to RCE:

    • if you found an SSRF try to escalate it to RCE by interacting with internal services, to do this you can craft a Gopher payload to interact with services like MySQL, you can use Gopherus

  • File Upload to RCE:

    • if you found an unrestricted file upload vulnerability try to upload a malicious file to get a reverse shell

  • Dependency Confusion Attack:

    • Search for packages that may be used internally by your target, then register a malicious public package with the same name, you can use confused tool

  • Server Side Template Injection (SSTI) to RCE:

    • if you found and SSTI you can exploit it with tplmap to get an RCE

  • SQL Injection To RCE:

    • if you found an SQL injection, you can craft a special query to write an arbitrary file on the system, SQL Injection shell

  • Latex Injection To RCE:

    • if you found a web-based Latex Compiler, test If it is vulnerable to RCE, Latex to command execution

  • Local File Inclusion (LFI) to RCE:

    • if you found an LFI try to escalate it to RCE via these methods and you can automate the process using liffy

  • Insecure deserialization to RCE:

    • check if the application is vulnerable to Insecure deserialization

    • how to identify if the app is vulnerable:

    • check this cheatsheet

    • Java Deserialization Scanner : a Burp Suite plugin to detect and exploit Java deserialization vulnerabilities

• Top RCE reports from HackerOne:

  1. RCE on Steam Client via buffer overflow in Server Info to Valve - 1254 upvotes, $18000

  2. Potential pre-auth RCE on Twitter VPN to Twitter - 1157 upvotes, $20160

  3. RCE via npm misconfig -- installing internal libraries from the public registry to PayPal - 797 upvotes, $30000

  4. H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 791 upvotes, $15000

  5. Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 788 upvotes, $10000

  6. Git flag injection - local file overwrite to remote code execution to GitLab - 759 upvotes, $12000

  7. RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ to Starbucks - 538 upvotes, $4000

  8. Remote Code Execution in Slack desktop apps + bonus to Slack - 481 upvotes, $1750

  9. RCE when removing metadata with ExifTool to GitLab - 476 upvotes, $20000

  10. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 465 upvotes, $5500

  11. RCE via unsafe inline Kramdown options when rendering certain Wiki pages to GitLab - 408 upvotes, $20000

  12. Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 407 upvotes, $9000

  13. Remote code execution on Basecamp.com to Basecamp - 400 upvotes, $5000

  14. Multiple bugs leads to RCE on TikTok for Android to TikTok - 359 upvotes, $11214

  15. RCE on shared.mail.ru due to "widget" plugin to Mail.ru - 359 upvotes, $10000

  16. RCE on build server via misconfigured pip install to Yelp - 346 upvotes, $15000

  17. [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $4000

  18. RCE via npm misconfig -- installing internal libraries from the public registry to Uber - 313 upvotes, $9000

  19. RCE on TikTok Ads Portal to TikTok - 301 upvotes, $12582

  20. RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag) to GitLab - 243 upvotes, $33510

  21. RCE via github import to GitLab - 233 upvotes, $33510

  22. Unchecked weapon id in WeaponList message parser on client leads to RCE to Valve - 226 upvotes, $3000

  23. Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg to Starbucks - 225 upvotes, $5600

  24. RCE by command line argument injection to gm convert in /edit/process?a=crop to Imgur - 223 upvotes, $5000

  25. Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 217 upvotes, $4000

  26. Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int to QIWI - 217 upvotes, $1000

  27. RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi) to LocalTapiola - 207 upvotes, $6800

  28. OOB reads in network message handlers leads to RCE to Valve - 205 upvotes, $7500

  29. Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ] to Mail.ru - 203 upvotes, $7500

  30. Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues to Mapbox - 200 upvotes, $12500

  31. RCE on CS:GO client using unsanitized entity ID in EntityMsg message to Valve - 198 upvotes, $9000

  32. Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" to QIWI - 193 upvotes, $1000

  33. Git flag injection leading to file overwrite and potential remote code execution to GitLab - 168 upvotes, $3500

  34. [Portal 2] Remote Code Execution via voice packets to Valve - 167 upvotes, $5000

  35. RCE as Admin defeats WordPress hardening and file permissions to WordPress - 158 upvotes, $800

  36. Path traversal, SSTI and RCE on a MailRu acquisition to Mail.ru - 152 upvotes, $2000

  37. Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution to Valve - 149 upvotes, $12500

  38. MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass to QIWI - 147 upvotes, $3500

  39. Path traversal, to RCE to GitLab - 136 upvotes, $12000

  40. Remote Code Execution via Extract App Plugin to Nextcloud - 121 upvotes, $0

  41. Remote Code Execution on Git.imgur-dev.com to Imgur - 117 upvotes, $2500

  42. SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution to QIWI - 117 upvotes, $1000

  43. Possible RCE through Windows Custom Protocol on Windows client to Nord Security - 117 upvotes, $500

  44. Urgent: Server side template injection via Smarty template allows for RCE to Unikrn - 117 upvotes, $400

  45. Apache Flink RCE via GET jar/plan API Endpoint to Aiven Ltd - 112 upvotes, $6000

  46. Read files on application server, leads to RCE to GitLab - 111 upvotes, $0

  47. Remote Code Execution (Reverse Shell) - File Manager to Concrete CMS - 111 upvotes, $0

  48. Specially Crafted Closed Captions File can lead to Remote Code Execution in CS:GO and other Source Games to Valve - 107 upvotes, $7500

  49. uber.com may RCE by Flask Jinja2 Template Injection to Uber - 96 upvotes, $10000

  50. User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files to Slack - 94 upvotes, $750

  51. Remote Code Execution in ██████ to U.S. Dept Of Defense - 93 upvotes, $0

  52. Tricking the "Create snippet" feature into displaying the wrong filetype can lead to RCE on Slack users to Slack - 92 upvotes, $1500

  53. XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 89 upvotes, $0

  54. Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 86 upvotes, $1125

  55. Remote Unrestricted file Creation/Deletion and Possible RCE. to Twitter - 85 upvotes, $0

  56. Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID to QIWI - 84 upvotes, $2500

  57. Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability to Vanilla - 84 upvotes, $900

  58. Remote Code Execution (RCE) in a DoD website to U.S. Dept Of Defense - 83 upvotes, $0

  59. [app-01.youdrive.club] RCE in CI/CD via dependency confusion to Mail.ru - 82 upvotes, $3000

  60. File writing by Directory traversal at actionpack-page_caching and RCE by it to Ruby on Rails - 79 upvotes, $1000

  61. Remote Code Execution on Proxy Service (as root) to ██████ - 79 upvotes, $0

  62. Pre-auth Remote Code Execution on multiple Uber SSL VPN servers to Uber - 72 upvotes, $2000

  63. Nextcloud Desktop Client RCE via malicious URI schemes to Nextcloud - 72 upvotes, $1000

  64. RCE on facebooksearch.algolia.com to Algolia - 72 upvotes, $500

  65. Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE to Lob - 68 upvotes, $1500

  66. RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 68 upvotes, $0

  67. RCE on █████ via CVE-2017-10271 to U.S. Dept Of Defense - 68 upvotes, $0

  68. GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability] to Internet Bug Bounty - 67 upvotes, $1500

  69. Grafana RCE via SMTP server parameter injection to Aiven Ltd - 66 upvotes, $5000

  70. CS:GO Server -> Client RCE through OOB access in CSVCMsg_SplitScreen + Info leak in HTTP download to Valve - 61 upvotes, $7500

  71. Remote Code Execution at http://tw.corp.ubnt.com to Ubiquiti Inc. - 61 upvotes, $5000

  72. Remote Code Execution (upload) to Legal Robot - 59 upvotes, $120

  73. [Source Engine] Material path truncation leads to Remote Code Execution to Valve - 58 upvotes, $2500

  74. Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604) to Starbucks - 57 upvotes, $4000

  75. Ability to access all user authentication tokens, leads to RCE to GitLab - 56 upvotes, $0

  76. Remote Code Execution through DNN Cookie Deserialization to U.S. Dept Of Defense - 56 upvotes, $0

  77. CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example to Internet Bug Bounty - 54 upvotes, $4000

  78. Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID to QIWI - 52 upvotes, $2500

  79. Remote code execution on rubygems.org to RubyGems - 49 upvotes, $1500

  80. WordPress SOME bug in plupload.flash.swf leading to RCE to Automattic - 49 upvotes, $1337

  81. LFI with potential to RCE on ██████ using CVE-2019-3396 to U.S. Dept Of Defense - 49 upvotes, $0

  82. Remote Code Execution (RCE) at "juid" parameter in /get_zip.php (printshop.engelvoelkers.com) to Engel & Völkers Technology GmbH - 49 upvotes, $0

  83. Java Deserialization RCE via JBoss on card.starbucks.in to Starbucks - 48 upvotes, $0

  84. RCE in 'Copy as Node Request' BApp via code injection to PortSwigger Web Security - 48 upvotes, $0

  85. Remote Code Execution at https://169.38.86.185/ (edst.ibm.com) to IBM - 48 upvotes, $0

  86. Log4Shell: RCE 0-day exploit on █████████ to U.S. Dept Of Defense - 48 upvotes, $0

  87. [CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution to Valve - 47 upvotes, $2500

  88. [Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia to Aiven Ltd - 46 upvotes, $5000

  89. RCE via WikiCloth markdown rendering if the rubyluabridge gem is installed to GitLab - 46 upvotes, $3000

  90. SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE to Rockstar Games - 46 upvotes, $1500

  91. Remote Code Execution in Basecamp Windows Electron App to Basecamp - 45 upvotes, $1250

  92. [3DS][SSL][SDK] Unchecked number of audio channels in Mobiclip SDK leads to RCE in eShop movie player to Nintendo - 43 upvotes, $3200

  93. RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 43 upvotes, $0

  94. F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net) to 8x8 - 42 upvotes, $0

  95. RCE which may occur due to ActiveSupport::MessageVerifier or ActiveSupport::MessageEncryptor (especially Active storage) to Ruby on Rails - 41 upvotes, $1500

  96. Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in to Starbucks - 41 upvotes, $0

  97. Remote Code Execution via Insecure Deserialization in Telerik UI to U.S. Dept Of Defense - 41 upvotes, $0

  98. RCE due to ImageTragick v2 to pixiv - 40 upvotes, $2000

  99. CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm to Internet Bug Bounty - 40 upvotes, $1500

  100. Log4j RCE on https://judge.me/reviews to Judge.me - 40 upvotes, $50

• ==Remote Code Execution (RCE) Write_ups==

  • Microsoft RCE bugbounty

  • OTP bruteforce account takeover

  • Attacking helpdesk RCE chain on deskpro with bitdefender

  • Remote image upload leads to RCE inject malicious code

  • Finding a p1 in one minute with shodan.io RCE

  • From recon to optimizing RCE results simple story with one of the biggest ICT company

  • Uploading backdoor for fun and profit RCE DB creds P1

  • Responsible Disclosure breaking out of a sandboxed editor to perform RCE

  • Wordpress design flaw leads to woocommerce RCE

  • Path traversal while uploading results in RCE

  • RCE jenkins instance

  • Traversing the path to RCE

  • RCE due to showexceptions

  • Yahoo luminate RCE

  • Latex to RCE private bug bounty program

  • How I got hall of fame in two fortune 500 companies an RCE story

  • RCE by uploading a web config

  • 36k Google app engine RCE

  • How I found 2.9 RCE at yahoo

  • Bypass firewall to get RCE

  • RCE in duolingos tinycards app from android

  • Unrestricted file upload to RCE

  • Getting a RCE (CTF WAY)

  • RCE starwars

  • How I got 5500 from yahoo for RCE

  • RCE in Addthis

  • Paypal RCE

  • My First RCE (Stressed Employee gets me 2x bounty)

  • Abusing ImageMagick to obtain RCE

  • How Snapdeal Kept their Users Data at Risk!

  • RCE via ImageTragick

  • How I Cracked 2FA with Simple Factor Brute-force!

  • Found RCE but got Duplicated

  • “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce eStores

  • IDOR to RCE

  • RCE on AEM instance without JAVA knowledge

  • RCE with Flask Jinja tempelate Injection

  • Race Condition that could result to RCE

  • Chaining Two 0-Days to Compromise An Uber Wordpress

  • Oculus Identity Verification bypass through Brute Force

  • Used RCE as Root on marathon Instance

  • Two easy RCE in Atlassian Products

  • RCE in Ruby using mustache templates

  • About a Sucuri RCE…and How Not to Handle Bug Bounty Reports

  • Source code disclosure vulnerability

  • Bypassing custom Token Authentication in a Mobile App

  • Facebook’s Burglary Shopping List

  • From SSRF To RCE in PDFReacter

  • Apache strust RCE

  • Dell KACE K1000 Remote Code Execution

  • Leaked Salesforce API access token at IKEA.com

  • Zero Day RCE on Mozilla's AWS Network

  • Escalating SSRF to RCE

  • Fixed : Brute-force Instagram account’s passwords

  • Bug Bounty 101 — Always Check The Source Code

  • ASUS RCE vulnerability on rma.asus-europe.eu

  • Magento – RCE & Local File Read with low privilege admin rights

  • RCE in Nokia.com

  • Two RCE in SharePoint

  • Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over

  • Github Desktop RCE

  • eBay Source Code leak

  • Facebook source code disclosure in ads API

  • [XS-Searching Google’s bug tracker to find out vulnerable source code](https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-