Remote code execution via web shell upload

-

Remote Code Execution via Web Shell Upload

Overview of the Lab

This lab demonstrates a remote code execution (RCE) vulnerability through a vulnerable file upload feature, where an attacker is able to upload a malicious PHP file to a web server and execute server-side code. The goal of the lab is to confirm execution by retrieving sensitive server-side data, proving that arbitrary code execution is possible.

In this case, the attack was validated by uploading a PHP payload that reads the contents of the /etc/passwd file:

<?php echo file_get_contents('/etc/passwd'); ?>

When executed on the server, this payload successfully returned the contents of the system’s password file, confirming full server-side code execution.



Understanding Web Shell-Based RCE

A web shell is a malicious script uploaded to a vulnerable web server that allows an attacker to execute system commands remotely through a web interface. Once deployed, it effectively acts as a backdoor into the server, enabling arbitrary command execution, file access, and system control.

In many real-world scenarios, web shells are written in server-side scripting languages such as PHP because they are directly interpreted by the web server. When improperly validated file uploads exist, attackers can bypass restrictions and upload executable scripts instead of legitimate files.

Once uploaded and executed, the web shell becomes a powerful interface between the attacker and the underlying operating system.

PHP is particularly commonly abused in these scenarios because it is widely supported in web hosting environments and executes directly on the server side when requested.

The Vulnerable File Upload Mechanism

The vulnerability in this lab exists in a file upload feature that allows users to upload files to the server. While this is typically intended for images or documents, insufficient validation allows executable PHP files to be uploaded.

Normally, secure file upload mechanisms enforce restrictions such as:

  • File extension validation
  • MIME type checking
  • Content inspection
  • Storage outside web root

However, in this lab scenario, the server accepts the uploaded PHP file and stores it in a publicly accessible directory, making it directly executable via HTTP request.

Once uploaded, the file is interpreted by the server rather than downloaded, which is the key condition for remote code execution.

Execution of the Web Shell

After uploading the payload, the file is accessed via its URL on the server. At this point, the web server processes the file using the PHP interpreter instead of treating it as static content.

The payload:

<?php echo file_get_contents('/etc/passwd'); ?>

executes server-side. The function file_get_contents() reads the contents of a file from the server’s filesystem, and in this case targets /etc/passwd, a standard Linux system file containing user account information.

When the browser requests the uploaded file, the server executes the PHP code and returns the result of the function call. Instead of seeing raw source code, the attacker receives the output of the executed command.

This confirms that the server is:

  • Executing arbitrary PHP code
  • Allowing file system access
  • Running attacker-controlled logic

Why This Results in Remote Code Execution

This vulnerability escalates to remote code execution because the attacker is able to control server-side behavior through uploaded code. Unlike client-side attacks, this executes directly on the backend infrastructure.

Once a web shell is in place, it can typically be extended beyond simple file reads to include:

  • System command execution
  • Database interaction
  • File upload/download
  • Privilege escalation attempts

In real-world attacks, this is often the initial foothold used for full server compromise.

Web shell attacks are especially dangerous because they provide persistent access to the compromised system as long as the file remains accessible.

Security Impact

The impact of this vulnerability is critical because it allows full control over the server. An attacker with web shell access can:

  • Read sensitive files such as configuration files and credentials
  • Execute system commands remotely
  • Modify or delete server content
  • Pivot into internal systems
  • Install persistent backdoors

This effectively transforms a simple file upload feature into a full remote administration interface for the attacker.

Root Cause Analysis

The root cause of this vulnerability is insufficient validation and insecure handling of file uploads. Specifically, the server fails to enforce strict controls over:

  • Allowed file types
  • Execution permissions
  • File storage location
  • Content inspection

By allowing executable PHP files to be uploaded into a web-accessible directory, the application unintentionally enables remote code execution.

Mitigation Strategies

Preventing this type of vulnerability requires multiple layers of defense:

  • Strict allowlisting of file types (only images or expected formats)
  • Server-side validation of MIME types and file contents
  • Renaming uploaded files to non-executable formats
  • Storing uploads outside the web root directory
  • Disabling execution permissions in upload directories
  • Using secure file handling libraries

Additionally, web application firewalls and server hardening can help reduce exposure, but proper input validation remains the most important control.

Comments

Post a Comment

Popular posts from this blog

Linux AAA

-
Image
Linux AAA Authentication What it means: Authentication verifies who the user is . How it works in Linux: When you log in, Linux checks your credentials (usually username + password) against /etc/passwd and /etc/shadow . /etc/passwd stores user information (username, UID, GID, shell, home directory). /etc/shadow stores hashed passwords and password expiration info, readable only by root. Common authentication methods: Local authentication: Using /etc/passwd and /etc/shadow . Remote authentication: Using services like: LDAP (Lightweight Directory Access Protocol) – centralized user management. Kerberos – provides secure, ticket-based authentication. RADIUS – used in network access (VPNs, Wi-Fi, etc.). PAM (Pluggable Authentication Modules) – modular framework used by Linux for integrating different authentication methods. Example PAM file location: /etc/pam.d/ Each service (like SSH, sudo, login) has its own PAM configuration file.
Read more

Peppermint Ticketing Software for help desk technicians.

-
Image
Peppermint Ticketing Peppermint is a modern, open-source help desk and issue tracking system built for IT teams, MSPs, and internal support departments that want a self-hosted, lightweight, and privacy-controlled solution. Peppermint prioritizes: Simplicity and speed Developer freedom Data sovereignty Low infrastructure footprint It’s designed for small to medium-sized teams who want something modern, minimalistic, and powerful — without being locked into enterprise subscriptions or bulky frameworks. Architecture Overview Peppermint’s backend is written primarily in TypeScript (Node.js) , with a PostgreSQL database and a React-based frontend . This makes it modular, fast, and compatible with modern deployment standards such as Docker , Kubernetes , and cloud instances (AWS, Linode, DigitalOcean, etc.). Architecture Components Component Technology / Purpose Backend  => Node.js (Express / Nest-like structure) Database  => PostgreSQL (relational, handles ti...
Read more

What is Osint?

-
 Open-Source Intelligence (OSINT) refers to the process of collecting, analyzing, and utilizing publicly available data from a wide variety of sources to gather intelligence. These sources can range from publicly accessible information on the internet to data from newspapers, government reports, databases, and even geospatial information. The key distinction of OSINT is that it does not involve covert or illegal methods of gathering information but rather focuses on using data that is readily available to the public, sometimes even through commercial or open platforms. Examples of OSINT data can be gathered from a wide array of open and accessible sources. Some key examples include: Social Media: Publicly available posts, images, videos, and profiles from platforms like Facebook, Twitter, LinkedIn, Instagram, and TikTok. These platforms can reveal personal details about individuals, locations, affiliations, and even plans for upcoming events. News Websites and Online Articles: Ne...
Read more