Find places that allow uploading; based on the language the website is written in, upload the file type that is appropriate for that language.
{% embed url="https://book.hacktricks.xyz/pentesting-web/file-upload" %} view that {% endembed %}
Check whether the website uses any technology, CMS, or plugin that leads to RCE.
{% embed url="https://github.com/p0dalirius/Awesome-RCE-techniques" %} awesome RCE {% endembed %}
Dependency confusion is a vulnerability that arises from a mistake in how a project pulls in an external library:
- Importing a library under the wrong name (requests -> request): the attacker publishes a library named request
- Importing an internal library that does not exist in the public repository: when the internal name cannot be found, the package manager falls back to the public repository, so an attacker who learns the internal name publishes a package with that name there
- Using an old library from the public repository that has since been deleted: the attacker publishes a package with the same name as the old one but a higher version, and when the project updates its libraries the package manager automatically picks the higher version.
{% embed url="https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610" %} main {% endembed %}
{% embed url="https://deephunt3r.medium.com/dependency-confusion-4d675eb36e0f" %}
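A defender-side check for the three patterns above, added here as an example and not part of the original page: it audits a requirements list against constructed snapshots of a private index and the public index (the acme-* names, versions and the sample file are made up; a real check would query the indexes).

```python
import re
# Constructed registry snapshots, not live lookups: latest version per name on each index.
INTERNAL_INDEX = {"acme-auth": "1.4.0", "acme-billing": "2.0.1"}
PUBLIC_INDEX = {"requests": "2.31.0", "request": "0.1.0", "flask": "3.0.0", "acme-billing": "99.0.0"}
WELL_KNOWN = {"requests", "flask", "django", "numpy"}  # names typosquatters imitate
# Constructed requirements file exercising each pattern described above.
SAMPLE_REQUIREMENTS = """
requests==2.31.0   # fine: well known and pinned
request            # one letter off from requests
acme-auth==1.4.0   # fine: internal only
acme-billing       # internal name also claimed on the public index
acme-reports       # referenced but published nowhere
flask              # real package, but unpinned
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character-off package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list:
    """Parse 'name==1.2.3' or bare 'name' lines into (name, pin_or_None) tuples."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(?:==\s*([\w.]+))?$", line.split("#", 1)[0].strip())
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out

def audit(req_text: str) -> list:
    """Return (package, reason) for each dependency matching a confusion pattern."""
    findings = []
    for name, pin in parse_requirements(req_text):
        if name in INTERNAL_INDEX:
            # Default resolution takes the highest version from any index, so a public copy wins.
            if name in PUBLIC_INDEX:
                findings.append((name, f"also on public index as {PUBLIC_INDEX[name]}"))
            continue
        near = [w for w in WELL_KNOWN if w != name and edit_distance(name, w) == 1]
        if near:  # requests -> request
            findings.append((name, f"possible typo of {near[0]}"))
        elif name not in PUBLIC_INDEX:  # nothing serves it, so the name is claimable
            findings.append((name, "not published anywhere; name is claimable"))
        elif pin is None:  # the next update takes whatever higher version appears
            findings.append((name, "unpinned; resolves to highest published version"))
    return findings
```

Running `audit(SAMPLE_REQUIREMENTS)` flags request, acme-billing, acme-reports and flask, each with the pattern it matches.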
What I see most often is an SQL injection error being turned into RCE.
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md" %}
In some special cases, an LFI vulnerability can lead to RCE.
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#lfi-to-rce-via-procfd" %}
{% embed url="https://medium.com/@josewice7/lfi-to-rce-via-log-poisoning-db3e0e7a1cf1" %}