RCE Options

Plugin Upload

Some applications offer plugin uploads (typically an archive containing server-side code) which can be leveraged into running a reverse shell payload: the plugin executes with the application's own privileges as soon as it is installed or enabled.

Macro add / upload

Enterprise platforms (ERP/CRM/Office-like tools) sometimes allow uploading "macros" or add-ins that execute on the server; a malicious macro runs as the application service account.

File Upload with Server Parsing

Classic webshell strategy: upload a file whose extension the web server hands to a script interpreter (.php, .phtml, .jsp, .aspx, etc.), then request it so the server executes it. Checks worth trying against the upload filter: double extensions (shell.php.jpg), case variants, NUL bytes in the name, polyglot images that carry script markers, and a missing magic-byte / content-type comparison.
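The defensive side of the same vector, as an added example (not code from the page): an upload validator that rejects the bypasses listed above. Names such as validate_upload, EXECUTABLE_EXTS and the allowlisted image types are assumptions for the example; the sample filenames and bytes in the test are constructed.

```python
import os
import secrets

# Extensions the web server would hand to a script interpreter (assumption: a
# typical PHP/ASP/JSP deployment). Anything in this set is rejected even when
# it appears as a secondary extension, e.g. "avatar.php.jpg".
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
    "asp", "aspx", "asa", "cer", "jsp", "jspx", "cgi", "pl", "py", "sh",
}

# Allowlisted types with the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, content):
    """Return (ok, reason). ok is True only when the client-supplied name and
    the bytes agree with one allowlisted image type."""
    if "\x00" in filename:
        return False, "NUL byte in filename"          # "shell.php\x00.jpg"
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base.startswith("."):
        return False, "path traversal in filename"    # "../x.jpg", ".htaccess"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not all(parts[1:]):
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension"          # catches "shell.php.jpg"
    if len(exts) != 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowlisted"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # Heuristic polyglot check: a valid image header followed by script
    # markers. Real deployments re-encode images instead of pattern matching.
    lowered = content.lower()
    if b"<?" in content or b"<%" in content or b"<script" in lowered:
        return False, "script marker inside content"
    return True, "ok"


def storage_name(ext):
    """Server-chosen name: the client's filename never reaches the filesystem.
    Store the result outside the web root or in a directory with script
    execution disabled."""
    return f"{secrets.token_hex(16)}.{ext}"
```

The extension allowlist, the server-chosen name and the no-execute storage location are the controls that actually stop a webshell; the magic-byte and marker checks only raise the bar for polyglots.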

Deserialization Gadgets

Leverage insecure deserialization: pass a crafted serialized object whose gadget chain calls into something that runs system-level commands the moment the server deserializes it, before the application ever uses the result.
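A minimal gadget and the matching mitigation, as an added example that is not part of the page. It assumes a Python application that accepts a client-supplied pickle (a saved search, a session blob); the Gadget class, build_payload and RestrictedUnpickler names are made up for the example, and the harmless `echo` stands in for a real payload.

```python
import io
import pickle
import subprocess
from collections import OrderedDict


class Gadget:
    """Attacker side. __reduce__ tells pickle how to rebuild the object and
    may name any importable callable plus its arguments; pickle.loads() calls
    it during deserialization, so the payload runs before the application
    looks at the returned value."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_payload():
    return pickle.dumps(Gadget())


def vulnerable_load(blob):
    # The gadget executes here; the return value is echo's output.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation documented in the Python pickle module: allowlist the
    globals a pickle may reference. Assumption: this app only ever pickles
    plain containers and OrderedDict, so nothing else is resolvable."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def hardened_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def hardened_blocks(blob):
    """True when the restricted unpickler refuses the blob."""
    try:
        hardened_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def legit_roundtrip():
    """The allowlist still lets the application's own data through."""
    obj = OrderedDict(query="status:open", page=2)
    return hardened_load(pickle.dumps(obj)) == obj
```

The allowlist only narrows the attack surface; the real fix for client-controlled data is a format without code-loading semantics (JSON), because any allowlisted class with a useful __setstate__ or __reduce__ becomes the next gadget.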

Templates

Web applications often let admins edit templates (e-mail, reports, pages) in the Admin Panel. If user-controlled text is rendered as template source rather than as data, template expressions can be injected (SSTI), which in most engines reaches code execution.

Debug Console / Sandbox Escape

Apps sometimes expose debug consoles (Werkzeug's interactive debugger, Rails web-console, framework debug pages in Django and others); these evaluate arbitrary code in the server process, leading directly to command execution.

Custom Script Upload (Automation Rules)

Jira, Confluence, or CRM systems allow "Groovy scripts" (ScriptRunner), "JS rules," or "workflow automation" that execute server-side; any account permitted to edit them effectively has code execution.

SQL Injection

If the database is configured insecurely (xp_cmdshell enabled in MSSQL, COPY ... FROM PROGRAM available in PostgreSQL, or a MySQL account that can write a UDF library), an SQL injection can be escalated into executing OS commands.

API Import / Export Functionality

Some apps allow importing "data" via structured files (JSON, YAML, XML). XML parsed with external entities enabled gives XXE, which reaches RCE on some stacks (e.g. PHP with the expect wrapper); YAML loaders that instantiate arbitrary objects are the more direct route to execution.

Batch Scripts

Web applications can call Batch Scripts or other OS-level scripts in their day-to-day functionality. If the script path or its arguments come from user input, we can point the application at a malicious .bat script (or inject into the arguments) in order to achieve RCE.

Dynamic Code Execution Flows

Input passed to dangerous functions (eval(), exec(), and in PHP create_function() and assert() on a string argument, both removed in PHP 8).

Command Injection via Wrappers

Code uses OS commands to manipulate files (system, exec, shell_exec, Runtime.getRuntime().exec, subprocess with shell=True). When the command string is built by concatenating user input, metacharacters (; | & $() backticks) inject extra commands wherever a shell is involved, and argument injection (a filename starting with "-") applies even without one.
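One example for both the Batch Scripts and the Command Injection via Wrappers sections above; it is added here and is not code from the page. It assumes a "file info" feature that shells out to `wc -c` on a user-chosen filename inside an upload directory (the same principle applies to a `cmd /c script.bat <arg>` wrapper on Windows). The directory, the sample file and the `; echo pwned` payload are constructed for the example.

```python
import os
import re
import subprocess
import tempfile

# Assumption: uploads live in one directory the app owns.
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads-")


def seed_file(name, data=b"hello"):
    """Create a constructed sample file and return its base name."""
    with open(os.path.join(UPLOAD_DIR, name), "wb") as fh:
        fh.write(data)
    return name


def vulnerable_size(name):
    # The filename is pasted into a command line that a shell parses, so
    # ; | & $() in it become shell syntax rather than part of the name.
    cmd = "wc -c " + os.path.join(UPLOAD_DIR, name)
    return subprocess.check_output(cmd, shell=True, text=True)


SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def hardened_size(name):
    # 1. Allowlist the untrusted value before it goes near a process; the
    #    leading alphanumeric also blocks "-" (argument injection) and "..".
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected filename")
    path = os.path.realpath(os.path.join(UPLOAD_DIR, name))
    # 2. Confine to the intended directory even if the regex is loosened later.
    if os.path.dirname(path) != os.path.realpath(UPLOAD_DIR):
        raise ValueError("path escapes upload directory")
    # 3. No shell: an argv list makes the name a single argument regardless
    #    of what it contains. Same rule for a .bat wrapper: fixed script path,
    #    user data only ever as separate argv entries.
    out = subprocess.run(
        ["wc", "-c", path], capture_output=True, text=True, check=True
    ).stdout
    return int(out.split()[0])


def injected_output_contains_pwned():
    """Demonstration: the injected `; echo pwned` runs under the vulnerable
    wrapper and its output lands in the response."""
    payload = seed_file("report.txt") + "; echo pwned"
    return "pwned" in vulnerable_size(payload)


def hardened_rejects_payload():
    """The same payload never reaches a process under the hardened wrapper."""
    try:
        hardened_size("report.txt; echo pwned")
    except ValueError:
        return True
    return False
```

shlex.quote() is a reasonable second line of defence when a shell genuinely cannot be avoided, but it does nothing against argument injection, which is why the allowlist and the argv list come first.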
