Question

Be extra cautious when escalating RCE vulnerabilities. Most companies would prefer that you don’t try to escalate them at all because they don’t want someone poking around systems that contain confidential data. During a typical penetration test, a hacker will often try to figure out the privileges of the current user and attempt privilege-escalation attacks after they gain RCE. But in a bug bounty context, this isn’t appropriate. You might accidentally read sensitive information about customers or cause damage to the systems by modifying a critical file. It’s important that you carefully read the bounty program rules so you don’t cross the lines.

在升级 RCE 漏洞时要格外小心。大多数公司都希望您根本不要尝试升级它们，因为他们不希望有人在含机密数据的系统中进行探测。在典型的渗透测试中，黑客经常会尝试弄清当前用户的特权，并在获得 RCE 后尝试特权升级攻击。但在漏洞赏金的情况下，这是不合适的。您可能会意外读取客户的敏感信息，或通过修改关键文件来损坏系统。重要的是，您仔细阅读赏金计划规则，以免越界。

For classic RCEs, create a proof of concept that executes a harmless command like whoami or ls . You can also prove you’ve found an RCE by reading a common system file such as /etc/passwd . You can use the cat command to read a system file:

针对经典的远程代码执行（RCE）漏洞，需创建一个可执行无害命令（如 whoami 或 ls）的概念证明。也可通过读取常见系统文件（如/etc/passwd）来验证是否发现了 RCE 漏洞。可以使用 cat 命令来读取系统文件。

cat /etc/passwd

On Linux systems, the /etc/passwd file contains a list of the system’s accounts and their user IDs, group IDs, home directories, and default shells. This file is usually readable without special privileges, so it’s a good file to try to access first.

在 Linux 系统中，/etc/passwd 文件包含系统帐户及其用户 ID、组 ID、主目录和默认 Shell 的列表。这个文件通常可以在没有特殊权限的情况下进行读取，因此它是一个首要尝试访问的好文件。

Finally, you can create a file with a distinct filename on the system, such as rce_by_YOUR_NAME.txt so it’s clear that this file is a part of your POC. You can use the touch command to create a file with the specified name in the current directory:

最后，您可以在系统上创建一个具有不同文件名的文件，例如 rce_by_YOUR_NAME.txt，以便清楚表明该文件是您的 POC 的一部分。您可以使用 touch 命令在当前目录中创建具有指定名称的文件：

touch rce_by_YOUR_NAME.txt

For blind RCEs, create a POC that executes the sleep command. You can also create a reverse shell on the target machine that connects back to your system for a more impactful POC. However, this is often against program rules, so be sure to check with the program beforehand.

针对盲目 RCE 漏洞，请创建一个执行睡眠命令的 POC。你也可以在目标机器上创建一个反向 shell，使其连接回你的系统，以创建一个更有影响力的 POC。但是，这通常违反程序规则，所以请提前与程序确认。

It’s easy to step over the bounds of the bounty policy and cause unintended damage to the target site when creating POCs for RCE vulnerabilities. When you create your POC, make sure that your payload executes a harmless command and that your report describes the steps needed to achieve RCE. Often, reading a nonsensitive file or creating a file under a random path is enough to prove your findings.

在创建用于 RCE 漏洞的 POC 时，容易超出赏金政策的限制并对目标站点造成意外损害。创建您的 POC 时，请确保您的负载执行无害命令，并且您的报告描述了实现 RCE 的步骤。通常，阅读非敏感文件或在随机路径下创建文件就足以证明您的发现。