Introduction
> Seems broken for now, will update later.
# Exploit Script for CSRF and Reverse Shell Attack
This script automates a CSRF (Cross-Site Request Forgery) exploit that uploads a PHP reverse shell to a target's web server and executes it. The reverse shell is delivered as a ZIP file via a crafted CSRF payload, which fires when a privileged user interacts with a specific endpoint. A Netcat instance must already be listening to catch the reverse shell connection.
## Requirements
- **Netcat**: Ensure Netcat is installed and can listen on a specified port (default: 9001).
- **Python 3**: Used to serve files over HTTP.
- **Curl & JQ**: Used to fetch and handle HTTP requests and JSON parsing.
## Usage
```bash
./exploit.sh <target_url> <admin_endpoint> <admin_email> <attacker_ip>
```
### Arguments
- `target_url`: Base URL of the target (e.g., `https://example.com`).
- `admin_endpoint`: Path to the admin theme import endpoint.
- `admin_email`: Email address of an administrator (to spoof for the payload).
- `attacker_ip`: IP address where the reverse shell listener will receive the connection.
### Example
```bash
./exploit.sh https://victim.com /admin-panel admin@victim.com 192.168.1.10
```
### Exploit Workflow
1. **Reverse Shell Creation**: Generates a PHP reverse shell using [revshells.com](https://www.revshells.com) with the provided `attacker_ip` and port `9001`.
2. **ZIP Packaging**: The reverse shell script (`love.php`) is compressed into `Love-exploit.zip`.
3. **CSRF Token Fetch**: Retrieves the CSRF token from the target to authorize the theme import request.
4. **HTML Payload Construction**: Builds an HTML payload (`csrf_payload.html`) containing a JavaScript script to automatically submit a malicious request to the target's admin panel to import the reverse shell.
5. **HTTP Server Setup**: A temporary HTTP server on port `8000` serves `Love-exploit.zip` for the target to import.
6. **XSS Upload and CSRF Trigger**: The CSRF payload is uploaded to the target’s contact page. When accessed, it triggers the CSRF attack.
7. **Reverse Shell Listener**: The attacker monitors incoming connections from the victim using Netcat.
## Execution Steps
1. Start a Netcat listener on your machine:
```bash
nc -nvlp 9001
```
2. Run the script:
```bash
./exploit.sh https://victim.com /admin-panel admin@victim.com 192.168.1.10
```
3. Wait for the target to execute the CSRF payload and receive the reverse shell connection.
## Output
The script outputs the following information during execution:
- CSRF token retrieval status.
- Status of reverse shell creation and packaging.
- Status of payload delivery and HTTP server status.
## Important Notes
- **Permissions**: This script requires permission to execute on the target server. Unauthorized use is illegal and punishable by law.
- **Testing Environment**: Use in a controlled, authorized environment only, such as a cybersecurity lab.
- **Port Conflicts**: Ensure ports `8000` (HTTP server) and `9001` (Netcat listener) are free before running the script.
---
### Example Output
```plaintext
[*] Ensure Netcat is listening: nc -nvlp 9001
[*] Awaiting netcat listener...
[*] Creating PHP reverse shell...
[*] Packaging shell as Love-exploit.zip...
[*] Fetching CSRF token...
[+] CSRF token retrieved: <token_value>
[*] Building HTML payload for CSRF...
[*] Converting HTML to PNG...
[*] Checking for existing HTTP server on port 8000...
[*] Starting new HTTP server on port 8000 for payload delivery...
[*] Uploading XSS payload to trigger CSRF...
[*] Keeping script running to monitor for incoming connections...
```
This document is intended for use by penetration testers and cybersecurity researchers in controlled environments. Misuse of this tool for unauthorized purposes is strictly prohibited.
---
### Disclaimer
This script is for educational purposes and legal cybersecurity assessments only. Unauthorized use against a system without permission is illegal and against ethical guidelines.
File snapshot
```plaintext
[4.0K] /data/pocs/a8b176686e4c62482da3bf0314e9e99134f1b60d
├── [5.3K] CVE-2024-34716
└── [3.9K] README.md
0 directories, 2 files
```