Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/EnableSecurity/Webapp-Exploit-Payloads

a collection of payloads for common webapps
https://github.com/EnableSecurity/Webapp-Exploit-Payloads

Last synced: 3 months ago
JSON representation

a collection of payloads for common webapps

Awesome Lists containing this project

README 

        
# Webapp Exploit Payloads



A collection of payloads for common webapps and a tool to help

generate them.



## Usage:



To list the available payloads:



	$ ./genpayload.py -L 



To generate one big JavaScript file called `out.js`:



	$ ./genpayload.py -p wordpress/newadmin -o out.js



To list valid parameters:



	$ ./genpayload.py -p wordpress/newadmin -H



To pass the parameters through command line:



	$ ./genpayload.py -p wordpress/newadmin -P usernewpage=http://victimsite/blog/wp-admin/user-new.php



To generate payload for crossdomain.xml exploitation:



	$ ./genpayload.py -p wordpress/newadmin -t swf -P usernewpage=http://victimsite/blog/wp-admin/user-new.php



To generate payload with an html file:



	$ ./genpayload.py -p wordpress/newadmin -t htmljs -P usernewpage=http://victimsite/blog/wp-admin/user-new.php



## Payload types



### JS



Outputs a single JavaScript file that contains all the necessary libraries, such as 

jQuery. This can then be included in your XSS. Can also be compressed if need be. 



### HTMLJS



Creates a directory containing `index.html` and the included libraries. The html

file contains the payload JavaScript. 



### SWF



Creates a directory containing `index.html` and all libraries, including the

files needed for flXHR.



### HTML5CORS



Similar to HTMLJS but makes the code work cross-domain thanks to HTML5 

cross origin resource sharing. The victim server needs to trust the attacker server

through the `Access-Control-Allow-Origin: http://attackersite` header and also the header

`Access-Control-Allow-Credentials: true` needs to be set.



## Directory structure



### /bin



This is where `genpayload.py` resides.



### /src



This is where all the code is generated from. 



#### /src/config



A directory containing general configuration files. The file

`settings.ini` is used to store one `statusurl` for all.  



#### /src/includes



A directory containing files that are included by the payloads. For example,

jquery and its plugins are stored here. There is also a common.js which 

contains functions that are commonly used across most payloads. 



#### /src/payloads



This directory contains all the payloads. The subdirectories under this one

are named after the product that they exploit, for example, wordpress. 

There is one directory called generic where generic payloads are stored. 



Each payload has to contain a `config.ini` file that specifies the filename

of the payload, other dependencies and default variable values. 



## Configuration files



Each `config.ini` has the following sections:



- `[config]` where all variables that do not fit anywhere else and their values are stored 

- `[locations]` where all URLs are stored .. these URLs become variables within the payload 

- `[dependencies]` which contains the following options:

	- `script` which is the filename of the payload

	- `jquery` which is the filename of the jquery script

	- `include` which is any other JavaScript files to be included in the final payload

- `[about]` which contains information about the script including:

	- `description` which is a summary of what the payload does

- `[includes]` which contains variable names whose values include filenames for files 

  that are read by the payload generator and then their contents end up a JavaScript 

  string in the payload. Useful for placing that backdoor php code