Shell plugin for Burp Suite: from OS Command injection to shell with tab-completion in Burp
I wrote a Burp Suite plugin that offers a Shell-like environment right in burp:
You can download the plugin here:
https://github.com/gnothiseautonlw/burp-shell-fwd-lfi
If some conditions are met, it will offers tab-completion, command history and persistence... just by leveraging an OS Command injection vulnerability and without the need of uploading a web shell or creating a bind or reverse shell.
I wrote an article on how it can be used. That same article also describes the methods used internally by the the plugin to go from just an OS Command injection that has no persistence and tab-completion, to a shell that offers both. You can find it here:
https://docs.google.com/document/d/1Vk-CPFgylO79IJaSRq930qDs7N-rQnVHpRp2I9ooqR8/edit?usp=sharing
Quick Links
Categories
- 3.7K All Categories
- 2.6K Discussion
- 1.3K Machines
- 488 Challenges
- 26 RastaLabs
- 140 Exploits
- 40 Programming
- 633 Off-topic
- 1.1K Tutorials
- 568 Writeups
- 96 Video Tutorials
- 174 Tools
- 215 Other
- 29 Links
- 29 News
Comments
Nice one!
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.
Currently have very limited HTB time but will try to respond as quickly as possible.