Shell plugin for Burp Suite: from OS Command injection to shell with tab-completion in Burp

edited September 2020 in Tools

I wrote a Burp Suite plugin that offers a shell-like environment right in Burp:

Burp Shell Demo

You can download the plugin here:
https://github.com/gnothiseautonlw/burp-shell-fwd-lfi

If some conditions are met, it will offer tab-completion, command history and persistence... just by leveraging an OS Command injection vulnerability and without the need of uploading a web shell or creating a bind or reverse shell.

I wrote an article on how it can be used. That same article also describes the methods used internally by the plugin to go from just an OS Command injection that has no persistence and tab-completion, to a shell that offers both. You can find it here:
https://docs.google.com/document/d/1Vk-CPFgylO79IJaSRq930qDs7N-rQnVHpRp2I9ooqR8/edit?usp=sharing

Comments

  • Nice one!

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.
