WebRaider

Sat, 27 Feb 2010 - by Ferruh Mavituna

WebRaider is a proof of concept tool to get reverse shell from an SQL Injection with one request, without using any extra channels such as TFTP or FTP to upload the initial payload.

One Click Ownage

Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.

  • It's only one request therefore faster,
  • Simple, you don't need a tool you can do it manually by using your browser or a simple MITM proxy,
  • just copy paste the payload,
  • CSRF(able), It's possible to craft a link and carry out a CSRF attack that will give you a reverse shell
  • It's not fixed, you can change the payload,
  • It's short, Generally not more than 3.500 characters,
  • Doesn't require any application on the target system like FTP, TFTP or debug.exe
  • Easy to automate.

Download One Click Ownage White Paper

Presentation

Download WebRaider Tool

WebRaider written for fun as a weekend project by Ferruh Mavituna and Mesut Timur, it's a PoC tool, code is messy and expect many bugs. You've been warned :)

WebRaider