Pentest Tools mando

Published on January 10th, 2018

Web Command Injection Tool

PHP Command Injection exploitation tool

  1. Exploit web page and upload simple-shell.php (or simply find an existing exploitable command injection).
  2. Execute the controller to exploit the command injection vulnerability. The controller is simply a command injection exploitation tool, so with a few adjustments it can be rewritten to exploit already existing vulnerabilities without uploading 'simple-shell.php'.
  • Automated exploit-injection via POST or GET (e.g. ./ --cookie "security=low;PHPSESSID=DEADBEEFDEADBEEFDEADBEEFDEADBEEF" --url "http://metasploitable:2280/dvwa/vulnerabilities/exec/" --post "{'submit':'','ip':_INJECT_}")
  • Encrypted agent communication
  • Meterpreter/Reverse Shell Injection
  • A more user friendly UI
  • Built-in post-exploitation tools (enumeration, privilege escalation etc.)
  • And much more…


git clone


(python) [options]
--help Show this help message and exit
--url Shell interface URL without parameters (e.g. "")

--post Declare POST data (e.g. "{'submit':'','ip':_INJECT_}")
--get Declare GET data (e.g. "{'ip':_INJECT_}")
--cookies Declare COOKIE data (e.g. "PHPSESSID=deadbeefdeadbeefdeadbeefdeadbeef")
Shell commands:
Commands that are executable while in shell interface


meterpreter Injects a PHP Meterpreter, PHP Reverse TCP Stager (requires a listener for php/meterpreter/reverse_tcp)
upload Upload a file
download Download a file
kill_self Cleans up traces and aborts the shell
exit Exits the shell
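
On the defending side, the `ip` field marked `_INJECT_` in the `--post` example above is only injectable when the application hands it to a shell. The following is an added example (not part of the tool or the original page) of validating such a field and running the command without a shell; the `ping` command, the function names and the sample values are assumptions.

```python
import ipaddress
import subprocess

# Constructed sample values for the `ip` form field (not taken from the page).
SAMPLES = ["192.0.2.10", "2001:DB8::1", "192.0.2.10; id", "$(id)",
           "-c 9 192.0.2.10", "192.0.2.10\n", "fe80::1%;id"]


def parse_target(raw):
    """Return the canonical IP literal, or None if raw is anything else."""
    if not isinstance(raw, str) or len(raw) > 45 or "%" in raw:
        # "%" introduces an IPv6 scope id, which is free-form text,
        # so scoped addresses are refused outright.
        return None
    try:
        # Accepts only a bare IPv4/IPv6 literal: separators, spaces,
        # newlines, substitutions and option-like values all raise.
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def build_ping_argv(raw):
    """Build an argument vector; the value is never parsed by a shell."""
    target = parse_target(raw)
    if target is None:
        raise ValueError("ip field is not an IP address literal")
    # A validated literal cannot start with "-", so it cannot act as an option.
    return ["ping", "-c", "1", target]


def run_ping(raw, timeout=5):
    """Run the command without a shell and return the CompletedProcess."""
    return subprocess.run(build_ping_argv(raw), shell=False,
                          capture_output=True, text=True,
                          timeout=timeout, check=False)


def classify(samples):
    """Map each sample to the canonical address it parses to, or None."""
    return {s: parse_target(s) for s in samples}


if __name__ == "__main__":
    for value, parsed in classify(SAMPLES).items():
        print(f"{value!r:24} -> {'accepted ' + parsed if parsed else 'rejected'}")
```

Only the two address literals are accepted; every other sample is rejected before any process is started.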

