Getting Started With SnappingTurtle

Overview |  Getting Started |  Documentation |  Download |  Changelog


SnappingTurtle has only one requirement: Python 2.7. Other version may work, but are not officially supported. If Python isn't already installed, the official releases can be found on python.org.

Once Python is installed, SnappingTurtle can be downloaded and run.


SnappingTurtle was designed to be entirely portable, with no explicit setup. To install it, download the latest version from GitHub. Once the latest archive has been downloaded, extract st.py to the preferred installation directory. For this documentation, st.py was extracted to c:\tools on a Windows 10 machine.

Once Python 2.7 has been installed and st.py extracted, SnappingTurtle can be run.

Running SnappingTurtle For The First Time

SnappingTurtle can be run with a command like the following:

C:\tools>python st.py

When run without command-line arguments, SnappingTurtle displays an overview of its settings.

The output should like something like the sample below.

C:\tools>python st.py
SnappingTurtle Web Exploitation Tool 0.1.0324.1445

python st.py [exploitation strategy] [url] [inputs]

# Exploitation Strategies

  lfi                Local file inclusion. Injection is performed using the $lfi token.

  sqli {options}     SQL injection. Injection is performed using the $sqli token.

    If used, one of two options must be specified:

    list             Dumps a list of databases and tables.
    table {name}     Dumps a database table.

  xss {server ip}    Cross-site scripting. Injection is performed using the $xss token.

    If used, a target accessible server IP must be specified for listening.

  upload             Arbitrary upload. Write data to the server using the -f option.

    If used, at least one file must be specified using the -f option.
    Built-in shells can be injected using the $php token.

  shell {shell url}  Connects to a previously created shell.

# Url

  The url to exploit. Can be injected into using tokens.

# Inputs

  -g {GET name} {GET value}          GET data in key/value format.
  -p {POST name} {POST value}        POST data in key/value format.
  --g {GET data}                     GET data in Python map format.
  --p {POST data}                    POST data in Python map format.
  -f {name} {filename} {file data}   POST data as a file.

# Examples

  python st.py lfi http://localhost/lfiTest.php?theme=$lfi

  python st.py lfi http://localhost/lfiTest.php -g theme $lfi

  python st.py lfi http://localhost/lfiTest.php?theme=$lfi%00

  python st.py lfi http://localhost/postTest.php --p "{'theme':'$lfi'}"

  python st.py sqli list http://localhost/sqliTest.php -g email $sqli

  python st.py sqli table sqlitest.users http://localhost/sqliTest.php -g email $sqli

  python st.py xss -g search $xss

  python st.py upload -f file shell.php $php

  python st.py shell

Now it is time to exploit a target. Head over to Local File Inclusion To Remote Code Execution

Copyright © 2018 AutoSec Tools LLC