Arbitrary JSP File Upload and RCE in OpenPLC ScadaBR
CVE-2021-26828 is an unrestricted file upload vulnerability in OpenPLC ScadaBR affecting versions through 0.9.1 on Linux and through 1.12.4 on Windows. A remote, authenticated user can upload arbitrary JSP files through the view_edit.shtm functionality, which accepts a file without restricting its type or name. Because the servlet container compiles and runs any JSP it is asked to serve, the attacker only has to request the uploaded file for it to execute on the server. The flaw is therefore an authenticated arbitrary file upload that yields remote code execution with the privileges of the application server account hosting ScadaBR. Valid credentials are the only precondition, so exposure depends on how ScadaBR accounts are managed; once past the login, the upload-then-execute path has no further barrier.
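The root cause is an upload handler that trusts the client-supplied file name and type. The Python below is an added illustration written for this page, not ScadaBR's code (ScadaBR is a Java application; the function names `vulnerable_store_name` and `hardened_store_name`, the image allowlist and the magic-byte table are assumptions chosen for the example). It contrasts the failure mode described above, a handler that stores whatever name the client sends, with an allowlist-based check that strips any path component, refuses JSP-family extensions anywhere in the name, verifies the content against the claimed type, and lets the server rather than the client choose the stored name.

```python
import re
import secrets

# Assumed policy for this example: the upload endpoint only ever needs images.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# Extensions a servlet container may compile and execute; reject these anywhere in the name.
SERVER_EXECUTABLE = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}
# Leading bytes each allowed type must start with (assumed table, enough for the example).
MAGIC_BY_EXT = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised by the hardened check with a short reason."""


def vulnerable_store_name(client_filename):
    """The shape of the flaw: the client's file name is used as the stored name, unchecked."""
    return client_filename


def hardened_store_name(client_filename, content):
    """Return a server-chosen stored name for an acceptable upload, or raise UploadRejected."""
    # 1. Drop any directory component the client sent, whichever separator it used.
    name = re.split(r"[\\/]", client_filename)[-1]
    # 2. No empty names and no control bytes (a NUL can truncate the name on older stacks).
    if not name or re.search(r"[\x00-\x1f\x7f]", name):
        raise UploadRejected("bad characters in filename")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    # 3. A server-executable extension anywhere after the first dot is rejected,
    #    so shell.jsp, shell.jspx and shell.jsp.png all fail here.
    if any("." + p in SERVER_EXECUTABLE for p in parts[1:]):
        raise UploadRejected("server-executable extension")
    ext = "." + parts[-1]
    # 4. Allowlist, not denylist: only the types this endpoint actually needs.
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not in allowlist")
    # 5. The bytes must look like what the extension claims.
    if not content.startswith(MAGIC_BY_EXT[ext]):
        raise UploadRejected("content does not match extension")
    # 6. The server picks the stored name; the client's name never reaches the filesystem.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG header, not a real image
    print(vulnerable_store_name("shell.jsp"))    # stored as-is: the bug
    print(hardened_store_name("plant.png", png))  # random 32-hex name + .png
    for bad in ("shell.jsp", "shell.jspx", "shell.jsp.png"):
        try:
            hardened_store_name(bad, png)
        except UploadRejected as e:
            print(bad, "->", e)
```

The allowlist plus content check is the part that matters: a denylist of `.jsp` alone misses the other extensions the container maps to the JSP servlet, and a name check alone still stores attacker-controlled bytes under a name the attacker can predict.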
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a single Python script that exploits CVE-2021-26828, an authenticated remote code execution vulnerability in ScadaBR. The exploit targets ScadaBR instances on both Linux and Windows (prior to version 1.1.01). The script requires valid credentials to authenticate to the ScadaBR web interface, uploads a platform-specific JSP web shell, and provides several post-exploitation features: a reverse shell (Linux), arbitrary command execution (Windows), environment variable dumping, and a kill/cleanup switch to remove the shell. It also supports proxying, webhook notifications, and post-exploitation chaining. The attack vector is network-based, targeting the HTTP interface of ScadaBR; the endpoints involved are the user-supplied ScadaBR URL and the path to the uploaded web shell. The payloads are JSP web shells embedded in the script. The repository is operational and provides a functional exploit with post-exploitation capabilities.
This repository contains 'ScadaFlare', an advanced exploit toolkit targeting CVE-2021-26828 in ScadaBR versions prior to 1.1.0. The main file, 'scadaflare.py', is a Python 3 script that automates authenticated remote code execution by uploading a weaponized JSP web shell via the 'view_edit.shtm' endpoint. The exploit supports both Linux and Windows targets, with payloads tailored for each OS. Features include reverse shell triggering (with configurable IP/port), command execution (Windows), environment variable dumping, webhook-based exfiltration (Slack/Discord), proxy support, and cleanup (shell removal). The toolkit is modular, supporting post-exploitation enumeration and integration into red team workflows. The README provides detailed usage instructions and highlights enhancements over the original PoC. The only code file is 'scadaflare.py'; the other files are documentation and license. The exploit requires valid credentials and network access to the ScadaBR web interface. No hardcoded IPs or domains are present, but the main fingerprintable endpoint is the 'view_edit.shtm' upload handler.
This repository contains two Python exploit scripts (LinScada_RCE.py for Linux targets and WinScada_RCE.py for Windows targets) and a README file. Both scripts exploit CVE-2021-26828, an authenticated arbitrary file upload vulnerability in ScadaBR (versions 1.0, 1.1CE, and 1.12.4CE). The exploit works by authenticating to the ScadaBR web interface, uploading a malicious JSP webshell via the vulnerable 'view_edit.shtm' endpoint, and then accessing the uploaded shell in the 'uploads' directory. The Linux version uploads a JSP that provides a reverse shell to the attacker's machine, while the Windows version uploads a JSP that allows arbitrary command execution via HTTP requests. The README provides usage instructions and references. The main attack vector is network-based, requiring valid credentials to the ScadaBR web interface. The endpoints involved are the login page, the file upload page, and the uploads directory where the webshell is placed.
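All three exploits above follow the same sequence against the HTTP interface: authenticate, POST the JSP to view_edit.shtm, then GET the shell from the uploads directory. That sequence is visible in the servlet container's access log. The script below is an added example written for this page, not code from any of the repositories; the log lines are constructed, not real traffic. It assumes Tomcat's "common" access-log format and the default /ScadaBR context path, and flags any request for a JSP-family file under /uploads/, raising the severity when the same client POSTed to view_edit.shtm within the previous hour.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic) in Tomcat's "common" access-log format.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:14:01 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2024:10:14:03 +0000] "GET /ScadaBR/view_edit.shtm HTTP/1.1" 200 18342
10.0.0.5 - - [12/Mar/2024:10:14:07 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2024:10:14:09 +0000] "GET /ScadaBR/uploads/shell.jsp?cmd=id HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:20:00 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2024:10:20:02 +0000] "GET /ScadaBR/uploads/plant.png HTTP/1.1" 200 40211
10.0.0.7 - - [12/Mar/2024:11:02:30 +0000] "GET /ScadaBR/uploads/old.JSP HTTP/1.1" 404 0
"""

# Extensions the servlet container maps to the JSP servlet (assumed set; extend per container config).
JSP_EXTENSIONS = (".jsp", ".jspx", ".jspf", ".jsw", ".jsv")
UPLOAD_ENDPOINT = "view_edit.shtm"
CORRELATION_WINDOW = timedelta(hours=1)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec.pop("target").split("?", 1)[0]  # drop the query string
    return rec


def is_jsp_path(path):
    """True when the request path ends in a JSP-family extension, case-insensitively."""
    return path.lower().endswith(JSP_EXTENSIONS)


def find_webshell_activity(log_text):
    """Flag requests for JSP-family files under /uploads/, correlated with prior upload POSTs."""
    last_upload_post = {}  # client ip -> timestamp of its most recent POST to view_edit.shtm
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_ENDPOINT):
            last_upload_post[rec["ip"]] = rec["ts"]
            continue
        if "/uploads/" in rec["path"] and is_jsp_path(rec["path"]):
            prior = last_upload_post.get(rec["ip"])
            correlated = prior is not None and rec["ts"] - prior <= CORRELATION_WINDOW
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "severity": "high" if correlated else "medium",
                "upload_post_seen": correlated,
            })
    return findings


if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['status']} {f['path']}")
```

A POST to view_edit.shtm on its own is not reported, because legitimate users upload background images through that page; the signal is a JSP-family name being requested from the uploads directory. A 404 is still reported, since a failed fetch of a JSP under uploads indicates either an attempt or a shell that was later removed (two of the exploits above ship a cleanup switch), and the upload POST is kept separate so a successful upload followed by a blocked execution still surfaces.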