Saturday, October 2, 2010

Metasploit and local file inclusion

I am not a super skilled hacker (probably I am the opposite), but one thing I have is the mindset. Whenever I read something interesting, I want to go beyond and I keep thinking about it until I come up with something.

A long time ago I read about an interesting project called FIMAP that is meant to exploit LFI (Local File Inclusions) in web servers, mainly PHP.

I thought it would be nice to integrate it somehow with Metasploit because it is the framework that many people are using nowadays. It took me some time to write a Python wrapper that creates/encodes payloads and communicates with Metasploit using XMLRPC.


As a result, we have a Fimap plugin that interacts with a running Metasploit console and pops up a reverse shell, for Windows and Unix. I had to make some changes with their help because I am not a skilled programmer and I didn't know how to implement a plugin system. I think it was a great experience!

The original code is in my Subversion repository.
