Playing with Remote File Inclusion in Metasploit
Exploiting Remote File Inclusion (RFI) through Metasploit is a kid game. The 29 January 2010, RSnake has release a database of more than 2000 Remote File Inclusion vulnerable URL’s. This RFI vulnerable database was compiled mainly from Milw0rm and OSVDB, and integrated the 15 February 2010 by HD Moore into Metasploit with the objective to be integrated into the already existing “php_include” exploit.
All the URLs present into the database are finished with “XXpathXX” how will execute the desired payload, for example “reverse_php“.
If you don’t specify any specific RFI target the RFI database will be used by default. To focus on a specific URL, just set PHPURI to the desired URL and finish they with “XXpathXX“. For example :
set PHPURI /index.php?COLOR=XXpathXX
When you check the HTTP Server log, you will see the related RFI attempts, but no way to distinguish RFI bot scan to Metasploit scan, no specific user agent by default is provided by Metasploit for “php_include” exploit. You can configure one, by setting the advanced configurations of the exploit (show advanced). To setup a specific user agent is interesting to create specific IDS rules in order to detect the tool how has create theses attempts during an QA for example.
The RFI database integrated into Metasploit is actually 3 months old, and don’t represent any more the existing exploits, but you have the facility to create your own database and use it.