I think I am losing my marbles. I am doing a practice lab, and the machine has a server hosting a site with an RFI vulnerability.

I host a malicious PHP file in my /var/www/html and start the apache2 service, and then navigate to:

/index.php?path=/evil.php

I have already set up a listener in Metasploit. The payload executes and I get a session, but when I drop into a shell on the session, the IP address given is that of the attack box?

Am I missing something super obvious? It seems the victim server is simply executing the PHP script on my attack box that is serving it, rather than including it and running it on the victim server?!

I am sorry, I'm fairly new to Web App stuff, and I'm sure I am just not seeing the wood for the trees.

Cheers in advance.

user3046771

1 Answer


By hosting it as a PHP file, your attacker server will execute the code when Apache receives a web request. This is why you get a shell from the wrong IP. Try hosting it as a .txt file instead, or remove the .php binding so Apache serves the PHP source instead of executing it.

wireghoul
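
For whoever reviews the lab server's access logs, an added example (not part of the original question or answer): it flags requests whose `path` parameter, the one from the question, decodes to a remote URL, protocol-relative URL or stream wrapper. The log lines are constructed, and the function names and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request target inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value starts with "scheme:" (http:, ftp:, php:, data: ...) or with "//host".
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:|//)', re.IGNORECASE)

# Constructed sample entries; addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2024:10:00:01 +0000] '
    '"GET /index.php?path=about.php HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Mar/2024:10:00:05 +0000] '
    '"GET /index.php?path=http://203.0.113.5/notes.txt HTTP/1.1" 200 128',
    '198.51.100.23 - - [10/Mar/2024:10:00:09 +0000] '
    '"GET /index.php?path=http%253A%252F%252F203.0.113.5%252Fnotes.txt HTTP/1.1" 200 128',
    '198.51.100.23 - - [10/Mar/2024:10:00:12 +0000] '
    '"GET /index.php?path=//203.0.113.5/notes.txt HTTP/1.1" 200 128',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_include_params(log_line, watched=("path",)):
    """Return (param, decoded_value) pairs whose value points off-host."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            decoded = decode_fully(value)
            if REMOTE_RE.match(decoded):
                hits.append((name, decoded))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(remote_include_params(line) or "clean", "<-", line.split('"')[1])
```

A Windows drive path such as `C:\...` also matches the scheme pattern, so on Windows hosts expect to tune `REMOTE_RE`.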