Metasploit and local file inclusion
I am not a super skilled hacker (probably I am the opposite), but one thing I have is the mindset. Whenever I read something interesting, I want to go beyond and I keep thinking about it until I come up with something.
A long time ago I read about an interesting project called FIMAP that is meant to exploit LFI (Local File Inclusions) in web servers, mainly PHP.
I thought it would be nice to integrate it somehow with Metasploit because it is the framework that many people are using nowadays. It took me some time to write a Python wrapper that creates/encodes payloads and communicates with Metasploit using XMLRPC.
As a result, we have a Fimap plugin that interacts with a running Metasploit console and pops up a reverse shell, for Windows and Unix. I had to make some changes with their help because I am not a skilled programmer and I didn’t know how to implement a plugin system. I think it was a great experience!
The original code is in my Subversion repository.