This topic contains 3 replies, has 2 voices, and was last updated by 
-
Posts
-
Hi everyone,
After learning some scanning tools that can scan Remote File Inclusion vulnerability (fimap, w3af, uniscan, etc), I decided to draw a diagram to show the mechanism. So here is the picture.
Note: if you cannot see the picture, please find at attachment
Little description:
Attacker box: the person can scan and exploit the RFI vulnerability. Some tool offer exploit mode to get victim shell in their tool; therefore, I decided to put it in.Variable setting box: allow the user to set parameter.
Victim Server box: normal stuff inside a server
Is it the right way to draw how scanning tool work? Is there some specific part that i need to modify?
Feel free to post your opinion so I can learn from everyone and draw the right diagram. 🙂
Thanks
-
Hi fly,
I think you have demoed that there was a script that you used as payload, so that the attacker can control the victim. The picture need to be updated with the payload.The “Return Shell” looks ambiguous… Is the shell actually the effect of what the payload does? In that case the payload goes on to one direction, and the returned shell should be showing the other direction.
-
@erwinadi wrote:
Hi fly,
I think you have demoed that there was a script that you used as payload, so that the attacker can control the victim. The picture need to be updated with the payload.The “Return Shell” looks ambiguous… Is the shell actually the effect of what the payload does? In that case the payload goes on to one direction, and the returned shell should be showing the other direction.
Hi Erwin,
Thanks for the input.
Yes, the “Return Shell” pipe is the result of what the payload does so let me revised the diagram a little bit.
Cheers ;D
-
In that case, perhaps a revised picture would help.
You must be logged in to reply to this topic.
