Download Shellfire Apk
Apolito Leyva
I'm not going to tread deep into the woods on determining what parameters are exploitable (that's a topic for another article), but let's say you fiddled with the path variable a bit and have determined that it's vulnerable to RFI. Huzzah! Let's fire up shellfire!
Once started, you will be dropped into the interactive shell. Similar to sqlite3, you preface shellfire commands with a dot. Anything else will be sent to your target. You can type .help at any time for a list of available commands, or append the command you want to know more information about to help for specific details. For example .help http.
Since this is an RFI, we are going to need to host our exploit code somewhere for the vulnerable target to include. Fortunately, shellfire supports a built-in web server to do this! (At the moment, this web server only serves PHP exploit code, but it should be trivial to add additional target languages in the future.)
Finally, we just need to tell shellfire what the target we are going to exploit is. In this case, we enter the URL for our vulnerable site, but replace the value of our vulnerable path variable with the address of our shellfire exploit web server:
760c119bf3