Description
This plugin finds remote file inclusion (RFI) vulnerabilities by injecting a URL it controls into each parameter and checking whether the target includes and renders the file behind it. Three configurable parameters exist:
- listen_address
- listen_port
- use_w3af_site
The plugin can run in two ways. The most common is to use the w3af site (w3af.sf.net) as the URL to include. This is convenient and requires zero configuration, but every successful inclusion is an outbound request from the vulnerable application to w3af.sf.net, so information about vulnerable sites leaks to the w3af.sf.net staff. The second way starts a webserver on the box running w3af, bound to the IP address and port given by "listen_address" and "listen_port", and includes URLs that point at it. This only works if the target web application can open a connection back to that server: if w3af sits behind a NAT router or a firewall, you must forward or allow "listen_port" to the scanning host and set "listen_address" to an address the target can actually reach, otherwise the included URL never loads and the test cannot succeed.
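The following is an added example, not w3af's own code, that shows what the local-webserver mode boils down to: serve a random marker from a listener, inject the listener's URL into a parameter, and look for the marker in the response. It also records whether the target connected to the listener at all, which is how you tell "not vulnerable" apart from "target cannot reach my listener" (the NAT/firewall failure mode described above). The marker, the two stand-in "targets" (a page that behaves like PHP's include() with allow_url_include enabled, and an allow-listed one), and the loopback listener are all constructed for the example; the plugin's real default port is 44449, here the OS picks a free one.

```python
# Added example (not w3af's code): the core of an RFI probe in local-webserver
# mode. Marker, stand-in targets and the loopback listener are constructed here.
import http.server
import secrets
import threading
import urllib.request


def make_marker():
    """Per-run random string: the listener serves it and the scanner looks for
    it in the target's output, so a cached or canned page cannot match."""
    return "w3af-rfi-" + secrets.token_hex(8)


def start_listener(marker, listen_address="127.0.0.1", listen_port=0):
    """Start the webserver that serves `marker` on every path (the role of the
    listen_address/listen_port options). Port 0 lets the OS pick a free port.
    Returns the server and a list that records every path the target fetched."""
    hits = []

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            hits.append(self.path)
            body = marker.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    server = http.server.HTTPServer((listen_address, listen_port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, hits


# Direct connections only: an http_proxy in the environment must not get in
# the way of the constructed target reaching the loopback listener.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def vulnerable_target(params):
    """Constructed stand-in for a PHP page doing include($_GET['page']) with
    allow_url_include=On: it fetches any URL it is handed and echoes the body."""
    page = params.get("page", "home")
    if page.startswith(("http://", "https://")):
        with _opener.open(page, timeout=3) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return "local page: " + page


def safe_target(params):
    """The same page with an allow-list of local names: a URL is never included."""
    page = params.get("page", "home")
    return "local page: " + page if page in {"home", "about"} else "not found"


def probe_rfi(send_request, param, marker, include_url, hits):
    """Inject `include_url` into `param` and classify the outcome:
      vulnerable   - the marker came back, so the file was included and rendered
      listener_hit - the target connected to the listener at all; without it a
                     negative result is inconclusive (NAT/firewall in the way)."""
    seen = len(hits)
    try:
        body = send_request({param: include_url})
    except Exception:  # a target that cannot reach the listener may time out
        body = ""
    listener_hit = len(hits) > seen
    if marker in body:
        verdict = "vulnerable: remote file included and rendered"
    elif listener_hit:
        verdict = "fetched but not rendered: check for blind inclusion"
    else:
        verdict = "no evidence: not vulnerable, or target cannot reach listener"
    return {"vulnerable": marker in body, "listener_hit": listener_hit, "verdict": verdict}


if __name__ == "__main__":
    marker = make_marker()
    server, hits = start_listener(marker)
    include_url = "http://127.0.0.1:%d/rfi.txt" % server.server_address[1]
    for name, target in (("vulnerable", vulnerable_target), ("safe", safe_target)):
        print(name, probe_rfi(target, "page", marker, include_url, hits))
    server.shutdown()
```

Against a real target, `send_request` would be the HTTP request with the payload in the parameter, and `listen_address` would have to be an address the target can route to; a probe that never produces a `listener_hit` on any parameter is the signature of a listener the target cannot reach rather than of a clean application.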
Plugin type
Options
Name | Type | Default Value | Description | Help
--- | --- | --- | --- | ---
listen_address | string | 10.5.6.13 | IP address that the webserver will use to receive requests | w3af runs a webserver to serve the files to the target web application when doing remote file inclusions. This setting configures where the webserver is going to listen for requests.
listen_port | port | 44449 | TCP port that the webserver will use to receive requests | No detailed help available
use_w3af_site | boolean | True | Use the w3af site to test for remote file inclusion | The plugin can use the w3af site to test for remote file inclusions, which is convenient when you are performing a test behind a NAT firewall.
Source
For more information about this plugin and the associated tests, there is always the source code to understand exactly what is under the hood:
- Plugin source code
- Unittest source code
Dependencies
This plugin has no dependencies.