search

alfredleo / fimap

Automatically exported from code.google.com/p/fimap
0 stars 1 forks source link

It is not detecting the bug . #64

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
OK I have site ,

Suppose the site is http://www.mysite.com/index.php?page=bug.php
If i directly request http://www.mysite.com/index.php?page=/etc/passwd

The it output the file ... That is nice.

And fimap detected with this command ./fimap.py -b -u 
"http://www.mysite.com/index.php?page=bug.php/index.php?page=bug.php" 

But what about if the site is like : 
http://www.mysite.com/wp-includes/ms-settings.php 

And there is a error : 

Warning: require(ABSPATHWPINC/ms-load.php) [function.require]: failed to open 
stream: No such file or directory in 
/home/name/public_html/wp-includes/ms-settings.php on line 18

 Warning: require(ABSPATHWPINC/ms-load.php) [function.require]: failed to open stream: No such file or directory in /home/name/public_html/wp-includes/ms-settings.php on line 18

 Fatal error: require() [function.require]: Failed opening required 'ABSPATHWPINC/ms-load.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/name/public_html/wp-includes/ms-settings.php on line 18

Is it not exploitable for FI?

Fimap will not exploit it?

I tested but fimap did not detected the error.

(I know fimap take the parameter but if it is File inclusion vulnerable should 
it not be exploitable?)

Any advice ?

Original issue reported on code.google.com by murder.n...@gmail.com on 8 Dec 2011 at 2:32

GoogleCodeExporter commented 9 years ago 
Hi!

To be honest I don't understand 100% what you mean.

But if I understand you correctly fimap is detecting the bug in the url 
"http://www.mysite.com/index.php?page=bug.php/index.php?page=bug.php" 
but *not* in "http://www.mysite.com/wp-includes/ms-settings.php"?

If you mean that I am pretty sure that your second URL is not exploitable.
It looks like a static inclusion where we have no control over it.

I might be wrong. Please clairify me and if you can send me an realworld URL so 
I can test whats wrong. Feel free to drop me an email to fimap.dev@gmail.com
if you don't want to send the URLs to the public ;)

-imax.

Original comment by fimap....@gmail.com on 9 Dec 2011 at 4:28

GoogleCodeExporter commented 9 years ago

Original comment by fimap....@gmail.com on 21 Jan 2012 at 8:39