Closed WhiteyCookie closed 7 months ago
For the debugging purposes, could You please provide a sample of URLS you used from a file? You can redact the hostnames and parameters.
Sure, ill provide few here that caused the "AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'" :
└─# python3.9 lfimap.py -v -i -F /WhiteyCookie/Github/ParamSpider/paramspider/results/example.com.txt
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Preparing to test GET 'id' parameter...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
BUT, there are urls in my file which are producing valid output, here an example (with error at very last lol) └─# python3.9 lfimap.py -v --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/example.de.txt
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/188]: 'http://example.de/suchen.php?q=PWN' <-- (sidenote here "PWN" initially "FUZZ", guess LFImap replaced it?) [-] URL 'http://example.de/suchen.php?q=test' is not accessible. HTTP code 404. Skipping... [i] Try specifying parameter --http-ok 404
[i] Preparing to test GET 'tsaid_p020e01' parameter...
[i] Preparing to test misc issues using heuristics...
[.] Testing for XSS...
[.] Testing for CRLF...
[.] Testing for error-based info leak...
[.] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
For simplification, from here only hostnames + parameters (identical Traceback):
[i] Preparing to test GET 'm' parameter...
[i] Preparing to test GET 'sortDirection' parameter...
[i] Preparing to test GET 'id' parameter...
[i] Preparing to test GET 'mt' parameter...
Hope that helps! Can provide full urls.txt if needed, too!
Thank You very much for these test cases and for the verbose output.
I have identified the issue in the code. The problem is present because of the previous code restructure changes and is present in some other functionalities and in the exploitation parts (exploit to reverse shell).
I will fix those as a part of the upcoming update.
@WhiteyCookie Could you try git pull and check if it is ok now. Among other thing this bug should be fixed.
I haven't tested this with a huge wordlist, like you did. but with the following and it looks fine.
https://mach1ne.org/?parameterwithkeyword=PWN
https://invalidhost/?aaa=rf&dfjeijfe=rfjirjf
invalidprotocol://test.com/?a=a
not-an-url-at-all
http://mach1ne.org/suchen.php?q=PWN
http://mach1ne.org/?m=PWN&%3Bj=FUZZ
https://mach1ne.org/index.php?id=PWN&publish%5Bid%5D=FUZZ
http://mach1ne.org/?mt=PWN&j=FUZZ
https://mach1ne.org/?1=a&2=b&3=c&4=d&5=e
└─# python3.9 lfimap.py --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Preparing to test GET 'cHash' parameter...
[i] Preparing to test misc issues using heuristics... [.] Testing for XSS... [.] Testing for CRLF... [.] Testing for error-based info leak... [.] Testing for open redirect... [i] Testing with filter wrapper... [i] Testing with input wrapper... Traceback (most recent call last): File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 111, in main
test_input(url, "")
File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'