hansmach1ne / LFImap

Local File Inclusion discovery and exploitation tool
Apache License 2.0
197 stars 29 forks

When 404 code is expected response, LFImap just stops. Testing request fails to notice alive endpoint. #57

Closed hansmach1ne closed 1 month ago

hansmach1ne commented 1 month ago

└─$ python3 lfimap.py -U "https://mach1ne.org/a/PWN"

[-] Something unexpected has happened, initial testing response is not clearly received. Please check your switches and url endpoint(s). Exiting...

nrathaus commented 1 month ago

"Problematic" code is here:

r,_ = REQUEST(config.url, headers, config.postreq, config.proxies, "test", "test", exploit = False, followRedirect = True, isCsrfRequest = False)
if(not args.http_valid): args.http_valid = [200, 204, 301, 302, 303]

# r is a requests.Response; its truth value is r.ok, so a 404 reply makes this branch fire
if(not r):
    print(colors.red("[-]") + " Something unexpected has happened, initial testing response is not clearly received. Please check your switches and url endpoint(s). Exiting...")
    sys.exit(-1)

Using the http_valid arg, you can override this list to include 404 - is a fix really needed?

hansmach1ne commented 1 month ago

@nrathaus I am aware of the --http-ok flag; it is built exactly for this kind of situation. However, yes, the fix is needed, as the initial response has a 404 HTTP code and if(r) yields false. I will fix some of the issues probably next week. Cheers!

nrathaus commented 1 month ago

I can provide a fix if you want - just say the word

hansmach1ne commented 1 month ago

lfimap.py: L287.

if(not r) changed to if(not r.text); in case of a 404 status code, the if block yields correctly.

└─$ python3 lfimap.py -U "https://mach1ne.org/a/PWN"

[i] Testing GET '' parameter...
[-] GET parameter '' doesn't seem to be vulnerable....

----------------------------------------
LFImap finished with execution.
Parameters tested: 1
Requests sent: 53
Vulnerabilities found: 0

nrathaus commented 1 month ago

It is not a good idea to do it this way: if not r.text:

It makes you think that r.text is boolean; even Python doesn't like it:

  File "lfimap.py", line 738, in <module>
    main()
  File "lfimap.py", line 390, in main
    if not r.text:
AttributeError: 'bool' object has no attribute 'text'

In addition, REQUEST returns bool in some cases:

    except requests.exceptions.InvalidSchema:
        if not args.no_stop:
            print(
                colors.red("[-]")
                + " Previous request caused InvalidSchema exception. Try specifying '--no-stop' to continue testing even if errors occurred..."
            )
        else:
            print(
                colors.red("[-]")
                + " InvalidSchema exception detected. Server cannot parse the parameter URI. Try proxying requests to see exactly what happened..."
            )
        return False, False

nrathaus commented 1 month ago

I suggest standardizing the return value of REQUEST so that the variables returned are always of the same type.

Something like: return success, response, doContinue

Where success is True/False
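The two points raised in this thread, as an added example that is not LFImap's own code: `requests.Response` is falsy whenever `Response.ok` is False (any 4xx/5xx), which is why `if(not r)` rejects a live endpoint that answers 404, and a wrapper that always returns `(success, response, do_continue)` lets the caller decide liveness from the status code and the http_valid list instead. `FakeResponse` and `send` are constructed stand-ins so the example runs offline; `request_wrapper` and `endpoint_alive` are hypothetical names, not LFImap's.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Same default list as the snippet quoted from lfimap.py in this issue.
DEFAULT_HTTP_VALID = [200, 204, 301, 302, 303]


@dataclass
class FakeResponse:
    """Constructed stand-in for requests.Response; no network is used."""
    status_code: int
    text: str = ""

    def __bool__(self) -> bool:
        # requests.Response.__bool__ returns self.ok, i.e. False for 4xx/5xx.
        return self.status_code < 400


def buggy_check(r: FakeResponse) -> bool:
    """The original `if(not r)` logic: a 404 reply is treated as no reply."""
    return bool(r)


def request_wrapper(send: Callable[[str], FakeResponse], url: str
                    ) -> Tuple[bool, Optional[FakeResponse], bool]:
    """Always returns (success, response, do_continue), as suggested above.

    `send` is a hypothetical transport callable. A transport failure yields
    (False, None, False) instead of the mixed-type (False, False) return."""
    try:
        r = send(url)
    except Exception:
        return False, None, False
    # success only means "an HTTP reply arrived"; the status is judged later.
    return True, r, True


def endpoint_alive(success: bool, r: Optional[FakeResponse],
                   http_valid: Optional[list] = None) -> bool:
    """Decide liveness from the status code and the --http-ok list, never from bool(r)."""
    http_valid = http_valid or DEFAULT_HTTP_VALID
    return success and r is not None and r.status_code in http_valid


if __name__ == "__main__":
    r404 = FakeResponse(404, "Not Found")
    ok, r, _ = request_wrapper(lambda _url: r404, "https://example.invalid/a")
    print("buggy check sees endpoint:", buggy_check(r404))
    print("explicit check with 404 allowed:", endpoint_alive(ok, r, DEFAULT_HTTP_VALID + [404]))
```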