search

hansmach1ne / LFImap

Local File Inclusion discovery and exploitation tool
Apache License 2.0
194 stars 29 forks source link

Missing files causing false negative #99

Closed nrathaus closed 1 week ago

nrathaus commented 1 week ago

The rfi.py refers to these URLs:

    pylds.append(
        "https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.php"
    )
    pylds.append(
        "https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.jsp"
    )
    pylds.append(
        "https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.html"
    )
    pylds.append(
        "https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.gif"
    )
    pylds.append(
        "https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.png"
    )

Which decode results in:

    pylds.append(
        "https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.php"
    )
    pylds.append(
        "https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.jsp"
    )
    pylds.append(
        "https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.html"
    )
    pylds.append(
        "https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.gif"
    )
    pylds.append(
        "https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.png"
    )

None of these URLs exist :(

Is this intentional? looks like a mishap

nrathaus commented 1 week ago

If the right URLs are to be used, this is the expected structure: https://raw.githubusercontent.com/hansmach1ne/LFImap/main/src/exploits/ysvznc.html

nrathaus commented 1 week ago

I would recommend to also use requests.utils.requote_uri(input_string) and store in Python the URLs not in their encoded form

i.e.

pylds.append(
   requests.utils.requote_uri(
     'https://raw.githubusercontent.com/hansmach1ne/LFImap/main/src/exploits/ysvznc.html'
   )
)
nrathaus commented 1 week ago 
    base_uri = "https://raw.githubusercontent.com/hansmach1ne/LFImap/main/src/exploits/"
    pylds = []
    pylds.append(
        requests.utils.requote_uri(f"{base_uri}ysvznc.php")
    )
    pylds.append(
        requests.utils.requote_uri(f"{base_uri}ysvznc.jsp")
    )
    pylds.append(
        requests.utils.requote_uri(f"{base_uri}ysvznc.html")
    )
    pylds.append(
        requests.utils.requote_uri(f"{base_uri}ysvznc.gif")
    )
    pylds.append(
        requests.utils.requote_uri(f"{base_uri}ysvznc.png")
    )
nrathaus commented 1 week ago

Maybe the right function to use is test = urllib.parse.quote_plus(test)