kurobeats / fimap

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
GNU General Public License v2.0
514 stars 99 forks source link

Reproducable Crash When Scanning .cgi with Parameter 'db' #59

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
[BEFOR REPORTING CHECK OUT THE SVN VERSION AND TEST IF IT'S ALREADY FIXED -
THANKS - REMOVE THIS LINE]

On which URL this error occures? (Important!)
[xx:xx:xx] [OUT] [Perl] Identifying Vulnerability 
'http://www.mx5mart.co.nz/db.cgi?db=mart&uid=default&id=25&ww=on&view_records2=1
' with Parameter 'db'...

Which version of fimap you are using? (You can see that in the very first
line)
fimap v.09_svn

On what operating system?
backtrack

Please provide any additional information below.

Exception: no such group
Traceback (most recent call last):
  File "./fimap.py", line 568, in <module>
    m.startMassScan()
  File "/pentest/web/fimap/massScan.py", line 49, in startMassScan
    single.scan()
  File "/pentest/web/fimap/singleScan.py", line 48, in scan
    res = t.testTargetVuln()
  File "/pentest/web/fimap/targetScanner.py", line 190, in testTargetVuln
    self.analyzeURL(ret, k, v, self.config["p_post"], False)
  File "/pentest/web/fimap/targetScanner.py", line 112, in analyzeURL
    rep = self.identifyVuln(self.Target_URL, self.params, k, post, lang)
  File "/pentest/web/fimap/targetScanner.py", line 298, in identifyVuln
    script = s.group('script')
IndexError: no such group

Original issue reported on code.google.com by androidb...@gmail.com on 21 Aug 2011 at 9:09

GoogleCodeExporter commented 9 years ago
Hi man!

Thank you for your excellent bug report.
Will check it and see what's wrong there!

-imax.

Original comment by fimap....@gmail.com on 24 Aug 2011 at 6:28

GoogleCodeExporter commented 9 years ago
Greetings.

Long time no see!
I am very busy in reallife because I have to finish my study :D
But good news is that I have found the problem and fixed it.

I noticed that the perl engine is not so good. So I have to rework that one.
The crash you have reported is fixed however.

Thank you very much!

-imax.

Original comment by fimap....@gmail.com on 10 Oct 2011 at 2:34

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r297.

Original comment by fimap....@gmail.com on 10 Oct 2011 at 2:43

GoogleCodeExporter commented 9 years ago
My Pleasure.

Thank you very much for looking into this issue though. This bug would
essentially render my usage pointless whenever I started up a job that
needed to be run for more than a couple hours. I thought about using perl to
communicate with the single scan mode but that just seemed ridiculous.

I've recently started to develop in python and would like to get better with
it. I can see it's got some very distinct advantages over some other
languages. I also really like this program and would be happy to help out if
there are any improvements or ideas you've had for it but haven't had the
time to put into developing it.

Any thoughts?

Original comment by androidb...@gmail.com on 18 Oct 2011 at 5:26

GoogleCodeExporter commented 9 years ago
Greetings!

Sure there are alot of stuff I wanted to implement.
Like the ability to change the directory of the fimap_result.xml file and so on.
Currently it's hardcored to "~".
But since some guys have a problem with it it would be great to be able to 
configure that one.
Other than that the Perl engine needs a a little buff since in its current 
status it's unable to detect FI bugs in most cases. :(

Well if you think you have enough skills to help out and want to join the fimap 
development team I would be more than happy to put you on the contributors list 
so you can fix this or that :)

Please drop me an email at fimap.dev@gmail.com if you want to help out :)
-imax.

Original comment by fimap....@gmail.com on 19 Oct 2011 at 5:15