kurobeats / fimap

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
GNU General Public License v2.0

Bing Scanner Broken #70

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
[BEFORE REPORTING CHECK OUT THE SVN VERSION AND TEST IF IT'S ALREADY FIXED -
THANKS - REMOVE THIS LINE]

On which URL does this error occur? (Important!)

Which version of fimap are you using? (You can see that in the very first
line)
fimap v.1.00_svn (Uitmuntende programmatuur alleen voor jij!)

On what operating system?
Debian GNU/Linux 6.0

Please provide any additional information below.
./fimap.py -B -q 'inurl:index.php?id="' -b -D --bmin=4 --bmax=9
fimap v.1.00_svn (Uitmuntende programmatuur alleen voor jij!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

Overwriting 'blind_min' setting to 4...
Overwriting 'blind_max' setting to 9...
Blind FI-error checking enabled.
BingScanner is searching for Query: 'inurl:index.php?id="'
Querying Bing Search: 'inurl:index.php?id="' with max pages 10...

========= CONGRATULATIONS! =========
You have just found a bug!
If you are cool, send the following stacktrace to the bugtracker on 
http://fimap.googlecode.com/
Please also provide the URL where fimap crashed.
Push enter to see the stacktrace...
cut here %<--------------------------------------------------------------
Exception: 'Web'
Traceback (most recent call last):
  File "./fimap.py", line 741, in <module>
    b.startGoogleScan()
  File "/home/carlos/fimap/src/bingScan.py", line 65, in startGoogleScan
    results = resp['SearchResponse']['Web']['Results']
KeyError: 'Web'

Original issue reported on code.google.com by cmendoza...@gmail.com on 1 Oct 2012 at 5:24

GoogleCodeExporter commented 9 years ago
Also, I just want to ask you where I can find docs or related info about the 
PHPinfo exploit.

Original comment by cmendoza...@gmail.com on 1 Oct 2012 at 5:25

GoogleCodeExporter commented 9 years ago
Hi!

Thanks for this bug report.
I can clearly reproduce it.
I checked a bit what the issue is and it looks like Bing completely got a new 
API.
So I either have to write my own Bing API wrapper or search for a new one...

About the PHPInfo glitch:
You can read pretty much everything about it on this site: 
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf

The plugin I wrote is based on that paper I linked to you.
I will make a video tutorial which explains how to do that with fimap when I 
have some spare time.

-imax.

Original comment by fimap....@gmail.com on 5 Oct 2012 at 10:42

GoogleCodeExporter commented 9 years ago
Thanks, that video would be a great help to use that plugin

Original comment by cmendoza...@gmail.com on 5 Oct 2012 at 3:30

GoogleCodeExporter commented 9 years ago
cmendozabenitez - the phpinfo exploit and video are shown here: 
http://insecurety.net/?p=687 (if the site's down it's cos I am moving webhost, 
but the video is also here: http://www.youtube.com/watch?v=D6L5MUj53Vc)

Original comment by the.info...@gmail.com on 26 Jan 2013 at 11:11