Closed GoogleCodeExporter closed 9 years ago
Hi Dude,
Can you show me which files fimap has found?
If fimap has only found i.e. /etc/passwd there is no way to automatically attack the target.
Greetings,
-imax.
Original comment by fimap....@gmail.com
on 25 Feb 2015 at 3:19
hi,
The output is like this:
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
Blind FI-error checking enabled.
SingleScan is testing URL: 'http://192.168.153.132/index.php?page=upload-file.php'
[07:55:34] [OUT] Inspecting URL 'http://192.168.153.132/index.php?page=upload-file.php'...
[07:55:34] [INFO] Fiddling around with URL...
[07:55:55] [INFO] Sniper failed. Going blind...
[07:55:55] [OUT] Possible file inclusion found blindly! -> 'http://192.168.153.132/index.php?page=/etc/passwd' with Parameter 'page'.
[07:55:55] [OUT] Identifying Vulnerability 'http://192.168.153.132/index.php?page=upload-file.php' with Parameter 'page' blindly...
[07:55:55] [WARN] Unknown language - Autodetecting...
[07:55:55] [INFO] Autodetect thinks this could be a PHP-Script...
[07:55:55] [INFO] If you think this is wrong start fimap with --no-auto-detect
[07:55:55] [INFO] Testing file '/etc/passwd'...
[07:55:55] [INFO] Testing file '/proc/self/environ'...
[07:55:55] [INFO] Testing file 'php://input'...
[07:55:55] [INFO] Testing file '/var/log/apache2/access.log'...
[07:55:55] [INFO] Testing file '/var/log/apache/access.log'...
[07:55:55] [INFO] Testing file '/var/log/httpd/access.log'...
[07:55:55] [INFO] Testing file '/var/log/apache2/access_log'...
[07:55:55] [INFO] Testing file '/var/log/apache/access_log'...
[07:55:55] [INFO] Testing file '/var/log/httpd/access_log'...
[07:55:55] [INFO] Testing file 'http://www.phpbb.de/index.php'...
##########################################################################
#[1] Possible PHP-File Inclusion                                         #
##########################################################################
#::REQUEST                                                               #
#  [URL]           http://192.168.153.132/index.php?page=upload-file.php #
#  [HEAD SENT]                                                           #
#::VULN INFO                                                             #
#  [GET PARAM]     page                                                  #
#  [PATH]          Not received (Blindmode)                              #
#  [OS]            Unix                                                  #
#  [TYPE]          Blindly Identified                                    #
#  [TRUNCATION]    Not tested.                                           #
#  [READABLE FILES]                                                      #
#     [0] /etc/passwd                                                    #
##########################################################################
As you said, the only readable file seems to be /etc/passwd.
But I can manually do LFI to /tmp/ and call a php-reverse-shell. Can you tell me the minimum conditions required to launch an automated attack through fimap?
Thanks for your quick reply.
Original comment by think.sa...@gmail.com
on 26 Feb 2015 at 8:06
Hi dude,
Yes, if only /etc/passwd is found, this is a *confirmed* file-inclusion vulnerability. But since fimap has not discovered any other 'dynamic' file which accepts user data to inject (PHP) code, there is no automated way to do it.
If you want to know how exactly fimap identifies those files,
you might want to take a look at the files in the /config dir.
In particular:
https://code.google.com/p/fimap/source/browse/trunk/src/config/generic.xml
https://code.google.com/p/fimap/source/browse/trunk/src/config/php.xml
The relative-, absolute-, log- and remote-file segments are your friend :-)
If you have more questions about this feel free to ask.
I had planned to implement the possibility to let a user define a custom injection point, like you said with your /tmp/rev-shell...
But I mean, if you have already gone through the hassle of uploading a shell to the server, I highly doubt that fimap is still needed in such cases :)
Greetings,
-imax.
Original comment by fimap....@gmail.com
on 26 Feb 2015 at 9:26
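The segments imax points at (relative, absolute, log and remote files, plus the php:// wrapper in the output above) are also exactly what a defender sees in the web server log when a scan like this one runs. The following is an added Python example, not fimap code and not part of the thread: it parses combined-format access-log lines, classifies the value of the `page` include parameter into those same families, and flags a client that sweeps several families in a row. The log lines are constructed to mirror the probe sequence in the output above; the family names, thresholds and the `page` parameter are this example's assumptions.

```python
"""Classify file-inclusion probes in web access logs.

Added example, not fimap code. It groups the value of an include-style
query parameter into the families fimap's config files distinguish
(relative, absolute, log and remote files, plus PHP stream wrappers),
so a defender can recognise an LFI/RFI scan in the access log.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that point at server log files (the "log-file" segment).
LOG_HINTS = ("/var/log/", "access.log", "access_log", "error.log", "error_log")
# PHP stream wrappers that turn an include into a code path or a file read.
WRAPPERS = ("php://", "data:", "expect://", "file://", "phar://")
# Absolute files typically requested to confirm a read primitive.
SENSITIVE_FILES = ("/etc/passwd", "/proc/self/environ")


def classify(value: str) -> list[str]:
    """Return the probe families an include-parameter value belongs to.

    An ordinary relative script name such as 'upload-file.php' yields [].
    """
    decoded = unquote(unquote(value))  # tolerate double URL-encoding
    low = decoded.lower()
    tags = set()
    if low.startswith(("http://", "https://", "ftp://")):
        tags.add("remote")
    if low.startswith(WRAPPERS):
        tags.add("wrapper")
    if any(h in low for h in LOG_HINTS):
        tags.add("log")
    if "../" in low or "..\\" in low:
        tags.add("traversal")
    if low.startswith("/") or any(f in low for f in SENSITIVE_FILES):
        tags.add("absolute")
    if "\x00" in decoded:
        tags.add("null-byte")  # the truncation trick fimap reports as [TRUNCATION]
    return sorted(tags)


def findings_for_line(line: str, params=None) -> list[dict]:
    """Parse one access-log line and classify each query parameter value
    (all parameters, or only those named in `params`)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    out = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if params and name not in params:
            continue
        for v in values:
            tags = classify(v)
            if tags:
                out.append({"ip": m.group("ip"), "param": name,
                            "value": v, "tags": tags})
    return out


def scan_sources(lines, min_families=3) -> dict:
    """Group findings by client IP and report hosts that probed at least
    `min_families` distinct families. One odd request is noise; a sweep
    across absolute, log, wrapper and remote files is a scanner."""
    per_ip = {}
    for line in lines:
        for f in findings_for_line(line, params={"page"}):
            per_ip.setdefault(f["ip"], set()).update(f["tags"])
    return {ip: sorted(t) for ip, t in per_ip.items() if len(t) >= min_families}


# Constructed sample log; the probe order mirrors the fimap run in this thread.
SAMPLE_LOG = """\
192.168.153.1 - - [25/Feb/2015:07:55:34 +0000] "GET /index.php?page=upload-file.php HTTP/1.1" 200 512
192.168.153.1 - - [25/Feb/2015:07:55:55 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1420
192.168.153.1 - - [25/Feb/2015:07:55:55 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 300
192.168.153.1 - - [25/Feb/2015:07:55:55 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 210
192.168.153.1 - - [25/Feb/2015:07:55:55 +0000] "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1" 200 210
192.168.153.1 - - [25/Feb/2015:07:55:55 +0000] "GET /index.php?page=http://www.phpbb.de/index.php HTTP/1.1" 200 210
192.168.153.1 - - [25/Feb/2015:07:55:56 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1420
10.0.0.7 - - [25/Feb/2015:08:01:02 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for ip, fams in scan_sources(SAMPLE_LOG).items():
        print(f"{ip}: probed {', '.join(fams)} -> likely LFI/RFI scan")
```

The benign requests for `upload-file.php` and `contact.php` produce no finding at all, which is the point of classifying by family rather than by a fixed list of paths: a site whose `page` parameter legitimately takes relative script names stays quiet, while a client that walks through absolute files, log files, a wrapper and a remote URL within seconds stands out.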
hi,
I looked into those files, cool work. Besides a custom injection point, maybe you can also implement an automated check for file upload features. Here in my test web application, the vulnerability lies in an arbitrary file upload feature which can be further exploited by an LFI attack.
Thanks for the reply. Good luck :)
Original comment by think.sa...@gmail.com
on 26 Feb 2015 at 10:49
Original comment by fimap....@gmail.com
on 27 Feb 2015 at 12:31
Original issue reported on code.google.com by
think.sa...@gmail.com
on 25 Feb 2015 at 9:02