hansmach1ne / lfimap Goto Github PK

Implement automatic token refresh for requests.

lfimap.py: error: unrecognized arguments: --url http://testphp.vulnweb.com/showimage.php?file=PWN

The issue is that /etc/passwd might be blocked by waf, so try to include modality that will use 'silent' payloads and include different files to confirm the vulnerability.

Also Java tends to not allow path traversal outside the web root, so implement something like /WEB-INF/web.xml or alike method of discovery...

Create easy pip install module.

Hello, thank you for your project, it seems very promising.

I get the following error while trying to run it.

C:\tools\LFImap>python lfimap.py -U "http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php" -C "asdasd" -a

Traceback (most recent call last):
  File "C:\tools\LFImap\lfimap.py", line 1799, in <module>
    main()
  File "C:\tools\LFImap\lfimap.py", line 1442, in main
    r,_ = REQUEST(url, headers, postTest, proxies, "test", "test")
  File "C:\tools\LFImap\lfimap.py", line 255, in REQUEST
    if(tOut is not None): res = requests.request(args.method, url, data=postData.encode("utf-8"), headers=headersData, proxies=proxy, verify=False, timeout=tOut)
  File "C:\Python310\lib\site-packages\requests\api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Python310\lib\site-packages\requests\sessions.py", line 562, in request
    method=method.upper(),
AttributeError: 'NoneType' object has no attribute 'upper'

I am using Python 3.10.6.

Any idea?

Problematic if user wants to test for example specific part of the request that contains binary data

Ability to detect second order LFI/LFR, stored xss

The args.method is undefined if -M is not specified and the placeholder (--placeholder, args.param) is not part of the URL. This causes the application to crash.

The issue lies in the following lines:

One possible solution would be setting default method in the optionsGroup.add_argument call or rewriting the code in this fashion:

if (args.url and args.param in args.url): args.method = "GET" 

Implement false positive check that will try to include a different file to confirm the vulnerability.

Add support for endpoints that use JSON as the Content-Type.

This is partially supported now, by using placeholder PWN as the injection point, however parameters won't be parsed and tested 1 by 1 automatically.

all requirements are installed but there is a problem with the tool

Not clear how to use long.txt wordlist instead of short.txt, can you add it to instructions?

Also need some bypass techniques for waf like urlencode

In case of WAF presence, reduce the number of payloads, test only with silent ones

Implement ability to RCE with reverse shell for all attack techniques in case of a true positive

└─# python3.9 lfimap.py --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt -v

[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.

[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...

[i] Preparing to test misc issues using heuristics...
[.] Testing for XSS...
[.] Testing for CRLF...
[.] Testing for error-based info leak...
[.] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 111, in main
test_input(url, "")
File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'

whoami :)

└─# python3.9 lfimap.py --t -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt --use-long -v

[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.

[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Testing path truncation using '/WhiteyCookie/Github/LFImap/src/wordlists/long.txt' wordlist...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 164, in main
print(colors.red("[-]") + " GET parameter '" + get_params_with_param(url, args.param) + "' doesn't seem to be vulnerable.\n")
TypeError: get_params_with_param() takes 1 positional argument but 2 were given