hansmach1ne / lfimap
Local File Inclusion discovery and exploitation tool
License: Apache License 2.0
Implement automatic token refresh for requests.
lfimap.py: error: unrecognized arguments: --url http://testphp.vulnweb.com/showimage.php?file=PWN
The issue is that /etc/passwd might be blocked by a WAF, so try to include a modality that will use 'silent' payloads and include different files to confirm the vulnerability.
Also, Java tends to not allow path traversal outside the web root, so implement something like /WEB-INF/web.xml or a similar method of discovery...
Create easy pip install module.
Hello, thank you for your project, it seems very promising.
I get the following error while trying to run it.
C:\tools\LFImap>python lfimap.py -U "http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php" -C "asdasd" -a
Traceback (most recent call last):
File "C:\tools\LFImap\lfimap.py", line 1799, in <module>
main()
File "C:\tools\LFImap\lfimap.py", line 1442, in main
r,_ = REQUEST(url, headers, postTest, proxies, "test", "test")
File "C:\tools\LFImap\lfimap.py", line 255, in REQUEST
if(tOut is not None): res = requests.request(args.method, url, data=postData.encode("utf-8"), headers=headersData, proxies=proxy, verify=False, timeout=tOut)
File "C:\Python310\lib\site-packages\requests\api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "C:\Python310\lib\site-packages\requests\sessions.py", line 562, in request
method=method.upper(),
AttributeError: 'NoneType' object has no attribute 'upper'
I am using Python 3.10.6.
Any idea?
Problematic if the user wants to test, for example, a specific part of the request that contains binary data
Ability to detect second order LFI/LFR, stored xss
The args.method is undefined if -M is not specified and the placeholder (--placeholder, args.param) is not part of the URL. This causes the application to crash.
The issue lies in the following lines:
Lines 1623 to 1632 in 436ea01
One possible solution would be setting default method in the optionsGroup.add_argument call or rewriting the code in this fashion:
if (args.url and args.param in args.url): args.method = "GET"
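The crash reported above (an unset -M reaching `method.upper()`) can be reproduced and closed off in isolation. This is an added sketch, not LFImap's own code: `build_parser`, `crashes_without_fix`, `resolve_method`, the allowed-method set and the GET fallback are assumptions, and only the -U, -M and --placeholder options named on this page are modelled.

```python
import argparse

# Assumed allow-list; the tool's real set of supported methods is not shown on the page.
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}


def build_parser(default_method=None):
    """Constructed stand-in for the CLI, with an optional default for -M."""
    parser = argparse.ArgumentParser(prog="lfimap-sketch")
    parser.add_argument("-U", dest="url")
    parser.add_argument("-M", dest="method", default=default_method)
    parser.add_argument("--placeholder", dest="param", default="PWN")
    return parser


def crashes_without_fix(args):
    """Mimic the failing call: upper-casing the method with no None check."""
    try:
        args.method.upper()
    except AttributeError:
        return True
    return False


def resolve_method(args):
    """Return a validated, upper-cased HTTP method; never None."""
    # Fall back to GET when -M was not given (assumed default).
    method = (args.method or "GET").upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported HTTP method: {method!r}")
    return method


if __name__ == "__main__":
    # Constructed input: no -M, and the placeholder is absent from the URL.
    ns = build_parser().parse_args(["-U", "http://example.test/showimage.php?file=x"])
    print("crashes without fix:", crashes_without_fix(ns))
    print("resolved method:", resolve_method(ns))
```

Resolving the method once, right after argument parsing, keeps every later request call from having to repeat the None check.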
Implement false positive check that will try to include a different file to confirm the vulnerability.
Add support for endpoints that use JSON as the Content-Type.
This is partially supported now, by using placeholder PWN as the injection point, however parameters won't be parsed and tested 1 by 1 automatically.
Not clear how to use long.txt wordlist instead of short.txt, can you add it to instructions?
Also need some bypass techniques for WAF, like urlencode
In case of WAF presence, reduce the number of payloads, test only with silent ones
Implement ability to RCE with reverse shell for all attack techniques in case of a true positive
└─# python3.9 lfimap.py --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Preparing to test misc issues using heuristics...
[.] Testing for XSS...
[.] Testing for CRLF...
[.] Testing for error-based info leak...
[.] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in <module>
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 111, in main
test_input(url, "")
File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'
whoami :)
└─# python3.9 lfimap.py --t -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt --use-long -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Testing path truncation using '/WhiteyCookie/Github/LFImap/src/wordlists/long.txt' wordlist...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in <module>
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 164, in main
print(colors.red("[-]") + " GET parameter '" + get_params_with_param(url, args.param) + "' doesn't seem to be vulnerable.\n")
TypeError: get_params_with_param() takes 1 positional argument but 2 were given