Comments (3)
Hello, thank you for taking an interest in LFImap.
For now, the program will not do an automatic parameter check. So the way to specify the parameter that you want to test is with the 'PWN' keyword. I am currently coding new features and am planning to implement automatic parameter recognition for when the user doesn't specify one.
To solve the issue, try specifying the URL as either:
-U http://testphp.vulnweb.com/showimage.php?file=PWN -a
or
-U http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=PWN -t
If the web app supports the filter wrapper, it should find the vulnerability this way, as the base64-encoded '/etc/passwd' in the response should be recognized by the tool.
Edit: I am pretty sure that website is no longer vulnerable to filter wrapper file read, because it looks like they changed the configuration. I recommend testing this on some other vulnerable application like DVWA, as vulnweb's file read vulnerability is created to be very limited to only a few files.
from lfimap.
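The recognition step mentioned in the comment above (spotting base64-encoded '/etc/passwd' content in a response), sketched as an added example that is not LFImap's own code and not part of the original thread. The function names, regexes and sample body are assumptions constructed for illustration; the same check works as a response-inspection rule or as a regression test once the include is fixed.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold at least one passwd line.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# name:password:UID:GID:GECOS:home:shell
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:[^:\n]*$", re.M)

# Constructed sample: a response body carrying base64 of two passwd-format lines.
SAMPLE = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
SAMPLE_B64 = base64.b64encode(SAMPLE.encode()).decode()
SAMPLE_BODY = "<html><body>" + SAMPLE_B64 + "</body></html>"


def decode_run(run):
    """Decode one base64 run after normalising its padding; None if invalid."""
    core = run.rstrip("=")
    if len(core) % 4 == 1:          # impossible base64 length: drop the last char
        core = core[:-1]
    core += "=" * (-len(core) % 4)  # re-pad to a multiple of four
    try:
        return base64.b64decode(core).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_leaked_passwd(body):
    """Return passwd-style lines hidden in base64 runs of a response body."""
    hits = []
    for match in B64_RUN.finditer(body):
        # Adjacent alphanumerics in the page can shift the run's alignment,
        # so try each of the four possible starting offsets.
        for offset in range(4):
            text = decode_run(match.group()[offset:])
            lines = PASSWD_LINE.findall(text) if text else []
            if lines:
                hits.extend(lines)
                break
    return hits


if __name__ == "__main__":
    for line in find_leaked_passwd(SAMPLE_BODY):
        print("leaked:", line)
```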
@analyserdmz Implemented automatic parameter recognition in the new commit a64cfbe.
Could you please do a git pull and check if there are still any issues persisting?
from lfimap.
I reopened this issue because I noticed a few edge-case bugs with the -R and -F modules. Will be fixing ASAP and thoroughly testing the new automatic parameter recognition feature, together with custom parameter specification with 'PWN'.
from lfimap.