Comments (4)
Thank You very much for these test cases and for the verbose output.
I have identified the issue in the code. The problem is present because of the previous code restructure changes and is present in some other functionalities and in the exploitation parts (exploit to reverse shell).
I will fix those as a part of the upcoming update.
from lfimap.
For the debugging purposes, could You please provide a sample of URLS you used from a file? You can redact the hostnames and parameters.
from lfimap.
Sure, ill provide few here that caused the "AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'" :
└─# python3.9 lfimap.py -v -i -F /WhiteyCookie/Github/ParamSpider/paramspider/results/example.com.txt
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/277]: 'https://www.example.com/index.php?id=PWN&publish%5Bid%5D=FUZZ'
[i] Preparing to test GET 'id' parameter...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 133, in main
test_input(url, "")
File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'
BUT, there are urls in my file which are producing valid output, here an example (with error at very last lol)
└─# python3.9 lfimap.py -v --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/example.de.txt
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/188]: 'http://example.de/suchen.php?q=PWN' <-- (sidenote here "PWN" initially "FUZZ", guess LFImap replaced it?)
[-] URL 'http://example.de/suchen.php?q=test' is not accessible. HTTP code 404. Skipping...
[i] Try specifying parameter --http-ok 404
[i] Parsing URL [3/122]: 'https://www.example.de/rathaus-service/stadtverwaltung/verwaltung-ansprechpartner/?tsaid_p020e01=PWN&tsaid_c=FUZZ&tsaid_s=FUZZ&tsaid_tId02=FUZZ&tsaid_tSt02=FUZZ&tsaid_mode=FUZZ&tsaid_p021601=FUZZ'
[i] Preparing to test GET 'tsaid_p020e01' parameter...
[i] Preparing to test misc issues using heuristics...
[.] Testing for XSS...
[.] Testing for CRLF...
[.] Testing for error-based info leak...
[.] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 111, in main
test_input(url, "")
File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'
For simplification, from here only hostnames + parameters (identical Traceback):
[i] Parsing URL [7/115]: 'http://example.de/?m=PWN&%3Bj=FUZZ'
[i] Preparing to test GET 'm' parameter...
[i] Parsing URL [4/107]: 'https://www.example.de/leben-wohnen/leben-in-apolda/senioren?sortDirection=PWN&sortType=FUZZ'
[i] Preparing to test GET 'sortDirection' parameter...
[i] Parsing URL [1/102]: 'https://example.de/index.php?id=PWN&publish%5Bid%5D=FUZZ'
[i] Preparing to test GET 'id' parameter...
[i] Parsing URL [4/76]: 'http://example.de/?mt=PWN&j=FUZZ'
[i] Preparing to test GET 'mt' parameter...
Hope that helps! Can provide full urls.txt if needed, too!
from lfimap.
@WhiteyCookie Could you try git pull and check if it is ok now. Among other thing this bug should be fixed.
I haven't tested this with a huge wordlist, like you did. but with the following and it looks fine.
https://mach1ne.org/?parameterwithkeyword=PWN
https://invalidhost/?aaa=rf&dfjeijfe=rfjirjf
invalidprotocol://test.com/?a=a
not-an-url-at-all
http://mach1ne.org/suchen.php?q=PWN
http://mach1ne.org/?m=PWN&%3Bj=FUZZ
https://mach1ne.org/index.php?id=PWN&publish%5Bid%5D=FUZZ
http://mach1ne.org/?mt=PWN&j=FUZZ
https://mach1ne.org/?1=a&2=b&3=c&4=d&5=e
from lfimap.
Related Issues (20)
- Detected by antivirus
- TODO: second order vulnerability detection/support
- TODO: CSRF token handling /support HOT 1
- TODO: Implement WAF detection, silent payloads
- TODO: Revise all exploitation modules HOT 1
- TypeError: get_params_with_param() takes 1 positional argument but 2 were given HOT 6
- TODO: Try including different files
- -R doesn't accept unicode character HOT 1
- TODO: JSON POST parameter parsing support
- TODO: Check for false positives
- Output of script not being saved to file or piped HOT 11
- 'black' linter HOT 2
- When 404 code is expected response, LFImap just stops. Testing request fails to notice alive endpoint. HOT 6
- Circular dependency in code HOT 3
- RCE false positive when parameter is vulnerable to XSS HOT 2
- Unhandled Exception when command injection is possible + '-x' for reverse shell HOT 1
- Multiple fixes to `src/utils/parseurl.py` HOT 2
- Move global `args` to a class/object/non-global HOT 5
- Lack of `timeout` in requests calls HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lfimap.