Windows/Linux LFI/RFI + MSF + Fimap = call me tons of fun

Hey guys, as promised I wanted to do something a little different. I made a sample video of Fimap, which is a tool to find and exploit Local and Remote File Inclusion bugs. If you aren’t familiar with the tool you can check it out here.

File inclusion (FI) happens when an attacker can include files through a web script or an improperly coded page. You can learn more about LFI/RFI here. Most people confuse LFI/RFI with directory traversal; while both are bad, LFI/RFI can lead to fun times for a pentester.

When looking for FI bugs, I check whether the PHP code uses commonly abused functions (e.g. include_once, fopen, file_get_contents, etc.). In the example that I will be attacking, the page uses the “include” function. The behaviour of some of these functions is controlled by settings in the “php.ini” file. More info can be found here and here.

You will normally see code like this:

<?php
// the request parameter "page" is used, unvalidated, to build the include path
$incfile = $_REQUEST["page"];
include($incfile.".php");

In this example, the potentially vulnerable parameter is “page” because its value is passed straight into include() to build the file name ($incfile) without any validation.
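To make the fix concrete, here is an added example (written for this edit, not code from the original post or from Fimap) that puts the vulnerable pattern above beside a hardened version. The $pages allowlist, the pages/ directory and the page names in it are assumptions for illustration.

```php
<?php
// Added example: vulnerable include from the post, then a hardened version.
// $pages, the pages/ directory and its entries are assumed for illustration.

// --- Vulnerable (as in the post): the request decides which file is included.
// $incfile = $_REQUEST["page"];
// include($incfile . ".php");
// Any path the web server can read becomes includable, and with
// allow_url_include=On in php.ini, remote URLs do too.

// --- Hardened: map the request value to a fixed set of known pages ---------
$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

$requested = $_GET['page'] ?? 'home';

// Only exact allowlist keys are accepted. Values such as "../../etc/passwd",
// "php://filter/..." or "http://..." are never keys, so they never reach include().
if (!array_key_exists($requested, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}

// Defence in depth: confirm the resolved path really sits under pages/,
// so a mistaken allowlist entry cannot point outside the intended directory.
$resolved = realpath($pages[$requested]);
$base     = realpath(__DIR__ . '/pages');
if ($resolved === false || $base === false
    || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(500);
    exit('Page misconfigured');
}

include $resolved;
```

The allowlist is the real fix; the realpath() check only guards against configuration mistakes. On the php.ini side, setting allow_url_include = Off (the default in current PHP) removes the remote-inclusion case entirely, and open_basedir limits which directories the interpreter may read from at all, which constrains the local case even when application code is wrong.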

Scenario: We are attacking two machines (Linux and Windows). I wanted to show the versatility of the tool and how easy it is to go from identifying the bug to Admin/Root.

Video: http://www.youtube.com/watch?v=AIigCni-bJI

Sorry for the delay, I guess things went crazy. Ah well! Hope you enjoy!

Now that I have sort of worked out the video issue, I am going to do a mini-series on exploit development. This series will cover setting up the lab environment, writing our exploits in Python and Ruby (MSF), and semi-advanced software protection bypass.
