记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

Damn Small FI Scanner

2014-12-25 16:45

Damn Small FI Scanner

https://github.com/stamparm/DSFS

Damn Small FI Scanner (DSFS) is a fully functional File inclusion vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.

Vulnerable

As of optional settings it supports HTTP proxy together with HTTP header values User-Agent, Referer and Cookie.

dsfs_py

Sample runs

$ python dsfs.py -h
Damn Small FI Scanner (DSFS) < 100 LoC (Lines of Code) #v0.1b
 by: Miroslav Stampar (@stamparm)

Usage: dsfs.py [options]

Options:
  --version          show program's version number and exit
  -h, --help         show this help message and exit
  -u URL, --url=URL  Target URL (e.g. "http://www.target.com/page.php?id=1")
  --data=DATA        POST data (e.g. "query=test")
  --cookie=COOKIE    HTTP Cookie header value
  --user-agent=UA    HTTP User-Agent header value
  --random-agent     Use randomly selected HTTP User-Agent header value
  --referer=REFERER  HTTP Referer header value
  --proxy=PROXY      HTTP proxy address (e.g. "http://127.0.0.1:8080")

 

python dsfs.py -u "http://fidemo.cu.cc/fi.php?f=https://raw.githubusercontent.com/stamparm/DSFS/master/files/config.php"
Damn Small FI Scanner (DSFS) < 100 LoC (Lines of Code) #v0.1e
 by: Miroslav Stampar (@stamparm)

* scanning GET parameter 'f'
 (i) GET parameter 'f' appears to be (R)FI vulnerable (e.g.: 'http://fidemo.cu.cc/fi.php?f=https%3A%2F%2Fraw.githubusercontent.com%2Fstamparm%2FDSFS%2Fmaster%2Ffiles%2Fconfig.php')
  (!) content seems to be dynamically evaluated
 (i) GET parameter 'f' appears to be (L)FI vulnerable (e.g.: 'http://fidemo.cu.cc/fi.php?f=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshells')
 (i) GET parameter 'f' appears to be (S)FI vulnerable (e.g.: 'http://fidemo.cu.cc/fi.php?f=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgZWNobyBiYXNlNjRfZGVjb2RlKCdUR1ZuWVd3Z1pHbHpZMnhoYVcxbGNqbz0nKTs%2FPg%3D%3D')
  (!) content seems to be dynamically evaluated

scan results: possible vulnerabilities found

 

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

 

 

转载请注明:安全脉搏 » Damn Small FI Scanner

知识来源: www.secpulse.com/archives/3526.html
想收藏或者和大家分享这篇好文章→复制链接地址

“Damn Small FI Scanner”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云