Mass Scanning a Website for File Inclusion Vulnerabilities using Fimap and Metasploitable

Fimap by Iman Karim (https://tha-imax.de/git/root/fimap) is a great tool to scan a website for File Inclusion vulnerabilities. In this short tutorial I show how to scan the entire Metasploitable2 Purposefully Vulnerable VM with Fimap and spawn a remote shell!

Mass Scanning

Fimap can scan a target website and harvest links from it and store them so they can be used as input to its mass scan feature. Simply run fimap and use the “-H” switch to tell it to harvest links, “-u” to tell it the target website IP, “-d [x]” to tell it how deep to look for links and finally “-w [outputdirectory]” to tell it where to store the links, like so:

fimap scan one

Now that we have a list of target links stored in the “/tmp/urllist” file, we simply feed this back into Fimap to look for vulnerabilities:

fimap -m -l ‘/tmp/urllist’

This will take forever to run as I told it to pretty much harvest the links from the entire Metasploitable VM in the previous command, but check out the results:

fimap scan metasploitable

Holy cats, 688 possible File Inclusion vulnerabilities!

Exploiting via Remote Shell

One of the great things about Fimap is its ability to create a remote shell with the vulnerable page. So let’s try it with one of the 688 vulnerable pages. To do so, we simply run “fimap” with the “-x” switch:

  1. Type “fimap -x”
  2. A list of scanned domains will appear, select the the one (“1”) we just scanned.
  3. A huge list of vulnerable pages will appear, so let’s select say, “100”.
  4. Now at the Available Attacks screen, select “#2 – Spawn Pentestmonkey’s reverse shell”

RFI LFI Fimap

It will then tell you to open another terminal and run Netcat (netcat -v -l -p 4444). Then just hit enter in fimap and you have a remote Netcat shell!

fimap reverse shell

As you can see we have opened a remote shell through on of the vulnerable pages, nice! Now let’s try the other 588 possibilities. Well, maybe not, lol!

Conclusion

File Inclusion vulnerabilities are becoming more and more rare with current coding practices, but hopefully this shows that File Inclusion coding errors can be exploited for detrimental results. Companies need to be sure to use secure coding practices and test their websites for common vulnerabilities.

If you liked the tutorial, and want to learn more about ethical hacking, check out my book, “Basic Security Testing with Kali Linux“.

~ by D. Dieterle on May 15, 2015.

One Response to “Mass Scanning a Website for File Inclusion Vulnerabilities using Fimap and Metasploitable”

  1. Thank you, short and functional.

    Louis

    On Fri, May 15, 2015 at 10:08 AM, CYBER ARMS – Computer Security wrote:

    > D. Dieterle posted: “Fimap by Iman Karim ( > https://tha-imax.de/git/root/fimap) is a great tool to scan a website for > File Inclusion vulnerabilities. In this short tutorial I show how to scan > the entire Metasploitable2 Purposefully Vulnerable VM with Fimap and spawn > a remote sh”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: