Many websites have file inclution vulnerability issues, this vulnerability is categorized as critical, because with the File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
FDsploit is a File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
FDsploit can be used to discover and exploit Local/Remote File Inclusion and directory traversal vulnerabilities automatically. In case an LFI vulnerability is found,
--lfishell option can be used to exploit it. For now, 3 different types of LFI shells are supported:
simple: This type of shell allows user to read files easily without having to type the url everytime. Also it only provides the output of the file and not the whole html-source code of the page which makes it very useful.
expect: This type of shell is a semi-interactive shell which allows user to execute commands through PHP’s
input: This type of shell is a semi-interactive shell which also allows user to execute commands through PHP’s
So far, there are only two lfi-shell built-in commands:
- The LFI-shell interface provides only the output of the file readed or the command issued and not all the html code.
- 3 different types of LFI-shells can be specified.
- Both GET/POST requests are supported.
- Automatic detection of GET parameters.
- Certain parameters can be specified for testing using wildcards (
- Optional session cookies can be specified and used.
- Automatic check for RCE using PHP functions can be performed.
- Additional use of sha-256 hash is used to identify the potential vulnerabilities.
- base64/urlencoding support.
From the below output it seems that the
directory parameter is probably vulnerable to directory traversal vulnerability since every request with
../ as payload produces a different sha-256 hash. Also the content-length is different for every request:
2. LFI vulnerability discovery:
Again, the language parameter seems vulnerable to LFI since using
../etc/passwd etc.. as payload, every request being colored with green produces a different hash, a different content-length from the initial, and the keyword specified is found in the response:
3. LFI exploitation using simple shell:
Exploiting the above LFI using
POSTverb is used,
--paramsoption must also be specified.
- To test for Directory Traversal vulnerability the
--payloadoption must be left to default value (None).
--fileoptions is used for multiple-urls testing, then only GET request is supported.
- When both
--cookieoptions are set then since only one cookie can be specified each time the urls must refer on the same domain or be accessible without a cookie (that’s is going to be fixed in a future update).
inputshell is not compatible with
Note: To install the requirements:
- Fix note 4 from above and make
--filealso work with POST parameters and cookies, using probably a
jsonetc… file as input.
- Add more built-in commands to
--lfishelle.g. history etc…
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software in general.