Skip to content

Upgrading LFITester#17

Open
brzeszczu wants to merge 3 commits intokostas-pa:mainfrom
brzeszczu:main
Open

Upgrading LFITester#17
brzeszczu wants to merge 3 commits intokostas-pa:mainfrom
brzeszczu:main

Conversation

@brzeszczu
Copy link
Copy Markdown

@brzeszczu brzeszczu commented Nov 21, 2023

The final result of the changes would be a program that is server-type independent for log poisoning vuln (all types of web servers will be served, not only nginx and apache), error handling, little changes in Crawler, more available payloads to chech from external file etc.

Current changes: little change in Crawler, server type independence for log poisoning (not fully ready yet).

@brzeszczu
Update Crawler.py
6324032 
check tags in the code:
# UPGRADE: when in URL exist only "?" (no "=") then do nothing (don't add payloads to that URL after
@brzeszczu
Update PayloadManager.py
94df2ca 
check comments in code:
# UPGRADE: deleted check if server leaks a Server Header. 
# UPGRADE: deleted in order to perform Log Poisoning for every type of webservers
@brzeszczu
File with results
826d6c6
@Konstantinos-Papanagnou
Copy link
Copy Markdown
Collaborator

Konstantinos-Papanagnou commented Dec 9, 2023

Hello @brzeszczu ,

First of, thanks for your diligence and contribution to this project.
I am reviewing your commits now and I have a few questions.

(Disclaimer, I didn't test this yet, just read the code)

The crawler seems great, nice addition in capturing the URLs from the img tags.

Regarding the platform dependent update, I'll note first how this was conceived and developed. The idea is that every different underlying infrastructure (i.e. Apache2, nginx, etc) have their own unique (sometimes) location to store the logs. If you take a close look at the function definitions of nginx and apache log poisoning, it contains the most common directories where potentially poison-able logs reside on the system. That's why we currently have different definitions for different underlying infra.
Additionally, to avoid detection, it's a good idea to not brute force every single possibility, and that's another reason why it was broken down to header checks first and then poisoning the server. Now, a lot of seemingly different software for web servers can be a variation of either apache2 or nginx as I've encountered before (like litespeed is a variation of apache2). So we can add them as apache2 or nginx. For entirely different type of underlying infra, we can add a new function for it. If the web server is not validated, the user can choose to still attack using one of the known methods until one works.

That said, can you describe in more detail your exact expectations of the log poisoning module? Maybe it also makes more sense what we intend on doing at the given point of time.

Looking forward for your response,
Konstantinos

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brzeszczu @Konstantinos-Papanagnou