4wayhandshake / alfie Goto Github PK

View Code? Open in Web Editor NEW

2.0 1.0 0.0 1.59 MB

Automatic Local File Inclusion Enumerator. Scan websites for LFI vulnerabilities and path traversals.

License: GNU Affero General Public License v3.0

Python 100.00%

alfie's Introduction

Scan websites for LFI vulnerabilities and path traversals.

Multi-threaded for max speed, tasteful filters for max precision.

Usage

Good fuzzing requires separating false-positives from the actual results. Start by determining which filters to apply - just like you might do with ffuf or gobuster. Do a verbose run to find some false-positives, for example:

./alfie.py -u http://download.htb/files/download/ -f fuzz-list.txt --max 3 -t 60 --verbose

Any combination of HTTP status codes, word counts, and response sizes can be used as filters.

Next, apply some filters and do a non-verbose run. In this example, the path traversal stands out right away, leading to the hidden files package.json and app.js:

For logging of your results, use the -o or --output argument. The output is a text file with one positive result per line, and can be easily read by other scripts or programs. Here is a sample:

http://download.htb/files/download/%2e%2e%2fpackage.json
http://download.htb/files/download/%2e%2e%2fapp.js
http://download.htb/files/download/..%2fapp.js
http://download.htb/files/download/..%2fpackage.json

Options

By default, Alfie will output any non-default options you provide as arguments:

You can suppress this behavior and hide the banner with the -q or --quiet flag (in case you want to pipe the output to another program).

  --version
	Show the version number and exit

  -h, --help            
	Show this help message and exit

  -v, --verbose         
	Show each requested url, along with the status code, size, and words in the response.
	Use this to help determine your filters.

  -u URL, --url URL     
	Base URI of the target. Ex. "http://mywebsite.htb/index.php?page="

  -f FUZZ_WORDLIST, --fuzz-wordlist FUZZ_WORDLIST
	Wordlist of "interesting" files to check for.
	This wordlist should have one filename per line, with file extensions if applicable.

  -w LFI_WORDLIST, --wordlist LFI_WORDLIST
	Wordlist to use for LFI strings. Default lfi-list.txt.
	(If not using the default, it should be similar format to lfi-list.txt)

  -t THREADS, --threads THREADS
	Number of threads to use for processing.

  --min MIN             
	Minimum number of steps "back" to traverse. Default 1.

  --max MAX             
	Maximum number of steps "back" to traverse. Default 10.

  --timeout TIMEOUT     
	Timeout for each request (in seconds). Default 5s.

  -b COOKIES, --cookies COOKIES
	Cookies to include in each request. Ex. 'key1=value1; key2=value2'.

  -d DATA, --data DATA  
	Data to include in each request. Only applies if using a POST request (see -X option).
    Ex. 'key1=value1; key2=value2'.

  -X REQUEST_TYPE, --request-type REQUEST_TYPE
	Type of HTTP request to use. Ex "POST". Defaults to "GET".

  -fs FILTER_SIZES, --filter-sizes FILTER_SIZES
	Comma-separated list of sizes (in bytes) to filter from the results.

  -fw FILTER_WORDS, --filter-words FILTER_WORDS
	Comma-separated list of word counts to filter from the results.

  -fc FILTER_CODES, --filter-codes FILTER_CODES
	Comma-separated list of HTTP status codes to filter from the results.

  -o OUTPUT, --output OUTPUT
	File to log positive results.

  --quiet
	Don't print the banner or options.

  -nc, --no-color
	Don't ANSII colors in console output.

  -nx, --no-extra-tests
	Don't run the extra LFI tests (only useful for WAF evasion).

  -ne, --no-ending-checks
  	Don't check for null-byte termination (decreases runtime by at least 66%).

Change Log

1.0.0:
- Runs successfully. Mimics behaviour of my LFI-Enumerator bash script.
1.1.0:
- Add a -o switch to output results to a file.
- Include a banner with all non-default options shown
1.2.0:
- Improve parsing of arguments --cookie and --data so that it uses browser-like formatting.
1.3.0:
- Added "extra checks" mechanism to automate tests for things like insecure PHP modules
- Started using semantic versioning
- Updated README and --help to include --no-extra-checks and --version
1.3.1:
- Added additional "extra checks" for other types of LFIs
- Replaced --ending option with --no-ending-checks: it now checks for null-byte termination by default.

To-Do

Figure out why extra tests aren't working
Log errors to a log file instead of the screen
Separate out the PHP-only tests.
- https://www.php.net/manual/en/wrappers.php.php
- https://www.php.net/manual/en/filters.php
Encoding mutations should apply to the whole payload, not just the traversal

Please ⭐ this repo if you found it useful!

Enjoy,

🤝🤝🤝🤝 @4wayhandshake

Recommend Projects

4wayhandshake / alfie Goto Github PK

alfie's Introduction

Usage

Options

Change Log

To-Do

alfie's People

Contributors

Stargazers

Watchers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent