Uniscan: An RFI, LFI, and RCE Vulnerability Scanner

Play

Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version. When scanning remote hosts and web applications, the danger of file inclusion attacks is an important consideration, particularly when dealing with web applications that support plugins such as WordPress. An RFI, or remote file inclusion attack, targets web applications that make use of includes via external scripts (commonly known as application plugins), hooks, themes, anything that is dynamically included in the web application during runtime. If these includes contain vulnerabilities, it's highly likely that exploiting the includes can lead to the main web application being exploitable. That's why today we’ll take a look at the Uniscan project. In the project's own words, Uniscan is a simple Remote File Include, Local File Include, and Remote Command Execution vulnerability scanner. Installation We recommend using Kali Linux for Uniscan as it is available for easy installation via the package manager. Installing Uniscan on Kali Linux is relatively straightforward, as it can be installed directly via the APT package manager and does not need compiling from source. First, we update our APT package manager information with the following command. Next, we proceed to install Uniscan. To verify a successful Uniscan installation, let's run the following command. This should then return the following output, which displays the options/flags Uniscan has available. Configuration Uniscan can run with minimal configuration as well, but it does allow for a good amount of customization: -h — The -h flag shows us all the options available under Uniscan. -u — The -u flag is used to specify the URL being scanned, for example: www.example.com . -f — If you wish to scan a list of URLs, you can input them into a text file and reference them with the -f flag as well. -b — Scans can take a while to complete if you have multiple URLs to scan. Using the -b flag pushes Uniscan to run in the background; alternatively, you can run Uniscan under a "screen" session as well under Linux. -q — The -q flag enables Directory-based checks for the target being scanned. -w — The "-w" flag enables Uniscan to check for files present on the remote host being scanned. -e — The "-e" flag enables Uniscan to check for robots.txt and sitemap.xml, which can further help identify the type of script/web application running on the target host. -d — The "-d" flag enables Dynamic checks within Uniscan to check for any dynamic file includes. -s — The "-s" flag enables Static checks within Uniscan to check for any static file includes. -r — The "-r" flag enables stress checks to be run on the target being scanned. -i and -o flags perform Bing and Google searches for dorks related to the target being scanned. -g — The "-g" flag is used for web fingerprinting, this helps identify what web application is running on the web server, what plugins are enabled (for example, in WordPress), what version of WordPress is running on the server, and more. -j — The "-j" flag is used to enable the server fingerprint check/listing, which allows for identification of the server software. This performs actions such as ping, N map, traceroute, and listing of the web server and operating system running. Testing and results To run a basic scan on a web app, we use the flags "qweds" which instruct Uniscan to perform the following: Directory checks (q). File checks (w). Robots/sitemap checks (e). Dynamic file include checks (d). Static file include checks (s). The checks performed by the flags "qweds" can all be performed in the same run, with the command. Note: Replace with the actual URL you wish to scan. Which then returns to us the following output. As seen above, when Directory and File checks are being performed, Uniscan will find and list directories as well as files seen on the target being scanned. Next, Uniscan performs checks on the robot.txt, sitemap, and begins enumerat...