FUSE is a penetration testing system designed to identify Unrestricted Executable File Upload (UEFU) vulnerabilities. The details of the testing strategy is in our paper, “FUSE: Finding File Upload Bugs via Penetration Testing”, which appeared in NDSS 2020. To see how to configure and execute FUSE, see the followings.
FUSE currently works on Ubuntu 18.04 and Python 2.7.15.
#apt-get install rabbitmq-server
#apt-get install python-pip
#apt-get install git
$ git clone https://github.com/WSP-LAB/FUSE
$ cd FUSE && pip install -r requirements.txt
If you plan to leverage headless browser verification using selenium, please install Chrome and Firefox web driver by refering selenium document.
Usage
$ vim filemonitor.py
…
10 MONITOR_PATH=’/var/www/html/’ <- Web root of the target application
11 MONITOR_PORT=20174 <- Default port of File Monitor
12 EVENT_LIST_LIMITATION=8000 <- Maxium number of elements in EVENT_LIST
…
Execution
$ python framework.py [Path of configuration file]
File Monitor
$ python filemonitor.py
If you find UFU and UEFU bugs and get CVEs by running FUSE, please send a PR for README.md
Application | CVEs |
---|---|
Elgg | CVE-2018-19172 |
ECCube3 | CVE-2018-18637 |
CMSMadeSimple | CVE-2018-19419, CVE-2018-18574 |
CMSimple | CVE-2018-19062 |
Concrete5 | CVE-2018-19146 |
GetSimpleCMS | CVE-2018-19420, CVE-2018-19421 |
Subrion | CVE-2018-19422 |
OsCommerce2 | CVE-2018-18572, CVE-2018-18964, CVE-2018-18965, CVE-2018-18966 |
Monstra | CVE-2018-6383, CVE-2018-18694 |
XE | XEVE-2019-001 |
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…