LFISuite
LFISuite copied to clipboard
D35m0nd142
SSL issue
I encountered the following error when attempting to run the script against a website with a self-signed or expired certificate (redacted the host ip) :
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 112, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 512, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 622, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 511, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='X.X.X.X', port=443): Max retries exceeded with url: /section.php?page=php://input (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Fixed via adding verify=false on line 1198
r = requests.post(url=url, headers=gen_headers, data=body, verify=False)
A better fix wouldve been to do a try: except, so if the error message is thrown you Pass over the request entirely, simply changing verify=false is a bad idea as it will still spam the failing handshakes, both noisy, and inefficient.
[!] Problem reaching 'https://localhost/section.php?page=/etc/passwd'. [!] Problem connecting to the website
