05 January 2010 | 16,907 views

fimap – Remote & Local File Inclusion (RFI/LFI) Scanner

Cyber Raptors Hunting Your Data?

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.


  • Check a Single URL, List of URLs, or Google results fully automatically.
  • Can identify and exploit file inclusion bugs.
  • Test and exploit multiple bugs
  • Has an interactive exploit mode
  • Add your own payloads and patches to the config.py file.
  • Has a Harvest mode which can collect URLs from a given domain for later pentesting.
  • Can use proxies (experimental).


  • All commands will now be send base64 encoded. So you can use quotes as much as you want.
  • php://input detection is now 100% reliable.
  • You can now define a POST string for relative and absolute files in the config.py.
  • TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
  • Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080”.
  • Googlescanner can now skip the first X pages. Use “—skip-pages X”.
  • Lots of bugfixes and additional regular expressions.


  • Needs: Python >= 2.4

You can download fimap here:


Or read more here.


Recent in Exploits/Vulnerabilities:
- The Jeep HACK – What You Need To Know
- Dharma – Generation-based Context-free Grammar Fuzzing Tool
- Hacking Team Hacked – What You Need To Know

Related Posts:
- LFIMAP – Scan For Files Vulnerable To LFI (Local File Inclusion)
- FIS [File Inclusion Scanner] v0.1 – PHP Vulnerability
- inspathx – Tool For Finding Path Disclosure Vulnerabilities

Most Read in Exploits/Vulnerabilities:
  • Learn to use Metasploit – Tutorials, Docs & Videos - 231,338 views
  • AJAX: Is your application secure enough? - 119,636 views
  • eEye Launches 0-Day Exploit Tracker - 85,264 views

  • Low-cost VPS Hosting

    3 Responses to “fimap – Remote & Local File Inclusion (RFI/LFI) Scanner”

    1. SnApO 5 January 2010 at 2:13 pm Permalink

      Wow…. thats amazing ;=)
      would give it a try todays afternoon ;=)))))

      cheers and good luck.

      And a Compliment to the Writer of this Blog, Clear and good searched Content. I wish you much readers in the future……….

    2. SYN - syntex 12 January 2010 at 4:02 pm Permalink

      thats amazing , good luck

    3. Dozzyjean DOzie 5 February 2010 at 11:24 pm Permalink

      Wooooooooooooo cool also, i love these more than rfiscan.py very simple to use and understand, perfect a very big thanks to you brain.