fimap – Remote & Local File Inclusion (RFI/LFI) Scanner


fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.

Features

  • Check a Single URL, List of URLs, or Google results fully automatically.
  • Can identify and exploit file inclusion bugs.
  • Test and exploit multiple bugs
  • Has an interactive exploit mode
  • Add your own payloads and patches to the config.py file.
  • Has a Harvest mode which can collect URLs from a given domain for later pentesting.
  • Can use proxies (experimental).

Changes

  • All commands will now be send base64 encoded. So you can use quotes as much as you want.
  • php://input detection is now 100% reliable.
  • You can now define a POST string for relative and absolute files in the config.py.
  • TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
  • Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080”.
  • Googlescanner can now skip the first X pages. Use “—skip-pages X”.
  • Lots of bugfixes and additional regular expressions.

Requirements

  • Needs: Python >= 2.4

You can download fimap here:

fimap_alpha_v07.tar.gz

Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Web Hacking

, , , , , , ,


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


3 Responses to fimap – Remote & Local File Inclusion (RFI/LFI) Scanner

  1. SnApO January 5, 2010 at 2:13 pm #

    Wow…. thats amazing ;=)
    would give it a try todays afternoon ;=)))))

    cheers and good luck.

    And a Compliment to the Writer of this Blog, Clear and good searched Content. I wish you much readers in the future……….

  2. SYN - syntex January 12, 2010 at 4:02 pm #

    thats amazing , good luck

  3. Dozzyjean DOzie February 5, 2010 at 11:24 pm #

    Wooooooooooooo cool also, i love these more than rfiscan.py very simple to use and understand, perfect a very big thanks to you brain.