fimap – Remote & Local File Inclusion (RFI/LFI) Scanner

Use Netsparker


fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.

Features

  • Check a Single URL, List of URLs, or Google results fully automatically.
  • Can identify and exploit file inclusion bugs.
  • Test and exploit multiple bugs
  • Has an interactive exploit mode
  • Add your own payloads and patches to the config.py file.
  • Has a Harvest mode which can collect URLs from a given domain for later pentesting.
  • Can use proxies (experimental).

Changes

  • All commands will now be send base64 encoded. So you can use quotes as much as you want.
  • php://input detection is now 100% reliable.
  • You can now define a POST string for relative and absolute files in the config.py.
  • TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
  • Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080”.
  • Googlescanner can now skip the first X pages. Use “—skip-pages X”.
  • Lots of bugfixes and additional regular expressions.

Requirements

  • Needs: Python >= 2.4

You can download fimap here:

fimap_alpha_v07.tar.gz

Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Web Hacking

, , , , , , ,


Latest Posts:


airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.


3 Responses to fimap – Remote & Local File Inclusion (RFI/LFI) Scanner

  1. SnApO January 5, 2010 at 2:13 pm #

    Wow…. thats amazing ;=)
    would give it a try todays afternoon ;=)))))

    cheers and good luck.

    And a Compliment to the Writer of this Blog, Clear and good searched Content. I wish you much readers in the future……….

  2. SYN - syntex January 12, 2010 at 4:02 pm #

    thats amazing , good luck

  3. Dozzyjean DOzie February 5, 2010 at 11:24 pm #

    Wooooooooooooo cool also, i love these more than rfiscan.py very simple to use and understand, perfect a very big thanks to you brain.