fimap – Remote & Local File Inclusion (RFI/LFI) Scanner
fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.
- Check a Single URL, List of URLs, or Google results fully automatically.
- Can identify and exploit file inclusion bugs.
- Test and exploit multiple bugs
- Has an interactive exploit mode
- Add your own payloads and patches to the config.py file.
- Has a Harvest mode which can collect URLs from a given domain for later pentesting.
- Can use proxies (experimental).
- All commands will now be send base64 encoded. So you can use quotes as much as you want.
- php://input detection is now 100% reliable.
- You can now define a POST string for relative and absolute files in the config.py.
- TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
- Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080″.
- Googlescanner can now skip the first X pages. Use “—skip-pages X”.
- Lots of bugfixes and additional regular expressions.
- Needs: Python >= 2.4
You can download fimap here:
Or read more here.