Local and Remote file inclusion

fimap – A little open source tool for local and remote file inclusion auditing and exploitation. It is published under GNU GPLv2.

fimap is awritten in python and can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable. The goal of fimap is to improve the quality and security of your website.
Do not use this tool on servers where you don’t have permission to pentest!

Download fimap

Download Source code

What works currently?
Check a Single URL, List of URLs, or Google results fully automaticly.
Can identify and exploit file inclusion bugs.
Relative\Absolute Path Handling.
Tries automaticly to eleminate suffixes with Nullbyte and other methods like Dot-Truncation.
Remotefile Injection.
Logfile Injection. (FimapLogInjection)
Test and exploit multiple bugs:
You always define absolute pathnames in the configs. No monkey like redundant pathes like:
Has a Blind Mode (–enable-blind) for cases when the server has disabled error messages. BlindMode
Has an interactive exploit mode which…
…can spawn a shell on vulnerable systems.
…can spawn a reverse shell on vulnerable systems.
…can do everything you have added in your payload-dict inside the config.py
Add your own payloads and pathes to the config.py file.
Has a Harvest mode which can collect URLs from a given domain for later pentesting.
Goto FimapHelpPage for all features.
Works also on windows.
Can handle directories in RFI mode like:
<? include ($_GET[“inc”] . “/content/index.html”); ?>
<? include ($_GET[“inc”] . “_lang/index.html”); ?>
where Null-Byte is not possible.
Can use proxys.
Scans and exploits GET, POST and Cookies.
Has a very small footprint. (No senseless bruteforcing of pathes – unless you need it.)
Can attack also windows servers! (WindowsAttack)
Has a tiny plugin interface for writing exploitmode plugins (PluginDevelopment)
Check out the PHPInfo() Exploit plugin: FimapPhpInfoExploit
Non Interactive Exploiting (FimapNonInteractiveExec)


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s