fimap - tool for local and remote file inclusion auditing and exploitation
fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.
Features
- Check a Single URL, List of URLs, or Google results fully automatically.
- Can identify and exploit file inclusion bugs.
- Test and exploit multiple bugs
- Has an interactive exploit mode
- Add your own payloads and patches to the config.py file.
- Has a Harvest mode which can collect URLs from a given domain for later pentesting.
- Can use proxies (experimental).
Changes
- All commands will now be send base64 encoded. So you can use quotes as much as you want.
- php://input detection is now 100% reliable.
- You can now define a POST string for relative and absolute files in the config.py.
- TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
- Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080″.
- Googlescanner can now skip the first X pages. Use “—skip-pages X”.
- Lots of bugfixes and additional regular expressions.
Needs: Python >= 2.4
You can download fimap here:
fimap_alpha_v07.tar.gz
Visit Website :
http://code.google.com/p/fimap/
For More Information -
http://www.hackersonlineclub.com/lfi-rfi
http://securitytroubleshooting.blogspot.in/2011/06/fimap-remote-local-file-inclusion.html
http://securitytube-tools.net/index.php?title=Fimap
Video
http://www.youtube.com/watch?v=eUcq8moRT88&feature=player_embedded