fimap: a tool for exploiting Remote/Local File Inclusion vulnerabilities | LFI Attacks

fimap is an LFI/RFI detection and exploitation tool written in Python. It can find, prepare, audit, exploit and even automatically search Google for local and remote file inclusion bugs in web apps. fimap is something like sqlmap, just for LFI/RFI bugs instead of SQL injection.

Now let's look at some examples of using fimap. To show the help menu:

./fimap.py -h

Let's first try it against the File Inclusion pages of the Web4Pentest VM.

Simple Scan :

./fimap.py -u "http://192.168.56.103/fileincl/example1.php?page="

The scan output shows that the ‘page’ parameter is vulnerable. Scanning the second example :

./fimap.py -u "http://192.168.56.103/fileincl/example2.php?page="

Scanning with harvest mode : -H

This mode harvests all URLs from a given root URL of a server and saves them to a file.

./fimap.py -H -u root_url -w output_file_name

Example :

./fimap.py -H -u http://192.168.56.103/ -w op.txt

The output will be saved to op.txt.

Now we can use that output file as input and scan each URL with fimap, using the mass scan option (-m):

./fimap.py -m -l op.txt
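
From the defender's side, harvest and mass scans like these show up in the web server's access log as many requests from one client carrying inclusion-style parameter values. The following Python is an added example, not part of the original post or of fimap: it flags such requests in common-log-format lines and reports clients that reach a threshold. The sample log lines, the /docs.php path, the indicator patterns and the threshold of 3 are assumptions constructed for illustration and do not describe fimap's actual request set.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote

# Constructed common-log-format lines (not captured traffic).
SAMPLE_LOG = '''\
192.168.56.1 - - [10/Jan/2024:10:00:01 +0000] "GET /fileincl/example1.php?page=intro.php HTTP/1.1" 200 512
192.168.56.1 - - [10/Jan/2024:10:00:05 +0000] "GET /docs.php?file=..%2Freadme.txt HTTP/1.1" 404 210
192.168.56.50 - - [10/Jan/2024:10:01:00 +0000] "GET /fileincl/example1.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1402
192.168.56.50 - - [10/Jan/2024:10:01:01 +0000] "GET /fileincl/example1.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 98
192.168.56.50 - - [10/Jan/2024:10:01:02 +0000] "GET /fileincl/example2.php?page=..%2Fconfig%00 HTTP/1.1" 200 98
192.168.56.50 - - [10/Jan/2024:10:01:03 +0000] "GET /fileincl/example2.php?page=http%3A%2F%2Fexample.test%2Fprobe.txt HTTP/1.1" 200 98
'''

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Assumed indicator set: generic LFI/RFI markers in a decoded parameter value.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "remote_url": re.compile(r"^(?:https?|ftp)://", re.I),
    "wrapper": re.compile(r"^(?:php|data|expect|zip|phar|file):", re.I),
    "null_byte": re.compile(r"\x00"),
}

def classify(target):
    """Return the sorted indicator names found in the query string of target."""
    hits = set()
    for _name, value in parse_qsl(target.partition("?")[2], keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; decode again for %252e
        hits.update(name for name, rx in INDICATORS.items() if rx.search(value))
    return sorted(hits)

def scan(log_text, threshold=3):
    """Map client IP -> [(target, status, indicators)] for clients at or above threshold."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, status = m.groups()
        hits = classify(target)
        if hits:
            per_client[client].append((target, status, hits))
    return {ip: ev for ip, ev in per_client.items() if len(ev) >= threshold}

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        print(ip, len(events), "suspicious requests")
```

A 200 status on a flagged request deserves a closer look at the response size than a 404 does, which is why the status code is kept with each event.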

Interactive mode :

The ‘-x’ flag starts interactive mode in fimap. It lists all vulnerable targets based on previous scan results and gives the option to perform exploitation attempts against them. Example of interactive mode :

./fimap.py -x
