fimap : a tool for exploiting Remote/Local File Inclusion vulnerabilities | LFI Attacks

fimap is an LFI/RFI detection and exploitation tool written in Python that can find, prepare, audit, exploit and even automatically Google for local and remote file inclusion bugs in web apps. fimap is something like sqlmap, but for LFI/RFI bugs instead of SQL injection. The download link is given below :

        https://github.com/crunchsec/fimap/archive/master.zip

Now let's look at some examples of using fimap.

For the help menu :
 ./fimap.py -h
Let's first try it against the File Inclusion pages of the Web4Pentest VM.

Simple Scan :
 ./fimap.py -u http://192.168.56.103/fileincl/example1.php?page=
Output :


As we can see, the 'page' parameter is vulnerable. Scanning the second example :
 ./fimap.py -u http://192.168.56.103/fileincl/example2.php?page=
Output :


Scanning with harvest mode : -H

This mode harvests all URLs from a given root URL of a server and saves them to a file.
 ./fimap.py -H -u root_url -w output_file_name
Example :
 ./fimap.py -H -u http://192.168.56.103/ -w op.txt
The output will be saved to op.txt.

Now we can use that output file as input to scan each URL with fimap, using the mass scan option (-m) :
 ./fimap.py -m -l op.txt

Interactive mode :

The '-x' flag is used to start interactive mode in fimap. It lists all vulnerable targets based on previous scan results and gives the option to perform exploitation attempts against them. Example of interactive mode :
 ./fimap.py -x
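
The scans above seen from the server side, as an added example that is not part of the original post or of fimap: a log check that flags requests whose query parameters (such as 'page') carry common file-inclusion indicators. The log lines, source address and indicator list are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Generic, widely documented file-inclusion indicators (assumption: this is
# not fimap's own payload list, which the page does not show).
INDICATORS = {
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "wrapper": re.compile(r"^(php|data|expect|zip|phar|file):", re.I),
    "remote_url": re.compile(r"^(https?|ftp)://", re.I),
    "null_byte": re.compile(r"\x00"),
    "sensitive_path": re.compile(r"/etc/passwd|/proc/self/|boot\.ini", re.I),
}
# Common/combined log format: source address, request target, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def classify(value):
    """Return the sorted indicator names found in one parameter value."""
    decoded = unquote(value)  # second decode pass catches double URL-encoding
    return sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))

def scan(lines):
    """Map (source, path, parameter) -> [(indicators, status), ...]."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        src, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl performs the first percent-decoding pass.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings[(src, parts.path, param)].append((hits, int(status)))
    return dict(findings)

# Constructed sample lines (not captured from a real fimap run).
SAMPLE_LOG = [
    '192.168.56.1 - - [01/Jan/2024:10:00:00 +0000] "GET /fileincl/example1.php?page=intro.php HTTP/1.1" 200 512',
    '192.168.56.1 - - [01/Jan/2024:10:00:01 +0000] "GET /fileincl/example1.php?page=../../../../etc/passwd HTTP/1.1" 200 1804',
    '192.168.56.1 - - [01/Jan/2024:10:00:02 +0000] "GET /fileincl/example2.php?page=..%252f..%252fetc%252fpasswd%2500 HTTP/1.1" 200 30',
    '192.168.56.1 - - [01/Jan/2024:10:00:03 +0000] "GET /fileincl/example1.php?page=http://198.51.100.7/probe.txt HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for (src, path, param), events in scan(SAMPLE_LOG).items():
        print(f"{src} probed {path} parameter '{param}': {events}")
```

A hit with status 200 does not prove the file was included; it marks the request for triage against the response size and the application's own logs.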



