LFI/RFI Testing and Exploiting with fimap

Fimap is a little python tool which can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in webapps. Fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable.

Open your backtrack terminal & Type

 cd /pentest/web/fimap

Scan a single URL for FI errors

./fimap -u http://www.example.com/test.php?file=bang&id=23

Scan Google search results for FI errors

./fimap.py  -g  -q  inurl:include.php

Harvest all links of a webpage

./fimap.py –H  -u  http://example.com–d 3 –w /tmp/urllist

  • -m is for mass scanning
  • -l is for list
  • Scan websites using google dorks
  • .fimap.py -g -q ‘inurl:include.php’
  • -g for searching from google
  • -q stands for the query which is to be searched in google.

Website: http://fimap.googlecode.com

3 Comments LFI/RFI Testing and Exploiting with fimap

Leave a Reply

Your email address will not be published. Required fields are marked *