CIP Cyber

Log In
Menu
Log In
  • Opinion
  • Product Reviews
  • Industrial Cybersecurity
  • Videos

fimap RFI & LFI Scanner – Exploitation

Table of Contents

fimap is a little python tool which can find, prepare, audit, exploit
and even google automaticly for local and remote file inclusion bugs in
webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable. 


  • Check a Single URL, List of URLs, or Google results fully automaticly.
  • Can identify and exploit file inclusion bugs.
    • RelativeAbsolute Path Handling.
    • Tries automaticly to eleminate suffixes with Nullbyte and other methods like Dot-Truncation.
    • Remotefile Injection.
    • Logfile Injection. (FimapLogInjection)
  • Test and exploit multiple bugs:
    • include()
    • include_once()
    • require()
    • require_once()
  • You always define absolute pathnames in the configs. No monkey like redundant pathes like:
    • ../etc/passwd
    • ../../etc/passwd
    • ../../../etc/passwd
  • Has a Blind Mode (–enable-blind) for cases when the server has disabled error messages. BlindMode
  • Has an interactive exploit mode which…
    • …can spawn a shell on vulnerable systems.
    • …can spawn a reverse shell on vulnerable systems.
    • …can do everything you have added in your payload-dict inside the config.py
  • Add your own payloads and pathes to the config.py file.
  • Has a Harvest mode which can collect URLs from a given domain for later pentesting.
  • Goto FimapHelpPage for all features.
  • Works also on windows.
  • Can handle directories in RFI mode like:
    • <? include ($_GET[“inc”] . “/content/index.html”); ?>
    • <? include ($_GET[“inc”] . “_lang/index.html”); ?>
    • where Null-Byte is not possible.
  • Can use proxys.
  • Scans and exploits GET, POST and Cookies.
  • Has a very small footprint. (No senseless bruteforcing of pathes – unless you need it.) 

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
CIP Cyber Staff

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.

Most popular

Opinion

Password Cyberattack: Everything You Need to Know

November 7, 2023

Industrial Cybersecurity

Cybersecurity Awareness Month: Spotlight on ICS/OT Security

September 28, 2023

Opinion

How to Protect IoT Devices in Critical Infrastructure Networks

September 15, 2023

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Choose Training

Related Articles

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Choose Training