fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection.
- Check a Single URL, List of URLs, or Google results fully automaticly.
- Can identify and exploit file inclusion bugs.
- Test and exploit multiple bugs.
- You always define absolute pathnames in the configs. No monkey like redundant pathes.
- Has a Blind Mode (–enable-blind) for cases when the server has disabled error messages.
- Has an interactive exploit mode.
- Add your own payloads and pathes to the xml files or go ahead and write a new plugin.
- Has a Harvest mode which can collect URLs from a given domain for later pentesting.
- Works also on windows.
- Can handle directories in RFI mode.
- Can use proxys.
- Scans and exploits GET, POST and Cookies.
- Has a very small footprint. (No senseless bruteforcing of pathes – unless you need it.)
- Can attack also windows servers!
- Has a tiny plugin interface for writing exploitmode plugins.
- Non Interactive Exploiting.
Download from here.
git clone https://tha-imax.de/git/root/fimap.git /opt/fimap