fimap
fimap Package Description
fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of SQL injection. It’s currently under heavy development but it’s usable.
Tools included in the fimap package
fimap – LFI and RFI exploitation tool
root@kali:~# fimap -h
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
Usage: fimap [options]
## Operating Modes:
-s , --single Mode to scan a single URL for FI errors.
Needs URL (-u). This mode is the default.
-m , --mass Mode for mass scanning. Will check every URL
from a given list (-l) for FI errors.
-g , --google Mode to use Google to aquire URLs.
Needs a query (-q) as google search query.
-B , --bing Use bing to get URLs.
Needs a query (-q) as bing search query.
Also needs a Bing APIKey (--bingkey)
-H , --harvest Mode to harvest a URL recursivly for new URLs.
Needs a root url (-u) to start crawling there.
Also needs (-w) to write a URL list for mass mode.
-4 , --autoawesome With the AutoAwesome mode fimap will fetch all
forms and headers found on the site you defined
and tries to find file inclusion bugs thru them. Needs an
URL (-u).
## Techniques:
-b , --enable-blind Enables blind FI-Bug testing when no error messages are printed.
Note that this mode will cause lots of requests compared to the
default method. Can be used with -s, -m or -g.
-D , --dot-truncation Enables dot truncation technique to get rid of the suffix if
the default mode (nullbyte poison) failed. This mode can cause
tons of requests depending how you configure it.
By default this mode only tests windows servers.
Can be used with -s, -m or -g. Experimental.
-M , --multiply-term=X Multiply terminal symbols like '.' and '/' in the path by X.
## Variables:
-u , --url=URL The URL you want to test.
Needed in single mode (-s).
-l , --list=LIST The URL-LIST you want to test.
Needed in mass mode (-m).
-q , --query=QUERY The Google Search QUERY.
Example: 'inurl:include.php'
Needed in Google Mode (-g)
--bingkey=APIKEY This is your the Bing APIKey. You have to set this when you
want to use the BingScanner (-B).
--skip-pages=X Skip the first X pages from the Googlescanner.
-p , --pages=COUNT Define the COUNT of pages to search (-g).
Default is 10.
--results=COUNT The count of results the Googlescanner should get per page.
Possible values: 10, 25, 50 or 100(default).
--googlesleep=TIME The time in seconds the Googlescanner should wait befor each
request to google. fimap will count the time between two requests
and will sleep if it's needed to reach your cooldown. Default is 5.
-w , --write=LIST The LIST which will be written if you have choosen
harvest mode (-H). This file will be opened in APPEND mode.
-d , --depth=CRAWLDEPTH The CRAWLDEPTH (recurse level) you want to crawl your target site
in harvest mode (-H). Default is 1.
-P , --post=POSTDATA The POSTDATA you want to send. All variables inside
will also be scanned for file inclusion bugs.
--cookie=COOKIES Define the cookie which should be send with each request.
Also the cookies will be scanned for file inclusion bugs.
Concatenate multiple cookies with the ';' character.
--ttl=SECONDS Define the TTL (in seconds) for requests. Default is 30 seconds.
--no-auto-detect Use this switch if you don't want to let fimap automaticly detect
the target language in blind-mode. In that case you will get some
options you can choose if fimap isn't sure which lang it is.
--bmin=BLIND_MIN Define here the minimum count of directories fimap should walk thru
in blind mode. The default number is defined in the generic.xml
--bmax=BLIND_MAX Define here the maximum count of directories fimap should walk thru.
--dot-trunc-min=700 The count of dots to begin with in dot-truncation mode.
--dot-trunc-max=2000 The count of dots to end with in dot-truncation mode.
--dot-trunc-step=50 The step size for each round in dot-truncation mode.
--dot-trunc-ratio=0.095 The maximum ratio to detect if dot truncation was successfull.
--dot-trunc-also-unix Use this if dot-truncation should also be tested on unix servers.
--force-os=OS Forces fimap to test only files for the OS.
OS can be 'linux' or 'windows'
## Attack Kit:
-x , --exploit Starts an interactive session where you can
select a target and do some action.
-X Same as -x but also shows not exploitable which might can be
hax0red with plugins.
-T , --tab-complete Enables TAB-Completation in exploit mode. Needs readline module.
Use this if you want to be able to tab-complete thru remote
files\dirs. Eats an extra request for every 'cd' command.
--x-host=HOSTNAME The host to use exploits on. fimap won't prompt you for the domain
in exploit mode if you set this value.
--x-vuln=VULNNUMBER The vulnerability ID you want to use. It's the same number you type
into the exploit mode where you choose the vulnerable script.
--x-cmd=CMD The CMD you want to execute on the vulnerable system. Use this parameter
more than once to execute commands one after another.
Remember that each command opens a new shell and closes it after execution.
## Disguise Kit:
-A , --user-agent=UA The User-Agent which should be sent.
--http-proxy=PROXY Setup your proxy with this option. But read this facts:
* The googlescanner will ignore the proxy to get the URLs,
but the pentest\attack itself will go thru proxy.
* PROXY should be in format like this: 127.0.0.1:8080
* It's experimental
--show-my-ip Shows your internet IP, current country and user-agent.
Useful if you want to test your vpn\proxy config.
## Plugins:
--plugins List all loaded plugins and quit after that.
-I , --install-plugins Shows some official exploit-mode plugins you can install
and\or upgrade.
## Other:
--update-def Checks and updates your definition files found in the
config directory.
--test-rfi A quick test to see if you have configured RFI nicely.
--merge-xml=XMLFILE Use this if you have another fimap XMLFILE you want to
include to your own fimap_result.xml.
-C , --enable-color Enables a colorful output. Works only in linux!
--force-run Ignore the instance check and just run fimap even if a lockfile
exists. WARNING: This may erase your fimap_results.xml file!
-v , --verbose=LEVEL Verbose level you want to receive.
LEVEL=3 -> Debug
LEVEL=2 -> Info(Default)
LEVEL=1 -> Messages
LEVEL=0 -> High-Level
--credits Shows some credits.
--greetings Some greetings ;)
-h , --help Shows this cruft.
## Examples:
1. Scan a single URL for FI errors:
fimap -u 'http://localhost/test.php?file=bang&id=23'
2. Scan a list of URLS for FI errors:
fimap -m -l '/tmp/urllist.txt'
3. Scan Google search results for FI errors:
fimap -g -q 'inurl:include.php'
4. Harvest all links of a webpage with recurse level of 3 and
write the URLs to /tmp/urllist
fimap -H -u 'http://localhost' -d 3 -w /tmp/urllist
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
Usage: fimap [options]
## Operating Modes:
-s , --single Mode to scan a single URL for FI errors.
Needs URL (-u). This mode is the default.
-m , --mass Mode for mass scanning. Will check every URL
from a given list (-l) for FI errors.
-g , --google Mode to use Google to aquire URLs.
Needs a query (-q) as google search query.
-B , --bing Use bing to get URLs.
Needs a query (-q) as bing search query.
Also needs a Bing APIKey (--bingkey)
-H , --harvest Mode to harvest a URL recursivly for new URLs.
Needs a root url (-u) to start crawling there.
Also needs (-w) to write a URL list for mass mode.
-4 , --autoawesome With the AutoAwesome mode fimap will fetch all
forms and headers found on the site you defined
and tries to find file inclusion bugs thru them. Needs an
URL (-u).
## Techniques:
-b , --enable-blind Enables blind FI-Bug testing when no error messages are printed.
Note that this mode will cause lots of requests compared to the
default method. Can be used with -s, -m or -g.
-D , --dot-truncation Enables dot truncation technique to get rid of the suffix if
the default mode (nullbyte poison) failed. This mode can cause
tons of requests depending how you configure it.
By default this mode only tests windows servers.
Can be used with -s, -m or -g. Experimental.
-M , --multiply-term=X Multiply terminal symbols like '.' and '/' in the path by X.
## Variables:
-u , --url=URL The URL you want to test.
Needed in single mode (-s).
-l , --list=LIST The URL-LIST you want to test.
Needed in mass mode (-m).
-q , --query=QUERY The Google Search QUERY.
Example: 'inurl:include.php'
Needed in Google Mode (-g)
--bingkey=APIKEY This is your the Bing APIKey. You have to set this when you
want to use the BingScanner (-B).
--skip-pages=X Skip the first X pages from the Googlescanner.
-p , --pages=COUNT Define the COUNT of pages to search (-g).
Default is 10.
--results=COUNT The count of results the Googlescanner should get per page.
Possible values: 10, 25, 50 or 100(default).
--googlesleep=TIME The time in seconds the Googlescanner should wait befor each
request to google. fimap will count the time between two requests
and will sleep if it's needed to reach your cooldown. Default is 5.
-w , --write=LIST The LIST which will be written if you have choosen
harvest mode (-H). This file will be opened in APPEND mode.
-d , --depth=CRAWLDEPTH The CRAWLDEPTH (recurse level) you want to crawl your target site
in harvest mode (-H). Default is 1.
-P , --post=POSTDATA The POSTDATA you want to send. All variables inside
will also be scanned for file inclusion bugs.
--cookie=COOKIES Define the cookie which should be send with each request.
Also the cookies will be scanned for file inclusion bugs.
Concatenate multiple cookies with the ';' character.
--ttl=SECONDS Define the TTL (in seconds) for requests. Default is 30 seconds.
--no-auto-detect Use this switch if you don't want to let fimap automaticly detect
the target language in blind-mode. In that case you will get some
options you can choose if fimap isn't sure which lang it is.
--bmin=BLIND_MIN Define here the minimum count of directories fimap should walk thru
in blind mode. The default number is defined in the generic.xml
--bmax=BLIND_MAX Define here the maximum count of directories fimap should walk thru.
--dot-trunc-min=700 The count of dots to begin with in dot-truncation mode.
--dot-trunc-max=2000 The count of dots to end with in dot-truncation mode.
--dot-trunc-step=50 The step size for each round in dot-truncation mode.
--dot-trunc-ratio=0.095 The maximum ratio to detect if dot truncation was successfull.
--dot-trunc-also-unix Use this if dot-truncation should also be tested on unix servers.
--force-os=OS Forces fimap to test only files for the OS.
OS can be 'linux' or 'windows'
## Attack Kit:
-x , --exploit Starts an interactive session where you can
select a target and do some action.
-X Same as -x but also shows not exploitable which might can be
hax0red with plugins.
-T , --tab-complete Enables TAB-Completation in exploit mode. Needs readline module.
Use this if you want to be able to tab-complete thru remote
files\dirs. Eats an extra request for every 'cd' command.
--x-host=HOSTNAME The host to use exploits on. fimap won't prompt you for the domain
in exploit mode if you set this value.
--x-vuln=VULNNUMBER The vulnerability ID you want to use. It's the same number you type
into the exploit mode where you choose the vulnerable script.
--x-cmd=CMD The CMD you want to execute on the vulnerable system. Use this parameter
more than once to execute commands one after another.
Remember that each command opens a new shell and closes it after execution.
## Disguise Kit:
-A , --user-agent=UA The User-Agent which should be sent.
--http-proxy=PROXY Setup your proxy with this option. But read this facts:
* The googlescanner will ignore the proxy to get the URLs,
but the pentest\attack itself will go thru proxy.
* PROXY should be in format like this: 127.0.0.1:8080
* It's experimental
--show-my-ip Shows your internet IP, current country and user-agent.
Useful if you want to test your vpn\proxy config.
## Plugins:
--plugins List all loaded plugins and quit after that.
-I , --install-plugins Shows some official exploit-mode plugins you can install
and\or upgrade.
## Other:
--update-def Checks and updates your definition files found in the
config directory.
--test-rfi A quick test to see if you have configured RFI nicely.
--merge-xml=XMLFILE Use this if you have another fimap XMLFILE you want to
include to your own fimap_result.xml.
-C , --enable-color Enables a colorful output. Works only in linux!
--force-run Ignore the instance check and just run fimap even if a lockfile
exists. WARNING: This may erase your fimap_results.xml file!
-v , --verbose=LEVEL Verbose level you want to receive.
LEVEL=3 -> Debug
LEVEL=2 -> Info(Default)
LEVEL=1 -> Messages
LEVEL=0 -> High-Level
--credits Shows some credits.
--greetings Some greetings ;)
-h , --help Shows this cruft.
## Examples:
1. Scan a single URL for FI errors:
fimap -u 'http://localhost/test.php?file=bang&id=23'
2. Scan a list of URLS for FI errors:
fimap -m -l '/tmp/urllist.txt'
3. Scan Google search results for FI errors:
fimap -g -q 'inurl:include.php'
4. Harvest all links of a webpage with recurse level of 3 and
write the URLs to /tmp/urllist
fimap -H -u 'http://localhost' -d 3 -w /tmp/urllist
fimap Usage Example
Scan the web application (-u “http://192.168.1.202/index.php”) for file inclusion issues:
root@kali:~# fimap -u "http://192.168.1.202/index.php"
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
SingleScan is testing URL: 'http://192.168.1.202/index.php'
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
SingleScan is testing URL: 'http://192.168.1.202/index.php'
No comments