Welcome to the fimap project!

fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable.

The goal of fimap is to improve the quality and security of your website.

Do not use this tool on servers where you don't have permission to pentest!

I am dead serious.

I'm trying twitter right now to announce cool SVN updates.

Feel free to follow: http://twitter.com/fimap

If you don't like twitter like me then keep watching the Quick News below :)

Quick News for SVN and upcoming versions

Bing searching module implemented in SVN! To use it please fill your ID in bingScan.py (Soon there will be an option - Yes I was lazy.)
SSH-Logfiles can now be scanned and exploited through SSH username!

What works currently?

Check a Single URL, List of URLs, or Google results fully automaticly.
Can identify and exploit file inclusion bugs.

Relative\Absolute Path Handling.
Tries automaticly to eleminate suffixes with Nullbyte and other methods like Dot-Truncation.
Remotefile Injection.
Logfile Injection. (FimapLogInjection)

Test and exploit multiple bugs:

include()
include_once()
require()
require_once()

You always define absolute pathnames in the configs. No monkey like redundant pathes like:

../etc/passwd
../../etc/passwd
../../../etc/passwd

Has a Blind Mode (--enable-blind) for cases when the server has disabled error messages. BlindMode
Has an interactive exploit mode which...

...can spawn a shell on vulnerable systems.
...can spawn a reverse shell on vulnerable systems.
...can do everything you have added in your payload-dict inside the config.py

Add your own payloads and pathes to the config.py file.
Has a Harvest mode which can collect URLs from a given domain for later pentesting.
Goto FimapHelpPage for all features.
Works also on windows.
Can handle directories in RFI mode like:

<? include ($_GET["inc"] . "/content/index.html"); ?>
<? include ($_GET["inc"] . "_lang/index.html"); ?>
where Null-Byte is not possible.

Can use proxys.
Scans GET and POST variables.
Has a very small footprint. (No senseless bruteforcing of pathes - unless you need it.)
Can attack also windows servers! (WindowsAttack)
Has a tiny plugin interface for writing exploitmode plugins (PluginDevelopment)
Cookie and Header scanning and exploiting.

What doesn't work yet?

Other languages than PHP (even if engine is ready for others as well.)

Where can I see some examples?

Goto FimapExampleRuns

Whats the quickest way to get fimap running on my machine?

Goto Download Page
Click here if you prefer an SVN Snapshot.
If you have BackTrack you have it already! (/pentest/web/fimap)

Where is the FAQ?

Goto FrequentlyAskedQuestions

What's coming next?

Goto WorkInProgress

Is there a How To?

Check out this post by HR from Kaotic Creations which explains fimap really good :) It's a tutorial for windows but I think unix heads should understand it as well.

Other Stuff

Credits

Main Developer: Iman Karim

Trusted Plugins:

Metasploit binding by Xavier Garcia

Additional thanks goes out to:

Peteris Krumins for xgoogle python module.
Pentestmonkey for php-reverse-shell.
Crummy for BeautifulSoup.
Zeth0 from commandline.org.uk for ssh.py.

Also thanks to:

The Python Project
The Eclipse Project
The Netbeans Project

OFFTOPIC

Tools and Sites I really like

http://aluigi.org Luigi Auriemma
http://debian.org Debian
http://sikuli.org Sikuli
http://eu.battle.net/sc2/en Starcraft 2 - I really like Starcraft :)
http://sqlmap.sourceforge.net sqlmap
http://yakuake.kde.org Yakuake
http://virtualbox.org Virtual Box

Links to Friends

Very good music by Dextrous aka. Duckstrous! Check it out and give him love! http://www.duckstrous.com