| Sign in

fimap

A little tool for local and remote file inclusion auditing and exploitation.

Project hosting will be READ-ONLY Wednesday at 8am PST due to brief network maintenance.

Project Home		Downloads		Issues		Source

Summary | Updates | People

Code license:	GNU General Public License v2
Labels:	fimap, localfileinclusion, security, web, http, remotefileinclusion, lfi, rfi, inclusion, injection, python, audit, scanner, pentest

Show all Featured downloads:
fimap_alpha_v07.tar.gz

Links:	fimap on Twitter
Feeds:	Project feeds

Project owners:
	fimap....@gmail.com

Welcome to the fimap project!

fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable.

The goal of fimap is to improve the quality and security of your website.

Do not use this tool on servers where you don't have permission to pentest!

I am dead serious.

I'm trying twitter right now to announce cool SVN updates.

Feel free to follow: http://twitter.com/fimap

If you don't like twitter like me then keep watching the Quick News below :)

Quick News for SVN and upcoming versions

fimap is included in Backtrack 4! Thanks Backtrack Team especially emgent!

SVN Version Updates(Public Repository - Will be released as the next version)

POST variables can now used to scan and exploit!
Multilanguage scanning and attacking prototype in SVN!

WARNING: Read the README.SVN file inside.
Expect crashes in this version! Please send me an E-Mail or jabber me if you find bugs.

GIT Version Updates (Private Repository - Will be pushed in near future to SVN)

Mutilanguage refining.

What works currently?

Check a Single URL, List of URLs, or Google results fully automaticly.
Can identify and exploit file inclusion bugs.

Relative\Absolute Path Handling.
Tries automaticly to eleminate suffixes with Nullbyte.
Remotefile Injection.
Logfile Injection. (FimapLogInjection)

Test and exploit multiple bugs:

include()
include_once()
require()
require_once()

You always define absolute pathnames in the configs. No monkey like pathes like:

../etc/passwd
../../etc/passwd
../../../etc/passwd
But in cases where the server doesn't print messages you can enable the monkey-like checking with --enable-blind!

Has an interactive exploit mode which...

...can spawn a shell on vulnerable systems.
...can spawn a reverse shell on vulnerable systems.
...can do everything you have added in your payload-dict inside the config.py

Add your own payloads and pathes to the config.py file.
Has a Harvest mode which can collect URLs from a given domain for later pentesting.
Goto FimapHelpPage for all features.
Works also on windows.
Can handle directories in RFI mode like:

<? include ($_GET["inc"] . "/content/index.html"); ?>
<? include ($_GET["inc"] . "_lang/index.html"); ?>
where Null-Byte is not possible.

Can use proxys (experimental).
Scans GET and POST(in SVN) variables.
Has a very small footprint.

What doesn't work yet?

Currently fimap can only scan\attack unix-like servers.
Code is not super-b yet. It's a quick and dirty (but functional) hack currently.
No login stuff, yet.
readfile() bugs will be logged but not exploited (, yet)

Where can I see some examples?

Goto FimapExampleRuns

Whats the quickest way to get fimap running on my machine?

Goto Download Page
Click here if you prefer an SVN Snapshot.

Where is the FAQ?

Goto FrequentlyAskedQuestions

What's coming next?

Goto WorkInProgress

Credits

Main Developer: Iman Karim
Additional thanks goes out to:

Peteris Krumins for xgoogle python module.
Pentestmonkey for php-reverse-shell.
Crummy for BeautifulSoup.

Also thanks to:

The Python Project
The Eclipse Project
The Netbeans Project

Hosted by