{"id":13539203,"url":"https://github.com/kurobeats/fimap","last_synced_at":"2025-04-02T06:30:32.359Z","repository":{"id":29434797,"uuid":"32970833","full_name":"kurobeats/fimap","owner":"kurobeats","description":"fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.","archived":false,"fork":false,"pushed_at":"2022-09-12T03:50:58.000Z","size":373,"stargazers_count":515,"open_issues_count":18,"forks_count":99,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-11-03T04:32:20.438Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kurobeats.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-03-27T06:11:25.000Z","updated_at":"2024-10-31T10:22:54.000Z","dependencies_parsed_at":"2023-01-14T14:55:20.201Z","dependency_job_id":null,"html_url":"https://github.com/kurobeats/fimap","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2Ffimap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2Ffimap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2Ffimap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2Ffimap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kurobeats","download_url":"https://codeload.github.com/kurobeats/fimap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767515,"owners_count":20830505,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:21.700Z","updated_at":"2025-04-02T06:30:31.959Z","avatar_url":"https://github.com/kurobeats.png","language":"Python","readme":"Welcome to the fimap project!\n=============================\n\nfimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like [sqlmap](http://sqlmap.sourceforge.net) just for LFI/RFI bugs instead of sql injection.\n\nOriginally, this tool was created by [this very awesome fellow](https://tha-imax.de/git/root/fimap/tree/master) but there hasn't been a lot of movement on the project since porting to github.\n\n* * *\n\n## What works currently?\n\n*   Check a Single URL, List of URLs, or Google results fully automaticly.\n*   Can identify and exploit file inclusion bugs.\n\n*   Relative\\Absolute Path Handling.\n*   Tries automaticly to eleminate suffixes with Nullbyte and other methods like Dot-Truncation.\n*   Remotefile Injection.\n*   Logfile Injection.\n\n*   Test and exploit multiple bugs:\n\n*   include()\n*   include_once()\n*   require()\n*   require_once()\n\n*   You always define absolute pathnames in the configs. No monkey like redundant pathes like:\n\n*   ../etc/passwd\n*   ../../etc/passwd\n*   ../../../etc/passwd\n\n*   Has a Blind Mode (--enable-blind) for cases when the server has disabled error messages.\n*   Has an interactive exploit mode which...\n\n*   ...can spawn a shell on vulnerable systems.\n*   ...can spawn a reverse shell on vulnerable systems.\n*   ...can do everything you have added in your_payload-dict_ inside the_config.py_\n\n*   Add your own payloads and pathes to the config.py file.\n*   Has a Harvest mode which can collect URLs from a given domain for later pentesting.\n*   Works also on windows.\n*   Can handle directories in RFI mode like:\n\n*   \u003ctt\u003e\u003c? include ($_GET[\"inc\"] . \"/content/index.html\"); ?\u003e\u003c/tt\u003e\n*   \u003ctt\u003e\u003c? include ($_GET[\"inc\"] . \"_lang/index.html\"); ?\u003e\u003c/tt\u003e\n*   where Null-Byte is not possible.\n\n*   Can use proxys.\n*   Scans and exploits GET, POST and Cookies.\n*   Has a very small footprint. (No senseless bruteforcing of pathes - unless you need it.)\n*   Can attack also windows servers! \n*   Has a tiny plugin interface for writing exploitmode plugins \n\n*   Non Interactive Exploiting\n\n## What doesn't work yet?\n\n*   Other languages than PHP (even if engine is ready for others as well.)\n\n## Is there a How To?\n\n*   Check out [this](http://kaoticcreations.blogspot.com/2011/08/automated-lfirfi-scanning-exploiting.html) post by HR from [Kaotic Creations](http://kaoticcreations.blogspot.com) which explains fimap really good :) It's a tutorial for windows but I think unix heads should understand it as well.\n\n## Credits\n\n*   Main Developer: [Iman Karim](mailto:fimap.dev@gmail.com)\n\n*   Trusted Plugins:\n\n*   Metasploit binding by [Xavier Garcia](mailto:xavi.garcia(atom)gmail(dot)com)\n*   Weevily Injector by [Darren \"Infodox\" Martyn](mailto:infodox(atom)insecurety(dot)net) from [http://insecurety.net/](http://insecurety.net/)\n*   AES Reverse Shell by [Darren \"Infodox\" Martyn](mailto:infodox(atom)insecurety(dot)net) from [http://insecurety.net/](http://insecurety.net/)\n\n*   Additional thanks goes out to:\n\n*   Peteris Krumins for [xgoogle](http://www.catonmat.net/blog/python-library-for-google-search/) python module.\n*   Pentestmonkey for [php-reverse-shell](http://pentestmonkey.net/tools/php-reverse-shell/).\n*   Crummy for [BeautifulSoup](http://www.crummy.com/software/BeautifulSoup/).\n*   Zeth0 from [commandline.org.uk](http://commandline.org.uk/) for ssh.py.\n\n*   Also thanks to:\n\n*   The [Python](http://python.org) Project\n*   The [Eclipse](http://eclipse.org) Project\n*   The [Netbeans](http://netbeans.org) Project\n","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","Tools","Web Exploitation","Web"],"sub_categories":["\u003ca id=\"41ae40ed61ab2b61f2971fea3ec26e7c\"\u003e\u003c/a\u003e漏洞利用","Web Exploitation","Penetration Testing Report Templates","Web file inclusion tools","Web File Inclusion Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkurobeats%2Ffimap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkurobeats%2Ffimap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkurobeats%2Ffimap/lists"}