fimap v0.7a released

fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s is currently under heavy development but it’s usable.

Version 0.7 Alpha:

  • All commands will now be send base64 encoded. So you can use quotes as much as you want.
  • php://input detection is now 100% reliable. (it produced some false positives befor)
  • You can now define a POST string for relative and absolute files in the
  • Two placeholders can be used for the POST- and the find-string.
    • __PHP_QUIZ__ which will generate a little random PHP testing code.
    • __PHP_ANSWER__ which is the answer of the PHP testing code.
  • Experimental blindmode implemented. It will try to get the path with "/.." "/../.." "/../../..". Also known as monkey mode. It will only try blindly if the default mode failed and you have enabled it with "—enable-blind". This mode will cause a lots of request!
  • TTL implemented. You can define it with "—ttl ". Default is 30 seconds.
  • Experimental HTTP Proxy support. You can define a HTTP(s) proxy with "—http-proxy localhost:8080".
  • Show-my-ip added. Use "—show-my-ip" if you want to see your current Internet-IP, Country and User-Agent. Useful to test your proxy or vpn!
  • Googlescanner can now skip the first X pages. Use "—skip-pages X".
  • Exploit mode will now extract the first time you connect to a server the kernel version and store it. Next time you start the exploit mode, the kernel version will be printed right after the domain name.
  • Lot’s of bugfixes and additional regular expressions.
JPEG - 3.7 kb

What works currently?

  • Check a Single URL, List of URLs, or Google results fully automaticly.
  • Can identify and exploit file inclusion bugs.
    • Relative\Absolute Path Handling.
    • Tries automaticly to eleminate suffixes with Nullbyte.
    • Remotefile Injection.
    • Logfile Injection. (FimapLogInjection)
  • Test and exploit multiple bugs:
    • include()
    • include_once()
    • require()
    • require_once()
  • You always define absolute pathnames in the configs. No monkey like pathes like:
    • ../etc/passwd
    • ../../etc/passwd
    • ../../../etc/passwd
    • But in cases where the server doesn’t print messages you can enable the monkey-like checking with —enable-blind!
  • Has an interactive exploit mode which...
    • ...can spawn a shell on vulnerable systems.
    • ...can spawn a reverse shell on vulnerable systems.
    • ...can do everything you have added in your payload-dict inside the
  • Add your own payloads and pathes to the file.
  • Has a Harvest mode which can collect URLs from a given domain for later pentesting.
  • Goto FimapHelpPage for all features.
  • Works also on windows.
  • Can handle directories in RFI mode like:
    • where Null-Byte is not possible.

      <? include ($_GET["inc"] . "/content/index.html"); ?>

<? include ($_GET["inc"] . "_lang/index.html"); ?>

  • Can use proxys (experimental).


  • Needs: Python >= 2.4
  • Read the FAQ

More information: here

Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Penetration testing & Ethical Hacking :

    PCI DSS 11.3, SOX A13.3, GLBA 16 CFR Part 314.4 (c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Vulnerability Scanner :

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2


Related Articles

Application Scanner
Configurations checks
Penetration testing & Ethical Hacking
Vulnerability Scanner