Fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap just for LFI/RFI bugs instead of SQL injection. It’s currently under heavy development but it’s usable. Fimap comes preinstalled in Kali Linux you can run it with the terminal command
fimap -h
Once you hit enter it will show you all the options available which you can use to test the security for LFI and RF. You can try all of them on any local machine because if you try it on the live web it will create huge traffic and it will be illegal to test it without permission for testing purpose you can try any local web for this tutorial I am using metasploitable 2 Linux machine as my target

Open your terminal and type this command to scan a website for vulnerability

fimap -u http://website.com/page1/login.php/


when scannig is compltedit will show you the output for the possible path and if the web is vulnerabile or not.

You can define cookie if the page is behind a login form then it can't scan for the vulnerabilty in that sutuatiion you can define the cookie to bypass the login page with the help of cookie to do that type this command

fimap -u http://192.168.197.130/mutillidae/index.php?page=login.php --cookie=12334556

change the cookie value you got from the website. To get you cookie from the website right click and select inspect option and choose console and type document.cookie and hit enter you will get your cookie which you are using.

You can join our telegram channel for the latest update. You can follow us on Twitter and Instagram.
Share it If you like it