Commit 48877761 authored by Anthony Cozamanis

Update README.md

parent e959e3b4
......@@ -3,6 +3,7 @@ Welcome to the fimap project!
fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like [sqlmap](http://sqlmap.sourceforge.net) just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable.
The goal of fimap is to improve the quality and security of **your** website.
**Do not use this tool on servers where you don't have permission to pentest!**
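Review bot: "automaticly" in the first paragraph of this hunk is misspelled. Since the commit is already cleaning up the README, change it to "automatically" here; the same misspelling appears in the feature list further down.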
......@@ -13,10 +14,13 @@ I am dead serious.
I'm trying twitter right now to announce cool SVN updates.
Feel free to follow: [http://twitter.com/fimap](http://twitter.com/fimap)
If you don't like twitter like me then keep watching the Quick News below :)
## Quick News for SVN and upcoming versions
* <span style="text-decoration: line-through">Bing searching module implemented in SVN!</span> Currently broken :-O
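Review bot: The struck-through Quick News item relies on an inline `<span style="text-decoration: line-through">`. Markdown renderers that sanitize HTML commonly drop the `style` attribute, in which case the item would read as a live announcement followed by "Currently broken". Use the Markdown strikethrough form instead: `~~Bing searching module implemented in SVN!~~ Currently broken :-O`.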
......@@ -30,20 +34,25 @@ If you don't like twitter like me then keep watching the Quick News below :)
* Check a Single URL, List of URLs, or Google results fully automaticly.
* Can identify and exploit file inclusion bugs.
* Relative\Absolute Path Handling.
* Tries automaticly to eleminate suffixes with Nullbyte and other methods like Dot-Truncation.
* Remotefile Injection.
* Logfile Injection.
* Test and exploit multiple bugs:
* include()
* include_once()
* require()
* require_once()
* You always define absolute pathnames in the configs. No monkey like redundant pathes like:
* ../etc/passwd
* ../../etc/passwd
* ../../../etc/passwd
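Review bot: The feature list in this hunk still carries spelling errors that a README cleanup should fix: "eleminate" should be "eliminate", "pathes" should be "paths", and "automaticly" (twice) should be "automatically". The line "No monkey like redundant pathes like:" is also hard to parse. Something like "No redundant relative paths such as:" says the same thing. "Relative\Absolute" would read better as "Relative/Absolute", since the backslash can be taken as a Markdown escape.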
......@@ -51,25 +60,30 @@ If you don't like twitter like me then keep watching the Quick News below :)
* Has a Blind Mode (--enable-blind) for cases when the server has disabled error messages.
* Has an interactive exploit mode which...
* ...can spawn a shell on vulnerable systems.
* ...can spawn a reverse shell on vulnerable systems.
* ...can do everything you have added in your_payload-dict_ inside the_config.py_
* Add your own payloads and pathes to the config.py file.
* Has a Harvest mode which can collect URLs from a given domain for later pentesting.
* Works also on windows.
* Can handle directories in RFI mode like:
* <tt><? include ($_GET["inc"] . "/content/index.html"); ?></tt>
* <tt><? include ($_GET["inc"] . "_lang/index.html"); ?></tt>
* where Null-Byte is not possible.
* Can use proxys.
* Scans and exploits GET, POST and Cookies.
* Has a very small footprint. (No senseless bruteforcing of pathes - unless you need it.)
* Can attack also windows servers!
* Has a tiny plugin interface for writing exploitmode plugins
* Non Interactive Exploiting
## What doesn't work yet?
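Review bot: The two RFI directory examples wrap raw PHP in `<tt>` tags (`<tt><? include ($_GET["inc"] . "/content/index.html"); ?></tt>`). A Markdown renderer can treat `<? ... ?>` as raw HTML and drop it from the rendered page, leaving empty bullets. Put both snippets in backtick code spans instead. In the same hunk, the emphasis on "your_payload-dict_ inside the_config.py_" is broken: the underscores are attached to the wrong words and the spaces are missing, so it should read "your _payload-dict_ inside the _config.py_".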
......@@ -82,26 +96,26 @@ If you don't like twitter like me then keep watching the Quick News below :)
## Credits
* Main Developer:[Iman Karim](mailto:fimap.dev@gmail.com)
* Main Developer: [Iman Karim](mailto:fimap.dev@gmail.com)
* Trusted Plugins:
* Metasploit binding by[Xavier Garcia](mailto:xavi.garcia(atom)gmail(dot)com)
* Weevily Injector by[Darren "Infodox" Martyn](mailto:infodox(atom)insecurety(dot)net) from[http://insecurety.net/](http://insecurety.net/)
* AES Reverse Shell by[Darren "Infodox" Martyn](mailto:infodox(atom)insecurety(dot)net) from[http://insecurety.net/](http://insecurety.net/)
* Metasploit binding by [Xavier Garcia](mailto:xavi.garcia(atom)gmail(dot)com)
* Weevily Injector by [Darren "Infodox" Martyn](mailto:infodox(atom)insecurety(dot)net) from [http://insecurety.net/](http://insecurety.net/)
* AES Reverse Shell by [Darren "Infodox" Martyn](mailto:infodox(atom)insecurety(dot)net) from [http://insecurety.net/](http://insecurety.net/)
* Additional thanks goes out to:
* Peteris Krumins for[xgoogle](http://www.catonmat.net/blog/python-library-for-google-search/) python module.
* Pentestmonkey for[php-reverse-shell](http://pentestmonkey.net/tools/php-reverse-shell/).
* Crummy for[BeautifulSoup](http://www.crummy.com/software/BeautifulSoup/).
* Zeth0 from[commandline.org.uk](http://commandline.org.uk/) for ssh.py.
* Peteris Krumins for [xgoogle](http://www.catonmat.net/blog/python-library-for-google-search/) python module.
* Pentestmonkey for [php-reverse-shell](http://pentestmonkey.net/tools/php-reverse-shell/).
* Crummy for [BeautifulSoup](http://www.crummy.com/software/BeautifulSoup/).
* Zeth0 from [commandline.org.uk](http://commandline.org.uk/) for ssh.py.
* Also thanks to:
* The[Python](http://python.org) Project
* The[Eclipse](http://eclipse.org) Project
* The[Netbeans](http://netbeans.org) Project
* The [Python](http://python.org) Project
* The [Eclipse](http://eclipse.org) Project
* The [Netbeans](http://netbeans.org) Project
* * *
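Review bot: The Credits entries fix the spacing before each link but keep obfuscated addresses inside `mailto:` targets, for example `mailto:xavi.garcia(atom)gmail(dot)com`. That is not a valid address, so the link opens a mail client with an unusable recipient. Either show the obfuscated address as plain text without a link, or link the contributor's name to a profile or project page instead.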