This tool is designed to identify and exploit potential Local File Inclusion (LFI) vulnerabilities in web applications. It automates testing for file inclusion by appending common file paths to a base URL.
- Customizable URL and file paths: Test any URL and use a file containing paths for exploration.
- Default file paths: Includes a comprehensive list of commonly targeted files.
- Directory traversal: Easily prepend traversal strings (e.g.,
../../../) to file paths. - Multithreading: Speed up requests with configurable thread usage.
- Timeouts: Set a timeout for each request to handle slow responses.
- Verbose output: Enable detailed logs of requests and responses.
- Python 3.6 or higher
requestsmodule
Install dependencies using:
pip install requests argformatIf there is restrictions on installing packages globally, creating a virtual environment is the best option.
Create a Virtual Environment:
python3 -m venv myenvActivate the Virtual Environment:
source myenv/bin/activateInstall argformat within the Virtual Environment:
pip install requests argformatpython3 lfi-fuzzer.py -h
usage: lfi-fuzzer.py [-h] -u URL [-f FILE] [--traversal TRAVERSAL] [--timeout TIMEOUT] [-v] [-t THREADS]
Fetch and display content from a URL with potential LFI. For more information, visit:
https://book.hacktricks.xyz/pentesting-web/file-inclusion
options:
-h, --help show this help message and exit
-u URL, --url URL Base URL (e.g., 'http://dev.site/script.php?page=')
-f FILE, --file FILE File containing paths to be appended to the base URL
--traversal TRAVERSAL Directory traversal string to prepend to paths (e.g., '../../../')
--timeout TIMEOUT Timeout for each request in seconds (default: 10)
-v, --verbose Enable verbose output
-t, --threads THREADS Number of threads to use (default: 10)The default pathlist is already included in the tool (for linux only). For more exhaustive pathlists visit the following links:
- The script supports multithreading, but using too many threads may cause server bans or performance issues.
- Always test on authorized targets. Unauthorized testing is illegal.
The use of code contained in this repository, either in part or in its totality, for engaging targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for misuses or damages caused by any code contained in this repository in any event that, accidentally or otherwise, it comes to be utilized by a threat agent or unauthorized entity as a means to compromise the security, privacy, confidentiality, integrity, and/or availability of systems and their associated resources. In this context the term "compromise" is henceforth understood as the leverage of exploitation of known or unknown vulnerabilities present in said systems, including, but not limited to, the implementation of security controls, human- or electronically-enabled.
The use of this code is only endorsed by the developers in those circumstances directly related to educational environments or authorized penetration testing engagements whose declared purpose is that of finding and mitigating vulnerabilities in systems, limiting their exposure to compromises and exploits employed by malicious agents as defined in their respective threat models.
This project is licensed under the MIT License 2.0 - see the LICENSE file for details.