LfiDump is a Python-based Local File Inclusion (LFI) vulnerability scanner that helps security professionals detect potential LFI vulnerabilities in web applications. This tool uses a set of predefined payloads to manipulate URLs and checks for vulnerable file inclusion points that could potentially be exploited. The scanner uses multithreading for efficient scanning of multiple URLs simultaneously and provides a detailed output of the results.
lfi download lfi files and convert to json
https://github.com/emadshanab/LFI-Payload-List
https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt
- LFI Vulnerability Testing: Detects LFI vulnerabilities by injecting payloads into URL parameters.
- Multithreading Support: Fast testing of multiple URLs in parallel with adjustable thread count.
- Payloads from JSON File: Easily load custom payloads from a JSON file to target specific vulnerabilities.
- Results Logging: Detected vulnerabilities are saved in
LFi.txt, while errors are logged inerrors.log. - Customizable URL Testing: Choose between using a single URL or a list of URLs to scan.
To get started with LfiDump, clone the repository to your local machine:
git clone https://github.com/HackfutSec/LfiDump.git
cd LfiDumpMake sure you have Python 3.x installed. You can install the required dependencies using pip:
pip install -r requirements.txtBefore running the script, make sure you have a valid payloads.json file. This file contains the payloads that will be used for testing LFI vulnerabilities.
Example of payloads.json format:
[
"../etc/passwd",
"/proc/self/environ",
"/var/log/apache2/access.log"
]After cloning the repository and installing dependencies, run the LfiDump.py script:
python LfiDump.pyThe script will prompt you to choose several options during execution:
-
Select URL Input Type:
- Option 1: Enter a single URL.
- Option 2: Provide a file containing a list of URLs (one URL per line).
-
Choose URL Option:
- Option 1: Keep the original URL structure.
- Option 2: Replace the URL with
?file=.
-
Set Number of Threads:
- Set the number of threads to run concurrently (default is 10).
[✘] Do you want to test:
(1) Single URL
(2) List of URLs
[<<] Choose (1/2): 1
[✘] Enter the single URL to test: http://example.com/page?id=1
[✓] Choose option:
1: Keep URL
2: Replace with ?file=
[<<] Your choice: 1
[✓] Number of Threads (default 10): 10- LFi.txt: This file contains the URLs that are vulnerable to LFI.
- errors.log: This file logs any errors that occurred during the requests.
Example of a vulnerable URL:
[>>] http://example.com/page?id=../../../../etc/passwd --> [Vuln]Example of a non-vulnerable URL:
[x] http://example.com/page?id=1 --> [Not Vuln]Let's test the following URLs from a list:
python lfi.py- URLs File:
urls.txtcontaining a list of URLs:
http://example.com/page?id=1
http://example.com/page?id=2
http://example.com/page?id=3The tool will automatically test all URLs with the configured payloads and display results in the terminal.
LfiDump is intended for ethical hacking and security testing only. Ensure you have explicit permission to test the websites or applications you're scanning. Unauthorized access to computer systems is illegal and unethical.
We welcome contributions to LfiDump. If you find any bugs or have suggestions for new features, feel free to open an issue or submit a pull request.
LfiDump is open-source software licensed under the MIT License.
For any questions or assistance, feel free to reach out to us:
- Telegram: @HackfutSec
- GitHub: https://github.com/HackfutSec/LfiDump
If you find this tool useful, consider starring the repository and sharing it with others in the security community. Thank you!