LFImap

Bot User-Agent: lfimap

⚠️ Overview

LFImap is an open-source, Python-based tool for automating the detection and exploitation of Local File Inclusion (LFI) vulnerabilities in web applications, and it is often described as an LFI counterpart to sqlmap. It is developed on GitHub in the hansmach1ne/LFImap repository and should not be confused with LFISuite, a separate LFI tool by the researcher D35m0nd142. The repository README documents the supported techniques and command-line options; read the commit history there for the current maintenance status rather than assuming active development.

🔧 Technical Capabilities

LFImap performs automated LFI scanning by injecting directory traversal payloads into URL parameters, POST data, and HTTP headers. It supports a range of inclusion techniques, including plain ../ sequences, single and double URL encoding, and null byte (%00) truncation, which only works against PHP versions before 5.3.4 because later releases reject embedded null bytes in include() paths. It enumerates system files such as /etc/passwd, /proc/self/environ and /proc/self/fd/, and it attempts Remote Code Execution through log poisoning (planting PHP in a request header that lands in a readable access log, then including that log), PHP stream wrappers (php://filter to read source as base64, php://input and data:// to execute supplied code when allow_url_include is on), and session file poisoning. The tool has a built-in payload generator, multi-threaded scanning, and proxy support (for example, routing through Burp Suite or Tor). It also inspects error messages and server banners to fingerprint the underlying technology stack, which decides which wrapper and log-file payloads are worth trying.

📜 History & Notable Incidents

LFImap gained traction in the penetration testing community as a counterpart to sqlmap for LFI exploitation. LFI vulnerabilities with CVE identifiers are routinely exploited with generic tooling of this kind, but reports tying LFImap itself to a named incident, such as the 2020 extraction of configuration files from a misconfigured WordPress installation that is sometimes cited, do not point to a primary source and should be treated as unverified. Claims that the source code has been audited by security firms are likewise not backed by any published audit report; as with any exploitation tool, review the code before running it against a target. Its techniques are most effective against older PHP deployments (null byte truncation before 5.3.4, allow_url_include enabled), which is the setting in which penetration testing guides usually demonstrate them.

🔍 Detection Indicators

Traffic from LFImap typically shows a high rate of directory traversal strings (../, ..%2f, ..%252f) across several parameters of the same endpoint within seconds. The User-Agent string recorded for the tool is lfimap, as listed at the top of this entry, but operators can set any value, so the User-Agent alone is weak evidence. The behavioral fingerprint is stronger: rapid sequential requests to one endpoint with the traversal depth varied from request to request, combined with attempts to fetch well-known system files (/etc/passwd, /proc/self/environ) and wrapper schemes such as php://filter or data://. Web Application Firewalls with LFI rule sets flag the individual payloads; the signal worth alerting on is the burst of traversal attempts at varying depths and encodings from one client, because a single "../" in a parameter is common noise from broken links and crawlers.
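The detection logic sketched above, applied to a few constructed combined-format access log lines (added example in Python; not LFImap's code and not a real WAF rule). The IP addresses, timestamps, and log lines are made up for the example; the decoding loop exists so that double-encoded payloads are classified the same as plain ones.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Files an LFI scanner reads first, and wrapper schemes used for RCE; matched after decoding.
SYSFILE_RE = re.compile(r"/etc/passwd|/etc/shadow|/proc/self/(environ|fd/|cmdline)|/var/log/", re.I)
WRAPPER_RE = re.compile(r"(php|data|expect|phar|zip)://|data:", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample log: one scanning client and one ordinary visitor.
SAMPLE_LOG = """
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 512 "-" "lfimap"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "lfimap"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 512 "-" "lfimap"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:30:05 +0000] "GET /index.php?page=../contact HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".strip()


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so ..%252f and %2e%2e%2f both become ../."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path: str) -> set:
    """Return the LFI indicator tags present in one request path."""
    decoded = fully_decode(path)
    tags = set()
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if SYSFILE_RE.search(decoded):
        tags.add("sysfile")
    if WRAPPER_RE.search(decoded):
        tags.add("wrapper")
    if "\x00" in decoded:  # %00 after decoding
        tags.add("nullbyte")
    return tags


def score_clients(lines, window_seconds: int = 60, threshold: int = 3) -> dict:
    """Flag clients that send at least `threshold` LFI-indicator requests inside any
    `window_seconds` span, or that announce themselves with the lfimap User-Agent."""
    events = defaultdict(list)  # ip -> [(timestamp, tags, user_agent)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or non-combined line
        tags = classify(m["path"])
        is_tool_ua = m["ua"].lower().startswith("lfimap")
        if tags or is_tool_ua:
            events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), tags, m["ua"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        times = [e[0] for e in evs]
        burst, start = False, 0
        for end in range(len(times)):  # sliding window over indicator hits
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        ua_match = any(ua.lower().startswith("lfimap") for _, _, ua in evs)
        if burst or ua_match:
            flagged[ip] = {
                "hits": len(evs),
                "indicators": set().union(*(t for _, t, _ in evs)),
                "user_agents": {ua for _, _, ua in evs},
                "reason": "burst" if burst else "user-agent",
            }
    return flagged


if __name__ == "__main__":
    for ip, info in score_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The second client sends a single "../contact" and is left alone: one traversal string is ordinary noise, and the threshold is what separates a scan from a broken link. Tune window_seconds and threshold to the site's own baseline before blocking on the result.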

☠️ Risk & Impact

Successful LFI exploitation via LFImap exposes sensitive files (database credentials, SSH keys, application source code) and, where the server conditions allow it (a readable log file, allow_url_include enabled, or a writable session directory), escalates to full Remote Code Execution through log poisoning or PHP wrapper abuse. From there an attacker can persist on the server, pivot into internal networks, or exfiltrate large volumes of data. The tool's automation lowers the barrier for unskilled adversaries: it tries the encodings, depths and wrappers that would otherwise require manual knowledge of the target's PHP configuration.

🛡️ Mitigation

Upon detection, LFImap is blocked immediately, because automated LFI scanning is a reliable precursor to data breaches and server compromise. Immediate blocking stops the attacker before the exploitation phase and shortens the window for information gathering. Two caveats apply: authorized penetration tests that use the tool should be allow-listed by source address in advance so the block does not interrupt them, and blocking the scanner does not fix the underlying flaw. Any include() or require() path that is built from user input needs to be replaced by a fixed allow-list of include targets, and the PHP settings that turn file reads into code execution (allow_url_include, writable or web-readable log and session directories) should be reviewed regardless of whether a scan was seen.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.