FDsploit – Document Inclusion And Listing Traversal Fuzzing, Enumeration & Exploitation Software

A Document Inclusion & Listing Traversal fuzzing, enumeration & exploitation device.


FDsploit menu:

$ python fdsploit.py -h

_____ ____ _ _ _
| __| ___ ___| |___|_| |_
| __| | |_ -| . | | . | | _|
|__| |____/|___| _|_|___|_|_|
|_|...ver. 1.2
Writer: Christoforos Petrou (game0ver) !

utilization: fdsploit.py [-u | -f ] [-h] [-p] [-d] [-e 0,1,2] [-t] [-b] [-x] [-c]
[-v] [--params [...]] [-k] [-a] [--cmd]
[--lfishell ]

FDsploit.py: Computerized (L|R)FI & listing traversal enumeration & exploitation.

Required (one of the next):
-u , --url Specify a url or
-f , --file Specify a dossier containing urls

Not obligatory:
-h, --help Display this assist message and go out
-p , --payload Specify a payload-file to search for [default None]
-d , --depth Specify max intensity for payload [default 5]< br/> -e 0,1,2, --urlencode 0,1,2
Url-encode the payload [default: False]
-t , --tchar Use a termination personality ('' or '?') [default None]
-b, --b64 Use base64 encoding [default False]
-x , --proxy Specify a proxy to make use of [form: host:port]
-c , --cookie Specify a session-cookie to make use of [default None]
-v , --verb Specify request kind ('GET' or 'POST') [default GET]
--params [ ...] Specify POST parameters to make use of (carried out simplest with POST requests)
Shape: param1:value1,param2:value2,...
-k , --keyword Seek for a undeniable key phrase(s) at the reaction [default: None]
-a, --useragent Use a random user-agent [default user-agent: FDsploit_1.2_agent]
--cmd Check for command execution thru PHP purposes [default command: None]
--lfishell None,easy,be expecting,enter
LFI pseudoshell [default None]

[!] For Extra Main points please learn the README.md dossier!

FDsploit can be utilized to find and exploit Native/Far off Document Inclusion and listing traversal vulnerabilities mechanically. In case an LFI vulnerability is located, --lfishell choice can be utilized to take advantage of it. For now, 3 several types of LFI shells are supported:

  • easy: This sort of shell lets in consumer to learn information simply with no need to kind the url everytime. Additionally it simplest supplies the output of the dossier and no longer the entire html-source code of the web page which makes it very helpful.
  • be expecting: This sort of shell is a semi-interactive shell which permits consumer to execute instructions thru PHP’s be expecting:// wrapper.
  • enter: This sort of shell is a semi-interactive shell which additionally lets in consumer to execute instructions thru PHP’s php://enter circulate.

To this point, there are simplest two lfi-shell integrated instructions:

  • transparent and
  • go out.

Obtain FDsploit