Skip to content
/ LFIter2 Public
forked from 3mrgnc3/LFIter2

LFIter2 Local File Include (LFI) Tool - Auto File Extractor & Username Bruteforcer

License

GPL-3.0 license
0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

marcosnk/LFIter2

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

bsd-fpaths.txt

bsd-fpaths.txt

 
 

lfiter2.png

lfiter2.png

 
 

lfitr2.py

lfitr2.py

 
 

linux-fpaths-small.txt

linux-fpaths-small.txt

 
 

linux-fpaths.txt

linux-fpaths.txt

 
 

nix-fpaths.txt

nix-fpaths.txt

 
 

win-fpaths-alt.txt

win-fpaths-alt.txt

 
 

win-fpaths-small.txt

win-fpaths-small.txt

 
 

win-fpaths.txt

win-fpaths.txt

 
 

Repository files navigation

LFIter2 (Currently in Alpha)

LFIter2 Local File Include (LFI) MultiTool - Auto File Extractor & Username Bruteforcer

SCREENSHOT

Many Web Servers are vulnerable to remote directory traversal      
attacks.                                                           
                                                                   
I created this tool to automatically extract a list of known        
interesting files based on a wordlist and be able to bruteforce
usernames on an affected system [still to do :P].                             
                                                                   
   FEATURES:
   
    1. Support For Multiple Server Types.
    2. Print Remote Files in local Terminal.
    3. Batch Extract Files Using A Wordlist.
    4. Brute Force Usernames Using A Wordlist. [TO DO!]             
                                                                   
I hope others may find this usefull during pentests. I have 
chosen to use subprocess to call curl to perform web requests. 
I Initially tried to use python-requests and libcurl, but was 
having major issues getting self signed certs for https & socks 
proxies working using these. 
                                                                  
Curl just works :D As long as its installed and working you 
should be able to run this script.
                                                                   
Collected Files Are Saved In the ./[host-ip]-files/ Directory      
--------------------------------------------------------------            
 ref:                                                              
 https://owasp.org/index.php/Testing_for_Local_File_Inclusion      
--------------------------------------------------------------     
                                                                   
TARGETS: (-trgt)                                                   
                                                                   
    [ zervit = Zervit 0.4 for Windows ]
    [ cuppa  = CUPPA CMS vb.0..1 for FreeBSD ]
    [ wbm128 = Webmin 1.28 for Fedora Core 4 ]                     

===Examples===================================================     
lfitr2.py 172.16.10.1 -list win-paths.txt                          
lfitr2.py 172.16.10.1 -path /windows/system32/drivers/etc/hosts    
lfitr2.py 172.16.10.1 -list win-paths.txt -port 8008               
lfitr2.py 172.16.10.1 -path /BOOT.INI -out /root/report/host       
==============================================================

Asciinema Demo

asciicast

About

LFIter2 Local File Include (LFI) Tool - Auto File Extractor & Username Bruteforcer

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%