FDSploit is a file Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool. It can be used to discover and exploit Local/Remote File Inclusion and directory traversal vulnerabilities automatically.
In case an LFI vulnerability is found, –lfishell option can be used to exploit it. For now, 3 different types of LFI shells are supported:
So far, there are only two lfi-shell built-in commands:
Also Read – SysAnalyzer : Automated Malcode Analysis System
Features
Some Examples
./fdsploit.py -u ‘http://127.0.0.1:8888/test/bWAPP/bWAPP/directory_traversal_2.php?directory=documents’ -c ‘PHPSESSID=7acf1c5311fee614d0eb40d7f3473087; security_level=0’ -d 8
2. LFI vulnerability discovery:
Again, the language parameter seems vulnerable to LFI since using ../etc/passwd etc.. as payload, every request being colored with green produces a different hash, a different content-length from the initial, and the keyword specified is found in the response:
./fdsploit.py -u ‘http://127.0.0.1:8888/test/bWAPP/bWAPP/rlfi.php?language=*&action=go’ -c ‘PHPSESSID=7acf1c5311fee614d0eb40d7f3473087; security_level=0’ -d 7 -k root -p /etc/passwd
3. LFI exploitation using simple shell:
Exploiting the above LFI using simple shell:
Notes
Requirements:
Note: To install the requirements:
pip install -r requirements.txt –upgrade –user
Disclaimer
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software in general.
SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…
The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…
The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…
The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…
AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…
Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…