SyLFI - Simple LFI Tester with Login Support
A simple local file inclusion (LFI) vulnerability tester with user login support.
Made with Python 3
Usage
pip install -r requirements.txt
| CLI Flags | Information |
|---|---|
| -h, --help | show this help message and exit |
| -u, --url | specify target URL in quotes |
| -p, --parameter | specify known LFI parameter in quotes (?[file/page/path/site]=) |
| -d, --dir-depth | specify maximum directory traversal depth (default = 5) |
| -l, --login-url | specify login URL in quotes |
With Known LFI Parameter (faster)
sylfi.py -u 'http://<domain_name>:<port>/file_name.php' -p '?file='
OR
python3 sylfi.py -u 'http://<domain_name>:<port>/file_name.php' -p '?file='
Without Specified LFI Parameter (slower/brute force)
Might get you blocked for brute forcing.
sylfi.py -u 'http://<domain_name>:<port>/file_name.php'
This will try all the parameters specified in the sylfi.py file in parameters variable.
Login Support if Webpage Needs the User to Log In
You will need to edit the script file sylfi.py. Edit the credentials parameters username and password and their values as per your webpage login POST request inside the variable login_payload in the login function.
sylfi.py -u 'http://<domain_name>:<port>/file_name.php' -l 'http://<domain_name>:<port>/login_url' -p '?file='