loading
loading
Vulnerabilities
Discover and exploit Local/Remote File Inclusion and directory traversal vulnerabilities automatically.
overview
fdsploit automates the search for and exploitation of file inclusion and path traversal bugs. Point it at a URL and it works through a payload set, adjusting depth and encoding, to find where an application reads attacker-controlled paths and then pulls back the files it can reach. It handles both GET and POST flows and can target a specific parameter.
It is built for the messy reality of these bugs. You can base64-encode or URL-encode payloads to slip past filters, add a null byte or other termination character to defeat extension appending, search responses for a keyword to confirm a hit, and even test for command execution through vulnerable PHP functions. A custom user-agent and session cookie keep requests looking legitimate.
On Trickest, fdsploit is a Vulnerabilities node that takes a URL or a file of URLs and writes a folder and a file. Run it after discovery and parameter mining have surfaced candidate endpoints, so it focuses its payloads on the parameters most likely to include files.
use cases
Run fdsploit against a candidate URL so it works through inclusion and traversal payloads automatically and reports which paths it can read.
Apply base64 or URL encoding and a termination character so payloads slip past naive input filters and extension-appending logic.
Search responses for a known string so a successful inclusion is confirmed by content rather than guessed from status codes.
Use the command option to test whether a vulnerable PHP function turns file inclusion into remote command execution.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Target URL to test. |
| target-urls | FILE | --file | File containing URLs to test. |
| param | STRING | --params | POST parameters to use (param1:value1,param2:value2,...). |
| request-type | STRING | --verb | Request type, GET or POST (default GET). |
| depth | STRING | --depth | Maximum traversal depth for the payload (default 5). |
| keyword | STRING | --keyword | Search for a keyword in the response to confirm success. |
| cmd-to-execute | STRING | --cmd | Test for command execution through vulnerable PHP functions. |
| termination-character | STRING | --tchar | Termination character ('%00' or '?') to defeat extension appending. |
Showing key inputs. fdsploit exposes 13 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Target URL to test. |
| depth | STRING | --depth | Maximum traversal depth for the payload (default 5). |
| param | STRING | --params | POST parameters to use, as param1:value1,param2:value2 (POST requests only). |
| keyword | STRING | --keyword | Keyword to search for in the response to confirm a hit (default none). |
| payload | STRING | --payload | Payload file of paths to look for. |
| b64-encode | BOOLEAN | --b64 | Base64-encode the payload (default false). |
| url-encode | STRING | -e | URL-encode the payload (default false). |
| user-agent | STRING | --useragent | Use a random user-agent (default FDsploit_1.2_agent). |
| target-urls | FILE | --file | File containing URLs to test. |
| request-type | STRING | --verb | Request type, GET or POST (default GET). |
| cmd-to-execute | STRING | --cmd | Command to test for execution through vulnerable PHP functions (default none). |
| specify-cookie | STRING | --cookie | Session cookie to send with each request (default none). |
| termination-character | STRING | --tchar | Termination character ('%00' or '?') to defeat extension appending (default none). |
example
# automated LFI/traversal test, confirm the hit with a keywordFDsploit.py --url "http://example.com/index.php?page=home" --depth 6 --keyword "root:x:" --tchar '%00'[i] Analysing url: http://example.com/index.php?page=home[i] Testing LFI/traversal payloads (max depth: 6) ...[+] LFI found -> page=../../../../../../etc/passwd%00[+] Keyword 'root:x:' matched in responseroot:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin[i] Results saved to output/example.com/guidance
Use fdsploit to test and exploit file inclusion and traversal on candidate endpoints you have already found. It is focused on LFI, RFI, and traversal, so for broad vulnerability coverage run nuclei, and for SQL injection use sqlmap.
Automates server-side template injection. A sibling exploitation tool for a different injection class.
Automates command-injection discovery and exploitation. Overlaps where fdsploit probes PHP command execution.
Tests many issue types via templates. fdsploit goes deeper on inclusion and traversal specifically.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A list of candidate URLs feeds fdsploit, which tests file-inclusion and traversal payloads and writes the confirmed findings as output.
Facts on this page come from the live Trickest tool library.