Usage

LFIMap Command-Line Interface

Use 'FUZZ' as a placeholder in the URL or POST data for the LFI payload.

lfimap --help

Example output:

usage: lfimap [-h] [-u URL | -f LOAD_FILE | --wizard] [-D | -d]
              [-m {basic,php-filter,log-poisoning,session-poisoning,proc-self-environ,data-uri,timing-based,exec-wrapper,file-wrapper,wrapper-phar,wrapper-zip,wrapper-glob,proc-symlink,rfi,wrapper-phpinput,wrapper-ftp,wrapper-gopher,race-condition-lfi,all} |
              -T {basic,php-filter,log-poisoning,session-poisoning,proc-self-environ,data-uri,timing-based,exec-wrapper,file-wrapper,wrapper-phar,wrapper-zip,wrapper-glob,proc-symlink,rfi,wrapper-phpinput,wrapper-ftp,wrapper-gopher,race-condition-lfi,all}]
              [--method-type {GET,POST}]
              [--post-data POST_DATA] [-w WORDLIST] [-o OUTPUT]
              [--proxy PROXY] [--user-agent USER_AGENT]
              [--mobile]
              [--browser-user-agent {chrome,firefox,brave,safari,opera}]
              [--cookies COOKIES] [--headers HEADERS]
              [--timeout TIMEOUT] [--retries RETRIES]
              [--no-ssl-verify] [--all] [-v]
              [--ignore-server-error]
              [--os {unix,osx/macos,windows}]
              [-eT [{basic,php-filter,log-poisoning,session-poisoning,proc-self-environ,data-uri,timing-based,exec-wrapper,file-wrapper,wrapper-phar,wrapper-zip,wrapper-glob,proc-symlink,rfi,wrapper-phpinput,wrapper-ftp,wrapper-gopher,race-condition-lfi} ...]]
              [--ignore-set-cookie] [--ignore-redirects]
              [--referer REFERER] [-p PARAM]
              [-sp [SKIP_PARAM ...]]
              [--http-version {1.0,1.1,2}]
              [--plugin [{403,xforwardedfor,questionmark,doubleslash2slash,unicodetrick,spoofhost-header,extra-dot,semicolon-injection,path-normalization,base64-in-path,case-variation,multi-encoding,iis-double-slash,wrapper-phar,wrapper-zip,wrapper-glob,wrapper-data,proc-symlink,session-id-bruteforce,exfil-data,race-condition-lfi,waf-detection,lfi-error-fingerprint,mimetype-check,tab-trick,comment-trick,dotdot-trick,fat-dot,utf7-bypass,clrf-injection,rate-limit-adapter} ...]]
              [--list-plugins] [--auth-user AUTH_USER]
              [--auth-pass AUTH_PASS]
              [--auth-type {basic,ntlm}]
              [--ntlm-domain NTLM_DOMAIN]
              [--php-filter-file PHP_FILTER_FILE]
              [--php-filter-custom PHP_FILTER_CUSTOM]
              [--injection-string INJECTION_STRING]
              [--cmd-param CMD_PARAM] [--command COMMAND]
              [--log-file LOG_FILE] [--session-id SESSION_ID]
              [--expected-delay EXPECTED_DELAY] [--encode-url]
              [--encode-double-url] [--encode-triple-url]
              [--null-byte] [--path-truncation]
              [--directory-traversal-variations] [--fuzz-param]

LFIMap: A Powerful LFI Exploitation Tool
Use 'FUZZ' as a placeholder in the URL or --post-data for the LFI payload.

Options

Basic Options

  • -u, --url Target URL with 'FUZZ' placeholder for the LFI payload, e.g. http://example.com/index.php?file=FUZZ

  • -f, --load-file Load target URLs from a file (one per line). Overrides -u/--url.

  • --wizard Start the interactive wizard for beginners.

  • -D, --check-depends Check dependencies.

  • -d, --list-depends List dependencies and their status.

  • -m, --method LFI exploitation method to use (see below).

  • -T, --technique Alias for -m/--method.

  • --method-type HTTP method to use (GET or POST). Default: GET.

  • --post-data POST data with 'FUZZ' placeholder.

  • -w, --wordlist Path to wordlist for enumeration.

  • -o, --output Save results to file.

  • --proxy HTTP/S proxy URL.

  • --user-agent Custom User-Agent string.

  • --mobile Use a common mobile User-Agent.

  • --browser-user-agent Choose a browser (chrome, firefox, brave, safari, opera) for a random User-Agent.

  • --cookies Custom cookies (e.g. 'PHPSESSID=abc; user=admin').

  • --headers Custom headers (e.g. 'X-Forwarded-For:127.0.0.1;Referer:example.com').

  • --timeout Request timeout in seconds (default 10).

  • --retries Retry count for failed requests (default 3).

  • --no-ssl-verify Disable SSL verification.

  • --all Continue scanning after the first hit.

  • -v, --verbose Verbose output.

  • --ignore-server-error Continue on server errors/timeouts.

  • --os Target OS (unix, osx/macos, windows).

  • -eT, --exclude-technique Exclude one or more techniques.

  • --ignore-set-cookie Ignore 'Set-Cookie' headers.

  • --ignore-redirects Do not follow redirects.

  • --referer Custom Referer header.

  • -p, --param Test a single parameter; overrides FUZZ.

  • -sp, --skip-param Skip parameters during fuzzing.

  • --http-version HTTP version (1.0, 1.1, 2).

Plugin Options

  • --plugin Enable specific plugins for bypasses (see the full list in the help output).

  • --list-plugins List all available plugins.

Authentication Options

  • --auth-user, --auth-pass Auth credentials.

  • --auth-type basic or ntlm.

  • --ntlm-domain NTLM domain.

PHP Filter Options

  • --php-filter-file File to read with PHP filters (default: index.php).

  • --php-filter-custom Custom PHP filter chain (e.g. convert.base64-decode|string.rot13).

Poisoning & Command Execution Options

  • --injection-string PHP code for poisoning (default: <?php system($_GET['cmd']); ?>).

  • --cmd-param GET parameter name for command execution (default: cmd).

  • --command Command to run after poisoning.

  • --log-file Log file path for log poisoning.

  • --session-id PHP session ID for session poisoning (manual injection required).

Timing-Based LFI Options

  • --expected-delay Delay in seconds for timing-based LFI (default: 5).

Payload Encoding & Obfuscation

  • --encode-url, --encode-double-url, --encode-triple-url URL encoding variations.

  • --null-byte Append a null byte.

  • --path-truncation Use path truncation payloads.

  • --directory-traversal-variations Test directory traversal variants.
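The defender-side counterpart to the encoding and traversal variations listed above, added here as an example and not part of LFIMap: it repeatedly URL-decodes each query parameter in access-log lines until the value is stable, so single, double and triple encoding all collapse to one plaintext, then tags traversal sequences, PHP stream wrappers and null bytes. The Apache-style log lines, the regexes and the function names are this example's own constructions.

```python
import re
from urllib.parse import unquote

# Payload classes from the option list above: traversal (Unix and Windows
# separators), PHP stream wrappers, and null-byte truncation.
TRAVERSAL = re.compile(r"\.\.[/\\]")
WRAPPER = re.compile(r"\b(?:php|data|expect|phar|zip|glob|file|ftp|gopher)://", re.I)
NULL_BYTE = re.compile(r"\x00")
REQUEST = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/')

def normalize(value, max_rounds=4):
    """URL-decode until the value stops changing; returns (plaintext, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(raw_value):
    """Return (tags, decode_depth) for one raw, still percent-encoded value."""
    value, depth = normalize(raw_value)
    tags = [name for name, rx in (("traversal", TRAVERSAL), ("wrapper", WRAPPER),
                                  ("null-byte", NULL_BYTE)) if rx.search(value)]
    if tags and depth > 1:          # note multi-encoding only when a payload was found
        tags.append(f"multi-encoded-x{depth}")
    return tags, depth

def scan_log(lines):
    """Return (client_ip, param_name, tags) for every flagged parameter."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = m.group("uri").partition("?")[2]
        for part in filter(None, query.split("&")):   # split without decoding
            name, _, raw = part.partition("=")
            tags, _depth = classify(raw)
            if tags:
                hits.append((client_ip, name, tags))
    return hits

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?file=about HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=..%252f..%252fconfig.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=../../config.php%00.jpg HTTP/1.1" 404 0',
]
```

Running `scan_log(SAMPLE_LOG)` flags three of the four requests; the benign `file=about` request produces no tags.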

Parameter Fuzzing

  • --fuzz-param Automatically fuzz common parameter names unless --param is specified.

Full usage and details available by running:

lfimap --help