A tools listicle is only useful if the author actually uses the tools. This is the short list of local file inclusion and path traversal tools I have spent real engagement hours with in 2026, ranked by how often I reach for each one, with honest notes on where each fits and where each falls short.
If you want the underlying mechanics first, the path traversal deep dive covers the variants and the web application security vulnerabilities taxonomy puts LFI in the broader map. This article is for the choice of which tool to run.
The decision matrix
| Tool | Licence | Language | Maintained | Best for | Interface | Stars (May 2026) |
|---|---|---|---|---|---|---|
| LFImap | Apache-2.0 | Python | Active (pre-alpha) | The modern default. Wrapper chains, RCE detection, clean output | CLI | 300+ |
| LFISuite | GPLv3 | Python | Stale but functional | PHP wrapper exploitation, log poisoning, RFI tunneling | CLI | 2k+ |
| dotdotpwn | GPLv3 | Perl | Stale (last release 2016) | Fuzzing path traversal across HTTP, FTP, TFTP, payload OS variants | CLI | 1k+ |
| ffuf + SecLists | MIT | Go | Active (no ffuf release since Sept 2023) | Wordlist-driven discovery; the workhorse I run daily | CLI | 16k+ |
| Burp Suite (Pro) | Commercial | Java | Active | Manual workflow, Intruder grids, request shaping | GUI + CLI | n/a |
| kadimus | MIT | C | Archived (Oct 2020) | Fast php://filter source disclosure and known-good RCE paths | CLI | 500+ |
| PayloadsAllTheThings | MIT | Markdown | Very active | The canonical payload reference; not a tool, but indispensable | Web/Repo | 64k+ |
A quick read of the table: LFImap is the modern default, LFISuite is the older bag of tricks that still wins for PHP wrappers and log poisoning, ffuf with the SecLists LFI wordlists is what I actually run on every engagement, and PayloadsAllTheThings is the lookup I keep open in another tab the whole time.
1. LFImap
Repo: github.com/hansmach1ne/lfimap
The modern default. If you only learn one LFI scanner, learn this one.
LFImap automates the LFI detection and exploitation lifecycle the way sqlmap automates SQLi: parameter discovery against GET and POST, traversal variants (encoded, double-encoded, null-byte where the target still tolerates it), PHP wrapper chains (php://filter, php://input, data://, expect://), log-poisoning probes, and a clean reporting mode. It is the closest thing to an actively maintained 2024 to 2026 successor to LFISuite now that LFISuite's release cadence has slowed.
What I like:
- Wrapper support is first-class. php://filter/convert.base64-encode/resource= chains are one flag, not a copy-paste from a payload list.
- Output is grep-friendly. Detection hits print the exact request and the exact response marker.
- Sensible defaults. The first run does not blast 4,000 payloads at the target; you opt into intensity.
- Active maintainer. Bugs filed in the last twelve months actually get fixed.
What I do not like:
- Smaller community than the sqlmap-class tools. Fewer blog posts to copy a working command from.
- Some flags overlap confusingly with each other on first read; the README is the canonical reference.
- No proper tamper-script ecosystem yet. WAF evasion is currently a manual exercise of encoding tricks.
When to use it. Start here. If LFImap finds the inclusion at a reasonable intensity, you are done. If it does not, drop to LFISuite for the older wrapper tricks, or to ffuf for raw discovery.
Deeper dives on the techniques it automates: php://filter source disclosure, php://input LFI to RCE, LFI log poisoning.
2. LFISuite
Repo: github.com/D35m0nd142/LFISuite
The bag of tricks. Older codebase, still useful for the techniques LFImap does not yet cover.
LFISuite is a multi-technique LFI exploiter written in Python. It bundles scanner, exploiter, and a tunnel mode that turns a confirmed inclusion into a pseudo-shell over HTTP. The wrapper coverage is broad: php://filter, php://input, data://, expect://, phar://, plus log poisoning against Apache, Nginx, SSH, and mail logs, plus remote file inclusion when allow_url_include is on.
What I like:
- The "exploiter" mode walks you through wrapper chains step by step. Good for learning, good for stubborn targets.
- The HTTP tunnel after a successful inclusion is genuinely useful when you cannot get a clean RCE.
- Covers techniques that simply do not appear in newer scanners (expect://, /proc/self/environ, mail-log poisoning).
What I do not like:
- Python 2 era code in places. Expect to fight the install on a modern distro; a venv with python3 -m pip install of the listed dependencies usually works.
- Maintenance is slow. Issues sit. PRs sit.
- Output is interactive and harder to script around than LFImap's flag-driven mode.
When to use it. When LFImap detected an inclusion but cannot turn it into useful disclosure, or when the target is clearly old PHP and you want the full wrapper menu in one place. The two tools complement each other; do not pick one and uninstall the other.
3. dotdotpwn
Repo: github.com/wireghoul/dotdotpwn
The traversal fuzzer. Different shape from the LFI scanners, complementary.
dotdotpwn is a Perl fuzzer focused on the path traversal half of the family. It generates a large permutation set of ../ sequences with encoding variants (URL, double URL, UTF-8 overlong, backslash, null-byte), targets OS-specific file paths (/etc/passwd, boot.ini, win.ini), and runs them across HTTP, FTP, TFTP, and a few other protocols. The Perl shows its age, but the payload variety is still the broadest I have seen in a single tool.
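Added here as an illustration, not code from the post or from dotdotpwn: a small log-side detector that undoes the encoding variants named above (URL, double URL, UTF-8 overlong, backslash, null byte) before checking a parameter value for a traversal sequence or a PHP wrapper, run over constructed access-log lines. The overlong byte table, the regexes and the sample log are assumptions built for this example.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 forms of '.', '/' and '\' (constructed table of the common ones).
OVERLONG = {"\xc0\xae": ".", "\xc0\xaf": "/", "\xc1\x9c": "\\"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
WRAPPER = re.compile(r"(?i)\b(php|data|expect|phar)://")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def canonicalise(raw: str, rounds: int = 3) -> str:
    # Undo the layers a permissive server might accept: repeated percent-decoding
    # (double URL encoding), overlong UTF-8, backslash separators, NUL truncation.
    s = raw
    for _ in range(rounds):
        decoded = unquote(s, encoding="latin-1")  # keep every byte 1:1
        if decoded == s:
            break
        s = decoded
    for seq, ch in OVERLONG.items():
        s = s.replace(seq, ch)
    return s.replace("\\", "/").replace("\x00", "")

def classify(value: str) -> list:
    # Label one parameter value after canonicalisation.
    norm = canonicalise(value)
    return [name for name, rx in (("traversal", TRAVERSAL), ("wrapper", WRAPPER)) if rx.search(norm)]

def scan_access_log(lines):
    # Return (request_target, labels) for every line whose query carries an attempt.
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        target = m.group(1)
        query = target.partition("?")[2]
        labels = sorted({h for p in query.split("&") for h in classify(p.partition("=")[2])})
        if labels:
            findings.append((target, labels))
    return findings

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:00:01 +0000] "GET /page.php?file=index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/May/2026:10:00:02 +0000] "GET /page.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1337',
    '203.0.113.5 - - [12/May/2026:10:00:03 +0000] "GET /page.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '203.0.113.5 - - [12/May/2026:10:00:04 +0000] "GET /page.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/May/2026:10:00:05 +0000] "GET /page.php?file=%c0%ae%c0%ae%c0%afetc%c0%afpasswd HTTP/1.1" 200 1337',
]
```

The point of the decode loop is that a rule matching the literal string `../` misses the double-encoded and overlong lines entirely, which is exactly the gap a fuzzer with dotdotpwn's payload variety is built to find.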
What I like:
- Protocol coverage beyond HTTP. The only tool in this list that fuzzes FTP and TFTP traversal out of the box.
- The payload generator is the real value. You can dump the payload list and pipe it into ffuf or Burp Intruder if you prefer their request shapes.
- OS-aware targeting picks the right "interesting file" set based on a detected or declared platform.
What I do not like:
- Perl. The dependency dance on a fresh Kali install is not always smooth.
- Generates a lot of traffic by default; tune the depth and the wordlist before pointing it at production.
- Reporting is basic. You will end up grepping the output.
When to use it. Pure path-traversal targets, especially non-HTTP services, or when you want to generate a high-variety wordlist to feed into ffuf.
4. ffuf with SecLists LFI wordlists
Repo: github.com/ffuf/ffuf
The workhorse. Not an LFI tool per se, but the discovery layer for every LFI engagement.
ffuf is a fast Go-based HTTP fuzzer. Pair it with the LFI wordlists from SecLists (Fuzzing/LFI/) and you have a portable, scriptable, dead-reliable way to discover and confirm file inclusion across a target's parameter surface. The combination has no opinion about PHP versus other stacks, which is why I reach for it on every engagement first, before the LFI-specific scanners.
What I like:
- Speed. The Go concurrency model is the right shape for fuzzing.
- Composes well. ffuf's request templating supports headers, cookies, POST bodies, JSON; it slots into any pipeline.
- Filter language. Filter by status code, response size, word count, regex match. False positives drop fast.
- SecLists is curated and maintained. The LFI-LFISuite-pathtotest-huge.txt and LFI-Jhaddix.txt files are still the right starting wordlists.
What I do not like:
- It is not an LFI scanner. You have to know what an LFI looks like to filter the noise.
- No wrapper logic. ffuf will not chain php://filter for you; you supply the payload, it sends the request.
- The output format is a deliberate choice. Pretty by default, JSON for piping; do not expect HTML reports.
When to use it. Every engagement, for the discovery phase. Then hand off to LFImap or LFISuite for the exploitation phase.
Typical command:
```shell
ffuf -u 'https://target.example.com/page.php?file=FUZZ' \
  -w /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt \
  -mc 200 -fs 0 -recursion -recursion-depth 1
```
5. Burp Suite Intruder
Site: portswigger.net/burp
Not an LFI tool; the platform every LFI engagement runs on.
For LFI work Burp plays three roles:
- Repeater. When the scanner finds a maybe-inclusion and you need to confirm it by changing one byte at a time, you live in Repeater.
- Intruder (Pro only). Payload-list driven request grids are the manual answer to ffuf. Slower than ffuf but tighter integration with the rest of Burp.
- Collaborator (Pro only). The only realistic listener for out-of-band exfiltration when an inclusion chains into a server-side request.
What I like:
- The manual workflow is unmatched. Drop a request, change ?file=index.html to ?file=../../../../etc/passwd, see the diff, repeat.
- Match-and-replace rules can normalise paths or auto-inject prefixes across every request in a session.
- The Logger and proxy history together give you a complete record of what the scanner did.
What I do not like:
- Pro licence is around 500 USD per user per year. Worth it; do not pretend it is not money.
- Community Intruder is rate-limited to the point of uselessness for real fuzzing.
- The CLI exists but is awkward; ffuf wins for headless automation.
When to use it. Always running in the background. Capture there, then export to LFImap or ffuf, or stay in Repeater for the manual cases.
6. kadimus
Repo: github.com/P0cL4bs/Kadimus
Old but still earns a slot for php://filter chains.
kadimus is a C-based LFI scanner that predates the current generation. The repo has been archived since October 2020, but the core feature set, the php://filter/convert.base64-encode chain and a handful of known RCE paths (data, input, /proc/self/environ), still works against the older PHP stacks that show up on legacy engagements.
What I like:
- Fast. C, single binary, no Python or Perl install dance.
- The base64-encode-then-decode-on-disclosure flow runs in one shot. One command, one decoded source file.
- Small, focused, easy to drop on a constrained jump host.
What I do not like:
- Maintenance is effectively stopped. No new wrappers, no new techniques.
- Compiles cleanly on most modern distros but expect the occasional patch on a recent glibc.
- Coverage is narrow next to LFImap or LFISuite.
When to use it. Quick source disclosure against PHP targets you already suspect are vulnerable, when you want a single C binary and nothing else.
7. PayloadsAllTheThings (the canonical lookup)
Site: swisskyrepo.github.io/PayloadsAllTheThings
Not a tool. The reference every other tool in this list quietly copies from.
PayloadsAllTheThings is a community-maintained payload bible covering every major web vulnerability class. The File Inclusion section is the canonical lookup for wrapper variants, encoding bypasses, log-poisoning vectors, and known interesting paths on Linux and Windows. When a scanner does not have the trick I want, this is where I find it.
What I like:
- Active maintenance. Pull requests merge quickly. New techniques appear within weeks of being published.
- The structure is consistent across vulnerability classes. Once you know the layout, you can navigate any section in seconds.
- MIT-licensed. Quote it, fork it, embed it in internal training.
What I do not like:
- Markdown. You will still have to paste into a tool to actually run the payloads.
- A few entries are dated. Cross-check anything that has not been touched in two years against a recent CTF writeup.
When to use it. Keep it open in a tab the whole engagement. When a scanner misses, this is the next stop.
What I do not recommend
Random PHP "LFI scanner" scripts on GitHub
Search "LFI scanner" on GitHub and you will get hundreds of short PHP and Python scripts that wrap a curl loop around a payload list. Most of them are unmaintained, none of them handle wrappers properly, and several of the ones with download numbers contain dubious telemetry. Use ffuf with a SecLists wordlist instead; it does the same job, faster, with a known-good codebase.
Abandoned Perl LFI tools
A generation of LFI tools was written in Perl during the 2010s and has not had a real commit since. The payload generators inside some of them are still useful (dotdotpwn included), but for end-to-end scanning the Python and Go generation is meaningfully ahead. Skip the ones that look like single-author final commits from 2017.
"All-in-one pentest GUIs" that bundle LFI
Several commercial bundles advertise LFI detection as one feature among many. In practice they wrap an old scanner with a UI on top. The UI is usually less productive than the underlying CLI, the bundled scanner is months out of date, and you lose the wrapper flexibility. If you want LFImap, run LFImap.
Tools I dropped from this year's list
- Old "fimap"-class scanners. Useful in their day; effectively unmaintained now. LFImap has taken over the niche cleanly.
- Standalone log-poisoning helpers. The technique still works (see LFI log poisoning), but every modern LFI scanner now bundles the payloads. A dedicated tool is no longer worth the install.
- Random Perl one-shots. The community has moved on; the abandoned scripts have not.
Which tool should I use? (Decision tree)
A short flow for the common cases:
- Is this discovery, where you do not yet know whether an inclusion exists?
- Yes. ffuf with the SecLists LFI wordlists, against every parameter you can find.
- Did discovery surface a candidate parameter?
- Yes. LFImap against that parameter. If it confirms, drive it to disclosure or RCE.
- Did LFImap confirm an inclusion but fail to reach useful disclosure?
- Yes. LFISuite for the older wrapper menu (expect://, mail logs, /proc/self/environ) and for the HTTP tunnel mode.
- Is the target non-HTTP (FTP, TFTP) or a path-traversal-only context?
- Yes. dotdotpwn.
- Are you working a manual edge case where the scanners are confused?
- Yes. Burp Repeater with PayloadsAllTheThings open in the next tab.
- Do you need fast php://filter source disclosure on a legacy PHP target?
- Yes. kadimus for the one-shot, or LFImap if you want the rest of the workflow integrated.
A note on the year stamp
I will refresh this list every twelve months. The slug stays stable (best-lfi-tools-2026 is a redirect target you can rely on; future years update the H1 and title). Tools added, dropped, and re-ranked here will appear in the next refresh with a short changelog at the top.
Where to go next
- Path traversal: variants, exploitation, and defence for the underlying mechanics
- php://filter source disclosure for the wrapper chain that turns inclusion into source dump
- php://input LFI to RCE for the inclusion-to-code-execution pivot
- LFI log poisoning for the classic Apache/Nginx/SSH log path
- Web application security vulnerabilities taxonomy for the broader map
Sources
Authoritative references this article was fact-checked against.
- LFISuite, official repository (github.com)
- LFImap, official repository (github.com)
- dotdotpwn, official repository (github.com)
- ffuf, official repository (github.com)
- PayloadsAllTheThings, File Inclusion section (swisskyrepo.github.io)