Fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap just for LFI/RFI bugs instead of SQL injection. It’s currently under heavy development but it’s usable. Fimap comes preinstalled in Kali Linux you can run it with the terminal command
fimap -h
Once you hit enter it will show you all the options available which you can use to test the security for LFI and RF. You can try all of them on any local machine because if you try it on the live web it will create huge traffic and it will be illegal to test it without permission for testing purpose you can try any local web for this tutorial I am using metasploitable 2 Linux machine as my target
Open your terminal and type this command to scan a website for vulnerability
fimap -u http://website.com/page1/login.php/
when scannig is compltedit will show you the output for the possible path and if the web is vulnerabile or not.
You can define cookie if the page is behind a login form then it can’t scan for the vulnerabilty in that sutuatiion you can define the cookie to bypass the login page with the help of cookie to do that type this command
fimap -u http://192.168.197.130/mutillidae/index.php?page=login.php --cookie=12334556
change the cookie value you got from the website. To get you cookie from the website right click and select inspect option and choose console and type document.cookie and hit enter you will get your cookie which you are using.