SSRFmap
SSRFmap SSRFmap is the automated fuzzer for SSRF vulns, chaining payloads to internal services like metadata endpoints for exploitation and port scanning via vulnerable params. Run its Python script on requests with -r for replay, escalating to Redis or AWS buckets. Open-source from 0xInfection, it's the SSRF escalator for pentesters templating internal pivots from external flaws.
Explore →Gopherus
Gopherus Gopherus crafts gopher:// payloads for SSRF exploitation, tunneling requests to internal URIs like Redis or SMTP for RCE or data exfil in protocol-specific attacks. Generate via Python with targets, encoding for URL injection in params. Open-source from tarunkant, it's the gopher guide for SSRF wizards chaining protocols into command chains.
Explore →Kadimus
Kadimus Kadimus is the LFI/RFI specialist that probes file inclusion paths for local reads or remote fetches, escalating to RCE via log poisoning or proc/self/environ tricks. Run its PHP CLI on params with -b for blind tests, dumping /etc/passwd or uploading shells. Open-source from timstark, it's the inclusion infiltrator for pentesters templating file traversal exploits.
Explore →LFI Suite
LFI Suite LFI Suite is the comprehensive toolkit for local file inclusion testing, automating log poisoning, env var reads, and RCE chains with wrappers for common vectors. Launch its Python scripts on vulns, escalating to shells via /proc or PHP filters. Open-source from community, it's the LFI ladder for auditors climbing from inclusion to command execution.
Explore →Interactsh
Interactsh Interactsh generates unique DNS/HTTP payloads for blind SSRF/LFI detection, polling callbacks to confirm out-of-band interactions in non-reflective vulns. Deploy its Go server, embed polls in tests, and monitor hits for validation. Open-source from projectdiscovery, it's the OOB oracle for pentesters templating indirect exploit confirmations.
Explore →ssrf-lfi-fuzzer
SSRF/LFI Fuzzer ssrf-lfi-fuzzer mutates params with internal IPs, file paths, and gopher payloads, detecting SSRF via port bumps or LFI via error leaks in responses. Configure via Python with wordlists, running against endpoints for hit logs. Open-source from frikilnik, it's the hybrid hammer for web pentesters fuzzing inclusion vectors simultaneously.
Explore →nuclei-ssrf-templates
Nuclei SSRF Templates nuclei-ssrf-templates uses YAML rules to probe for SSRF sinks with internal fetches, matching redirects or errors for confirmation in scalable scans. Clone the pack, run via Nuclei CLI on scopes for severity alerts with payloads. Open-source from projectdiscovery, it's the template tracker for bulk SSRF/LFI hunts across web apps.
Explore →Commix
Commix Commix's file inclusion mode tests LFI/RFI for command injection chains, uploading wrappers or poisoning logs to escalate to shells in web backends. Launch its Python CLI with --file-include for reads, customizing techniques for blind spots. Open-source from commix, it's the command conjurer for pentesters templating RCE from inclusions.
Explore →lfi-rfi-tester
LFI/RFI Tester lfi-rfi-tester fuzzes inclusion params with local paths and remote URLs, validating via error patterns or file reads for traversal or fetch vulns. Script its Python tool with dicts, running on forms for confirmation logs. Open-source from community, it's the inclusion inspector for auditors templating path-based exploits.
Explore →gopher-lfi