Joomla Mass LFI Scanner (70+ Exploit)
Joomla Mass LFI Scanner (Auto Download Configuration.php And Try Connect DB) (70+ Exploit)
Joomla Mass LFI Scanner is a multi-threaded, automated tool for hunting Local File Inclusion (LFI) vulnerabilities on Joomla-powered sites.
It uses 70+ public LFI vectors (paths hidden in this public version), attempts to auto-download the legendary configuration.php, extracts credentials, and even tries to connect to the remote MySQL DB if found.
Fast, loud, and pure hacker energy.
🔥 Features
- Ultra-fast mass scan (threaded, suitable for 1000+ sites)
- 70+ LFI vectors (pool hidden for sharing — use your own for max pwnage)
- Auto parses Joomla config.php and extracts DB, FTP, secret, etc.
- Attempts remote MySQL connect with found creds
- Logs both all results and only vulnerable sites separately
- Clean console & file output — easy for parsing or automation
- Hacker-themed banners & warnings everywhere
🧰 Requirements
- Python 3.8+ (tested on Python 3.8/3.9/3.10/3.11)
- Install dependencies with:
pip install requests pymysql urllib3
Optional (for max speed): Linux or Unix environment, fast connection, large site lists.
💀 Always hack responsibly!
🛠️ Usage
python3 joomscan.py lfi sites.txt
python3 joomscan.py lfi http://target-joomla-site.com
- sites.txt = list of target sites (one per line)
- Or scan a single site directly
📝 Output Example
http://site.com | Joomla LFI Multi-Path | lfi | VULNERABLE | http://site.com/index.php?... | db_user:root|db_pass:hackme|db_host:127.0.0.1|db_name:joomla_db|REMOTEDB:YES
- All results →
results_joomla.txt - Only vulnerable sites →
success_joomla.txt
