Liffy : Local File Inclusion Exploitation Tool

Liffy is a local file inclusion exploitation tool. A little python tool to perform Local file inclusion.

Liffy-v2.0 is the improved version of it which was originally created by rotlogix/liffy. The latter is no longer available and the former hasn’t seen any development for a long time.

Main feature

  • data:// for code execution
  • expect:// for code execution
  • input:// for code execution
  • filter:// for arbitrary file reads
  • /proc/self/environ for code execution in CGI mode
  • Apache access.log poisoning
  • Linux auth.log SSH poisoning
  • Direct payload delivery with no stager
  • Support for absolute and relative path traversal
  • Support for cookies for authentication

Installation

Make sure you are using python3 for the Installation process. liffy doesn't support python2

  • Clone the repository

git clone http://github.com/mzfr/liffy

  • Make a virtual environment

python3 -m venv Ex: python3 -m venv liffy

  • Activate the venv

source liffy/bin/activate

  • Install dependencies

pip3 install -r requirements.txt

NOTE -It uses msfvenom for generating php payload, So you should have metasploit installed

Also Read – Metabigor : Intelligence Tool But Without API Key

Usage

usage: liffy.py [-h] [-d] [-i] [-e] [-f] [-p] [-a]
[-ns] [-r] [–ssh] [-l LOCATION] [–cookies COOKIES]
url

Positional Arguments:
url URL to test for LFI

Optional Arguments:
-h, –help show this help message and exit
-d, –data Use data:// technique
-i, –input Use input:// technique
-e, –expect Use expect:// technique
-f, –filter Use filter:// technique
-p, –proc Use /proc/self/environ technique
-a, –access access logs technique
-ns, –nostager execute payload directly, do not use stager
-r, –relative use path traversal sequences for attack
–ssh SSH auth log poisoning
-l LOCATION, –location LOCATION
path to the target file (access log, auth log, etc.)
–cookies COOKIES session cookies for authentication

  • Check the URL with data://

Option: -d or --data

Ex: python liffy.py http://example.com/?id= -d

  • Check the URL with input://

Option: -i or --input

Ex: python liffy.py http://example.com/?id= -i

  • Check the URL with expect://

Option: -e or --expect

Ex: python liffy.py http://example.com/?id= -e

  • Check the URL with filter://

Option: -f or --filter

Ex: python liffy.py http://example.com/?id= -f

  • Use /proc/self/environ for code execution

Option: -p or --proc

Ex: python liffy.py http://example.com/?id= -p

  • Using Apache access.log poisoning

Option: -a or --access

Ex: python liffy.py http://example.com/?id= -a

  • Using SSH auth.log poisoning

Option: -s or --ssh

Ex: python liffy.py http://example.com/?id= -s

  • Relatively traverse directories

Option: -r

This option can be used along with other options so relatively traverse the directories.

EX:

python liffy.py http://example.com/?id= -s -r
python liffy.py http://example.com/?id= -p -r
python liffy.py http://example.com/?id= -a -r

  • Specify log path

Option: -l or --location

This option has to be used either with all the log techniques like authlogsshlog

EX:

python liffy.py http://example.com/?id= -s -l /var/auth.log
python liffy.py http://example.com/?id= -a -l /var/apache2/access.log

By default the following location is used:

  • For SSH auth.log – /var/log/auth.log
  • For apache2 access.log – /var/log/apache2/access.log

Credits:

  • All the exploitation techniques are taken from it.
  • Logo for this project is taken from renderforest