Liffy is a local file inclusion exploitation tool. A little python tool to perform Local file inclusion.
Liffy-v2.0 is the improved version of it which was originally created by rotlogix/liffy. The latter is no longer available and the former hasn’t seen any development for a long time.
Installation
Make sure you are using python3
for the Installation process. liffy doesn't support python2
git clone http://github.com/mzfr/liffy
python3 -m venv Ex: python3 -m venv liffy
source liffy/bin/activate
pip3 install -r requirements.txt
NOTE -It uses msfvenom for generating php payload, So you should have metasploit installed
Also Read – Metabigor : Intelligence Tool But Without API Key
Usage
usage: liffy.py [-h] [-d] [-i] [-e] [-f] [-p] [-a]
[-ns] [-r] [–ssh] [-l LOCATION] [–cookies COOKIES]
url
Positional Arguments:
url URL to test for LFI
Optional Arguments:
-h, –help show this help message and exit
-d, –data Use data:// technique
-i, –input Use input:// technique
-e, –expect Use expect:// technique
-f, –filter Use filter:// technique
-p, –proc Use /proc/self/environ technique
-a, –access access logs technique
-ns, –nostager execute payload directly, do not use stager
-r, –relative use path traversal sequences for attack
–ssh SSH auth log poisoning
-l LOCATION, –location LOCATION
path to the target file (access log, auth log, etc.)
–cookies COOKIES session cookies for authentication
Option: -d
or --data
Ex: python liffy.py http://example.com/?id= -d
Option: -i
or --input
Ex: python liffy.py http://example.com/?id= -i
Option: -e
or --expect
Ex: python liffy.py http://example.com/?id= -e
Option: -f
or --filter
Ex: python liffy.py http://example.com/?id= -f
Option: -p
or --proc
Ex: python liffy.py http://example.com/?id= -p
Option: -a
or --access
Ex: python liffy.py http://example.com/?id= -a
Option: -s
or --ssh
Ex: python liffy.py http://example.com/?id= -s
Option: -r
This option can be used along with other options so relatively traverse the directories.
EX:
python liffy.py http://example.com/?id= -s -r
python liffy.py http://example.com/?id= -p -r
python liffy.py http://example.com/?id= -a -r
Option: -l
or --location
This option has to be used either with all the log techniques like authlog
, sshlog
EX:
python liffy.py http://example.com/?id= -s -l /var/auth.log
python liffy.py http://example.com/?id= -a -l /var/apache2/access.log
By default the following location is used:
/var/log/auth.log
/var/log/apache2/access.log
Credits:
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…