Liffy : Local File Inclusion Exploitation Tool

Liffy is a local file inclusion exploitation tool. A little python tool to perform Local file inclusion.

Liffy-v2.0 is the improved version of it which was originally created by rotlogix/liffy. The latter is no longer available and the former hasn’t seen any development for a long time.

Main feature

• data:// for code execution
• expect:// for code execution
• input:// for code execution
• filter:// for arbitrary file reads
• /proc/self/environ for code execution in CGI mode
• Apache access.log poisoning
• Linux auth.log SSH poisoning
• Direct payload delivery with no stager
• Support for absolute and relative path traversal
• Support for cookies for authentication

Installation

Make sure you are using python3 for the Installation process. liffy doesn't support python2

• Clone the repository

git clone http://github.com/mzfr/liffy

• Make a virtual environment

python3 -m venv Ex: python3 -m venv liffy

• Activate the venv

source liffy/bin/activate

• Install dependencies

pip3 install -r requirements.txt

NOTE -It uses msfvenom for generating php payload, So you should have metasploit installed

Also Read – Metabigor : Intelligence Tool But Without API Key

Usage

usage: liffy.py [-h] [-d] [-i] [-e] [-f] [-p] [-a]
[-ns] [-r] [–ssh] [-l LOCATION] [–cookies COOKIES]
url

Positional Arguments:
url URL to test for LFI

Optional Arguments:
-h, –help show this help message and exit
-d, –data Use data:// technique
-i, –input Use input:// technique
-e, –expect Use expect:// technique
-f, –filter Use filter:// technique
-p, –proc Use /proc/self/environ technique
-a, –access access logs technique
-ns, –nostager execute payload directly, do not use stager
-r, –relative use path traversal sequences for attack
–ssh SSH auth log poisoning
-l LOCATION, –location LOCATION
path to the target file (access log, auth log, etc.)
–cookies COOKIES session cookies for authentication

• Check the URL with data://

Option: -d or --data

Ex: python liffy.py http://example.com/?id= -d

• Check the URL with input://

Option: -i or --input

Ex: python liffy.py http://example.com/?id= -i

• Check the URL with expect://

Option: -e or --expect

Ex: python liffy.py http://example.com/?id= -e

• Check the URL with filter://

Option: -f or --filter

Ex: python liffy.py http://example.com/?id= -f

• Use /proc/self/environ for code execution

Option: -p or --proc

Ex: python liffy.py http://example.com/?id= -p

• Using Apache access.log poisoning

Option: -a or --access

Ex: python liffy.py http://example.com/?id= -a

• Using SSH auth.log poisoning

Option: -s or --ssh

Ex: python liffy.py http://example.com/?id= -s

• Relatively traverse directories

Option: -r

This option can be used along with other options so relatively traverse the directories.

EX:

python liffy.py http://example.com/?id= -s -r
python liffy.py http://example.com/?id= -p -r
python liffy.py http://example.com/?id= -a -r

• Specify log path

Option: -l or --location

This option has to be used either with all the log techniques like authlog, sshlog

EX:

python liffy.py http://example.com/?id= -s -l /var/auth.log
python liffy.py http://example.com/?id= -a -l /var/apache2/access.log

By default the following location is used:

• For SSH auth.log – /var/log/auth.log
• For apache2 access.log – /var/log/apache2/access.log

Credits:

• All the exploitation techniques are taken from it.
• Logo for this project is taken from renderforest