Liffy - Local File Inclusion Exploitation Tool
Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.
This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
Current features include:
In order to host the payload you may use Node's HTTP server: https://github.com/nodeapps/http-server
Or you can simply spawn python's SimpleHTTPServer in /tmp on port 8000. Further development of the tool will eventually include spawning a built-in web server in order to download, for now you can adjust the location and port in the source code for your needs. These can be changed in core.py under the execute functions.
Download & Reference
This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
What is Liffy ?
Liffy is a tool written in Python designed to exploit local file inclusion vulnerabilities using three different techniques that will get you a working web shell. The first two make use of the built-in PHP wrappers php://input and data://. The third makes use of the process control extension called 'expect'.Current features include:
- data:// for code execution
- expect:// for code execution
- input:// for code execution
- filter:// for arbitrary file reads
- /proc/self/environ for code execution in CGI mode
- Apache access.log poisoning
- Linux auth.log SSH poisoning
- Direct payload delivery with no stager
- Support for absolute and relative paths
- Support for cookies
How to Install Liffy
Liffy requires the following libraries: requests, argparse, blessings, urlparseIn order to host the payload you may use Node's HTTP server: https://github.com/nodeapps/http-server
Or you can simply spawn python's SimpleHTTPServer in /tmp on port 8000. Further development of the tool will eventually include spawning a built-in web server in order to download, for now you can adjust the location and port in the source code for your needs. These can be changed in core.py under the execute functions.
Download & Reference
