Mehtab Zafar edited this page Jun 8, 2019 · 3 revisions
usage: liffy.py [-h]  [-d] [-i] [-e] [-f] [-p] [-a]
                [-ns] [-r] [--ssh] [-l LOCATION] [--cookies COOKIES]
                url

positional arguments:
  url                   URL to test for LFI

optional arguments:
  -h, --help            show this help message and exit
  -d, --data            Use data:// technique
  -i, --input           Use input:// technique
  -e, --expect          Use expect:// technique
  -f, --filter          Use filter:// technique
  -p, --proc            Use /proc/self/environ technique
  -a, --access          access logs technique
  -ns, --nostager       execute payload directly, do not use stager
  -r, --relative        use path traversal sequences for attack
  --ssh                 SSH auth log poisoning
  -l LOCATION, --location LOCATION
                        path to the target file (access log, auth log, etc.)
  --cookies COOKIES     session cookies for authentication

Check the URL with data://

Option: -d or --data

Ex: python liffy.py http://example.com/?id= -d

Check the URL with input://

Option: -i or --input

Ex: python liffy.py http://example.com/?id= -i

Check the URL with expect://

Option: -e or --expect

Ex: python liffy.py http://example.com/?id= -e

Check the URL with filter://

Option: -f or --filter

Ex: python liffy.py http://example.com/?id= -f

Use /proc/self/environ for code execution

Option: -p or --proc

Ex: python liffy.py http://example.com/?id= -p

Using Apache access.log poisoning

Option: -a or --access

Ex: python liffy.py http://example.com/?id= -a

Using SSH auth.log poisoning

Option: --ssh

Ex: python liffy.py http://example.com/?id= --ssh

Relatively traverse directories

Option: -r

This option can be used along with other options to relatively traverse the directories.

Ex:

- python liffy.py http://example.com/?id= --ssh -r

- python liffy.py http://example.com/?id= -p -r

- python liffy.py http://example.com/?id= -a -r

Specify log path

Option: -l or --location

This option has to be used together with one of the log techniques, such as the access log or SSH auth log technique.

Ex:

- python liffy.py http://example.com/?id= --ssh -l /var/auth.log

- python liffy.py http://example.com/?id= -a -l /var/apache2/access.log

By default the following locations are used:

  • For SSH auth.log - /var/log/auth.log
  • For apache2 access.log - /var/log/apache2/access.log
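
Detecting these techniques in web server logs

The techniques listed above leave recognisable values in the include parameter, so a defender can flag them in the access log. The following is an added example, not part of liffy or of this wiki: it classifies the query parameters of each request line by the technique they resemble. The signature patterns, function names and sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Technique label -> pattern searched in a decoded parameter value.
# Labels mirror the options above; the patterns are this example's assumptions.
SIGNATURES = {
    "data": re.compile(r"^data:", re.I),
    "input": re.compile(r"^php://input", re.I),
    "expect": re.compile(r"^expect://", re.I),
    "filter": re.compile(r"^php://filter", re.I),
    "proc": re.compile(r"/proc/self/environ"),
    "access_log": re.compile(r"/var/log/apache2/access\.log"),
    "auth_log": re.compile(r"/var/log/auth\.log"),
    "traversal": re.compile(r"\.\./"),
}
# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_value(value):
    """Return sorted technique labels matching one already-decoded parameter value."""
    decoded = unquote(value)  # second decode pass catches double URL-encoding
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_line(line):
    """Return {parameter: [labels]} for suspicious query parameters in one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return {}
    query = urlsplit(match.group(1)).query
    hits = {}
    for key, value in parse_qsl(query, keep_blank_values=True):  # decodes once
        labels = classify_value(value)
        if labels:
            hits[key] = labels
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2019:10:00:00 +0000] "GET /index.php?id=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/Jun/2019:10:00:01 +0000] "GET /index.php?id=php://filter/resource=index HTTP/1.1" 200 900',
    '203.0.113.5 - - [08/Jun/2019:10:00:02 +0000] "GET /index.php?id=..%2F..%2F..%2Fvar%2Flog%2Fauth.log HTTP/1.1" 200 4096',
    '203.0.113.5 - - [08/Jun/2019:10:00:03 +0000] "GET /index.php?id=%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 300',
]

def scan_log(lines):
    """Return [(line_number, hits)] for lines with at least one flagged parameter."""
    results = [(n, scan_line(line)) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in results if hits]
```

Only the request line is inspected, so values carried in POST bodies or request headers are not visible to this check.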