From crafting code to securing its secrets, I'm a developer with a hacker mindset
mzfr / liffy Goto Github PK
View Code? Open in Web Editor NEWLocal file inclusion exploitation tool
License: GNU General Public License v3.0
Local file inclusion exploitation tool
License: GNU General Public License v3.0
From crafting code to securing its secrets, I'm a developer with a hacker mindset
There should be an option to test for directory traversal while taking payload from a file.
Hey !
I'm a newbie and not able to run the tool. I got an error. Here is what I'm trying
python version:3.7
liffy version: 2.0
command:
python3 liffy.py http://namal.edu.pk/?id= -d
[~] Checking Target: namal.edu.pk
[~] Testing with data://
[?] Host For Callbacks: 172.16.13.243
[?] Port For Callbacks: 5050
[~] Generating PHP listener
[+] Success!
[~] listener: /tmp/shell.php
[~] Start your listener by running nc -ntlp 5050
[~] Starting Web Server ...
I'm totally not able to understand which IP and port should I enter in Host For Callbacks and Ports for Callbacks respectively.
I didn't find any reading about this on your repo.
Then I also unable to understand what's the purpose of running nc -ntlp port-no
Here is the Error I got:
Traceback (most recent call last):
File "/home/salman/Desktop/FYP2022Secuirty/FYP-Directory/FYP2022Security/Live_Assets/liffy/core/Server.py", line 11, in <module>
httpd = socketserver.TCPServer(("0.0.0.0", 8080), handler)
File "/usr/lib/python3.9/socketserver.py", line 452, in __init__
self.server_bind()
File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
[?] Press Enter To Continue When Your netcat listener is Running ...
[!] Unexpected HTTP Response
(liffy) [user@host ~/liffy ]$ python liffy.py "http://xxxxx:49768/?file=" -a -l /var/apache2/access.log
_ _ __ __ ___ ___
| | (_)/ _|/ _| |__ \ / _ \
| | _| |_| |_ _ _ __ __ ) || | | |
| | | | _| _| | | | \ \ / // / | | | |
| |____| | | | | | |_| | \ V // /_ | |_| |
|______|_|_| |_| \__, | \_/|____(_)___/
__/ |
|___/
[~] Checking Target: xxxxxxx:49768
[~] Testing for Apache access.log poisoning
Traceback (most recent call last):
File "/home/user/liffy/liffy.py", line 131, in <module>
main()
File "/home/user/liffy/liffy.py", line 102, in main
a = accesslog(url, l, nostager, relative, cookies)
TypeError: 'module' object is not callable
$ python --version
Python 3.9.2
It would be nice if we can perform LFI testing without having to give a shell back. Just to shell if any parameter is vulnerable or not
Right now we use msfvenom to generate payload and then use msfconsole to listen for the reverse shell. It would be nice if we can generate our own payload and then either listen with something like nc -nlvp PORT
or run our own listener.
In a server that is self-signed certificate the program raises a SSLError exception.
[SSL: CERTIFICATE_VERIFY_FAILED]
.
Maybe put an exception for this situation or ignore to verify the cert.
using python its showing like this but with python3 its interface working but output not giving
> Traceback (most recent call last):
> File "liffy.py", line 7, in <module>
> import urllib.parse
> ImportError: No module named parse
I'm execute this command
python3 liffy.py http://206.209.126.5/includes/header.php?systempath= -d -e -i
Liffy v2.0
[] Checking Target: 206.209.126.5] Testing with data://
[
[?] Host For Callbacks: 192.168.1.54
[?] Port For Callbacks: 4444
[] Generating PHP listener] listener: /tmp/shell.php
[+] Success!
[
[] Start your listener by running nc -ntlp 4444] Starting Web Server ...
[
Traceback (most recent call last):
File "/home/king/liffy/core/server.py", line 11, in
import socketserver
ImportError: No module named socketserver
[?] Press Enter To Continue When Your netcat listener is Running ...
I got The Error No module named socketserver
Please resolve my problem as soon as possiable
I have a question..how to use this
[?] Host For Callbacks:
[?] Port For Callbacks:
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool and improve its referencing.
The badge shows to your community that your are inventoried. It looks good but also shows you care about your project, that your tool is referenced.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.
If you want to thank us, you can help make our open project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care. Else you can close this issue.
http://www.codercaste.com/2009/10/03/the-null-byte-poisoning-attack-explained/
https://web.archive.org/web/20170617080614/hakipedia.com/index.php/Poison_Null_Byte
Showcased on OWASP Juice shop: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html#access-a-developers-forgotten-backup-file
The module python-daemons
defined under requirements.txt doesn't seem to be used and trying to install it with pip throws an error.
I think authlog.py is supposed to be accesslog, as it poisins the useragent column in http access logs.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.