Browse Source

XSSer v1.8.4 - 'The Hiv3' release

psy 3 years ago
parent
commit
d11bb3f65c
11 changed files with 102 additions and 76 deletions
  1. 1 1
      Makefile
  2. 19 17
      core/crawler.py
  3. 59 45
      core/main.py
  4. 2 2
      core/options.py
  5. 2 2
      core/twsupport.py
  6. 6 2
      doc/AUTHOR
  7. 7 1
      doc/CHANGELOG
  8. 1 1
      doc/INSTALL
  9. 1 1
      doc/README
  10. 2 2
      gtk/docs/about.txt
  11. 2 2
      setup.py

+ 1 - 1
Makefile

@@ -4,7 +4,7 @@ PYTHON=`which python`
 DESTDIR=/
 BUILDIR=$(CURDIR)/debian/xsser
 PROJECT=xsser
-VERSION=1.8.3
+VERSION=1.8.4
 
 all:
 	@echo "make source - Create source package"

+ 19 - 17
core/crawler.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2021 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -77,7 +77,7 @@ class Crawler(object):
         find parameters in given url.
         """
         parsed = urllib.parse.urlparse(url)
-        if "C=" in parsed.query and "O=" in  parsed.query:
+        if "C=" in parsed.query and "O=" in parsed.query:
             qs = ""
         else:
             qs = urllib.parse.parse_qs(parsed.query)
@@ -215,20 +215,23 @@ class Crawler(object):
             data_len = len(html_data)
         except:
             data_len = html_data
-        while pos < data_len:
-            if len(links)+start > self._max:
-                break
-            pos = html_data.find("href=", pos)
-            if not pos == -1:
-                sep = html_data[pos+5]
-                if sep == "h":
-                    pos -= 1
-                    sep=">"
-                href = html_data[pos+6:html_data.find(sep, pos+7)].split("#")[0]
-                pos = pos+1
-                links.add(href)
-            else:
-                break
+        try:
+            while pos < data_len:
+                if len(links)+start > self._max:
+                    break
+                pos = html_data.find("href=", pos)
+                if not pos == -1:
+                    sep = html_data[pos+5]
+                    if sep == "h":
+                        pos -= 1
+                        sep=">"
+                    href = html_data[pos+6:html_data.find(sep, pos+7)].split("#")[0]
+                    pos = pos+1
+                    links.add(href)
+                else:
+                    break
+        except:
+            pass
         return [{'href': s} for s in links]
 
     def _get_done_dummy(self, request, result):
@@ -278,7 +281,6 @@ class Crawler(object):
                 if pars:
                     links.append({"url":action_path + '?' + urllib.parse.urlencode(pars)})
                 else:
-                    self.report("form with no pars")
                     links.append({"url":action_path})
             links += self._emergency_parse(html_data, len(links))
         if self.verbose == 2:

+ 59 - 45
core/main.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2021 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -1531,7 +1531,7 @@ class xsser(EncoderDecoder, XSSerReporter):
             else:
                 self.do_token_check(orig_url, hashing, payload, query_string, dest_url)
 
-    def create_headless_embed_browser(self):
+    def create_headless_embed_browser(self): # selenium + firefox + gecko(bin)
         agents = [] # user-agents
         self.cookie_set_flag = False # used for cookie
         f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
@@ -1541,10 +1541,14 @@ class xsser(EncoderDecoder, XSSerReporter):
             agent = random.choice(agents).strip() # set random user-agent
         except:
             agent = "Privoxy/1.0" # set static user-agent
-        try: # selenium + firefox + gecko(bin)
+        try:
             from selenium import webdriver
             from selenium.webdriver.firefox.options import Options as FirefoxOptions
             from selenium.common.exceptions import UnexpectedAlertPresentException as UnexpectedAlertPresentException # used for search alert dialogs at DOM
+        except:
+            print("\n[Error] Importing: selenium lib. \n\n To install it on Debian based systems:\n\n $ 'sudo apt-get install python3-selenium'\n")
+            sys.exit(2)
+        try:
             self.dom_browser_alert = UnexpectedAlertPresentException
             profile = webdriver.FirefoxProfile()
             profile.set_preference("general.useragent.override", str(agent)) # set Firefox (profile) - random user-agent
@@ -2231,13 +2235,14 @@ class xsser(EncoderDecoder, XSSerReporter):
             self.report("\n[Info] The following actions will be performed at the end:\n")
             self.report("  1- Output with detailed statistics\n")
             self.report("  2- Export results to files: \n\n     - a) XSSreport.raw \n     - b) XSSer_<target>_<datetime>.xml\n")
-            self.options.crawling = "99999" # set max num of urls to crawl
-            self.options.crawler_width = "5" # set max num of deeping levels
+            self.options.crawling = 99999 # set max num of urls to crawl
+            self.options.crawler_width = 5 # set max num of deeping levels
+            self.options.crawler_local = True # set crawlering range to local only
             self.options.statistics = True # detailed output
-            self.options.timeout = "60" # timeout
-            self.options.retries = "2" # retries  
-            self.options.delay = "5" # delay
-            self.options.threads = "10" # threads
+            self.options.timeout = 60 # timeout
+            self.options.retries = 2 # retries  
+            self.options.delay = 5 # delay
+            self.options.threads = 10 # threads
             self.options.followred = True # follow redirs
             self.options.nohead = False # HEAD check
             self.options.reversecheck = True # try to establish a reverse connection 
@@ -2432,8 +2437,12 @@ class xsser(EncoderDecoder, XSSerReporter):
                     self.options.crawler_width = 2 # default crawlering-width
             if self.options.crawler_local == None:
                 self.options.crawler_local = False # default crawlering to LOCAL
+            if self.options.crawling > 100:
+                warning_text = " -> (WARNING: It can take long time...)"
+            else:
+                warning_text = ""
             for url in set(urls):
-                self.report("\n[Info] Crawlering TARGET:", url, "\n\n   - Max. limit: "+ str(self.options.crawling)+ " \n   - Deep level: "+ str(options.crawler_width))
+                self.report("\n[Info] Crawlering TARGET:", url, "\n\n   - Max. limit: "+ str(self.options.crawling)+warning_text+ " \n   - Deep level: "+ str(options.crawler_width))
             crawler = Crawler(self, Curl, all_crawled,
                               self.pool)
             crawler.set_reporter(self)
@@ -2464,17 +2473,17 @@ class xsser(EncoderDecoder, XSSerReporter):
             # report parsed crawled urls
             self.report("\n" + "-"*25)
             self.report("\n[Info] Mosquitoes have found: [ " + str(len(self.crawled_urls)) + " ] possible attacking vector(s)")
-            if self.options.verbose:
+            if self.crawled_urls:
                 self.report("")
                 for u in self.crawled_urls:
                     if '/XSS' in u:
                         u = u.replace("/XSS", "")
-                    print(" - " + str(u))
-            if len(self.crawled_urls) > 0:
-                self.report("")
-            else:
-                self.report("-"*25)
+                    self.report("   - " + str(u))
+            if not len(self.crawled_urls) > 0:
+                self.report("\n" + "-"*25)
                 self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Wrong URL\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
+            else:
+                self.report("")
             return self.crawled_urls
 
         if not options.imx or not options.flash or not options.xsser_gtk or not options.update:
@@ -2529,27 +2538,24 @@ class xsser(EncoderDecoder, XSSerReporter):
         agent = random.choice(agents).strip() # set random user-agent
         referer = '127.0.0.1'
         import subprocess, shlex
-        self.report('='*75)
-        self.report("\n[Info] Trying method: Cross Site Tracing (XST)\n")
+        if not self.options.xst:
+            self.report("-"*25 + "\n")
+        self.report("[Info] REQUEST: Cross Site Tracing (XST) Vulnerability...\n")
         if self.options.xst:
-            xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.xst), stdout=subprocess.PIPE)
+            xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE -N ' + self.options.xst), stdout=subprocess.PIPE)
         if self.options.target:
-            xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.target), stdout=subprocess.PIPE)
-        line1 = xst.stdout.readline()
+            xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE -N ' + self.options.target), stdout=subprocess.PIPE)
+        line1 = xst.stdout.read().decode('utf-8')
         if self.options.verbose:
-            print("-"*25 + "\n")
-            while True:
-                line = xst.stdout.readline()
-                if line != '':
-                    print(line.rstrip())
-                else:
-                    break
+            if line1 != '':
+               self.report("[Info] Reply:", line1.rstrip())
             self.report("")
-        self.report('-'*50+"\n")
-        if "200 OK" in line1.rstrip():
-            print("[Info] Target is vulnerable to XST! (Cross Site Tracing) ;-)\n")
+        if "405 Not Allowed" in line1.rstrip() or "405 Method Not Allowed" in line1.rstrip():
+            self.report("[Info] REPLY: Target is NOT vulnerable...\n")
+        elif "TRACE / HTTP" in line1.rstrip():
+            self.report("[Info] REPLY: Target is vulnerable to XST!\n")
         else:
-            print("[Info] Target is NOT vulnerable to XST (Cross Site Tracing) ;-(\n")
+            self.repot("[Info] REPLY: Target is NOT vulnerable...\n")
         if self.options.target:
             self.report('='*75)
  
@@ -2897,12 +2903,17 @@ class xsser(EncoderDecoder, XSSerReporter):
                 self.report('='*75)
                 self.report(str(p.version))
                 self.report('='*75)
-                self.report("[XST Attack!] checking for HTTP TRACE method ...")
-                self.report('='*75)
+                self.report("[XST Attack!] Checking for -HTTP TRACE- method ...")
+                self.report('='*75+"\n")
             self.check_trace()
- 
+
         if self.options.reversecheck or self.options.dom: # generate headless embed web browser
             self.driver = self.create_headless_embed_browser()
+            if self.driver == None:
+                print("\n[Error] Importing: firefoxdriver lib. \n\n To install it on Debian based systems:\n\n $ 'sudo apt-get install firefoxdriver'")
+                print("\n[Error] Options: '--reverse-check' and '--Dom' will be aborted...\n")
+                self.options.reversecheck = None # aborting '--reverse-check' connection 
+                self.options.dom = None # aborting '--Dom' injections
 
         if options.checktor:
             url = self.check_tor_url # TOR status checking site
@@ -2953,12 +2964,12 @@ class xsser(EncoderDecoder, XSSerReporter):
             reporter.report_state('scanning')
         
         # step 1: get urls
-        urls = self.try_running(self._get_attack_urls, "\n[Error] Internal error getting -targets-\n")
+        urls = self.try_running(self._get_attack_urls, "\n[Error] WARNING: Some internal errors getting -targets-\n")
         for reporter in self._reporters:
             reporter.report_state('arming')
         
         # step 2: get payloads
-        payloads = self.try_running(self.get_payloads, "\n[Error] Internal error getting -payloads-\n")
+        payloads = self.try_running(self.get_payloads, "\n[Error] WARNING: Some internal errors getting -payloads-\n")
         for reporter in self._reporters:
             reporter.report_state('cloaking')
         if options.Dwo:
@@ -2969,7 +2980,7 @@ class xsser(EncoderDecoder, XSSerReporter):
             reporter.report_state('locking targets')
 
         # step 3: get query string
-        query_string = self.try_running(self.get_query_string, "\n[Error] Internal problems getting query -string-\n")
+        query_string = self.try_running(self.get_query_string, "\n[Error] WARNING: Some internal problems getting query -string-\n")
         for reporter in self._reporters:
             reporter.report_state('sanitize')
         urls = self.sanitize_urls(urls)
@@ -2977,7 +2988,7 @@ class xsser(EncoderDecoder, XSSerReporter):
             reporter.report_state('attack')
 
         # step 4: perform attack
-        self.try_running(self.attack, "\n[Error] Internal problems running attack...\n", (urls, payloads, query_string))
+        self.try_running(self.attack, "\n[Error] WARNING: Some internal problems running attack...\n", (urls, payloads, query_string))
         for reporter in self._reporters:
             reporter.report_state('reporting')
         if len(self.final_attacks):
@@ -3141,7 +3152,7 @@ class xsser(EncoderDecoder, XSSerReporter):
         """
         Generate a real attack url using data from a successful test.
 
-	    This method also applies DOM stealth mechanisms.
+	This method also applies DOM stealth mechanisms.
         """
         user_attack_payload = payload['payload']
         if self.options.finalpayload:
@@ -3578,10 +3589,10 @@ class xsser(EncoderDecoder, XSSerReporter):
         if self.options.fileoutput:
             fout.close()
         if self.options.fileoutput and not self.options.filexml:
-           self.report("[Info] Generating report: [ XSSreport.raw ]\n")
+           self.report("\n[Info] Generating report: [ XSSreport.raw ]\n")
            self.report("-"*25+"\n")
         if self.options.fileoutput and self.options.filexml:
-           self.report("[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
+           self.report("\n[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
            self.report("-"*25+"\n")
         if len(self.hash_found) > 10 and not self.options.fileoutput: # write results fo file when large output (white magic!)
             if not self.options.filexml: 
@@ -3777,8 +3788,11 @@ class xsser(EncoderDecoder, XSSerReporter):
                     mana = mana + 100
                 if self.options.proxy:
                     mana = mana + 100
-                if self.options.threads > 9:
-                    mana = mana + 100
+                try:
+                    if self.options.threads > 9:
+                        mana = mana + 100
+                except:
+                    pass
                 if self.options.heuristic:
                     mana = mana + 100
                 if self.options.finalpayload or self.options.finalremote:
@@ -3859,7 +3873,7 @@ class xsser(EncoderDecoder, XSSerReporter):
             if len(self.hash_found) + len(self.hash_notfound) == 0 and not Exception:
                 self.report("\n[Error] XSSer cannot send any data... maybe -something- is blocking connection(s)!?\n")
             if len(self.hash_found) + len(self.hash_notfound) == 0 and self.options.crawling:
-                if self.options.xsser_gtk:
+                if self.options.xsser_gtk or self.options.target:
                     self.report('='*75)
                 self.report("\n[Error] Not any feedback from crawler... Aborting! :(\n")
                 self.report('='*75 + '\n')

+ 2 - 2
core/options.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2021 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -30,7 +30,7 @@ class XSSerOptions(optparse.OptionParser):
         optparse.OptionParser.__init__(self, 
                            description='Cross Site "Scripter" is an automatic -framework- to detect, exploit and\nreport XSS vulnerabilities in web-based applications.',
                            prog='XSSer.py',
-			   version='\nXSSer v1.8[3]: "The HiV€!" - (https://xsser.03c8.net) - 2010/2020 -> by psy\n',
+			   version='\nXSSer v1.8[4]: "The HiV€!" - (https://xsser.03c8.net) - 2010/2021 -> by psy\n',
                            usage= '\n\nxsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]\n[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}')
         self.set_defaults(verbose=False, threads=5, retries=1, delay=0, timeout=30,
                           silent=False)

+ 2 - 2
core/twsupport.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2021 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -33,7 +33,7 @@ except:
     orbited_main = None
     traceback.print_exc()
 
-print("\nXSSer v1.8[3]: 'The HiV€'\n")
+print("\nXSSer v1.8[4]: 'The HiV€'\n")
 print("Daemon(s): ready!", "//" , "Interfaz: ready!\n")
 print("Connect to http://127.0.0.1:19084/static/ via Web or Telnet to manage your swarm\n")
 print("Listening...")

+ 6 - 2
doc/AUTHOR

@@ -43,8 +43,12 @@
 
 =======================
 
- BTC: 
+ bitcoin (BTC): 
 
-  19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
+ - 19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
+
+ ecoin (ECO):
+
+ - ETsRCBzaMawx3isvb5svX7tAukLdUFHKze
 
 ========================

+ 7 - 1
doc/CHANGELOG

@@ -1,7 +1,13 @@
 ================================================================
-Changelog: XSSer v1.8.3 (https://xsser.03c8.net)
+Changelog: XSSer v1.8.4 (https://xsser.03c8.net)
 ==============================
 
+=================
+March 6, 2021:
+=================
+
+- Bugfixing
+
 =================
 March 3, 2020:
 =================

+ 1 - 1
doc/INSTALL

@@ -8,7 +8,7 @@ Cross Site "Scripter" is an automatic -framework- to detect, exploit and report
 Current Version:
 ==============================
 
-XSSer v1.8[3]: "The Hiv€!" (2010/2030) // [https://xsser.03c8.net]
+XSSer v1.8[4]: "The Hiv€!" (2010/2021) // [https://xsser.03c8.net]
 
 ================================================================
 + INSTALL: AUTO

+ 1 - 1
doc/README

@@ -8,7 +8,7 @@ Cross Site "Scripter" is an automatic -framework- to detect, exploit and report
 Current Version:
 ==============================
 
-XSSer v1.8[3]: "The Hiv€!" (2010/2020) // [https://xsser.03c8.net]
+XSSer v1.8[4]: "The Hiv€!" (2010/2021) // [https://xsser.03c8.net]
 
 ================================================================
 Options and features:

+ 2 - 2
gtk/docs/about.txt

@@ -4,7 +4,7 @@
                                                                     `.`                   ..              
             Welcome to XSSer ....                       `-:`              .-`               
                                                                         `/-     -      +`                                        
-                                                                          o     +      /                                  v1.8[3] -> "The Hiv€!"
+                                                                          o     +      /                                  v1.8[4] -> "The Hiv€!"
                                                                           ./   -Ny    /.                                         
                                                              `::-`       :--yMN:--.      `.....                      
                                          `mMMMMMmdhysoooosMyoo+oyhdmNMMMMMMMs       
@@ -16,7 +16,7 @@
                                                                   .::`     h`  o-  o.    :+.                       
                        GPLv3                                .--.        :o      y       :/.          
                                                                ``            h      .s         -:.        
-                                                                              :/       o.          ``                2010/2020 - by psy
+                                                                              :/       o.          ``                2010/2021 - by psy
                                                                             .o         o                   
                                                                              o          ./                  
                                                                             +`           :.                 

+ 2 - 2
setup.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2021 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -39,7 +39,7 @@ gtk_files = ['gtk/xsser.ui']
 gtk_app_files = ['gtk/xsser.desktop']
 setup(
     name = "xsser",
-    version = "1.8.3",
+    version = "1.8.4",
     packages = ['core', 'core.fuzzing', 'core.post', 'core.driver'],
     data_files = [('/usr/share/doc/xsser/', doc_files), 
                   ('/usr/share/xsser/gtk/images/', data_files),