options.py 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-"
  3. # vim: set expandtab tabstop=4 shiftwidth=4:
  4. """
  5. This file is part of the XSSer project, https://xsser.03c8.net
  6. Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
  7. xsser is free software; you can redistribute it and/or modify it under
  8. the terms of the GNU General Public License as published by the Free
  9. Software Foundation version 3 of the License.
  10. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
  11. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12. FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  13. details.
  14. You should have received a copy of the GNU General Public License along
  15. with xsser; if not, write to the Free Software Foundation, Inc., 51
  16. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  17. """
  18. import optparse
  19. import core.fuzzing.vectors
  20. import core.fuzzing.DCP
  21. import core.fuzzing.DOM
  22. import core.fuzzing.HTTPsr
  23. class XSSerOptions(optparse.OptionParser):
  24. def __init__(self, *args):
  25. optparse.OptionParser.__init__(self,
  26. description='Cross Site "Scripter" is an automatic -framework- to detect, exploit and\nreport XSS vulnerabilities in web-based applications.',
  27. prog='XSSer.py',
  28. version='\nXSSer v1.8[3]: "The HiV€!" - (https://xsser.03c8.net) - 2010/2020 -> by psy\n',
  29. usage= '\n\nxsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]\n[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}')
  30. self.set_defaults(verbose=False, threads=5, retries=1, delay=0, timeout=30,
  31. silent=False)
  32. self.disable_interspersed_args()
  33. self.vectors_fuzz = len(core.fuzzing.vectors.vectors)
  34. self.vectors_dcp = len(core.fuzzing.DCP.DCPvectors)
  35. self.vectors_dom = len(core.fuzzing.DOM.DOMvectors)
  36. self.vectors_httpsr = len(core.fuzzing.HTTPsr.HTTPrs_vectors)
  37. self.total_vectors = str(self.vectors_fuzz+self.vectors_dcp+self.vectors_dom+self.vectors_httpsr)
  38. self.add_option("-s", "--statistics", action="store_true", dest="statistics", help="show advanced statistics output results")
  39. self.add_option("-v", "--verbose", action="store_true", dest="verbose", help="active verbose mode output results")
  40. self.add_option("--gtk", action="store_true", dest="xsser_gtk", help="launch XSSer GTK Interface")
  41. #self.add_option("--swarm", action="store_true", dest="xsser_web", help="launch XSSer Swarm daemon(s) + Web-Shell")
  42. self.add_option("--wizard", action="store_true", dest="wizard", help="start Wizard Helper!")
  43. group1 = optparse.OptionGroup(self, "*Special Features*",
  44. "You can set Vector(s) and Bypasser(s) to build complex scripts for XSS code embedded. XST allows you to discover if target is vulnerable to 'Cross Site Tracing' [CAPEC-107]:")
  45. group1.add_option("--imx", action="store", dest="imx", help="IMX - Create an image with XSS (--imx image.png)")
  46. group1.add_option("--fla", action="store", dest="flash", help="FLA - Create a flash movie with XSS (--fla movie.swf)")
  47. group1.add_option("--xst", action="store", dest="xst", help="XST - Cross Site Tracing (--xst http(s)://host.com)")
  48. self.add_option_group(group1)
  49. group2 = optparse.OptionGroup(self, "*Select Target(s)*",
  50. "At least one of these options must to be specified to set the source to get target(s) urls from:")
  51. group2.add_option("--all", action="store", dest="target", help="Automatically audit an entire target")
  52. group2.add_option("-u", "--url", action="store", dest="url", help="Enter target to audit")
  53. group2.add_option("-i", action="store", dest="readfile", help="Read target(s) urls from file")
  54. group2.add_option("-d", action="store", dest="dork", help="Search target(s) using a query (ex: 'news.php?id=')")
  55. group2.add_option("-l", action="store_true", dest="dork_file", help="Search from a list of 'dorks'")
  56. group2.add_option("--De", action="store", dest="dork_engine", help="Use this search engine (default: DuckDuckGo)")
  57. group2.add_option("--Da", action="store_true", dest="dork_mass", help="Search massively using all search engines")
  58. self.add_option_group(group2)
  59. group3 = optparse.OptionGroup(self, "*Select type of HTTP/HTTPS Connection(s)*",
  60. "These options can be used to specify which parameter(s) we want to use as payload(s). Set 'XSS' as keyword on the place(s) that you want to inject:")
  61. group3.add_option("-g", action="store", dest="getdata", help="Send payload using GET (ex: '/menu.php?id=XSS')")
  62. group3.add_option("-p", action="store", dest="postdata", help="Send payload using POST (ex: 'foo=1&bar=XSS')")
  63. group3.add_option("-c", action="store", dest="crawling", help="Number of urls to crawl on target(s): 1-99999")
  64. group3.add_option("--Cw", action="store", dest="crawler_width", help="Deeping level of crawler: 1-5 (default: 2)")
  65. group3.add_option("--Cl", action="store_true", dest="crawler_local", help="Crawl only local target(s) urls (default: FALSE)")
  66. self.add_option_group(group3)
  67. group4 = optparse.OptionGroup(self, "*Configure Request(s)*",
  68. "These options can be used to specify how to connect to the target(s) payload(s). You can choose multiple:")
  69. group4.add_option("--head", action="store_true", dest="nohead", help="Send a HEAD request before start a test")
  70. group4.add_option("--cookie", action="store", dest="cookie", help="Change your HTTP Cookie header")
  71. group4.add_option("--drop-cookie", action="store_true", dest="dropcookie", help="Ignore Set-Cookie header from response")
  72. group4.add_option("--user-agent", action="store", dest="agent", help="Change your HTTP User-Agent header (default: SPOOFED)")
  73. group4.add_option("--referer", action="store", dest="referer", help="Use another HTTP Referer header (default: NONE)")
  74. group4.add_option("--xforw", action="store_true", dest="xforw", help="Set your HTTP X-Forwarded-For with random IP values")
  75. group4.add_option("--xclient", action="store_true", dest="xclient", help="Set your HTTP X-Client-IP with random IP values")
  76. group4.add_option("--headers", action="store", dest="headers", help="Extra HTTP headers newline separated")
  77. group4.add_option("--auth-type", action="store", dest="atype", help="HTTP Authentication type (Basic, Digest, GSS or NTLM)")
  78. group4.add_option("--auth-cred", action="store", dest="acred", help="HTTP Authentication credentials (name:password)")
  79. #group4.add_option("--auth-cert", action="store", dest="acert", help="HTTP Authentication certificate (key_file,cert_file)")
  80. group4.add_option("--check-tor", action="store_true", dest="checktor", help="Check to see if Tor is used properly")
  81. group4.add_option("--proxy", action="store", dest="proxy", help="Use proxy server (tor: http://localhost:8118)")
  82. group4.add_option("--ignore-proxy", action="store_true", dest="ignoreproxy", help="Ignore system default HTTP proxy")
  83. group4.add_option("--timeout", action="store", dest="timeout", type="int", help="Select your timeout (default: 30)")
  84. group4.add_option("--retries", action="store", dest="retries", type="int", help="Retries when connection timeout (default: 1)")
  85. group4.add_option("--threads", action="store", dest="threads", type="int", help="Maximum number of concurrent requests (default: 5)")
  86. group4.add_option("--delay", action="store", dest="delay", type="int", help="Delay in seconds between each request (default: 0)")
  87. group4.add_option("--tcp-nodelay", action="store_true", dest="tcp_nodelay", help="Use the TCP_NODELAY option")
  88. group4.add_option("--follow-redirects", action="store_true", dest="followred", help="Follow server redirections (default: FALSE)")
  89. group4.add_option("--follow-limit", action="store", dest="fli", type="int", help="Set limit for redirection requests (default: 50)")
  90. self.add_option_group(group4)
  91. group5 = optparse.OptionGroup(self, "*Checker Systems*",
  92. "These options are useful to know if your target is using filters against XSS attacks:")
  93. group5.add_option("--hash", action="store_true", dest="hash", help="Send a hash to check if target is repeating content")
  94. group5.add_option("--heuristic", action="store_true", dest="heuristic", help="Discover parameters filtered by using heuristics")
  95. group5.add_option("--discode", action="store", dest="discode", help="Set code on reply to discard an injection")
  96. group5.add_option("--checkaturl", action="store", dest="alt", help="Check reply using: <alternative url> [aka BLIND-XSS]")
  97. group5.add_option("--checkmethod", action="store", dest="altm", help="Check reply using: GET or POST (default: GET)")
  98. group5.add_option("--checkatdata", action="store", dest="ald", help="Check reply using: <alternative payload>")
  99. group5.add_option("--reverse-check", action="store_true", dest="reversecheck", help="Establish a reverse connection from target to XSSer")
  100. self.add_option_group(group5)
  101. group6 = optparse.OptionGroup(self, "*Select Vector(s)*",
  102. "These options can be used to specify injection(s) code. Important if you don't want to inject a common XSS vector used by default. Choose only one option:")
  103. group6.add_option("--payload", action="store", dest="script", help="OWN - Inject your own code")
  104. group6.add_option("--auto", action="store_true", dest="fuzz", help="AUTO - Inject a list of vectors provided by XSSer")
  105. self.add_option_group(group6)
  106. group14 = optparse.OptionGroup(self, "*Select Payload(s)*",
  107. "These options can be used to set the list of vectors provided by XSSer. Choose only if required:")
  108. group14.add_option("--auto-set", action="store", dest="fzz_num", help="ASET - Limit of vectors to inject (default: "+str(self.vectors_fuzz)+")")
  109. group14.add_option("--auto-info", action="store_true", dest="fzz_info", help="AINFO - Select ONLY vectors with INFO (default: FALSE)")
  110. group14.add_option("--auto-random", action="store_true", dest="fzz_rand", help="ARAND - Set random to order (default: FALSE)")
  111. self.add_option_group(group14)
  112. group13 = optparse.OptionGroup(self, "*Anti-antiXSS Firewall rules*",
  113. "These options can be used to try to bypass specific WAF/IDS products and some anti-XSS browser filters. Choose only if required:")
  114. group13.add_option("--Phpids0.6.5", action="store_true", dest="phpids065", help="PHPIDS (0.6.5) [ALL]")
  115. group13.add_option("--Phpids0.7", action="store_true", dest="phpids070", help="PHPIDS (0.7) [ALL]")
  116. group13.add_option("--Imperva", action="store_true", dest="imperva", help="Imperva Incapsula [ALL]")
  117. group13.add_option("--Webknight", action="store_true", dest="webknight", help="WebKnight (4.1) [Chrome]")
  118. group13.add_option("--F5bigip", action="store_true", dest="f5bigip", help="F5 Big IP [Chrome + FF + Opera]")
  119. group13.add_option("--Barracuda", action="store_true", dest="barracuda", help="Barracuda WAF [ALL]")
  120. group13.add_option("--Modsec", action="store_true", dest="modsec", help="Mod-Security [ALL]")
  121. group13.add_option("--Quickdefense", action="store_true", dest="quickdefense", help="QuickDefense [Chrome]")
  122. group13.add_option("--Sucuri", action="store_true", dest="sucuri", help="SucuriWAF [ALL]")
  123. group13.add_option("--Firefox", action="store_true", dest="firefox", help="Firefox 12 [& below]")
  124. group13.add_option("--Chrome", action="store_true", dest="chrome", help="Chrome 19 & Firefox 12 [& below]")
  125. group13.add_option("--Opera", action="store_true", dest="opera", help="Opera 10.5 [& below]")
  126. group13.add_option("--Iexplorer", action="store_true", dest="iexplorer", help="IExplorer 9 & Firefox 12 [& below]")
  127. self.add_option_group(group13)
  128. group7 = optparse.OptionGroup(self, "*Select Bypasser(s)*",
  129. "These options can be used to encode vector(s) and try to bypass possible anti-XSS filters. They can be combined with other techniques:")
  130. group7.add_option("--Str", action="store_true", dest="Str", help="Use method String.FromCharCode()")
  131. group7.add_option("--Une", action="store_true", dest="Une", help="Use Unescape() function")
  132. group7.add_option("--Mix", action="store_true", dest="Mix", help="Mix String.FromCharCode() and Unescape()")
  133. group7.add_option("--Dec", action="store_true", dest="Dec", help="Use Decimal encoding")
  134. group7.add_option("--Hex", action="store_true", dest="Hex", help="Use Hexadecimal encoding")
  135. group7.add_option("--Hes", action="store_true", dest="Hes", help="Use Hexadecimal encoding with semicolons")
  136. group7.add_option("--Dwo", action="store_true", dest="Dwo", help="Encode IP addresses with DWORD")
  137. group7.add_option("--Doo", action="store_true", dest="Doo", help="Encode IP addresses with Octal")
  138. group7.add_option("--Cem", action="store", dest="Cem", help="Set different 'Character Encoding Mutations' (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')")
  139. self.add_option_group(group7)
  140. group8 = optparse.OptionGroup(self, "*Special Technique(s)*",
  141. "These options can be used to inject code using different XSS techniques and fuzzing vectors. You can choose multiple:")
  142. group8.add_option("--Coo", action="store_true", dest="coo", help="COO - Cross Site Scripting Cookie injection")
  143. group8.add_option("--Xsa", action="store_true", dest="xsa", help="XSA - Cross Site Agent Scripting")
  144. group8.add_option("--Xsr", action="store_true", dest="xsr", help="XSR - Cross Site Referer Scripting")
  145. group8.add_option("--Dcp", action="store_true", dest="dcp", help="DCP - Data Control Protocol injections")
  146. group8.add_option("--Dom", action="store_true", dest="dom", help="DOM - Document Object Model injections")
  147. group8.add_option("--Ind", action="store_true", dest="inducedcode", help="IND - HTTP Response Splitting Induced code")
  148. self.add_option_group(group8)
  149. group9 = optparse.OptionGroup(self, "*Select Final injection(s)*",
  150. "These options can be used to specify the final code to inject on vulnerable target(s). Important if you want to exploit 'on-the-wild' the vulnerabilities found. Choose only one option:")
  151. group9.add_option("--Fp", action="store", dest="finalpayload", help="OWN - Exploit your own code")
  152. group9.add_option("--Fr", action="store", dest="finalremote", help="REMOTE - Exploit a script -remotely-")
  153. self.add_option_group(group9)
  154. group10 = optparse.OptionGroup(self, "*Special Final injection(s)*",
  155. "These options can be used to execute some 'special' injection(s) on vulnerable target(s). You can select multiple and combine them with your final code (except with DCP exploits):")
  156. group10.add_option("--Anchor", action="store_true", dest="anchor", help="ANC - Use 'Anchor Stealth' payloader (DOM shadows!)")
  157. group10.add_option("--B64", action="store_true", dest="b64", help="B64 - Base64 code encoding in META tag (rfc2397)")
  158. group10.add_option("--Onm", action="store_true", dest="onm", help="ONM - Use onMouseMove() event")
  159. group10.add_option("--Ifr", action="store_true", dest="ifr", help="IFR - Use <iframe> source tag")
  160. group10.add_option("--Dos", action="store_true", dest="dos", help="DOS - XSS (client) Denial of Service")
  161. group10.add_option("--Doss", action="store_true", dest="doss", help="DOSs - XSS (server) Denial of Service")
  162. self.add_option_group(group10)
  163. group11 = optparse.OptionGroup(self, "*Reporting*")
  164. group11.add_option("--save", action="store_true", dest="fileoutput", help="Export to file (XSSreport.raw)")
  165. group11.add_option("--xml", action="store", dest="filexml", help="Export to XML (--xml file.xml)")
  166. self.add_option_group(group11)
  167. group12 = optparse.OptionGroup(self, "*Miscellaneous*")
  168. group12.add_option("--silent", action="store_true", dest="silent", help="Inhibit console output results")
  169. group12.add_option("--alive", action="store", dest="isalive", type="int", help="Set limit of errors before check if target is alive")
  170. group12.add_option("--update", action="store_true", dest="update", help="Check for latest stable version")
  171. self.add_option_group(group12)
  172. def get_options(self, user_args=None):
  173. (options, args) = self.parse_args(user_args)
  174. if (not options.url and not options.readfile and not options.dork and not options.dork_file and not options.imx and not options.flash and not options.update and not options.xsser_gtk and not options.wizard and not options.xst and not options.target and not options.checktor):
  175. print("\n"+ '='*75)
  176. print(self.version)
  177. print("-----------", "\n")
  178. print(self.description, "\n")
  179. print('='*75)
  180. print("")
  181. print(" \\ \\ LulZzzz! /\ ")
  182. print("Project site:"," && \\ \\ /\())\ % % ")
  183. print("https://xsser.03c8.net &&&& \\_\\ (())\\)) % % % ")
  184. print(" \/ ( \033[1;31m@\033[1;m.\033[1;31m@\033[1;m) * //\\//\\% % %")
  185. print(" || == < == * * \\//))//) BBzzzzz! ")
  186. print("Forum: ||]~~/ \~~[ * (())//)) ")
  187. print("irc.freenode.net -> #xsser || (') \/())/ ")
  188. print(" || / / \/ ")
  189. print("")
  190. print('='*75)
  191. print("Total vectors:", self.total_vectors + " = XSS: " + str(self.vectors_fuzz) + " + DCP: " + str(self.vectors_dcp) + " + DOM: " + str(self.vectors_dom) + " + HTTPsr: " + str(self.vectors_httpsr))
  192. print('='*75)
  193. print("\n-> For HELP use: -h or --help")
  194. print("\n-> For GTK interface use: --gtk\n")
  195. print('='*55, "\n")
  196. return False
  197. return options