created a tamper script for URL encoding, created tamper warnings, minor update to search.py, bumped version number

This commit is contained in:
ekultek 2017-09-29 10:21:26 -05:00
parent 9de772204e
commit 024e660853
4 changed files with 71 additions and 9 deletions

View file

@ -0,0 +1,42 @@
# coding=utf-8
def tamper(payload, **kwargs):
encodings = {
" ": "%20", "!": "%21", '"': "%22", "#": "%23", "$": "%24", "%": "%25", "&": "%26", "'": "%27",
"(": "%28", ")": "%29", "*": "%2A", "+": "%2B", ",": "%2C", "-": "%2D", ".": "%2E", "/": "%2F",
"0": "%30", "1": "%31", "2": "%32", "3": "%33", "4": "%34", "5": "%35", "6": "%36", "7": "%37",
"8": "%38", "9": "%39", ":": "%3A", ";": "%3B", "<": "%3C", "=": "%3D", ">": "%3E", "?": "%3F",
"@": "%40", "A": "%41", "B": "%42", "C": "%43", "D": "%44", "E": "%45", "F": "%46", "G": "%47",
"H": "%48", "I": "%49", "J": "%4A", "K": "%4B", "L": "%4C", "M": "%4D", "N": "%4E", "O": "%4F",
"P": "%50", "Q": "%51", "R": "%52", "S": "%53", "T": "%54", "U": "%55", "V": "%56", "W": "%57",
"X": "%58", "Y": "%59", "Z": "%5A", "[": "%5B", "\\": "%5C", "]": "%5D", "^": "%5E", "a": "%61",
"b": "%62", "c": "%63", "d": "%64", "e": "%65", "f": "%66", "g": "%67", "h": "%68", "i": "%69",
"j": "%6A", "k": "%6B", "l": "%6C", "m": "%6D", "n": "%6E", "o": "%6F", "p": "%70", "q": "%71",
"r": "%72", "s": "%73", "t": "%74", "u": "%75", "v": "%76", "w": "%77", "x": "%78", "y": "%79",
"z": "%7A", "{": "%7B", "|": "%7C", "}": "%7D", "~": "%7E", "`": "%80", "": "%81", "": "%82",
"ƒ": "%83", "": "%84", "": "%85", "": "%86", "": "%87", "ˆ": "%88", "": "%89", "Š": "%8A",
"": "%8B", "Œ": "%8C", "Ž": "%8E", "": "%91", "": "%92", "": "%93", "": "%94", "": "%95",
"": "%96", "": "%97", "˜": "%98", "": "%99", "š": "%9A", "": "%9B", "œ": "%9C", "ž": "%9E",
"Ÿ": "%9F", "¡": "%A1", "¢": "%A2", "£": "%A3", "¤": "%A4", "¥": "%A5", "¦": "%A6", "§": "%A7",
"¨": "%A8", "©": "%A9", "ª": "%AA", "«": "%AB", "¬": "%AC", "­": "%AD", "®": "%AE", "¯": "%AF",
"°": "%B0", "±": "%B1", "²": "%B2", "³": "%B3", "´": "%B4", "µ": "%B5", "": "%B6", "·": "%B7",
"¸": "%B8", "¹": "%B9", "º": "%BA", "»": "%BB", "¼": "%BC", "½": "%BD", "¾": "%BE", "¿": "%BF",
"À": "%C0", "Á": "%C1", "Â": "%C2", "Ã": "%C3", "Ä": "%C4", "Å": "%C5", "Æ": "%C6", "Ç": "%C7",
"È": "%C8", "É": "%C9", "Ê": "%CA", "Ë": "%CB", "Ì": "%CC", "Í": "%CD", "Î": "%CE", "Ï": "%CF",
"Ð": "%D0", "Ñ": "%D1", "Ò": "%D2", "Ó": "%D3", "Ô": "%D4", "Õ": "%D5", "Ö": "%D6", "×": "%D7",
"Ø": "%D8", "Ù": "%D9", "Ú": "%DA", "Û": "%DB", "Ü": "%DC", "Ý": "%DD", "Þ": "%DE", "ß": "%DF",
"à": "%E0", "á": "%E1", "â": "%E2", "ã": "%E3", "ä": "%E4", "å": "%E5", "æ": "%E6", "ç": "%E7",
"è": "%E8", "é": "%E9", "ê": "%EA", "ë": "%EB", "ì": "%EC", "í": "%ED", "î": "%EE", "ï": "%EF",
"ð": "%F0", "ñ": "%F1", "ò": "%F2", "ó": "%F3", "ô": "%F4", "õ": "%F5", "ö": "%F6", "÷": "%F7",
"ø": "%F8", "ù": "%F9", "ú": "%FA", "û": "%FB", "ü": "%FC", "ý": "%FD", "þ": "%FE", "ÿ": "%FF"
}
retval = ""
if isinstance(payload, unicode):
payload = str(payload)
for char in payload:
try:
retval += encodings[char]
except KeyError:
retval += char
return retval

View file

@ -9,7 +9,8 @@ from lib.errors import InvalidTamperProvided
from lib.attacks.tamper_scripts import (
unicode_encode,
base64_encode,
hex_encode
hex_encode,
url_encode
)
from lib.settings import (
logger,
@ -18,9 +19,23 @@ from lib.settings import (
proxy_string_to_dict,
DBMS_ERRORS,
create_tree,
prompt
)
def __tamper_warnings(script):
warn_msg = ""
if script == "hex":
warn_msg += "hex tamper script may increase risk of false positives..."
elif script == " base64":
warn_msg += "base64 tamper script may increase risk of not finding a vulnerability..."
else:
pass
logger.warning(set_color(
warn_msg, level=30
))
def list_tamper_scripts(path="{}/lib/attacks/tamper_scripts"):
retval = set()
exclude = ["__init__.py", ".pyc"]
@ -39,6 +54,8 @@ def __tamper_payload(payload, tamper_type):
return unicode_encode.tamper(payload)
elif tamper_type == "hex":
return hex_encode.tamper(payload)
elif tamper_type == "url":
return url_encode.tamper(payload)
else:
return base64_encode.tamper(payload)
else:
@ -60,7 +77,7 @@ def create_urls(url, payload_list, tamper=None):
for payload in payload_list:
if tamper:
payload = __tamper_payload(payload, tamper_type=tamper)
loaded_url = "{}{}\n".format(url, payload)
loaded_url = "{}{}\n".format(url.strip(), payload.strip())
tmp.write(loaded_url)
return tf_name
@ -94,6 +111,7 @@ def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None):
logger.info(set_color(
"tampering payloads with '{}'...".format(tamper)
))
__tamper_warnings(tamper)
find_xss_script(start_url)
logger.info(set_color(
"loading payloads..."
@ -156,4 +174,9 @@ def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None):
else:
logger.error(set_color(
"host '{}' does not appear to be vulnerable to XSS attacks...".format(start_url)
))
))
save = prompt(
"would you like to keep the URL's saved for further testing", opts="yN"
)
if save.lower().startswith("n"):
os.remove(filename)

View file

@ -22,7 +22,7 @@ except NameError:
# clone link
CLONE = "https://github.com/ekultek/zeus-scanner.git"
# current version <major.minor.commit.patch ID>
VERSION = "1.0.19.174a"
VERSION = "1.0.20"
# colors to output depending on the version
VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}
# version string formatting

View file

@ -56,9 +56,6 @@ def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=Non
Bypass Google captchas and Google API by using selenium-webdriver to gather
the Google URL. This will open a robot controlled browser window and attempt
to get a URL from Google that will be used for scraping afterwards.
Only downside to this method is that your IP and user agent will be visible
until the application pulls the URL.
"""
if verbose:
logger.debug(set_color(
@ -144,7 +141,7 @@ def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=Non
)
if verbose:
logger.debug(set_color(
"found current URL from selenium browser '{}'...".format(retval), level=10
"found current URL from selenium browser...", level=10
))
logger.info(set_color(
"closing the browser and continuing process.."
@ -248,7 +245,7 @@ def parse_search_results(
url = str(url).encode("utf-8")
if verbose:
logger.debug(set_color(
"found '{}'...".format(url), level=10
"found '{}'...".format(url.split("&amp;")[0]), level=10
))
retval.add(url.split("&amp;")[0])
logger.info(set_color(