From 024e660853c97fa097c6bd90412d338f18a5ffda Mon Sep 17 00:00:00 2001 From: ekultek Date: Fri, 29 Sep 2017 10:21:26 -0500 Subject: [PATCH] created a tamper script for URL encoding, created tamper warnings, minor update to search.py, bumped version number --- lib/attacks/tamper_scripts/url_encode.py | 42 ++++++++++++++++++++++++ lib/attacks/xss_scan/__init__.py | 29 ++++++++++++++-- lib/settings.py | 2 +- var/google_search/search.py | 7 ++-- 4 files changed, 71 insertions(+), 9 deletions(-) create mode 100644 lib/attacks/tamper_scripts/url_encode.py diff --git a/lib/attacks/tamper_scripts/url_encode.py b/lib/attacks/tamper_scripts/url_encode.py new file mode 100644 index 0000000..d4c88d7 --- /dev/null +++ b/lib/attacks/tamper_scripts/url_encode.py @@ -0,0 +1,42 @@ +# coding=utf-8 + + +def tamper(payload, **kwargs): + encodings = { + " ": "%20", "!": "%21", '"': "%22", "#": "%23", "$": "%24", "%": "%25", "&": "%26", "'": "%27", + "(": "%28", ")": "%29", "*": "%2A", "+": "%2B", ",": "%2C", "-": "%2D", ".": "%2E", "/": "%2F", + "0": "%30", "1": "%31", "2": "%32", "3": "%33", "4": "%34", "5": "%35", "6": "%36", "7": "%37", + "8": "%38", "9": "%39", ":": "%3A", ";": "%3B", "<": "%3C", "=": "%3D", ">": "%3E", "?": "%3F", + "@": "%40", "A": "%41", "B": "%42", "C": "%43", "D": "%44", "E": "%45", "F": "%46", "G": "%47", + "H": "%48", "I": "%49", "J": "%4A", "K": "%4B", "L": "%4C", "M": "%4D", "N": "%4E", "O": "%4F", + "P": "%50", "Q": "%51", "R": "%52", "S": "%53", "T": "%54", "U": "%55", "V": "%56", "W": "%57", + "X": "%58", "Y": "%59", "Z": "%5A", "[": "%5B", "\\": "%5C", "]": "%5D", "^": "%5E", "a": "%61", + "b": "%62", "c": "%63", "d": "%64", "e": "%65", "f": "%66", "g": "%67", "h": "%68", "i": "%69", + "j": "%6A", "k": "%6B", "l": "%6C", "m": "%6D", "n": "%6E", "o": "%6F", "p": "%70", "q": "%71", + "r": "%72", "s": "%73", "t": "%74", "u": "%75", "v": "%76", "w": "%77", "x": "%78", "y": "%79", + "z": "%7A", "{": "%7B", "|": "%7C", "}": "%7D", "~": "%7E", "`": "%80", "": "%81", "‚": "%82", + "ƒ": "%83", "„": "%84", "…": "%85", "†": "%86", "‡": "%87", "ˆ": "%88", "‰": "%89", "Š": "%8A", + "‹": "%8B", "Œ": "%8C", "Ž": "%8E", "‘": "%91", "’": "%92", "“": "%93", "”": "%94", "•": "%95", + "–": "%96", "—": "%97", "˜": "%98", "™": "%99", "š": "%9A", "›": "%9B", "œ": "%9C", "ž": "%9E", + "Ÿ": "%9F", "¡": "%A1", "¢": "%A2", "£": "%A3", "¤": "%A4", "¥": "%A5", "¦": "%A6", "§": "%A7", + "¨": "%A8", "©": "%A9", "ª": "%AA", "«": "%AB", "¬": "%AC", "­": "%AD", "®": "%AE", "¯": "%AF", + "°": "%B0", "±": "%B1", "²": "%B2", "³": "%B3", "´": "%B4", "µ": "%B5", "¶": "%B6", "·": "%B7", + "¸": "%B8", "¹": "%B9", "º": "%BA", "»": "%BB", "¼": "%BC", "½": "%BD", "¾": "%BE", "¿": "%BF", + "À": "%C0", "Á": "%C1", "Â": "%C2", "Ã": "%C3", "Ä": "%C4", "Å": "%C5", "Æ": "%C6", "Ç": "%C7", + "È": "%C8", "É": "%C9", "Ê": "%CA", "Ë": "%CB", "Ì": "%CC", "Í": "%CD", "Î": "%CE", "Ï": "%CF", + "Ð": "%D0", "Ñ": "%D1", "Ò": "%D2", "Ó": "%D3", "Ô": "%D4", "Õ": "%D5", "Ö": "%D6", "×": "%D7", + "Ø": "%D8", "Ù": "%D9", "Ú": "%DA", "Û": "%DB", "Ü": "%DC", "Ý": "%DD", "Þ": "%DE", "ß": "%DF", + "à": "%E0", "á": "%E1", "â": "%E2", "ã": "%E3", "ä": "%E4", "å": "%E5", "æ": "%E6", "ç": "%E7", + "è": "%E8", "é": "%E9", "ê": "%EA", "ë": "%EB", "ì": "%EC", "í": "%ED", "î": "%EE", "ï": "%EF", + "ð": "%F0", "ñ": "%F1", "ò": "%F2", "ó": "%F3", "ô": "%F4", "õ": "%F5", "ö": "%F6", "÷": "%F7", + "ø": "%F8", "ù": "%F9", "ú": "%FA", "û": "%FB", "ü": "%FC", "ý": "%FD", "þ": "%FE", "ÿ": "%FF" + } + retval = "" + if isinstance(payload, unicode): + payload = str(payload) + for char in payload: + try: + retval += encodings[char] + except KeyError: + retval += char + return retval diff --git a/lib/attacks/xss_scan/__init__.py b/lib/attacks/xss_scan/__init__.py index 671c081..c8340f3 100644 --- a/lib/attacks/xss_scan/__init__.py +++ b/lib/attacks/xss_scan/__init__.py @@ -9,7 +9,8 @@ from lib.errors import InvalidTamperProvided from lib.attacks.tamper_scripts import ( unicode_encode, base64_encode, - hex_encode + hex_encode, + url_encode ) from lib.settings import ( logger, @@ -18,9 +19,23 @@ from lib.settings import ( proxy_string_to_dict, DBMS_ERRORS, create_tree, + prompt ) +def __tamper_warnings(script): + warn_msg = "" + if script == "hex": + warn_msg += "hex tamper script may increase risk of false positives..." + elif script == " base64": + warn_msg += "base64 tamper script may increase risk of not finding a vulnerability..." + else: + pass + logger.warning(set_color( + warn_msg, level=30 + )) + + def list_tamper_scripts(path="{}/lib/attacks/tamper_scripts"): retval = set() exclude = ["__init__.py", ".pyc"] @@ -39,6 +54,8 @@ def __tamper_payload(payload, tamper_type): return unicode_encode.tamper(payload) elif tamper_type == "hex": return hex_encode.tamper(payload) + elif tamper_type == "url": + return url_encode.tamper(payload) else: return base64_encode.tamper(payload) else: @@ -60,7 +77,7 @@ def create_urls(url, payload_list, tamper=None): for payload in payload_list: if tamper: payload = __tamper_payload(payload, tamper_type=tamper) - loaded_url = "{}{}\n".format(url, payload) + loaded_url = "{}{}\n".format(url.strip(), payload.strip()) tmp.write(loaded_url) return tf_name @@ -94,6 +111,7 @@ def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None): logger.info(set_color( "tampering payloads with '{}'...".format(tamper) )) + __tamper_warnings(tamper) find_xss_script(start_url) logger.info(set_color( "loading payloads..." @@ -156,4 +174,9 @@ def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None): else: logger.error(set_color( "host '{}' does not appear to be vulnerable to XSS attacks...".format(start_url) - )) \ No newline at end of file + )) + save = prompt( + "would you like to keep the URL's saved for further testing", opts="yN" + ) + if save.lower().startswith("n"): + os.remove(filename) \ No newline at end of file diff --git a/lib/settings.py b/lib/settings.py index 35e9298..1dd179c 100644 --- a/lib/settings.py +++ b/lib/settings.py @@ -22,7 +22,7 @@ except NameError: # clone link CLONE = "https://github.com/ekultek/zeus-scanner.git" # current version -VERSION = "1.0.19.174a" +VERSION = "1.0.20" # colors to output depending on the version VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30} # version string formatting diff --git a/var/google_search/search.py b/var/google_search/search.py index c81a28c..8a6ecb5 100644 --- a/var/google_search/search.py +++ b/var/google_search/search.py @@ -56,9 +56,6 @@ def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=Non Bypass Google captchas and Google API by using selenium-webdriver to gather the Google URL. This will open a robot controlled browser window and attempt to get a URL from Google that will be used for scraping afterwards. - - Only downside to this method is that your IP and user agent will be visible - until the application pulls the URL. """ if verbose: logger.debug(set_color( @@ -144,7 +141,7 @@ def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=Non ) if verbose: logger.debug(set_color( - "found current URL from selenium browser '{}'...".format(retval), level=10 + "found current URL from selenium browser...", level=10 )) logger.info(set_color( "closing the browser and continuing process.." @@ -248,7 +245,7 @@ def parse_search_results( url = str(url).encode("utf-8") if verbose: logger.debug(set_color( - "found '{}'...".format(url), level=10 + "found '{}'...".format(url.split("&")[0]), level=10 )) retval.add(url.split("&")[0]) logger.info(set_color(