From 151d44beff9d5403c4d1769bf8f7dfd353df018a Mon Sep 17 00:00:00 2001
From: ekultek
Date: Sat, 2 Dec 2017 11:23:48 -0600
Subject: [PATCH] patch for an issue where the status code was in the wrong place issue #219
---
 etc/checksum/md5sum.md5 | 12 ++---
 lib/attacks/admin_panel_finder/__init__.py | 2 +-
 lib/attacks/xss_scan/__init__.py | 61 +++++++++++-----------
 lib/core/common.py | 2 +-
 lib/core/settings.py | 2 +-
 lib/header_check/__init__.py | 46 ++--------
 var/auto_issue/github.py | 4 +-
 var/search/selenium_search.py | 2 +-
 8 files changed, 46 insertions(+), 85 deletions(-)
diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5
index 5214cb2..c80e56d 100644
--- a/etc/checksum/md5sum.md5
+++ b/etc/checksum/md5sum.md5
@@ -69,18 +69,18 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/__init__.py
 5e5bb575014ebe613db6bf671d008cf8 ./lib/attacks/sqlmap_scan/sqlmap_opts.py
 7bc7a6f3e85651aab3588f087563eded ./lib/attacks/whois_lookup/__init__.py
 8ec72bb33df998e32b925e3060d9d17a ./lib/attacks/whois_lookup/whois.py
-8c6f696f6a983e6309d7d09e409d97e6 ./lib/attacks/admin_panel_finder/__init__.py
-48ed675099dc8549a7d80bd2d9da7d17 ./lib/attacks/xss_scan/__init__.py
+f65411ebaf58392e6e2b617dba99ff90 ./lib/attacks/admin_panel_finder/__init__.py
+0e3fbd55788c040bb96faa1ef0cf1394 ./lib/attacks/xss_scan/__init__.py
 7642d078fe304a7ca8bfaaa070a0cb31 ./lib/attacks/nmap_scan/__init__.py
 216999fa0e84866d5c1d96d5676034e4 ./lib/attacks/nmap_scan/nmap_opts.py
-888686098a0850750f2435d0e1645944 ./lib/header_check/__init__.py
-1c0535bf9fc6138d317bd1c31a2d7fe1 ./lib/core/common.py
+ac942d36f7d78c249e587417736e88e6 ./lib/header_check/__init__.py
+cd8e35cfd995d0a93892cfc83f01dea7 ./lib/core/common.py
 4433353fb5c55578391d8b4006191ee8 ./lib/core/errors.py
 d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py
-c31e5ed269fe4ef888bf7eb4425539e4 ./lib/core/settings.py
+f723499d996a3bbbd3022cc372dffdd9 ./lib/core/settings.py
 801a4f7ac892b74676c649bd4844ccdb ./lib/core/decorators.py
 9a02e5b913d210350545ac26510a63c9 ./var/search/__init__.py
-0545ee54ade186681b25d157fb32f350 ./var/search/selenium_search.py
+1ed3c450e620ff1edd8b0864179fdea7 ./var/search/selenium_search.py
 cfcce04aac694eee7a6c73969861ce43 ./var/search/pgp_search.py
 d41d8cd98f00b204e9800998ecf8427e ./var/__init__.py
 d41d8cd98f00b204e9800998ecf8427e ./var/auto_issue/__init__.py
diff --git a/lib/attacks/admin_panel_finder/__init__.py b/lib/attacks/admin_panel_finder/__init__.py
index c8c3e25..bb84599 100644
--- a/lib/attacks/admin_panel_finder/__init__.py
+++ b/lib/attacks/admin_panel_finder/__init__.py
@@ -40,7 +40,7 @@ def check_for_externals(url, data_sep="-" * 30, **kwargs):
 try:
 url = lib.core.settings.replace_http(url)
 full_url = "{}{}{}".format("http://", url, currently_searching)
- _, data, code, _ = lib.core.common.get_page(full_url)
+ _, code, data, _ = lib.core.common.get_page(full_url)
 except (TooManyRedirects, ConnectionError):
 lib.core.settings.logger.error(lib.core.settings.set_color(
 "connection to '{}' failed, assuming does not exist and continuing...".format(full_url), level=40
diff --git a/lib/attacks/xss_scan/__init__.py b/lib/attacks/xss_scan/__init__.py
index e236b8e..481d087 100644
--- a/lib/attacks/xss_scan/__init__.py
+++ b/lib/attacks/xss_scan/__init__.py
@@ -187,6 +187,36 @@ def main_xss(start_url, proxy=None, agent=None, **kwargs):
 payload = find_xss_script(url)
 try:
 result = scan_xss(url, proxy=proxy, agent=agent)
+ if verbose:
+ lib.core.settings.logger.info(lib.core.settings.set_color(
+ "trying payload '{}'...".format(payload)
+ ))
+ if result[0] != "sqli" and result[0] is True:
+ success.add(url)
+ if verbose:
+ lib.core.settings.logger.debug(lib.core.settings.set_color(
+ "payload '{}' appears to be usable...".format(payload), level=15
+ ))
+ elif result[0] is "sqli":
+ if i <= 1:
+ lib.core.settings.logger.error(lib.core.settings.set_color(
+ "loaded URL '{}' threw a DBMS error and appears to be injectable, test for "
+ "SQL injection, backend DBMS appears to be '{}'...".format(
+ url, result[1]
+ ), level=40
+ ))
+ else:
+ if verbose:
+ lib.core.settings.logger.error(lib.core.settings.set_color(
+ "SQL error discovered...", level=40
+ ))
+ else:
+ if verbose:
+ lib.core.settings.logger.debug(lib.core.settings.set_color(
+ "host '{}' does not appear to be vulnerable to XSS attacks with payload '{}'...".format(
+ start_url, payload
+ ), level=10
+ ))
 except (
 requests.exceptions.ConnectionError,
 requests.exceptions.TooManyRedirects,
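Review bot: The new unpack `_, code, data, _ = lib.core.common.get_page(full_url)` corrects the swapped positions, but the defect it fixes is the fragility of a four-element tuple unpacked positionally at every call site: the header_check hunks in this same patch unpack the same call as `_, status, html, headers` and `req, _, _, _`, so the order `(req, status, html, headers)` is now relied on in three files with nothing to stop it drifting again. Consider having get_page return a `collections.namedtuple("Page", "req status html headers")` so callers can write `page.status` and `page.html`; a namedtuple still unpacks positionally, so the existing call sites keep working. The enclosing `try` in check_for_externals continues before and after the hunk.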
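Review bot: `elif result[0] is "sqli":` in the relocated block compares a string by identity; it was already written this way in the lines this hunk moves, but the move is the moment to correct it to `elif result[0] == "sqli":` (CPython 3.8+ emits a SyntaxWarning for identity checks against literals, and the comparison only succeeds by string-interning accident). The "trying payload" verbose log is now emitted after `result = scan_xss(url, proxy=proxy, agent=agent)` returns, so when the request fails the except branch reports the payload as failed without it ever having been announced; moving the `if verbose:` info block above the `scan_xss` call restores the order the message implies. The enclosing loop and main_xss continue outside the hunk.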
@@ -195,36 +225,7 @@ def main_xss(start_url, proxy=None, agent=None, **kwargs):
 lib.core.settings.logger.error(lib.core.settings.set_color(
 "payload '{}' caused a connection error, assuming no good and continuing...".format(payload), level=40
 ))
- if verbose:
- lib.core.settings.logger.info(lib.core.settings.set_color(
- "trying payload '{}'...".format(payload)
- ))
- if result[0] != "sqli" and result[0] is True:
- success.add(url)
- if verbose:
- lib.core.settings.logger.debug(lib.core.settings.set_color(
- "payload '{}' appears to be usable...".format(payload), level=15
- ))
- elif result[0] is "sqli":
- if i <= 1:
- lib.core.settings.logger.error(lib.core.settings.set_color(
- "loaded URL '{}' threw a DBMS error and appears to be injectable, test for SQL injection, "
- "backend DBMS appears to be '{}'...".format(
- url, result[1]
- ), level=40
- ))
- else:
- if verbose:
- lib.core.settings.logger.error(lib.core.settings.set_color(
- "SQL error discovered...", level=40
- ))
- else:
- if verbose:
- lib.core.settings.logger.debug(lib.core.settings.set_color(
- "host '{}' does not appear to be vulnerable to XSS attacks with payload '{}'...".format(
- start_url, payload
- ), level=10
- ))
+
 if len(success) != 0:
 lib.core.settings.logger.info(lib.core.settings.set_color(
 "possible XSS scripts to be used:", level=25
diff --git a/lib/core/common.py b/lib/core/common.py
index 37f0445..9a7ef50 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -329,7 +329,7 @@ def get_page(url, **kwargs):
 else:
 proxies = {}
 
- req = requests.get(url, params=headers, proxies=proxies, verify=False if skip_verf else True)
+ req = requests.get(url, params=headers, proxies=proxies, verify=False if skip_verf else True, timeout=20)
 status = req.status_code
 html = req.content
 headers = req.headers
diff --git a/lib/core/settings.py b/lib/core/settings.py
index d8ade6e..8319854 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
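Review bot: `requests.get(url, params=headers, ...)` on the new common.py line sends the `headers` dict as URL query parameters rather than as HTTP headers: `params=` is requests' query-string argument, so whatever the dict holds (the callers pass `agent=`, so presumably a User-Agent) never reaches the server as a header and instead ends up in the request URL, where access and proxy logs record it. The keyword should be `headers=headers`; the added `timeout=20` is fine but leaves this untouched, and the header_check hunks in this patch now route their requests through get_page, so they inherit it (their removed lines had the same `params=` usage). `verify=False if skip_verf else True` reads more simply as `verify=not skip_verf`. get_page begins outside the hunk, so where `headers` and `skip_verf` are built cannot be checked here.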
@@ -46,7 +46,7 @@ CLONE = "https://github.com/ekultek/zeus-scanner.git"
 ISSUE_LINK = "https://github.com/ekultek/zeus-scanner/issues"
 
 # current version
-VERSION = "1.3.15".format(PATCH_ID)
+VERSION = "1.3.15-pre".format(PATCH_ID)
 
 # colors to output depending on the version
 VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}
diff --git a/lib/header_check/__init__.py b/lib/header_check/__init__.py
index db4bcf7..cc1c682 100644
--- a/lib/header_check/__init__.py
+++ b/lib/header_check/__init__.py
@@ -3,7 +3,6 @@ import re
 import importlib
 import unicodedata
-import requests
 from xml.dom import minidom
 from requests.exceptions import ConnectionError
@@ -13,13 +12,11 @@ from lib.core.common import (
 write_to_log_file,
 shutdown,
 pause,
- HTTP_HEADER
+ get_page,
 )
 from lib.core.settings import (
 logger,
 set_color,
 HEADER_XML_DATA,
- proxy_string_to_dict,
- create_random_ip,
 replace_http,
 HEADER_RESULT_PATH,
 COOKIE_LOG_PATH,
@@ -43,23 +40,6 @@ def detect_protection(url, **kwargs):
 proxy = kwargs.get("proxy", None)
 xforward = kwargs.get("xforward", False)
 
- if xforward:
- ip_list = (
- create_random_ip(),
- create_random_ip(),
- create_random_ip()
- )
- headers = {
- HTTP_HEADER.CONNECTION: "close",
- HTTP_HEADER.USER_AGENT: agent,
- HTTP_HEADER.X_FORWARDED_FOR: "{}, {}, {}".format(ip_list[0], ip_list[1], ip_list[2])
- }
- else:
- headers = {
- HTTP_HEADER.CONNECTION: "close",
- HTTP_HEADER.USER_AGENT: agent
- }
-
 url = "{} {}".format(url.strip(), PROTECTION_CHECK_PAYLOAD)
 
 if verbose:
@@ -67,11 +47,7 @@ def detect_protection(url, **kwargs):
 "attempting connection to '{}'...".format(url), level=10
 ))
 try:
- protection_check_req = requests.get(
- url, params=headers, proxies=proxy_string_to_dict(proxy), timeout=20
- )
-
- html, status, headers = protection_check_req.content, protection_check_req.status_code, protection_check_req.headers
+ _, status, html, headers = get_page(url, agent=agent, proxy=proxy, xforward=xforward)
 
 # make sure there are no DBMS errors in the HTML
 for dbms in DBMS_ERRORS:
@@ -163,23 +139,7 @@ def load_headers(url, **kwargs):
 literal_match = re.compile(r"\\(\X(\d+)?\w+)?", re.I)
 
 
- if proxy is not None:
- proxy = proxy_string_to_dict(proxy)
- if not xforward:
- header_value = {
- HTTP_HEADER.CONNECTION: "close",
- HTTP_HEADER.USER_AGENT: agent
- }
- else:
- ip_list = create_random_ip(), create_random_ip(), create_random_ip()
- header_value = {
- HTTP_HEADER.CONNECTION: "close",
- HTTP_HEADER.USER_AGENT: agent,
- HTTP_HEADER.X_FORWARDED_FOR: "{}, {}, {}".format(
- ip_list[0], ip_list[1], ip_list[2]
- )
- }
- req = requests.get(url, params=header_value, proxies=proxy, timeout=10)
+ req, _, _, _ = get_page(url, agent=agent, proxy=proxy)
 if len(req.cookies) > 0:
 logger.info(set_color(
 "found a request cookie, saving to file...", level=25
diff --git a/var/auto_issue/github.py b/var/auto_issue/github.py
index f000fd6..505ef2d 100644
--- a/var/auto_issue/github.py
+++ b/var/auto_issue/github.py
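Review bot: `req, _, _, _ = get_page(url, agent=agent, proxy=proxy)` in the load_headers hunk drops the `xforward` handling that the removed lines implemented (the `if not xforward:` branch), while the detect_protection hunk above passes `xforward=xforward`; unless the omission is intended, the call should read `req, _, _, _ = get_page(url, agent=agent, proxy=proxy, xforward=xforward)`. Separately, get_page is declared `get_page(url, **kwargs)` in the common.py hunk of this patch, so whether it reads `agent`, `proxy` or `xforward` from kwargs at all cannot be confirmed from here, and a misspelled or unread kwarg is silently ignored rather than rejected — worth a check against its body. The load_headers request also moves from a 10-second to get_page's 20-second timeout. Both detect_protection and load_headers begin outside their hunks.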
@@ -44,14 +44,14 @@ def request_issue_creation():
 ))
 lib.core.common.shutdown()
 
- question = lib.core.common.prompt(
+ '''question = lib.core.common.prompt(
 "would you like to create an anonymous issue and post it to Zeus's Github", opts="yN"
 )
 if question.lower().startswith("n"):
 lib.core.settings.logger.error(lib.core.settings.set_color(
 "Zeus has experienced an internal error and cannot continue, shutting down...", level=40
 ))
- lib.core.common.shutdown()
+ lib.core.common.shutdown()'''
 
 lib.core.settings.fix_log_file()
 lib.core.settings.logger.info(lib.core.settings.set_color(
diff --git a/var/search/selenium_search.py b/var/search/selenium_search.py
index 1c6f324..f77b92c 100644
--- a/var/search/selenium_search.py
+++ b/var/search/selenium_search.py
@@ -147,7 +147,7 @@ def get_urls(query, url, verbose=False, **kwargs):
 )
 else:
 do_continue = prompt(
- question_msg, opts="yN", default="n"
+ question_msg, opts="yN", default="y"
 )
 
 # shutdown and write the URL to a file
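Review bot: Wrapping the consent prompt in `'''...'''` leaves a bare string-literal expression statement inside request_issue_creation — dead code that still has to be read and maintained — and it silently changes behaviour: the function now proceeds to create the GitHub issue without asking the user first, which the commit subject (a status-code fix for #219) does not mention. If the prompt is meant to go, delete the block (version history keeps it); if it is a temporary toggle, gate it behind an explicit keyword flag such as `prompt_user=True` on the function rather than a string literal. request_issue_creation continues outside the hunk.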
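Review bot: `question_msg, opts="yN", default="y"` now has the capitalised option and the default disagreeing: in the `yN` convention the capital letter marks the default, so the prompt presumably displays one default and applies another. If continuing is meant to be the default, change it to `question_msg, opts="Yn", default="y"` (assuming `prompt` treats the capital letter as display only — confirm against lib.core.common.prompt). Flipping the default is a behaviour change not mentioned in the commit subject. get_urls continues outside the hunk.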