diff --git a/lib/attacks/xss_scan/__init__.py b/lib/attacks/xss_scan/__init__.py index 9552579..37be45d 100644 --- a/lib/attacks/xss_scan/__init__.py +++ b/lib/attacks/xss_scan/__init__.py @@ -10,7 +10,8 @@ from lib.settings import ( set_color, DEFAULT_USER_AGENT, proxy_string_to_dict, - DBMS_ERRORS + DBMS_ERRORS, + create_tree, ) @@ -28,9 +29,12 @@ def create_urls(url, payload_list): return tf_name -def find_xss_script(url, query=4): +def find_xss_script(url, query=4, fragment=5): data = urlparse.urlparse(url) - return data[query] + if data[fragment] is not "" or None: + return "{}{}".format(data[query], data[fragment]) + else: + return data[query] def scan_xss(url, agent=None, proxy=None): @@ -51,7 +55,7 @@ def scan_xss(url, agent=None, proxy=None): return False -def main_xss(start_url, verbose=False, proxy=None, agent=DEFAULT_USER_AGENT, try_all=False): +def main_xss(start_url, verbose=False, proxy=None, agent=None): find_xss_script(start_url) logger.info(set_color( "loading payloads..." @@ -67,31 +71,30 @@ def main_xss(start_url, verbose=False, proxy=None, agent=DEFAULT_USER_AGENT, try filename = create_urls(start_url, payloads) if verbose: logger.debug(set_color( - "loaded URL's have been saved to '{}'...".format(filename) + "loaded URL's have been saved to '{}'...".format(filename), level=10 )) logger.info(set_color( "testing for XSS vulnerabilities on host '{}'...".format(start_url) )) - logger.info(set_color( - "adjusting user agent to '{}'...".format(agent) - )) if proxy is not None: logger.info(set_color( "using proxy '{}'...".format(proxy) )) + success = set() with open(filename) as urls: - for url in urls: + for url in urls.readlines(): url = url.strip() result = scan_xss(url, proxy=proxy, agent=agent) payload = find_xss_script(url) + logger.info(set_color( + "trying payload '{}'...".format(payload) + )) if result: - logger.info(set_color( - "host '{}' appears to be vulnerable to XSS attacks using payload '{}'...".format( - start_url, payload - ) - )) - if not try_all: - return + success.add(url) + if verbose: + logger.debug(set_color( + "payload '{}' appears to be usable...".format(payload), level=10 + )) elif result is "sqli": logger.error(set_color( "loaded URL '{}' threw a DBMS error and appears to be SQLi vulnerable, test for SQL injection".format( @@ -104,4 +107,5 @@ def main_xss(start_url, verbose=False, proxy=None, agent=DEFAULT_USER_AGENT, try "host '{}' does not appear to be vulnerable to XSS attacks with payload '{}'...".format( start_url, payload ), level=10 - )) \ No newline at end of file + )) + create_tree(start_url, list(success)) \ No newline at end of file diff --git a/lib/settings.py b/lib/settings.py index 193fa63..7f29c86 100644 --- a/lib/settings.py +++ b/lib/settings.py @@ -22,7 +22,7 @@ except NameError: # clone link CLONE = "https://github.com/ekultek/zeus-scanner.git" # current version -VERSION = "1.0.18.7db8" +VERSION = "1.0.18.7124" # colors to output depending on the version VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30} # version string formatting @@ -380,14 +380,4 @@ def create_tree(start, conns, down="|", over="-", sep="-" * 40): down, over, con ) ) - print(sep) - - -def add_https(url): - """ - add https:// to a url - """ - if "https://" in url: - return url - else: - return "https://{}".format(url.split("://")[-1]) \ No newline at end of file + print(sep) \ No newline at end of file diff --git a/var/google_search/search.py b/var/google_search/search.py index b68c703..c81a28c 100644 --- a/var/google_search/search.py +++ b/var/google_search/search.py @@ -18,7 +18,6 @@ from lib.settings import ( URL_REGEX, shutdown, create_dir, - add_https ) @@ -26,23 +25,30 @@ def bypass_ip_block(url, content_sep=("continue=", "Fid", "%")): """ bypass Google's IP blocking by extracting the true URL from the ban URL. """ + + def __add_https(data): + if "https://" in data: + return data + else: + return "https://{}".format(url.split("://")[-1]) + if isinstance(url, unicode): url = str(url) - index_list = [] - index_list_2 = [] + content_list_start = [] + content_list_end = [] if content_sep[0] in url: data_list = url.split(content_sep[0]) url_to_use = data_list[1] else: url_to_use = url - for m in re.finditer(content_sep[1], url_to_use): - index_list.append((m.start(), m.end())) - splice_to_use = index_list[-1][-1] + for match in re.finditer(content_sep[1], url_to_use): + content_list_start.append((match.start(), match.end())) + splice_to_use = content_list_start[-1][-1] - for m2 in re.finditer(content_sep[2], url[0:splice_to_use]): - index_list_2.append((m2.start(), m2.end())) - return add_https(url[0:index_list_2[-1][-1] - 1]) + for match in re.finditer(content_sep[2], url[0:splice_to_use]): + content_list_end.append((match.start(), match.end())) + return __add_https(url[0:content_list_end[-1][-1] - 1]) def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=None, **kwargs): @@ -118,7 +124,8 @@ def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=Non "obtaining URL from selenium..." )) retval = browser.current_url - if "http://ipv6.google.com" or "http://ipv4.google.com" in retval: + ban_url_schema = ["http://ipv6.google.com", "http://ipv4.google.com"] + if any(u in retval for u in ban_url_schema): # if you got IP banned logger.warning(set_color( "it appears that Google is attempting to block your IP address, attempting bypass...", level=30 )) diff --git a/zeus.py b/zeus.py index 50e2322..5168b89 100755 --- a/zeus.py +++ b/zeus.py @@ -93,8 +93,6 @@ if __name__ == "__main__": help="Show the arguments that nmap understands") attacks.add_option("-P", "--show-possibles", dest="showAllConnections", action="store_true", help="Show all connections made during the admin panel search") - attacks.add_option("--run-all", dest="runAllXssPayloads", action="store_true", - help="Run every loaded XSS payload") # search engine options engines = optparse.OptionGroup(parser, "Search engine arguments", @@ -363,7 +361,7 @@ if __name__ == "__main__": elif admin: main(url, show=opt.showAllConnections, verbose=verbose) elif xss: - main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use, try_all=opt.runAllXssPayloads) + main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use) else: pass else: