From 4e0945b842a4640db0b4cb70648279738efcb1f1 Mon Sep 17 00:00:00 2001
From: ekultek
Date: Wed, 6 Dec 2017 17:14:13 -0600
Subject: [PATCH] patches an issue where any connection problem (timeout, disconnect, etc) would cause a unexpected exception (issue #239). also patches an issue where XSS was stuck in a loop (issue #240). added two new plugin detection scripts
---
 etc/checksum/md5sum.md5 | 6 ++++--
 lib/attacks/xss_scan/__init__.py | 36 ++++++++++++-------------------
 lib/core/settings.py | 2 +-
 lib/plugins/clipbucket.py | 21 ++++++++++++++++++
 lib/plugins/mssqlreportmanager.py | 18 ++++++++++++++++
 5 files changed, 58 insertions(+), 25 deletions(-)
 create mode 100644 lib/plugins/clipbucket.py
 create mode 100644 lib/plugins/mssqlreportmanager.py
diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5
index 3840f28..c854908 100644
--- a/etc/checksum/md5sum.md5
+++ b/etc/checksum/md5sum.md5
@@ -84,6 +84,8 @@ c4ac50a3f3550c62219e7e4f38d4b496 ./lib/plugins/1024.py
 76a1d1decfb872bfafdf510c656f113a ./lib/plugins/rssfeed.py
 320f0db977c85b477ba1ea78b140cb8a ./lib/plugins/4images.py
 35dc8b7da4becb60662aab3c48a9210b ./lib/plugins/openxchange.py
+353db8b22c031433ea73a12943927557 ./lib/plugins/clipbucket.py
+ce3b79dc80e369ffd55d2cbe90e6a0ab ./lib/plugins/mssqlreportmanager.py
 b5ff3286060c0bbc0fe1f0f591131c9c ./lib/attacks/gist_lookup/__init__.py
 86224bd899c2a2438042cbdc077dc4cc ./lib/attacks/clickjacking_scan/__init__.py
 d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/__init__.py
@@ -92,7 +94,7 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/__init__.py 7bc7a6f3e85651aab3588f087563eded ./lib/attacks/whois_lookup/__init__.py 8ec72bb33df998e32b925e3060d9d17a ./lib/attacks/whois_lookup/whois.py 916b768e783ff771bce80bd6f5112d4f ./lib/attacks/admin_panel_finder/__init__.py -52942c7b33ff696901f5a4201ba4507f ./lib/attacks/xss_scan/__init__.py +f87f388a9ded1cd8a7e333353652c4df ./lib/attacks/xss_scan/__init__.py 6b8ad5d11aa7f1e2b5f993ca3dde1975 ./lib/attacks/nmap_scan/__init__.py 216999fa0e84866d5c1d96d5676034e4 ./lib/attacks/nmap_scan/nmap_opts.py 8ef704ee0460fdec5ea03f47036664fe ./lib/header_check/__init__.py @@ -100,7 +102,7 @@ d2f8777360a73a412ef158eff2fdf631 ./lib/core/common.py 4433353fb5c55578391d8b4006191ee8 ./lib/core/errors.py 38d8ce4aec42ec147b44a36c69b15ea8 ./lib/core/parse.py d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py -f3b7a9cae1668e883541b388107f07c4 ./lib/core/settings.py +62f71741205d25ab425f5ef32b39423a ./lib/core/settings.py de4254c5e40f7aa4fb81e0608f758a2c ./lib/core/decorators.py 9a02e5b913d210350545ac26510a63c9 ./var/search/__init__.py 83928f6c090722d87a905a447cb51aed ./var/search/selenium_search.py diff --git a/lib/attacks/xss_scan/__init__.py b/lib/attacks/xss_scan/__init__.py index 94a0796..00624fa 100644 --- a/lib/attacks/xss_scan/__init__.py +++ b/lib/attacks/xss_scan/__init__.py @@ -73,12 +73,11 @@ def create_urls(url, payload_list, tamper=None, verbose=False): else: payload = __tamper_payload(payload, tamper_type=tamper, warning=False, verbose=verbose) except InvalidTamperProvided: - lib.core.settings.logger.error(lib.core.settings.set_color( + lib.core.settings.logger.warning(lib.core.settings.set_color( "you provided and invalid tamper script, acceptable tamper scripts are: {}...".format( " | ".join(list_tamper_scripts()), level=40 ) )) - lib.core.common.shutdown() loaded_url = "{}{}\n".format(url.strip(), payload.strip()) tmp.write(loaded_url) return tf_name 
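Review bot: With `lib.core.common.shutdown()` removed, the `except InvalidTamperProvided:` branch in create_urls now falls through to `loaded_url = "{}{}\n".format(url.strip(), payload.strip())`, so an invalid tamper name silently writes whatever `payload` holds at that point — presumably the untampered value from the enclosing loop, which begins above this hunk — and the warning is repeated once per payload. If that fallback is intended, say so next to the warning, e.g. `# invalid tamper script: warn once per payload and fall back to the raw payload`; otherwise `continue` after the warning so no URL is written for it. Note also that `level=40` on the context line is an argument to `.format(...)` (its closing paren comes after `level=40`), not to `set_color`, so it is silently ignored and the colour falls back to the default; the other warning in this file passes `level=30` to `set_color` directly, and this call should do the same now that it is a `logger.warning`. create_urls starts before this hunk.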
@@ -110,7 +109,6 @@ def scan_xss(url, agent=None, proxy=None): be tampered or encoded if the site is not vulnerable """ - retry_flags = 3 auto_assign = "http://{}" url_verification = re.compile(r"http(s)?", re.I) @@ -120,25 +118,19 @@ def scan_xss(url, agent=None, proxy=None): )) url = auto_assign.format(url) - while retry_flags > 0: - try: - _, status, html_data, _ = lib.core.common.get_page(url, agent=agent, proxy=proxy) - query = find_xss_script(url) - for db in lib.core.settings.DBMS_ERRORS.keys(): - for item in lib.core.settings.DBMS_ERRORS[db]: - if re.findall(item, html_data): - return "sqli", db - if status != 404: - if query in html_data: - return True, None - retry_flags -= 1 - except requests.exceptions.ChunkedEncodingError: - lib.core.settings.logger.warning(lib.core.settings.set_color( - "encoding seems to be messed up, retrying request...", level=30 - )) - retry_flags -= 1 - - return False, None + try: + _, status, html_data, _ = lib.core.common.get_page(url, agent=agent, proxy=proxy) + query = find_xss_script(url) + for db in lib.core.settings.DBMS_ERRORS.keys(): + for item in lib.core.settings.DBMS_ERRORS[db]: + if re.findall(item, html_data): + return "sqli", db + if status != 404: + if query in html_data: + return True, None + return False, None + except (requests.exceptions.ChunkedEncodingError, requests.exceptions.ConnectionError): + return False, None def main_xss(start_url, proxy=None, agent=None, **kwargs): diff --git a/lib/core/settings.py b/lib/core/settings.py index a11335a..8a6cc7e 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -45,7 +45,7 @@ CLONE = "https://github.com/ekultek/zeus-scanner.git" ISSUE_LINK = "https://github.com/ekultek/zeus-scanner/issues" # current version -VERSION = "1.4.1.{}".format(PATCH_ID) +VERSION = "1.4.2.{}".format(PATCH_ID) # colors to output depending on the version VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30} 
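Review bot: The new `except (requests.exceptions.ChunkedEncodingError, requests.exceptions.ConnectionError):` in scan_xss returns `False, None` without logging, so an unreachable or disconnecting host becomes indistinguishable from a host that was tested and did not reflect the marker. It also misses the timeout case the commit message names: `requests.exceptions.ReadTimeout` derives from `Timeout`, not `ConnectionError`, so a read timeout still escapes as an unhandled exception. Catch the common base and record what happened, e.g. `except requests.exceptions.RequestException as e:` / `lib.core.settings.logger.warning(lib.core.settings.set_color("request to {} failed ({}), skipping...".format(url, e), level=30))` / `return False, None`. If main_xss is meant to report "could not test" separately from "not vulnerable", a distinct return value would serve better than `False`, since callers already receive a `"sqli"` string in the first slot. scan_xss begins above this hunk.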
diff --git a/lib/plugins/clipbucket.py b/lib/plugins/clipbucket.py new file mode 100644 index 0000000..2a09262 --- /dev/null +++ b/lib/plugins/clipbucket.py @@ -0,0 +1,21 @@ +import re + + +__product__ = "ClipBucket" +__description__ = ( + "ClipBucket is an Open Source and freely downloadable PHP " + "script that will let you start your own Video Sharing website" +) + + +def search(html, **kwargs): + html = str(html) + plugin_detection_schema = ( + re.compile(r"<.\S+.clipbucket", re.I), + re.compile(r"content.[\'\"]clipbucket", re.I), + re.compile(r"http(s)?.//(www.)?clip.bucket.com", re.I), + re.compile(r"http(s)?.//(www.)?clipbucket.com", re.I), + ) + for plugin in plugin_detection_schema: + if plugin.search(html) is not None: + return True diff --git a/lib/plugins/mssqlreportmanager.py b/lib/plugins/mssqlreportmanager.py new file mode 100644 index 0000000..9544198 --- /dev/null +++ b/lib/plugins/mssqlreportmanager.py @@ -0,0 +1,18 @@ +import re + + +__product__ = "Microsoft SQL Report Manager" +__description__ = ( + "Microsoft SQL Server Report Manager - web-based report access and management tool" +) + + +def search(html, **kwargs): + html = str(html) + plugin_detection_schema = ( + re.compile(r"content.[\'\"]?microsoft.sql.server.report", re.I), + re.compile(r"microsoft.sql.server.report.manager", re.I) + ) + for plugin in plugin_detection_schema: + if plugin.search(html) is not None: + return True
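Review bot: `search` in clipbucket.py has no return after the `for` loop, so a page with no match yields `None` rather than `False`; the same applies to `search` in mssqlreportmanager.py. Add `return False` after the loop in both (or write the body as `return any(p.search(html) is not None for p in plugin_detection_schema)`) so callers that compare against `False` behave consistently. The patterns are also looser than they read: the unescaped `.` in `clip.bucket.com`, `clipbucket.com` and `content.[\'\"]clipbucket` matches any character (presumably standing in for `:`, `-` and `=`), and none of the patterns is anchored, so a page that merely links to or mentions the product will be fingerprinted as running it — either escape the literal dots (`clip\.bucket\.com`) or state the intent in a comment, e.g. `# deliberately loose: any mention of the product counts as a hit`. `html = str(html)` is a no-op on str but on bytes under Python 3 produces the `b'...'` repr; harmless for these substring regexes, but a one-line comment on why the coercion is there would help the next reader.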