creating tamper scripts for the XSS payloads

This commit is contained in:
ekultek 2017-09-28 11:16:48 -05:00
parent bf922eeb7c
commit 9de772204e
7 changed files with 70 additions and 6 deletions

View file

View file

@ -0,0 +1,5 @@
import base64
def tamper(payload, **kwargs):
return base64.b64encode(payload)

View file

@ -0,0 +1,6 @@
def tamper(payload, **kwargs):
retval = hex(hash(payload))
if "-" in str(retval):
return retval[1:-1]
else:
return retval

View file

@ -0,0 +1,8 @@
def tamper(payload, **kwargs):
i = 0
retval = ""
while i < len(payload):
retval += "%u{}".format(ord(payload[i]))
i += 1
return retval

View file

@ -5,6 +5,12 @@ import tempfile
import requests
from lib.errors import InvalidTamperProvided
from lib.attacks.tamper_scripts import (
unicode_encode,
base64_encode,
hex_encode
)
from lib.settings import (
logger,
set_color,
@ -15,16 +21,46 @@ from lib.settings import (
)
def list_tamper_scripts(path="{}/lib/attacks/tamper_scripts"):
retval = set()
exclude = ["__init__.py", ".pyc"]
for item in os.listdir(path.format(os.getcwd())):
if not any(f in item for f in exclude):
item = item.split(".")[0]
item = item.split("_")[0]
retval.add(item)
return retval
def __tamper_payload(payload, tamper_type):
acceptable = list_tamper_scripts()
if tamper_type in acceptable:
if tamper_type == "unicode":
return unicode_encode.tamper(payload)
elif tamper_type == "hex":
return hex_encode.tamper(payload)
else:
return base64_encode.tamper(payload)
else:
raise InvalidTamperProvided(
"sent tamper type '{}' is not a valid type, acceptable are {}...".format(
tamper_type, ", ".join(list(acceptable))
)
)
def __load_payloads(filename="{}/etc/xss_payloads.txt"):
with open(filename.format(os.getcwd())) as payloads: return payloads.readlines()
def create_urls(url, payload_list):
def create_urls(url, payload_list, tamper=None):
tf = tempfile.NamedTemporaryFile(delete=False)
tf_name = tf.name
with tf as tmp:
for payload in payload_list:
loaded_url = "{}{}".format(url, payload)
if tamper:
payload = __tamper_payload(payload, tamper_type=tamper)
loaded_url = "{}{}\n".format(url, payload)
tmp.write(loaded_url)
return tf_name
@ -53,7 +89,11 @@ def scan_xss(url, agent=None, proxy=None):
return False, None
def main_xss(start_url, verbose=False, proxy=None, agent=None):
def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None):
if tamper:
logger.info(set_color(
"tampering payloads with '{}'...".format(tamper)
))
find_xss_script(start_url)
logger.info(set_color(
"loading payloads..."
@ -66,7 +106,7 @@ def main_xss(start_url, verbose=False, proxy=None, agent=None):
logger.info(set_color(
"payloads will be written to a temporary file and read from there..."
))
filename = create_urls(start_url, payloads)
filename = create_urls(start_url, payloads, tamper=tamper)
logger.info(set_color(
"loaded URL's have been saved to '{}'...".format(filename)
))

View file

@ -13,4 +13,7 @@ class SqlmapFailedStart(Exception): pass
class SpiderTestFailure(Exception): pass
class InvalidInputProvided(Exception): pass
class InvalidInputProvided(Exception): pass
class InvalidTamperProvided(Exception): pass

View file

@ -94,6 +94,8 @@ if __name__ == "__main__":
help="Show the arguments that nmap understands")
attacks.add_option("-P", "--show-possibles", dest="showAllConnections", action="store_true",
help="Show all connections made during the admin panel search")
attacks.add_option("--tamper", dest="tamperXssPayloads", metavar="TAMPER-SCRIPT",
help="Send the XSS payloads through tampering before sending to the target")
# search engine options
engines = optparse.OptionGroup(parser, "Search engine arguments",
@ -371,7 +373,7 @@ if __name__ == "__main__":
elif admin:
main(url, show=opt.showAllConnections, verbose=verbose)
elif xss:
main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use)
main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use, tamper=opt.tamperXssPayloads)
else:
pass
else: