From 9de772204ea2e48daa08dd9f22b54b47883ecc06 Mon Sep 17 00:00:00 2001 From: ekultek Date: Thu, 28 Sep 2017 11:16:48 -0500 Subject: [PATCH] creating tamper scripts for the XSS payloads --- lib/attacks/tamper_scripts/__init__.py | 0 lib/attacks/tamper_scripts/base64_encode.py | 5 ++ lib/attacks/tamper_scripts/hex_encode.py | 6 +++ lib/attacks/tamper_scripts/unicode_encode.py | 8 ++++ lib/attacks/xss_scan/__init__.py | 48 ++++++++++++++++++-- lib/errors.py | 5 +- zeus.py | 4 +- 7 files changed, 70 insertions(+), 6 deletions(-) create mode 100644 lib/attacks/tamper_scripts/__init__.py create mode 100644 lib/attacks/tamper_scripts/base64_encode.py create mode 100644 lib/attacks/tamper_scripts/hex_encode.py create mode 100644 lib/attacks/tamper_scripts/unicode_encode.py diff --git a/lib/attacks/tamper_scripts/__init__.py b/lib/attacks/tamper_scripts/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/lib/attacks/tamper_scripts/base64_encode.py b/lib/attacks/tamper_scripts/base64_encode.py new file mode 100644 index 0000000..19b2979 --- /dev/null +++ b/lib/attacks/tamper_scripts/base64_encode.py @@ -0,0 +1,5 @@ +import base64 + + +def tamper(payload, **kwargs): + return base64.b64encode(payload) \ No newline at end of file diff --git a/lib/attacks/tamper_scripts/hex_encode.py b/lib/attacks/tamper_scripts/hex_encode.py new file mode 100644 index 0000000..5365a96 --- /dev/null +++ b/lib/attacks/tamper_scripts/hex_encode.py @@ -0,0 +1,6 @@ +def tamper(payload, **kwargs): + retval = hex(hash(payload)) + if "-" in str(retval): + return retval[1:-1] + else: + return retval diff --git a/lib/attacks/tamper_scripts/unicode_encode.py b/lib/attacks/tamper_scripts/unicode_encode.py new file mode 100644 index 0000000..1433fa7 --- /dev/null +++ b/lib/attacks/tamper_scripts/unicode_encode.py @@ -0,0 +1,8 @@ +def tamper(payload, **kwargs): + i = 0 + retval = "" + + while i < len(payload): + retval += "%u{}".format(ord(payload[i])) + i += 1 + return retval diff --git a/lib/attacks/xss_scan/__init__.py b/lib/attacks/xss_scan/__init__.py index 2ddb424..671c081 100644 --- a/lib/attacks/xss_scan/__init__.py +++ b/lib/attacks/xss_scan/__init__.py @@ -5,6 +5,12 @@ import tempfile import requests +from lib.errors import InvalidTamperProvided +from lib.attacks.tamper_scripts import ( + unicode_encode, + base64_encode, + hex_encode +) from lib.settings import ( logger, set_color, @@ -15,16 +21,46 @@ from lib.settings import ( ) +def list_tamper_scripts(path="{}/lib/attacks/tamper_scripts"): + retval = set() + exclude = ["__init__.py", ".pyc"] + for item in os.listdir(path.format(os.getcwd())): + if not any(f in item for f in exclude): + item = item.split(".")[0] + item = item.split("_")[0] + retval.add(item) + return retval + + +def __tamper_payload(payload, tamper_type): + acceptable = list_tamper_scripts() + if tamper_type in acceptable: + if tamper_type == "unicode": + return unicode_encode.tamper(payload) + elif tamper_type == "hex": + return hex_encode.tamper(payload) + else: + return base64_encode.tamper(payload) + else: + raise InvalidTamperProvided( + "sent tamper type '{}' is not a valid type, acceptable are {}...".format( + tamper_type, ", ".join(list(acceptable)) + ) + ) + + def __load_payloads(filename="{}/etc/xss_payloads.txt"): with open(filename.format(os.getcwd())) as payloads: return payloads.readlines() -def create_urls(url, payload_list): +def create_urls(url, payload_list, tamper=None): tf = tempfile.NamedTemporaryFile(delete=False) tf_name = tf.name with tf as tmp: for payload in payload_list: - loaded_url = "{}{}".format(url, payload) + if tamper: + payload = __tamper_payload(payload, tamper_type=tamper) + loaded_url = "{}{}\n".format(url, payload) tmp.write(loaded_url) return tf_name @@ -53,7 +89,11 @@ def scan_xss(url, agent=None, proxy=None): return False, None -def main_xss(start_url, verbose=False, proxy=None, agent=None): +def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None): + if tamper: + logger.info(set_color( + "tampering payloads with '{}'...".format(tamper) + )) find_xss_script(start_url) logger.info(set_color( "loading payloads..." @@ -66,7 +106,7 @@ def main_xss(start_url, verbose=False, proxy=None, agent=None): logger.info(set_color( "payloads will be written to a temporary file and read from there..." )) - filename = create_urls(start_url, payloads) + filename = create_urls(start_url, payloads, tamper=tamper) logger.info(set_color( "loaded URL's have been saved to '{}'...".format(filename) )) diff --git a/lib/errors.py b/lib/errors.py index 606447d..bd8b81c 100644 --- a/lib/errors.py +++ b/lib/errors.py @@ -13,4 +13,7 @@ class SqlmapFailedStart(Exception): pass class SpiderTestFailure(Exception): pass -class InvalidInputProvided(Exception): pass \ No newline at end of file +class InvalidInputProvided(Exception): pass + + +class InvalidTamperProvided(Exception): pass \ No newline at end of file diff --git a/zeus.py b/zeus.py index bfd4926..e02320a 100755 --- a/zeus.py +++ b/zeus.py @@ -94,6 +94,8 @@ if __name__ == "__main__": help="Show the arguments that nmap understands") attacks.add_option("-P", "--show-possibles", dest="showAllConnections", action="store_true", help="Show all connections made during the admin panel search") + attacks.add_option("--tamper", dest="tamperXssPayloads", metavar="TAMPER-SCRIPT", + help="Send the XSS payloads through tampering before sending to the target") # search engine options engines = optparse.OptionGroup(parser, "Search engine arguments", @@ -371,7 +373,7 @@ if __name__ == "__main__": elif admin: main(url, show=opt.showAllConnections, verbose=verbose) elif xss: - main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use) + main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use, tamper=opt.tamperXssPayloads) else: pass else: