Ejemplo n.º 1
 for vect in vects:
     # Inner payload loop of the reflection scan: `vects`, `progress`, `total`,
     # `confidence`, `occurences`, `paramsCopy` and `paramName` are bound by an
     # enclosing loop that is not part of this excerpt.
     progress += 1
     print('%s Payloads tried [%i/%i]' % (run, progress, total),
           end='\r')
     # POST payloads are sent raw, so undo the URL-encoding the generator applied
     if not GET:
         vect = unquote(vect)
     efficiencies = checker(url, paramsCopy, headers, GET, delay, vect)
     # A falsy result (no measurement) is scored as 0 for every reflection;
     # note this assumes checker() returned a list, not None — TODO confirm
     if not efficiencies:
         for i in range(len(occurences)):
             efficiencies.append(0)
     bestEfficiency = max(efficiencies)
     # vect[0] raises IndexError on an empty payload string; it is only
     # evaluated when the efficiency is below 100
     if bestEfficiency == 100 or (vect[0] == '\\'
                                  and bestEfficiency >= 95):
         print(('%s-%s' % (red, end)) * 60)
         print('%s Payload: %s' % (good, vect))
         print('%s Efficiency: %i' % (info, bestEfficiency))
         print('%s Cofidence: %i' % (info, confidence))
         if GET:
             flatParams = flattenParams(paramName, paramsCopy, vect)
             # Proof of concept: the crafted URL is opened in the operator's own
             # browser, so the payload executes there. There is no opt-out here
             # (a skipPOC-style flag would give the operator one); the '"' / '}'
             # exclusion presumably avoids URLs the browser would mangle — confirm
             if '"' not in flatParams and '}' not in flatParams:
                 webbrowser.open(url + flatParams)
         # Stop at the first fully working payload unless the user opts to go on
         choice = input(
             '%s Would you like to continue scanning? [y/N] ' %
             que).lower()
         if choice != 'y':
             quit()
     # Partial hits above the configured threshold are reported but do not pause
     elif bestEfficiency > minEfficiency:
         print(('%s-%s' % (red, end)) * 60)
         print('%s Payload: %s' % (good, vect))
         print('%s Efficiency: %i' % (info, bestEfficiency))
         print('%s Cofidence: %i' % (info, confidence))
Ejemplo n.º 2
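def _resolveScheme(target):
    """Return *target* with an explicit scheme.

    A target that already starts with ``http`` is returned unchanged. A bare
    host is probed over https first; if that request raises, the scan falls
    back to plain http. Because every later request (including ``headers``)
    then travels unencrypted, the downgrade is announced on stdout instead of
    happening silently.
    """
    if target.startswith('http'):
        return target
    try:
        # Probe only; the response body is not needed here
        requests.get('https://' + target)
    except Exception:
        print('%s https probe failed, falling back to plain http' % info)
        return 'http://' + target
    return 'https://' + target


def _reportPayload(vect, bestEfficiency, confidence):
    """Print one reported payload with its efficiency and confidence."""
    print(('%s-%s' % (red, end)) * 60)
    print('%s Payload: %s' % (good, vect))
    print('%s Efficiency: %i' % (info, bestEfficiency))
    print('%s Confidence: %i' % (info, confidence))


def _tryPayloads(url, paramName, paramsCopy, GET, occurences, vectors, total):
    """Send every generated vector for *paramName* and report the good ones.

    Args:
        url: target URL being scanned.
        paramName: parameter under test (used to build the PoC URL).
        paramsCopy: parameter dict with the checker marker in *paramName*.
        GET: True for a GET scan, False for POST.
        occurences: reflections found for the marker (non-empty).
        vectors: mapping of confidence -> list of payload strings.
        total: number of payloads across all confidences, for the progress line.

    Stops the program via ``quit()`` when a payload reaches full efficiency
    and the user declines to continue. Reads module-level headers, delay,
    minEfficiency, skipPOC and the colour/prefix constants.
    """
    progress = 0
    for confidence, vects in vectors.items():
        for vect in vects:
            progress += 1
            print('%s Payloads tried [%i/%i]' % (run, progress, total),
                  end='\r')
            # POST payloads are sent raw, so undo the generator's URL-encoding
            if not GET:
                vect = unquote(vect)
            efficiencies = checker(url, paramsCopy, headers, GET, delay, vect)
            if not efficiencies:
                # No measurement (falsy or None result): score every reflection 0
                efficiencies = [0] * len(occurences)
            bestEfficiency = max(efficiencies)
            # startswith() is safe on an empty payload where vect[0] would raise
            if bestEfficiency == 100 or (vect.startswith('\\')
                                         and bestEfficiency >= 95):
                _reportPayload(vect, bestEfficiency, confidence)
                if GET and not skipPOC:
                    flatParams = flattenParams(paramName, paramsCopy, vect)
                    # Proof of concept: the crafted URL is opened in the
                    # operator's own browser, so the payload executes there;
                    # skipPOC disables it. The '"' / '}' exclusion presumably
                    # avoids URLs the browser would mangle — TODO confirm
                    if '"' not in flatParams and '}' not in flatParams:
                        webbrowser.open(url + flatParams)
                # Pause at the first fully working payload unless told to go on
                choice = input(
                    '%s Would you like to continue scanning? [y/N] ' %
                    que).lower()
                if choice != 'y':
                    quit()
            elif bestEfficiency > minEfficiency:
                # Partial hit above the threshold: report, do not pause
                _reportPayload(vect, bestEfficiency, confidence)


def singleTarget(target, paramData):
    """Scan a single target for reflected XSS.

    Args:
        target: root URL, or a bare host whose scheme is probed (https, then http).
        paramData: POST body supplied by the user; falsy selects a GET scan.

    Side effects: prints progress to stdout, may open the crafted PoC URL in
    the local browser (see ``_tryPayloads``), and calls ``quit()`` when the
    target is unreachable, no parameters are found, fuzzing finishes, or the
    user declines to continue after a working payload.

    Reads module-level configuration: skipDOM, args, headers, delay, fuzz,
    xsschecker, minEfficiency, skipPOC and the colour/prefix constants.
    """
    GET = not paramData
    target = _resolveScheme(target)
    try:
        # NOTE(review): no timeout is passed, so an unresponsive target hangs here
        response = requests.get(target).text
        if not skipDOM:
            print('%s Checking for DOM vulnerabilities' % run)
            if dom(response):
                print('%s Potentially vulnerable objects found' % good)
    except Exception as e:
        print('%s Unable to connect to the target' % bad)
        print('%s Error: %s' % (bad, e))
        quit()
    url = getUrl(target, paramData, GET)
    params = getParams(target, paramData, GET)
    if args.find:
        params = arjun(url, GET, headers, delay)
    if not params:
        quit()
    # Any one parameter is enough to probe for a WAF
    firstParam = next(iter(params))
    WAF = wafDetector(url, {firstParam: xsschecker}, headers, GET, delay)
    if WAF:
        print('%s WAF detected: %s%s%s' % (bad, green, WAF, end))
    else:
        print('%s WAF Status: %sOffline%s' % (good, green, end))

    if fuzz:
        for paramName in params:
            print('%s Fuzzing parameter: %s' % (info, paramName))
            paramsCopy = copy.deepcopy(params)
            paramsCopy[paramName] = xsschecker
            fuzzer(url, paramsCopy, headers, GET, delay, WAF)
        quit()

    for paramName in params:
        paramsCopy = copy.deepcopy(params)
        print('%s Testing parameter: %s' % (info, paramName))
        paramsCopy[paramName] = xsschecker
        response = requester(url, paramsCopy, headers, GET, delay).text
        occurences = htmlParser(response)
        if not occurences:
            print('%s No reflection found' % bad)
            continue
        print('%s Reflections found: %s' % (info, len(occurences)))
        print('%s Analysing reflections' % run)
        # The return value was never read by this function; the call is kept
        # in case filterChecker has side effects of its own — TODO confirm
        filterChecker(url, paramsCopy, headers, GET, delay, occurences)
        print('%s Generating payloads' % run)
        vectors = generator(occurences, response)
        total = sum(len(v) for v in vectors.values())
        if total == 0:
            print('%s No vectors were crafted' % bad)
            continue
        print('%s Payloads generated: %i' % (info, total))
        _tryPayloads(url, paramName, paramsCopy, GET, occurences, vectors, total)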
Ejemplo n.º 3
# Baseline request with no parameters at all; its body is mined for parameter
# names further down.
firstResponse = requester(url, '', headers, GET, delay)

print('%s Now lets see how target deals with a non-existent parameter' % run)

# Send one random parameter whose value is its own name reversed and record
# how the page reacts: reflections, status code and content length.
originalFuzz = randomString(6)
data = {originalFuzz: originalFuzz[::-1]}
response = requester(url, data, headers, GET, delay)
reflections = response.text.count(originalFuzz[::-1])
print('%s Reflections: %s%i%s' % (info, green, reflections, end))

# Strip the echoed "name=value" pair so the baseline body is comparable later
originalResponse = response.text.replace(
    '%s=%s' % (originalFuzz, originalFuzz[::-1]), '')
originalCode = response.status_code
print('%s Response Code: %s%i%s' % (info, green, originalCode, end))

# NOTE(review): flattenParams is called with a single argument here — presumably
# a different helper from the three-argument one used by the scanner; confirm
newLength = len(response.text) - len(flattenParams(data))
print('%s Content Length: %s%i%s' % (info, green, newLength, end))

print('%s Parsing webpage for potenial parameters' % run)
heuristic(firstResponse.text, paramList)

# Repeat with a longer random name; the length delta against the baseline
# (halved, truncated toward zero as int(x / 2) does) becomes the multiplier.
fuzz = randomString(8)
data = {fuzz: fuzz[::-1]}
responseMulti = requester(url, data, headers, GET, delay)
multiplier = int(
    (len(responseMulti.text.replace('%s=%s' % (fuzz, fuzz[::-1]), '')) -
     len(originalResponse)) / 2)
print('%s Content Length Multiplier: %s%i%s' % (info, green, multiplier, end))