s0md3v/XSStrike
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bug fix round #1

Browse Source
This commit is contained in:
s0md3v
2022-03-20 14:51:41 +05:30
parent e03c2dbb05
commit ba5c75bee7
5 changed files with 26 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
core/arjun.py
View File

@@ -1,42 +0,0 @@
import concurrent.futures
import re
from core.colors import green, end
from core.config import blindParams, xsschecker, threadCount
from core.requester import requester
from core.log import setup_logger
logger = setup_logger(__name__)
def checky(param, paraNames, url, headers, GET, delay, timeout):
if param not in paraNames:
logger.debug('Checking param: {}'.format(param))
response = requester(url, {param: xsschecker},
headers, GET, delay, timeout).text
if '\'%s\'' % xsschecker in response or '"%s"' % xsschecker in response or ' %s ' % xsschecker in response:
paraNames[param] = ''
logger.good('Valid parameter found: %s%s', green, param)
def arjun(url, GET, headers, delay, timeout):
paraNames = {}
response = requester(url, {}, headers, GET, delay, timeout).text
matches = re.findall(
r'<input.*?name=\'(.*?)\'.*?>|<input.*?name="(.*?)".*?>', response)
for match in matches:
try:
foundParam = match[1]
except UnicodeDecodeError:
continue
logger.good('Heuristics found a potentially valid parameter: %s%s%s. Priortizing it.' % (
green, foundParam, end))
if foundParam not in blindParams:
blindParams.insert(0, foundParam)
threadpool = concurrent.futures.ThreadPoolExecutor(max_workers=threadCount)
futures = (threadpool.submit(checky, param, paraNames, url,
headers, GET, delay, timeout) for param in blindParams)
for i, _ in enumerate(concurrent.futures.as_completed(futures)):
if i + 1 == len(blindParams) or (i + 1) % threadCount == 0:
logger.info('Progress: %i/%i\r' % (i + 1, len(blindParams)))
return paraNames

4
core/dom.py
View File

@@ -34,13 +34,13 @@ def dom(response):
for part in parts:
if source in part:
controlledVariables.add(re.search(r'[a-zA-Z$_][a-zA-Z0-9$_]+', part).group().replace('$', '\$'))
sourceFound = True
line = line.replace(source, yellow + source + end)
for controlledVariable in controlledVariables:
allControlledVariables.add(controlledVariable)
for controlledVariable in allControlledVariables:
matches = list(filter(None, re.findall(r'\b%s\b' % controlledVariable, line)))
if matches:
sourceFound = True
line = re.sub(r'\b%s\b' % controlledVariable, yellow + controlledVariable + end, line)
pattern = re.finditer(sinks, newLine)
for grp in pattern:
@@ -54,7 +54,7 @@ def dom(response):
num += 1
except MemoryError:
pass
if sinkFound and sourceFound:
if sinkFound or sourceFound:
return highlighted
else:
return []

5
modes/scan.py
View File

@@ -2,7 +2,6 @@ import copy
import re
from urllib.parse import urlparse, quote, unquote
from core.arjun import arjun
from core.checker import checker
from core.colors import end, green, que
import core.config
@@ -19,7 +18,7 @@ from core.log import setup_logger
logger = setup_logger(__name__)
def scan(target, paramData, encoding, headers, delay, timeout, skipDOM, find, skip):
def scan(target, paramData, encoding, headers, delay, timeout, skipDOM, skip):
GET, POST = (False, True) if paramData else (True, False)
# If the user hasn't supplied the root url with http(s), we will handle it
if not target.startswith('http'):
@@ -47,8 +46,6 @@ def scan(target, paramData, encoding, headers, delay, timeout, skipDOM, find, sk
logger.debug('Url to scan: {}'.format(url))
params = getParams(target, paramData, GET)
logger.debug_json('Scan parameters:', params)
if find:
params = arjun(url, GET, headers, delay, timeout)
if not params:
logger.error('No parameters to test.')
quit()

22
test.html Normal file
View File

@@ -0,0 +1,22 @@
<!DOCTYPE html>
<html>
<body>
<div>
<pre>document.writeln(new URL(window.location.href).searchParams.get("a"))</pre>
<script>document.writeln(new URL(window.location.href).searchParams.get("a"))</script>
</div>
<div>
<pre>document.write(new URLSearchParams(window.location.search).get("b"))</pre>
<script>document.write(new URLSearchParams(window.location.search).get("b"))</script>
</div>
<div>
<pre>eval(new URLSearchParams(window.location.search).get("c") || "")</pre>
<script>eval(new URLSearchParams(window.location.search).get("c") || "")</script>
</div>
<div>
<div id="xss-d"></div>
<pre>document.querySelector("#xss-d").innerHTML = new URLSearchParams(window.location.search).get("d")</pre>
<script>document.querySelector("#xss-d").innerHTML = new URLSearchParams(window.location.search).get("d")</script>
</div>
</body>
</html>

5
xsstrike.py
View File

@@ -49,8 +49,6 @@ parser.add_argument('--timeout', help='timeout',
dest='timeout', type=int, default=core.config.timeout)
parser.add_argument('--proxy', help='use prox(y|ies)',
dest='proxy', action='store_true')
parser.add_argument('--params', help='find params',
dest='find', action='store_true')
parser.add_argument('--crawl', help='crawl',
dest='recursive', action='store_true')
parser.add_argument('--json', help='treat post data as json',
@@ -95,7 +93,6 @@ fuzz = args.fuzz
update = args.update
timeout = args.timeout
proxy = args.proxy
find = args.find
recursive = args.recursive
args_file = args.args_file
args_seeds = args.args_seeds
@@ -174,7 +171,7 @@ elif not recursive and not args_seeds:
if args_file:
bruteforcer(target, paramData, payloadList, encoding, headers, delay, timeout)
else:
scan(target, paramData, encoding, headers, delay, timeout, skipDOM, find, skip)
scan(target, paramData, encoding, headers, delay, timeout, skipDOM, skip)
else:
if target:
seedList.append(target)