Today, while surfing the net, I found a nice link...
A few days (or weeks) ago I wrote a very simple (and 'dirty') piece of code that, after reading
the mentioned link, can be used here to check one idea. ;]
I decided to publish only a 'few lines' here, so as homework, try to add the other
functions mentioned in OWASP's publication. With a little modification
of the regexps, you will find DOM-based vulnerabilities at (from ;) remote host(s).
Remember to use it only against your own host.
--- < code > ---
#!/usr/bin/env python
# sialala ;]
#
import re
import urllib2
import sys
import urllib
import os
# defines :
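# Target URL from the command line. Guarded so that running the script with
# no argument reaches the usage message at the bottom of the file instead of
# stopping here with an IndexError.
url = sys.argv[1] if len(sys.argv) > 1 else None

# Working files; the relative names resolve against the current directory.
fpih = 'first_page.txt'        # raw copy of the fetched page
replaced = 'replaced.txt'      # the page re-split on ';' and '><'
found_log_here = 'FOUND.log'   # <script src=...> findings
save_js_log = 'savejs.txt'     # list of script URLs that were requested
extract_js = './output/'       # directory the fetched scripts are written to
final_log = 'FINAL.log'        # report of lines flagged for manual review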
# --------------------------------------------
# locate few vulns in files 'here'
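def tryhere(extract_js):
    """Scan every file under *extract_js* and log lines that deserve a manual look.

    Walks the directory tree with os.walk() and writes one entry to the
    ``final_log`` file for each line that contains:

    * ``function `` (a function definition whose parameters should be traced),
    * ``document.write`` together with ``+`` and ``"`` (string concatenation
      written into the page),
    * ``eval(``.

    Each pattern is tested on its own, so a long (for example minified) line
    that contains both ``function `` and ``eval(`` produces an entry for each
    instead of hiding the second behind the first. Line numbers are 1-based.

    These are plain substring matches: a hit means "read this line", not
    "this is vulnerable", and a miss does not mean the file is clean.

    The scanned files were fetched from a remote host and their lines are
    copied into the report verbatim, so read FINAL.log as untrusted text.
    """
    # (label used in the report, predicate, how the line is shown in the report)
    checks = (
        ('FUNCTION NAME',
         lambda text: 'function ' in text,
         lambda text: text.replace(';', ';\n\n')),
        ('DOCUMENT.WRITE',
         lambda text: ('document.write' in text
                       and '+' in text and '"' in text),
         lambda text: text),
        ('EVAL() FUNCTION',
         lambda text: 'eval(' in text,
         lambda text: text),
    )

    final = open(final_log, 'w')
    try:
        # A separate loop variable keeps the extract_js argument intact.
        for dirpath, _dirnames, filenames in os.walk(extract_js):
            final.write('[+] dirname to check: %s\n' % dirpath)
            print '\n___________________________________________'
            for filename in filenames:
                _scan_file(final, os.path.join(dirpath, filename), filename, checks)
                print ''
    finally:
        # Close explicitly so the report is flushed even if a file cannot be read.
        final.close()


def _scan_file(report, path, shown_name, checks):
    # Append one report entry per (line, matching check) for a single file.
    report.write('[+] --- filename ------------------------------------ > %s\n' % shown_name)
    with open(path, 'r') as fd:
        # enumerate() is the only counter, so each line gets exactly one number.
        for n_line, line in enumerate(fd, 1):
            for label, matches, render in checks:
                if not matches(line):
                    continue
                report.write('\t[!] =========> [+] Found %s, check at source:\n' % label)
                report.write('\t[ -> line number: [ %d ]\n' % n_line)
                report.write('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n' % render(line))
                report.write('-------> next ----> bug ---> -------------\n')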
## end get_files()
# --
# --------------------------------------------
# f() from http://code.activestate.com/recipes/496685-downloading-a-file-from-the-web/
# big thanks for an idea!
#
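def download(url):
    """Fetch *url* and store the response body in the ``extract_js`` directory.

    The URL is taken from markup of a page the operator does not control, so
    it is treated as untrusted:

    * only http and https URLs are fetched; urllib.urlopen() would otherwise
      also open file: URLs and bare local paths, copying a local file into
      the output directory;
    * the local file name is the last component of the URL *path* only
      (no query string, no directory parts), with a fixed fallback when that
      component is empty or a dot entry.

    Two scripts with the same base name overwrite each other. No timeout or
    size limit is applied to the transfer.
    """
    import urlparse  # Python 2 stdlib; imported here to leave the file header as it is

    parts = urlparse.urlsplit(url)
    if parts.scheme not in ('http', 'https'):
        print '[-] skipped (not http/https): ', url
        return

    # Backslashes are normalised first so the name cannot carry a directory
    # part on platforms that treat '\' as a separator.
    name = os.path.basename(parts.path.replace('\\', '/'))
    if name in ('', '.', '..'):
        name = 'unnamed.js'  # constructed fallback name

    if not os.path.isdir(extract_js):
        os.makedirs(extract_js)

    webFile = urllib.urlopen(url)
    try:
        # Binary mode: the body is stored byte for byte.
        with open(os.path.join(extract_js, name), 'wb') as localFile:
            localFile.write(webFile.read())
    finally:
        webFile.close()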
# eof ()
# -
# --------------------------------------------
# GET this URL and save it to fpih-log file
#
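def checkThisUrl(url):
    """Fetch *url* with urllib2 and save the body, unchanged, to the ``fpih`` file.

    Any error raised by urllib2.urlopen() propagates to the caller. No timeout
    is passed to the request.
    """
    print '[+] URL to check: ', url
    response = urllib2.urlopen(url)
    try:
        html_page = response.readlines()
    finally:
        # Release the connection even if reading fails part-way.
        response.close()
    with open(fpih, 'w') as fd:
        fd.writelines(html_page)
    print '[+] Content of URL saved to : ',fpih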
# eof()
# ----
# open fpih-log and replace ; with ;\n\n to separate
# JS code. (I know it's not 'the best of the best'
# method, but it will help with a few simple examples.
# There is no problem extending it in the future.)
#
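def sort_file(file):
    """Copy *file* to the ``replaced`` file with extra line breaks inserted.

    Every ``;`` becomes ``;`` plus a blank line and every ``><`` becomes
    ``>``, newline, ``<``, so that statements and tags end up on lines of
    their own for the line-based searches that follow. This is a textual
    split, not a parser: a ``;`` inside a string literal is split as well.

    The input is read from the *file* argument; the only call in this script
    passes ``fpih``.
    """
    print '[+] No we will sort log file a little.\n'
    with open(file, 'r') as src:
        with open(replaced, 'w') as out:
            for line in src:
                out.write(line.replace(';', ';\n\n').replace('><', '>\n<'))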
# eof()
# ----
# search for JS files in code
#
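def search_js(file):
    """List the ``<script src=...>`` lines of *file* in the ``found_log_here`` log.

    A line is reported when it contains ``<script `` and either
    `` src="http:`` (absolute URL) or `` src="/`` (path from the web root).
    The reported number is the 1-based line number inside *file*.

    NOTE(review): ``https:`` sources, relative paths without a leading slash
    and single-quoted attributes are not matched, so the list can be
    incomplete. A script loaded over plain http is worth recording as a
    finding of its own, because the code can be altered in transit.
    """
    with open(file, 'r') as fd:
        lines = fd.readlines()

    with open(found_log_here, 'w') as found_log:
        found_log.write('\n[+] Searching for code from JS files:\n')
        for n_line, line in enumerate(lines, 1):
            if '<script ' not in line:
                continue
            if ' src="http:' in line:
                found_log.write('[!] FOUND: HTTP in SCRIPT tag, line : %d .\n[+] Contain: \n %s' % (n_line, line))
            elif ' src="/' in line:
                found_log.write('[!] FOUND: WWW-ROOT in SCRIPT tag, line : %d .\n' % n_line)
                found_log.write('[+] Contain : \n %s' % line)
            else:
                continue
            found_log.write('\n\n--------------------------- next bug ---------------------------------->\n\n')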
# eof()
# ----
# try to get content of JS files found at URL (saved file)
#
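def try2get(file):
    """Fetch every script URL recorded in *file* (the FOUND log).

    Each line is searched for `` src="..."``. The value is resolved against
    the page URL with urljoin(), so absolute URLs are used as they are and
    root-relative or protocol-relative ones are completed from the base URL.
    The decision is made on the extracted value itself; the text ``http:``
    appearing elsewhere on the line no longer causes a relative path to be
    handed to download() as if it were a full URL.

    Every resolved URL is written to the ``save_js_log`` file. A script that
    cannot be fetched is reported and skipped so the rest are still processed.
    """
    import urlparse  # Python 2 stdlib; imported here to leave the file header as it is

    src_attr = re.compile(' src="(.*?)"')  # compiled once, not per line

    with open(file, 'r') as fd:
        fd_file = fd.readlines()

    with open(save_js_log, 'w') as save_js:
        for line in fd_file:
            m = src_attr.search(line)
            if not m:
                continue
            target = urlparse.urljoin(url, m.group(1))
            save_js.write('%s \n' % target)
            try:
                download(target)
            except IOError as err:
                print '[-] could not fetch: ', target, err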
# eof
# ----
# --------------------------------------------
# hi:
# Exactly one argument (the URL) is expected; anything else gets the usage line.
if len(sys.argv) != 2:
    print '[-] try: ', sys.argv[0] ,' URL\n'
else:
    # Pipeline: fetch the page, split it up, list the script tags,
    # fetch those scripts, then scan what was fetched.
    pipeline = (
        (checkThisUrl, url),
        (sort_file, fpih),
        (search_js, replaced),
        (try2get, found_log_here),
        (tryhere, extract_js),
    )
    for step, argument in pipeline:
        step(argument)
--- < code > ---
Read the code to run this code correctly. ;]
Cheers o/
(Hint from OWASP Code Review:
--- < code > ---
document.cookie
document.referrer
document.attachEvent
document.body
document.body.innerHTML
document.body.innerText
document.close
document.create(...)
and so on... Read it. ;)
--- < code > ---
o/