Monday 24 June 2013

[EN] Any JavaScript?

Today, durning surfing at net I found a nice link...

Few days (or weeks) ago I wrote a very simple (and 'dirty') code that after reading
mentioned link, can be used here to check one idea. ;]

I decide to publish here only a 'few lines' so as a homework, try to add other
functions mentioned at OWASP's publication. Try a little modification
of regexp's, you will find DOM-based vulnerabilities at (from ;) remote host(s).

Remember to use it only against your host.

--- < code > ---
#!/usr/bin/env python
# sialala ;]
#
import re
import urllib2
import sys
import urllib
import os

# defines :
url = sys.argv[1]
fpih = 'first_page.txt'        
replaced = 'replaced.txt'      
found_log_here = 'FOUND.log'
save_js_log = 'savejs.txt'
extract_js = './output/'
final_log = 'FINAL.log'

# --------------------------------------------
# locate few vulns in files 'here'
def tryhere(extract_js):
  final = open(final_log,'w')

  for extract_js, extract_jss, filenames in os.walk(extract_js):
    print final.writelines(('[+] dirname to check: %s\n') % ( extract_js))
    print '\n___________________________________________'
    for filename in filenames:
      def reada_file(filename):
        print  final.writelines(('[+] --- filename ------------------------------------ > %s\n') % (filename))

        with open(extract_js+'/'+filename,'r') as fd:
          n_line = 0
          page_file = fd.readlines()

          for line in page_file:
            n_line += 1

            if line.find('function ') != -1:
              print  final.writelines('\t[!] =========> [+] Found FUNCTION NAME, check at source:\n')
              print  final.writelines(('\t[ -> line number: [ %d ]\n') % (n_line))
              print  final.writelines(('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n') % (line.replace(';',';\n\n')))
              print  final.writelines('-------> next ----> bug ---> -------------\n')
            elif (line.find('document.write') != -1) & (line.find('+') != -1) & (line.find('"') != -1):
              print  final.writelines('\t[!] =========> [+] Found DOCUMENT.WRITE, check at source:\n')
              print  final.writelines(('\t[ -> line number: [ %d ]\n') % (n_line))
              print  final.writelines(('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n') % (line))
              print  final.writelines('-------> next ----> bug ---> -------------\n')

            elif line.find('eval(') != -1:
              print  final.writelines('\t[!] =========> [+] Found EVAL() FUNCTION, check at source:\n')
              print  final.writelines(('\t[ -> line number: [ %d ]\n') % (n_line))
              print  final.writelines(('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n') % (line))
              print  final.writelines('-------> next ----> bug ---> -------------\n')

            n_line=n_line+1

      print ''
      reada_file(filename)
## end get_files()
# --
# --------------------------------------------
# f() from http://code.activestate.com/recipes/496685-downloading-a-file-from-the-web/
# big thanks for an idea!
#
def download(url):

  webFile = urllib.urlopen(url)
  localFile = open(extract_js+url.split('/')[-1], 'w')
  localFile.write(webFile.read())
  webFile.close()
  localFile.close()

# eof ()
# -
# --------------------------------------------
# GET this URL and save it to fpih-log file
#
def checkThisUrl(url):
  print '[+] URL to check: ', url

  response = urllib2.urlopen(url)       # GET this URL
  html_page = response.readlines()      # read it per line

  fd = open(fpih,'w')                   # open fpih to write

  for line in html_page:                # save lines to fpih
    fd.writelines(line)

  fd.close()
  print '[+] Content of URL saved to : ',fpih

# eof()
# ----

# open fpih-log and replace ; for ;\n\n to specify
# JS code. (I know it's now 'the best of the best'
# method, but it will help with few simple examples.
# there is no problem to extend it in the future).
#
def sort_file(file):
  print '[+] No we will sort log file a little.\n'

  fd = open(fpih,'r')                   # read fpih
  fdRepLog = open(replaced,'w')         # create output log

  fd_page = fd.readlines()

  for line in fd_page:
    line = line.replace(';',';\n\n')
    if line:
      line = line.replace('><','>\n<')
      print fdRepLog.writelines(line)

  fdRepLog.close()
  fd.close()

# eof()
# ----
# search for JS files in code
#
def search_js(file):
  fd = open(replaced,'r')
  lines = fd.readlines()

  found_log = open(found_log_here,'w')
  n_line = 0

  print found_log.writelines('\n[+] Searching for code from JS files:\n')

  for line in lines:
    if line.find('<script ') != -1:
      if line.find(' src="http:') != -1:
        print found_log.writelines(('[!] FOUND: HTTP in SCRIPT tag, line : %d .\n[+] Contain: \n %s') % (n_line,line))
        n_line = n_line + 1
        print found_log.writelines('\n\n--------------------------- next bug ---------------------------------->\n\n')
      elif line.find(' src="/') != -1:
        print found_log.writelines(('[!] FOUND: WWW-ROOT in SCRIPT tag, line : %d .\n') % (n_line))
        print found_log.writelines(('[+] Contain : \n %s') % (line))
        print found_log.writelines('\n\n--------------------------- next bug ---------------------------------->\n\n')
        n_line = n_line + 1
  found_log.close()

# eof()
# ----
# try to get content of JS files found at URL (saved file)
#
def try2get(file):
  fd = open(found_log_here,'r')         # here we're looking for JS links
  fd_file = fd.readlines()              # per line
  save_js = open(save_js_log,'w')

  for line in fd_file:
    r = re.compile(' src="(.*?)"') # regex it
    m = r.search(line)          # match in line

    if m:
      txt = m.group(1)

      if line.find('http:') != -1:
        print save_js.writelines(('%s \n') % (txt))
        download(txt)
      else:
        print save_js.writelines(('%s%s \n') % (url,txt))
        download(url+txt)


  fd.close()
  save_js.close()

# eof
# ----
# --------------------------------------------
# hi:

if len(sys.argv) == 2:
  checkThisUrl(url)
  sort_file(fpih)
  search_js(replaced)
  try2get(found_log_here)
  tryhere(extract_js)

else:
  print '[-] try: ', sys.argv[0] ,' URL\n'


--- < code > ---

Read the code to run this code correctly. ;]

Cheers o/


(Hint from OWASP Code Review:
--- < code > ---

document.cookie
document.referrer
document.attachEvent
document.body
document.body.innerHtml
document.body.innerText
document.close
document.create(...)

and so on... Read it. ;)
--- < code > ---

o/

No comments:

Post a Comment

What do You think...?