Bugfix - XSS Scanner working with Ghost update

Swissky 2017-09-12 22:01:07 +02:00
parent 62d77ece01
commit 4310733e43
5 changed files with 32 additions and 34 deletions

.gitignore vendored

@ -1,3 +1,4 @@
*.pyc *.pyc
Server/__pycache__/* Server/__pycache__/*
Server/core
TODO.md TODO.md


@ -5,25 +5,21 @@ The extension is working on the background and will notify you if it finds any v
![Image of a noticiation](https://github.com/swisskyrepo/DamnWebScanner/blob/master/Screens/Notification.png?raw=true) ![Image of a noticiation](https://github.com/swisskyrepo/DamnWebScanner/blob/master/Screens/Notification.png?raw=true)
Currently it scans for: Currently it scans for:
- SQL Injection - SQL Injection : Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
- Cross Site Scripting - Cross Site Scripting : Using a browser simulator (Ghost)
- Local File Inclusion - Local File Inclusion
- Remote Commands Execution - Remote Commands Execution using polyglot vectors based on time
All the features are: All the features are:
- Detect if the server is up with a "/ping" request - Detect if the server is up with a "/ping" request
- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag) - New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
- Basic page to list the vulnerabilities URL and TYPE - Basic page to list the vulnerabilities URL and TYPE
- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
- RCE scanner using polyglot vectors based on time
- Re-use your cookies and user-agent to get access to page with cookie-authentication - Re-use your cookies and user-agent to get access to page with cookie-authentication
- Export vulnerabilities into a CSV file - Export vulnerabilities into a CSV file
- Launch scan when a form is submitted or a page is opened via the URL bar - Launch scan when a form is submitted or a page is opened via the URL bar
**Warning :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry **Warning :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
**Warning 2:** XSS Scanner seems to be broken due to an update in the Ghost lib. I'm working on a fix.
## Install ## Install
You need to install and configure the server, it uses ghost and flask. You need to install and configure the server, it uses ghost and flask.
1. To get started you only need to start the docker and the dependencies will be installed. 1. To get started you only need to start the docker and the dependencies will be installed.


@ -10,37 +10,38 @@ import re
Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
""" """
def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data): def scan_xss(method, vulns, url, fuzz, cookie, useragent, data):
#payload = 'javascript://\'/</Title></sTyle></teXtarea></scRipt>--><svg" %0Aonload=confirm(42)//>*/prompt(42)/*<details/open/ontoggle=confirm`42` >' #payload = 'javascript://\'/</Title></sTyle></teXtarea></scRipt>--><svg" %0Aonload=confirm(42)//>*/prompt(42)/*<details/open/ontoggle=confirm`42` >'
payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--' payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--'
try: try:
with firefox.start() as session: ghost = Ghost()
x = ghost.start()
# POST # POST
if (method == 'POST' and fuzz != ''): if (method == 'POST' and fuzz != ''):
inject = dict(data) inject = dict(data)
inject[fuzz] = inject[fuzz] + payload inject[fuzz] = inject[fuzz] + payload
del inject[''] del inject['']
page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent) page, extra_resources = x.open(url, headers={'Cookie':cookie}, user_agent=useragent)
result, resources = session.fill("form", inject) result, resources = x.fill("form", inject)
page, resources = session.call("form", "submit", expect_loading=True) page, resources = x.call("form", "submit", expect_loading=True)
result, resources = session.wait_for_alert(1) result, resources = x.wait_for_alert(1)
inject = url + ":" + fuzz + ":" + inject[fuzz] inject = url + ":" + fuzz + ":" + inject[fuzz]
# GET # GET
if (method == 'GET'): if (method == 'GET'):
inject = url.replace(fuzz+"=", fuzz+"="+payload) inject = url.replace(fuzz+"=", fuzz+"="+payload)
page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent) page, extra_resources = x.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
result, resources = session.wait_for_alert(1) result, resources = x.wait_for_alert(1)
# Detect XSS result with an alert # Detect XSS result with an alert
if result == '1': if result == '1':
print ("\t\t\033[93mXSS Detected\033[0m for ", fuzz, " with the payload :", payload) print ("\t\t\033[93mXSS Detected\033[0m for ", fuzz, " with the payload :", payload)
vulns['xss'] += 1 vulns['xss'] += 1
vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|' vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
else: else:
print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload) print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload)
except Exception as e: except Exception as e:
if "confirm" in str(e) : #or "alert" in str(e): if "confirm" in str(e) : #or "alert" in str(e):
@ -49,6 +50,7 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
vulns['xss'] += 1 vulns['xss'] += 1
vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|' vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
else: else:
print ("Error",e)
print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload) print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload)
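Review bot: The session created at `x = ghost.start()` is never exited — the old code held it in `with firefox.start() as session:`, and the new code has no matching close, so every call to scan_xss (one per parameter, per request in the Flask handler) leaves a Ghost session and its browser resources behind, and under a long-running server that growth is unbounded. If the session still supports the context-manager protocol the old code relied on, `with Ghost().start() as x:` restores the cleanup while keeping the per-call instance this fix introduces; otherwise wrap the body in `try`/`finally` and call the session's exit on the way out. Separately, the `except Exception` branch below also catches failures from `x.open`/`x.fill` themselves and reports any whose message contains "confirm" as a finding; a comment such as `# Ghost surfaces JS confirm() dialogs as exceptions; the message text is our only signal` would make that dependency explicit for the next person who touches it. The function body and its `try` continue past the hunk.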


@ -8,7 +8,6 @@ import datetime
import re import re
app = Flask(__name__) app = Flask(__name__)
firefox = Ghost()
""" Route /ping """ Route /ping
Description: Simple ping implementation to check if the server is up via the extension Description: Simple ping implementation to check if the server is up via the extension
@ -92,7 +91,7 @@ def index():
# Launch scans - iterate through all parameters # Launch scans - iterate through all parameters
for fuzz in matches: for fuzz in matches:
print ("\n---[ " + method + " - New parameter " + fuzz + " for url: " + url + " ]---") print ("\n---[ " + method + " - New parameter " + fuzz + " for url: " + url + " ]---")
scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, firefox, data_requests) scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, data_requests)
scan_lfi(method, vulns, url, fuzz, cookies_requests, useragent, data_requests) scan_lfi(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
scan_sql_error(method, vulns, url, fuzz, cookies_requests, useragent, data_requests) scan_sql_error(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
scan_sql_blind_time(method, vulns, url, fuzz, cookies_requests, useragent, data_requests) scan_sql_blind_time(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)


@ -5,6 +5,6 @@
<title></title> <title></title>
</head> </head>
<body> <body>
<p id='info'> TODO </p> <p id='info'> TODO - Will be used in the next release ;) </p>
</body> </body>
</html> </html>