diff --git a/Plugin/background.js b/Plugin/background.js
index 668bc3c..91dd827 100644
--- a/Plugin/background.js
+++ b/Plugin/background.js
@@ -25,9 +25,9 @@ function extract_domain(url){
  * @param string(impact) - aggressivity of the scan from 0 to 5
  * */
-function send_target(server, url, deep, impact, cookies){
+function send_target(server, url, deep, impact, cookies, method, data){
     var http = new XMLHttpRequest();
-    infos = server + "/?url=" + url + "&deep="+ deep + "&impact=" + impact + "&cookies=" + cookies + "&useragent=" + navigator.userAgent;
+    infos = server + "/?url=" + url + "&deep="+ deep + "&impact=" + impact + "&cookies=" + cookies + "&useragent=" + navigator.userAgent + "&method=" + method + "&data="+ data;
     // Display the informations sent by the scanner
     http.onreadystatechange = function() {
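Review bot: The two new query parameters are appended to `infos` by plain string concatenation, so `send_target` relies entirely on its callers having pre-encoded `method` and `data`; the call sites in this commit use the deprecated `escape()`, which leaves `+`, `/` and `@` untouched, so a form value such as `a+b` reaches the Flask server as `a b`. Encoding in one place is safer: build the query with `new URLSearchParams({url: url, deep: deep, impact: impact, cookies: cookies, useragent: navigator.userAgent, method: method, data: data}).toString()` and drop `escape()` at the call sites, or at minimum replace `escape()` with `encodeURIComponent()`. Note also that `data` now carries whatever the user typed into the submitted form and `cookies` the site's cookies, and both travel to `server` inside a GET URL that will be written to its access log; a comment above the function such as `// WARNING: cookies and form data are sent in the query string; run the scanner server only on localhost or over TLS.` would make that explicit. The rest of `send_target` (the readystate handler and the send) lies outside this hunk.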
@@ -86,10 +86,46 @@ function send_target(server, url, deep, impact, cookies){
     chrome.storage.sync.set({'rce':0, 'xss': 0, 'sql': 0, 'lfi': 0, 'work': 0, 'list':'' })
+
+
+// Handle POST scan
+chrome.runtime.onMessage.addListener(
+    function(request, sender, sendResponse) {
+        if (request.type == "scan_plz" && request.data != ''){
+
+            // Start a POST scan with the url and the cookies
+            send_target(config_server, escape(request.url), 0, 0, escape(request.cookie), 'POST', escape(request.data));
+        }
+});
+
+
 // Launch a scan when the tab change - Submit a form / Open new URL from bar
 chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) {
-    if(changeInfo.status == 'complete'){
+
+    // Inject this function into the page to catch a submit event for every forms
+    function inject_onsubmit(){
+        for (var i = 0; i < document.forms.length ; i++) {
+            document.forms[i].addEventListener('submit', function(){
+
+                // Detect value of inputs of the form
+                post_data = '';
+                for (var j = 0; j < document.forms[i-1].elements.length -1; j++) {
+                    post_data += (document.forms[i-1].elements[j].name+":"+document.forms[i-1].elements[j].value+"|");
+                }
+
+                // Send data to this plugin (POST Scan)
+                if(post_data != ''){
+                    console.log(post_data);
+                    chrome.runtime.sendMessage({type: "scan_plz", data:post_data, url:document.location.href, cookie:document.cookie}, function() {});
+                }
+            });
+        }
+    }
+    chrome.tabs.executeScript({code: '(' + inject_onsubmit + ')();'}, (results) => {});
+
+
+    // Get the information of the updated tab
     chrome.tabs.get(tabId, function(tab){
         // Handle start/stop button
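Review bot: Every submit listener installed by `inject_onsubmit` reads `document.forms[i-1]`, but `i` is a function-scoped `var` shared by all of the closures and equals `document.forms.length` by the time any submit fires, so whichever form the user submits, the data is read from the last form on the page; use `event.currentTarget` (or `this`) inside the handler instead. The inner loop's `elements.length -1` bound also drops the last control of the form whatever it is (if the intent was to skip the submit button, test its `type` rather than its position), and `post_data = ''` is assigned without a declaration, so it leaks as a global into the page. Because the `changeInfo.status == 'complete'` guard is removed here, `executeScript` now runs on every `onUpdated` event for a tab, which appears to stack duplicate listeners and send duplicate `scan_plz` messages per submit; a one-time flag on `window` avoids that. Finally, the captured data includes password fields and `document.cookie` and is forwarded to `config_server` in a GET query string, where it will land in the scanner's access log, so state that in a comment and consider excluding `type=password` inputs unless the scan really needs them.

```javascript
function inject_onsubmit(){
    if (window.__scanner_hooked) { return; }   // onUpdated fires several times per navigation
    window.__scanner_hooked = true;
    for (var i = 0; i < document.forms.length ; i++) {
        document.forms[i].addEventListener('submit', function(event){
            var form = event.currentTarget;      // the submitted form, not document.forms[i-1]
            var post_data = '';
            for (var j = 0; j < form.elements.length; j++) {
                if (!form.elements[j].name) { continue; }   // unnamed controls are never posted
                post_data += (form.elements[j].name+":"+form.elements[j].value+"|");
            }
            // … unchanged: sendMessage of post_data, url and cookie …
        });
    }
}
```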
@@ -99,17 +135,19 @@ chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) { // Extract cookies from the domain var cookies_string = ""; chrome.cookies.getAll({ 'domain': extract_domain(tab.url)}, function(cookies) { + + // Custom cookie string with all cookies from the domain for (var i = 0; i < cookies.length; i++) { cookies_string += ("name:" + cookies[i].name + "|value:" + cookies[i].value+"\n"); } - // Start a scan with the url and the cookies - send_target(config_server, escape(tab.url), 0, 0, escape((cookies_string)) ); + // Start a GET scan with the url and the cookies + send_target(config_server, escape(tab.url), 0, 0, escape(cookies_string), 'GET', ''); + }); } - }); + }); } - }); \ No newline at end of file diff --git a/README.md b/README.md index eaea656..f01091d 100755 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App ## TODO - Work in progress - Should detect target in source code.. (list of targets, then launch scan) - Should detect and work with POST requests +- all scans will be in another file, scans.py, (get_scan, post_scan) ## Thanks - Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/) diff --git a/Server/server.py b/Server/server.py index 386e61b..4725b24 100644 --- a/Server/server.py +++ b/Server/server.py 
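Review bot: The closing lines of the `onUpdated` listener look unbalanced on the new side: the `if(changeInfo.status == 'complete'){` line was removed in the previous hunk, but here two `});` lines are removed while the `}` that closed that `if` is kept, so as far as this collapsed hunk can be read, `chrome.tabs.get(...)` or the listener itself is left unclosed and the file ends on a stray `}` with no trailing newline. Please load the unpacked extension and confirm background.js still parses; the expected tail is one `});` for `chrome.tabs.get(tabId, function(tab){` followed by one `});` for `chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) {`. Dropping the `'complete'` guard also means this GET scan now fires on every tab update, including the `loading` event, so each navigation is scanned at least twice; if the guard was removed so the submit hook is injected early, keep `if (changeInfo.status == 'complete')` around the `send_target` call and let the injected hook cover the POST case. The listener's body begins in the previous hunk.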
@@ -163,34 +163,63 @@ def index():
     args = request.args
     url = args['url']
     useragent = args['useragent']
+    methods = args['method']
+    data = args['data']
-    # Parse cookies strings - string like name:username|value:admin
-    cookies_requests = {}
-    cookies_ghost = ""
-    for cookie in args['cookies'].split('\n'):
-
-        c = cookie.split('|')
-        if c != '' and c != None:
-            if len(c) != 1:
-                name = str(c[0]).replace('name:','')
-                value = str(c[1]).replace('value:','')
-                cookies_requests[name] = value
-                cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
-
+    # Parse args for GET
     if "?" in url:
+
+        # Parse cookies strings - string like name:username|value:admin
+        cookies_requests = {}
+        cookies_ghost = ""
+        for cookie in args['cookies'].split('\n'):
+
+            c = cookie.split('|')
+            if c != '' and c != None:
+                if len(c) != 1:
+                    name = str(c[0]).replace('name:','')
+                    value = str(c[1]).replace('value:','')
+                    cookies_requests[name] = value
+                    cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
+
+        # Parse url
         params = url.split('?')[1]
         regex = re.compile('([a-zA-Z0-9\-_]*?)=')
         matches = regex.findall(params)
         # Launch scans
         for fuzz in matches:
-            print "\n---[ New parameter " + fuzz + " for url: " + url + " ]---"
+            print "\n---[ GET - New parameter " + fuzz + " for url: " + url + " ]---"
             scan_xss(vulns, url, fuzz, cookies_ghost, useragent)
             scan_lfi(vulns, url, fuzz, cookies_requests, useragent)
             scan_sql_error(vulns, url, fuzz, cookies_requests, useragent)
             scan_sql_blind_time(vulns, url, fuzz, cookies_requests, useragent)
             scan_rce(vulns, url, fuzz, cookies_requests, useragent)
+    # Parse args for POST
+    if data != '':
+
+        # Parse document.cookie for Ghost and Requests
+        cookies_requests = {} #dict
+        cookies_ghost = "" #string header
+        for cookie in args['cookies'].split(';'):
+            c = cookie.split('=')
+            if c != '' and c != None:
+                if len(c) != 1:
+                    name = c[0]
+                    value = c[1]
+                    cookies_requests[name] = value
+
cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";" + + # DEBUG + print cookies_requests + print cookies_ghost + + # TODO parse POST data + fuzz = data + print "\n---[ POST - New parameter |" + fuzz + "| for url: " + url + " ]---" + + # Display results as a json return jsonify(vulns)
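Review bot: The `# DEBUG` block in the new POST branch prints `cookies_requests` and `cookies_ghost` — every cookie of the site being scanned, session tokens included — to the server's stdout, where they end up in whatever captures the process output; drop the two `print` lines before merging, or log cookie names only. The parser feeding them also mishandles the `document.cookie` format it receives: `cookie.split('=')` with `c[1]` truncates any value that itself contains `=` (base64 padding, signed cookies), the names keep the leading space left by the `; ` separator, the `.replace('name:', ...)` chain on `cookies_ghost` is a leftover of the GET `name:|value:` format and does nothing here, and `c != '' and c != None` is always true for a list. Reading the new parameters with `args['method']` / `args['data']` raises a `BadRequestKeyError` (HTTP 400) for an older plugin that does not send them, so `args.get('method', 'GET')` and `args.get('data', '')` keep the endpoint backward-compatible; `methods` is assigned but never used. A corrected cookie loop:

```python
        # Parse document.cookie ("a=1; b=2") for Ghost and Requests
        cookies_requests = {}
        cookies_ghost = ""
        for cookie in args['cookies'].split(';'):
            c = cookie.strip().split('=', 1)   # split once: values may contain '='
            if len(c) != 1:
                name, value = c
                cookies_requests[name] = value
                cookies_ghost += " " + name + "=" + value + ";"
        # … unchanged: TODO parse POST data …
```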