epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

xsser 1.7b POST XSS test doesn't work #14

Closed xj90512 closed 7 years ago

xj90512 commented 8 years ago

This is what I use: xsser -u 'http://127.0.0.1/DVWA/vulnerabilities/xss_r' -p 'txtName=123&btnSign=Sign+Guestbook&mtxMessage=123' --cookie='security=medium; PHPSESSID=v22q9j23m3f7i1nk15favvfg72' --auto --heuristic --threads 30 --timeout 30 --retries 1 --delay 0 --follow-redirects

Error log (using DVWA to test xsser):

===========================================================================
Target: http://127.0.0.1/DVWA/vulnerabilities/xss_r/ --> 2016-08-10 13:31:31.291877
===========================================================================

---------------------------------------------
[-] Hashing: b971c643cf9456ca02083186fa9192bf
[+] Trying: <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="b971c643cf9456ca02083186fa9192bf">x</button>
[+] Browser Support: [Not Info]
[-] Injection Results:

XSSer is not working propertly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (http://127.0.0.1/DVWA/vulnerabilities/xss_r/)

This is the result:

[*] Final Results:

epsylon commented 8 years ago

Hi, it looks like something is wrong when building the target URI. Extracted from the XSSer examples using POST:

Is your target OK? -> -u 'http://127.0.0.1/DVWA/vulnerabilities/xss_r' -> Does xss_r have any extension?

epsylon commented 8 years ago

Otherwise, if xss_r is OK and you want to test all parameters, try changing this in your command: -p 'txtName=123&btnSign=Sign+Guestbook&mtxMessage=123' to this (you can use 'XSS' as the keyword to inject your payloads there): -p 'txtName=XSS&btnSign=XSS&mtxMessage=XSS'

xj90512 commented 8 years ago

@epsylon thank you for the support!
1. HEAD alive check for the target is OK
2. Target is OK; here is the Burp Suite proxy request:


3. Now I use this command: ./xsser -u 'http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php' -p 'txtName=XSS&mtxMessage=XSS&btnSign=XSS' --cookie='security=low; PHPSESSID=6712q25gnsfs7q6mamile9ctn4' --auto -s but I get the same error for all requests! Like this:

Target: http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php --> 2016-08-15 10:04:23.768106
[-] Hashing: 25cfcbab689476601142c001727e65eb
[+] Trying: txtName=XSS&mtxMessage=XSS&btnSign=XSS

epsylon commented 8 years ago

3.now i use command:./xsser -u 'http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php'

But, according to your burp test:

https://cloud.githubusercontent.com/assets/5670103/17653972/2fad740c-62d0-11e6-8b50-4fd7ade3c6d1.png

Why are you using index.php at the end of your command?

epsylon commented 8 years ago

Btw, try using -v (verbose), so we can track more deeply how XSSer requests are built..

epsylon commented 8 years ago

Trying your last example, which is remote and easier for me to test. I found that the server replies with a 503 when it starts to receive a flood of injections.

Maybe it is not related to the XSSer code at all and more to the server-side configuration. Try sending injections with a delay (--delay) between them and see the results using verbose mode to discover how the server is responding. Also, maybe there is a WAF there...

Here is your example on my box:

xsser -u 'http://testphp.acunetix.com/userinfo.php' -p 'urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update' --cookie='login=test%2Ftest' -s -v

[Info] HEAD alive check for the target: (http://testphp.acunetix.com/userinfo.php) is OK(200) [AIMED]

[-] Hashing: b8a8869ec23d067422148d5e9cb1dac4
[+] Trying: urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update">b8a8869ec23d067422148d5e9cb1dac4
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:

[-] Injection Results:

**503 Service Unavailable: The server is currently unable to handle the request due to a temporary overloading**

xj90512 commented 8 years ago

log.txt: this is the command log.... Still waiting for your answer!

epsylon commented 7 years ago

@xj90512 "still waiting for your answer!" -> You mean, "thanks for your time epsylon", no? I tried your injection again and I see that you are not testing that app correctly. For example, you are injecting into "/userinfo.php", which doesn't exist. This redirects to "login.php", but the web server is not handling the request correctly. It looks like it is not a problem with XSSer. Review your target...

kojenov commented 7 years ago

I'm having the same issue! I'm testing a very simple CGI script that just reflects user input and can work with both GET and POST:

#!/usr/bin/perl
use CGI;
my $q = CGI->new;
print $q->header();
print "<html><body>" . $q->param('payload') . "</body></html>";

When I do GET, xsser correctly identifies the vulnerability:

root@kali:~/xss/xsser/xsser# ./xsser -u http://172.30.11.103/cgi-bin/xss.pl?payload=xyz
...
[Info] HEAD alive check for the target: (http://172.30.11.103/cgi-bin/xss.pl?payload=xyz) is OK(200) [AIMED]
...
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
...
[+] Injection: http://172.30.11.103/cgi-bin/xss.pl?payload=xyz/">fd4a1bb5c48ee96d620d67671ee92a26

However, when I do a POST, it does not work:

root@kali:~/xss/xsser/xsser# ./xsser -u http://172.30.11.103/cgi-bin/xss.pl -p payload=xyz
...
[Info] HEAD alive check for the target: (http://172.30.11.103/cgi-bin/xss.pl) is OK(200) [AIMED]

Sending POST: payload=xyz 
...
---------------------------------------------
[-] Hashing: 2f007c706ffb40b3c320fa56851d07a4
[+] Trying: payload=xyz">2f007c706ffb40b3c320fa56851d07a4
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:

XSSer is not working properly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (http://172.30.11.103/cgi-bin/xss.pl)
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

What am I doing wrong?
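The check the thread is arguing about, reduced to its essentials: send a unique marker in the `payload` parameter by GET and by POST, then look for it unescaped in the response. This is an added example, not xsser's code and not kojenov's script; a WSGI stand-in for xss.pl is called in-process (no network), with an escaping variant to show what the CGI script would need to return instead. The names `make_app`, `probe`, `run_checks` and the `xyz">hash` marker shape (modelled on the "Trying:" log lines above) are assumptions.

```python
import hashlib
import html
import os
from io import BytesIO
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# XSSer's log shows it breaking out of an attribute with '">' before its hash; reuse that prefix.
MARKER_PREFIX = '">'

def make_app(escape_output):
    """WSGI stand-in for xss.pl (constructed): reflects 'payload' from GET query or POST body."""
    def app(environ, start_response):
        if environ["REQUEST_METHOD"] == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            params = parse_qs(environ["wsgi.input"].read(length).decode())
        else:
            params = parse_qs(environ.get("QUERY_STRING", ""))
        value = params.get("payload", [""])[0]
        if escape_output:  # hardened variant: what escapeHTML() would do in the Perl script
            value = html.escape(value, quote=True)
        start_response("200 OK", [("Content-Type", "text/html")])
        return [("<html><body>%s</body></html>" % value).encode()]
    return app

def probe(app, method, param="payload"):
    """One marker-bearing request, called in-process; True if the marker comes back unescaped."""
    marker = hashlib.md5(os.urandom(16)).hexdigest()
    encoded = urlencode({param: "xyz" + MARKER_PREFIX + marker})
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    if method == "POST":
        environ["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
        environ["CONTENT_LENGTH"] = str(len(encoded))
        environ["wsgi.input"] = BytesIO(encoded.encode())
    else:
        environ["QUERY_STRING"] = encoded
    body = b"".join(app(environ, lambda status, headers: None)).decode()
    return (MARKER_PREFIX + marker) in body

def run_checks():
    """Probe both variants with both methods -> {(variant, method): reflected}."""
    return {(name, method): probe(make_app(esc), method)
            for name, esc in (("reflecting", False), ("escaping", True))
            for method in ("GET", "POST")}

if __name__ == "__main__":
    for (name, method), hit in sorted(run_checks().items()):
        print(name, method, "reflected -> XSS" if hit else "not reflected")
```

A GET probe that reports "reflected" while the POST probe does not, against the same handler, points at the scanner's request building rather than at the target; that is the comparison the thread eventually made with a proxy.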

epsylon commented 7 years ago

GET:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?payload=" --no-head --payload=""

POST:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl" -p "payload=" --no-head --payload=""

kojenov commented 7 years ago

Now both fail:

# ./xsser -u "http://172.30.11.103/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert(1)</script>"
...
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
...
---------------------------------------------
[+] Trying: http://172.30.11.103/cgi-bin/xss.pl?payload=/<script>document.alert(1)</script>
[+] Checking: url attack with <script>document.alert(1)</script>... fail
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
# ./xsser -u "http://172.30.11.103/cgi-bin/xss.pl" -p "payload=" --no-head --payload="<script>document.alert(1)</script>"
...
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
...
[+] Trying: payload=<script>document.alert(1)<script>
[+] Browser Support: [manual_injection]
[-] Injection Results:

XSSer is not working properly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (http://172.30.11.103/cgi-bin/xss.pl)
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

kojenov commented 7 years ago

@epsylon I have created a test server, feel free to try the tool against it: http://138.68.22.94/cgi-bin/xss.pl?payload=xyz. xsser -p still doesn't work for me.

epsylon commented 7 years ago

Try changing the number '1' to the keyword 'XSS' and adding a '?' after 'xss.pl' in your POST spelling:

GET:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?payload=" --no-head --payload=""

POST:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?" -p "payload=" --no-head --payload=""

Btw, I will review POST; let me check against your webserver whether there is any bug there.

epsylon commented 7 years ago

Ok, no bugs. It is working perfectly. :1st_place_medal:

You can check that I have tried GET/POST methods against your server (by reviewing the logs) and that I exploited both correctly on it.

I used a proxy to check the headers before sending a request, which is a nice practice that I recommend to you next time for debugging tasks, and these are the results:

REQUEST:

POST /cgi-bin/xss.pl? HTTP/1.1
Host: 138.68.22.94
User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Connection: close
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 45

payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2

And this is how I launched XSSer to work with POST against your perl script:

ventiska% ./xsser -u "http://138.68.22.94/cgi-bin/xss.pl?" -p "payload=xyz"

NOTE: Remember to add a "?" to your URL because it is part of it --> YOUR SPELLING MISTAKE IN THIS ISSUE

[Info] HEAD alive check for the target: (http://138.68.22.94/cgi-bin/xss.pl?) is OK(200) [AIMED]

Sending POST: payload=xyz 

----------------
Target: http://138.68.22.94/cgi-bin/xss.pl? --> 2017-03-28 02:03:08.108838
---------------------------------------------
[-] Hashing: 6cb2ceb99cd8ad5705e59afd1bc047b2
[+] Trying: payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with ">PAYLOAD... ok

Mosquito(es) landed!

[*] Final Results:

- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %

[*] List of possible XSS injections:

[I] Target: http://138.68.22.94/cgi-bin/xss.pl?
[+] Injection: payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] 
 -------------------------------------------------- 

Sorry, but XSSer is also working correctly with POST. Please check it yourself again and report back.

Thanks for your time.

kojenov commented 7 years ago

I'm sorry man, but it is not working. I had a co-worker try this as well, and he had the same failure. We both use the latest xsser from github. Are you, by any chance, using a different version of the code?

Here are the MD5 checksums I have. Again, these files are straight from github.

# md5sum `find -name "*.py" | sort`

epsylon commented 7 years ago

Are you kidding me?

I cloned the repo directly from github; these are the commands I used:

git clone https://github.com/epsylon/xsser
cd xsser/
cd xsser/
python setup.py install

xsser -u "http://138.68.22.94/cgi-bin/xss.pl?" -p "payload=xyz"

POST injections are working correctly; check for yourself again, review the logs on your webserver (which are a 100% real PoC) and please, stop wasting my time..

kojenov commented 7 years ago

Look, I'm just trying to help... When three people are saying something is not working, maybe you should listen and cooperate to get to the root cause of the issue.

So, I spent some time in the debugger and found the problem. I've just submitted pull request #22. With those changes, both GET and POST are working. Feel free to accept the pull request or insist that I'm crazy and a waste of your time, I don't care :)

By the way, the question mark is absolutely unnecessary in the URL when the method is POST:

$ ./xsser -u "http://138.68.22.94/cgi-bin/xss.pl" -p "payload=xyz"
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================
[Info] HEAD alive check for the target: (http://138.68.22.94/cgi-bin/xss.pl) is OK(200) [AIMED]

Sending POST: payload=xyz 

===========================================================================
Target: http://138.68.22.94/cgi-bin/xss.pl --> 2017-03-29 17:35:02.713293
===========================================================================

---------------------------------------------
[-] Hashing: 3d39da37d50b5b9d69e63d27711083b6
[+] Trying: http://138.68.22.94/cgi-bin/xss.pl
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with ">PAYLOAD... ok

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %

===========================================================================
[*] List of possible XSS injections:
===========================================================================

[I] Target: http://138.68.22.94/cgi-bin/xss.pl
[+] Injection: http://138.68.22.94/cgi-bin/xss.pl
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] 
 -------------------------------------------------- 

epsylon commented 7 years ago

Look, I'm just trying to help... When three people are saying something is not working, maybe you should listen and cooperate to get to the root cause of the issue.

Do you really believe in that sentence? What about religion?... Haha.... ;-)

Sorry, I don't see the point of your issue. Did you test the steps added in my previous comment? I have tried your perl script against localhost and your remote webserver, just downloading the code directly from github, and it is working.

Did you check your webserver logs to see how the POST injections were made?

epsylon commented 7 years ago

I have recorded you a video: https://xsser.03c8.net/xsser/XSSer-POST-PoC.ogv

Sorry, but I keep trying to figure out what's wrong.

epsylon commented 7 years ago

Ok. I have found an error that only happens when no proxy is being used, which is the point of this issue. And it is related to deprecated code (which you pointed out correctly in your patch, when calling the callback) for some functions.

My mistake was to always be using a proxy (tor, burp), because that scenario is working. I figured it out because locally I was using burp to check it, and at that moment I realized that it is probably something related to the threads implementation and the proxy handler... So the code was not fully broken as you said, hehe, half and half...

Btw, I have tried your code on a VM and also against your webserver and it is working correctly, with and without a proxy, so I will push it to the production code...

Again, many thanks for your time. ;-)

epsylon commented 7 years ago

fixed: https://github.com/epsylon/xsser/pull/22#diff-2c923f735bfd1220e953982e86cd1e50

kojenov commented 7 years ago

Excellent! Thank you for the xsser and for your time troubleshooting this issue!