Closed aerickson closed 6 years ago
I cannot reproduce your bug. Can you try it by using --verbose (or switching on main.py -> DEBUG=0 to DEBUG=1)?
Strange, perhaps because I'm on OS X?
Darwin REDACTED-B-MBP.local 15.6.0 Darwin Kernel Version 15.6.0: Mon Jan 9 23:07:29 PST 2017; root:xnu-3248.60.11.2.1~1/RELEASE_X86_64 x86_64
Thanks.
--
With --verbose:
REDACTED-B-MBP:~/Downloads/xsser_1.7-1/xsser-public > ./xsser --no-head -u 'http://REDACTED.compute.amazonaws.com' --threads 1 --delay 10 --verbose
===========================================================================
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
[-]Verbose: active
[-]Cookie: None
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: None
[-]Timeout: 30
[-]Delaying: 10 seconds
[-]Delaying: 10 seconds
[-]Retries: 1
===========================================================================
Target: http://REDACTED.compute.amazonaws.com --> 2017-04-14 11:30:37.042749
===========================================================================
---------------------------------------------
[-] Hashing: c9ef4aeda3600a6519a60b67925a9993
[+] Trying: http://REDACTED.compute.amazonaws.com/">c9ef4aeda3600a6519a60b67925a9993
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:
Date: Fri, 14 Apr 2017 18:30:47 GMT
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Accept, Content-Type, Origin, X-Requested-With, X-Auth-Token, X-Client-Token
X-Application-Context: application:live
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
http-code: 406
total-time: 0.175092
namelookup-time: 0.004958
connect-time: 0.065701
header-size: 536
request-size: 319
response-code: 406
ssl-verifyresult: 0
content-type:
cookielist: []
---------------------------------------------
[-] Injection Results:
Not injected!. Server responses with http-code different to: 200 OK (406)
===========================================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %
===========================================================================
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
===========================================================================
Traceback (most recent call last):
File "./xsser", line 38, in <module>
app.land(True)
File "/Users/REDACTED/Downloads/xsser_1.7-1/xsser-public/core/main.py", line 1966, in land
self.hub.shutdown()
File "/Users/REDACTED/Downloads/xsser_1.7-1/xsser-public/core/tokenhub.py", line 66, in shutdown
self.socket.shutdown(socket.SHUT_RDWR)
File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 57] Socket is not connected
REDACTED-B-MBP:~/Downloads/xsser_1.7-1/xsser-public >
With DEBUG=1:
REDACTED-B-MBP:~/Downloads/xsser_1.7-1/xsser-public > ./xsser --no-head -u 'http://REDACTED.compute.amazonaws.com' --threads 1 --delay 10
===========================================================================
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
===========================================================================
Target: http://REDACTED.compute.amazonaws.com --> 2017-04-14 11:31:42.844027
===========================================================================
---------------------------------------------
[-] Hashing: f5a6eac3004023fffb3357cb444937d6
[+] Trying: http://REDACTED.compute.amazonaws.com/">f5a6eac3004023fffb3357cb444937d6
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:
Not injected!. Server responses with http-code different to: 200 OK (406)
===========================================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %
===========================================================================
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
===========================================================================
Traceback (most recent call last):
File "./xsser", line 38, in <module>
app.land(True)
File "/Users/REDACTED/Downloads/xsser_1.7-1/xsser-public/core/main.py", line 1966, in land
self.hub.shutdown()
File "/Users/REDACTED/Downloads/xsser_1.7-1/xsser-public/core/tokenhub.py", line 66, in shutdown
self.socket.shutdown(socket.SHUT_RDWR)
File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 57] Socket is not connected
REDACTED-B-MBP:~/Downloads/xsser_1.7-1/xsser-public >
I think it is related with local machine ports. This happens sometimes with OSx when using websockets.
Look, the hub is binding a socket on localhost:19084
You can try to see when XSSer is launched if you have this port correctly listening (netstat -atunp | grep LISTEN).
If is not listening, you can try to change it on "core/tokenhub.py#line 75" for another port such as 9999 or 8080 and try it again.
I also encountered the same problem
@xiaofengtongxue can you provide me more details about it?. Which OS are you using?