epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

XSSer not working at all #25

Closed thiscantbetaken closed 6 years ago

thiscantbetaken commented 6 years ago

I've installed the most recent XSSer from the git repo with all of the required libraries, but it looks like it's not even establishing a network connection for some reason:

$ xsser -u "https://www.google.com"
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[Info] HEAD alive check for the target: (https://www.google.com) is FAILED(0) [DISCARDED]

===========================================================================

Mosquito(es) landed!

===========================================================================

I've tried various flags including disabling the HEAD check:

$ xsser -u "https://www.google.com" --no-head
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================
===========================================================================
Target: https://www.google.com --> 2017-12-20 17:33:29.180086
===========================================================================

---------------------------------------------
[-] Hashing: 3247c65fe58d70e02d17f21f87b93427
[+] Trying: https://www.google.com/">3247c65fe58d70e02d17f21f87b93427
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:

XSSer is not working properly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (https://www.google.com)

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %

===========================================================================

[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

And when specifying an interception proxy, no network connections are being made that I can see.

Any ideas?

thiscantbetaken commented 6 years ago

I pulled and updated a Docker Kali image this evening and then installed xsser - same issue as reported above.

It looks like the problem is with whatever SSL library (curl/openssl ?) that xsser is using, as the HEAD check works on http sites but fails on everything https.

epsylon commented 6 years ago

Hi @GregoryPerry706,

I see. It would be nice if you add -v (verbose) to your spelling to see detailed HTTP headers info.

Yes, it looks like a curl/requests/SSL error. Can you try it again but using 'http' ?

Which versions of these libs are you using?

Did you try the python setup.py install script for auto-installing?

thiscantbetaken commented 6 years ago

Unfortunately I ditched Ubuntu 17.10 over the last few days in lieu of CentOS 7. I think it may have been a conflict between Python2 and Python3, but who knows.

It doesn't look like xsser has any native support for RHEL, so I am going the Kali / Docker route with it tonight to see if that is a viable solution.

epsylon commented 6 years ago

@GregoryPerry706.... XSSer only supports python2.

You can specify it when spelling on the command shell by using:

python2 xsser -a http://target.com

And if you use --gui, XSSer will search for correct python env automatically.

It doesn't look like xsser has any native support for RHEL, so I am going the Kali / Docker route with it tonight to see if that is a viable solution.

Ok, let's take a look at those results...

thiscantbetaken commented 6 years ago

On the previous Ubuntu 17.10 host I had specified python2 on the command line, but with the same results.

Tonight I pulled, updated and then committed the most recent Kali Docker image, nothing is working with xsser:

# xsser -u "https://www.google.com"          
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[Info] HEAD alive check for the target: (https://www.google.com) is FAILED(0) [DISCARDED]

===========================================================================

Mosquito(es) landed!

===========================================================================

and...

# xsser -u "https://www.google.com" --no-head
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================
===========================================================================
Target: https://www.google.com --> 2018-01-05 03:15:38.649203
===========================================================================

---------------------------------------------
[-] Hashing: 8e926102204899b5106fe336580708d9
[+] Trying: https://www.google.com/">8e926102204899b5106fe336580708d9
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:

XSSer is not working propertly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (https://www.google.com)

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %

===========================================================================

[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

with verbose flags...

# xsser -v -u "https://www.google.com"          
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: None
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: None
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

[Info] HEAD alive check for the target: (https://www.google.com) is FAILED(0) [DISCARDED]

===========================================================================

Mosquito(es) landed!

===========================================================================

--no-head verbose

# xsser -v -u "https://www.google.com" --no-head
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: None
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: None
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

===========================================================================
Target: https://www.google.com --> 2018-01-05 03:22:51.587444
===========================================================================

---------------------------------------------
[-] Hashing: 3c0dd857479a162a349e788e3cf50751
[+] Trying: https://www.google.com/">3c0dd857479a162a349e788e3cf50751
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:

http-code: 0
total-time: 0.11727
namelookup-time: 0.028437
connect-time: 0.034342
header-size: 0
request-size: 0
response-code: 0
ssl-verifyresult: 0
content-type: 
cookielist: []

---------------------------------------------
[-] Injection Results:

XSSer is not working propertly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (https://www.google.com)

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %

===========================================================================

[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

...host (Docker container) stuff:

# uname -or
3.10.0-693.11.6.el7.x86_64 GNU/Linux

# uname -a
Linux a7a887de0dec 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64 GNU/Linux

# cat /proc/version
Linux version 3.10.0-693.11.6.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Thu Jan 4 01:06:37 UTC 2018

# cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2017.3"
VERSION_ID="2017.3"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.kali.org/"
SUPPORT_URL="http://forums.kali.org/"
BUG_REPORT_URL="http://bugs.kali.org/"

# which python
/usr/bin/python

# ls -al /usr/bin/python
lrwxrwxrwx. 1 root root 9 Dec 13 22:39 /usr/bin/python -> python2.7
epsylon commented 6 years ago

@thiscantbetaken I see... Please try it again but using http:// as the target prefix (without SSL):

xsser -v -u "http://www.google.com" --no-head

thiscantbetaken commented 6 years ago

Same error no matter if it's https or http prefix.


epsylon commented 6 years ago

Is that happening to you also when using GTK?:

xsser --gtk -> Intruder mode -> http://www.google.com/ -> AIM -> Fly!

thiscantbetaken commented 6 years ago

I am running this in a Docker container so all command line.

FYI, I just got the 5000+ XSS payload database from the Xenotix project maintainer if you're interested. He is no longer supporting the project so it will likely be dropped by OWASP soon.


epsylon commented 6 years ago

Are other tools (net)working correctly on that Docker? It looks like something goes wrong with your connection or that you are missing some libs in your container/net build.

5000+ XSS sounds interesting. Are browsers supported by payloads on that list? Btw, you can openly pull it here... 🥇

thiscantbetaken commented 6 years ago

Yeah, everything else in the docker container works fine network-wise.


epsylon commented 6 years ago

@thiscantbetaken so it looks like it can be something related to pycurl or SSL libs. Are those libs correctly working with other tools?... It is really strange that only XSSer is not working on your docker, just without any other interaction. I think that your problem is not related to the code/tool...

Can you provide me more info about how you built that container?

thiscantbetaken commented 6 years ago

Just pulled it from the official docker repo. I am on a different flavor of Linux now and will pull it again to see if the same issue is there.


thiscantbetaken commented 6 years ago

FYI https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/blob/81e0c5e0c2d84cf13370e9ebe53c254b53528fc4/external/Scripting%20Engine/Xenotix%20Python%20Scripting%20Engine/bin/x86/Debug/Modules/payload.dat


epsylon commented 6 years ago

@thiscantbetaken roger!

epsylon commented 6 years ago

fixed: removed SSL deprecated method: https://github.com/epsylon/xsser/issues/27#issuecomment-380459116
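
The HEAD alive check in the logs above collapses every failure into "FAILED(0)" / "http-code: 0", which is why the thread had to guess between curl, the SSL libs and the container network for weeks. Below is an added example (not XSSer's code; it uses the standard library urllib and ssl instead of pycurl) of an alive check that keeps DNS, TCP connect, TLS handshake, timeout and HTTP-level outcomes apart, so a verbose log names the layer that broke. The function names (head_alive_check, run_local_demo), the local stand-in server and the sample URLs are my own constructions; the demo runs entirely against 127.0.0.1.

```python
"""Diagnostic HEAD "alive" check that reports *why* a target is unreachable.

Added example, not the xsser project's code. Standard library only
(urllib + ssl rather than pycurl), so it runs offline against a local
stand-in server started by run_local_demo().
"""
import http.server
import socket
import ssl
import threading
import urllib.error
import urllib.request


def head_alive_check(url, timeout=30, context=None):
    """Send a HEAD request and classify the outcome.

    Returns a dict:
      ok     -- True when any HTTP status came back (the host is alive)
      status -- HTTP status code, or 0 when no response was received
      error  -- None, or one of "dns", "connect", "tls", "timeout", "other"
      detail -- the underlying exception text, for the verbose log
    """
    if context is None:
        # Modern defaults: no SSLv3/TLS 1.0, system CA bundle, hostname check.
        context = ssl.create_default_context()
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            return {"ok": True, "status": resp.status, "error": None, "detail": ""}
    except urllib.error.HTTPError as e:
        # 4xx/5xx still proves the host answers; only the resource is unhappy.
        return {"ok": True, "status": e.code, "error": None, "detail": str(e.reason)}
    except urllib.error.URLError as e:
        reason = e.reason  # urllib wraps the socket/ssl exception here
        if isinstance(reason, ssl.SSLError):
            kind = "tls"
        elif isinstance(reason, socket.gaierror):
            kind = "dns"
        elif isinstance(reason, socket.timeout):
            kind = "timeout"
        elif isinstance(reason, ConnectionError):
            kind = "connect"
        else:
            kind = "other"
        return {"ok": False, "status": 0, "error": kind, "detail": str(reason)}
    except socket.timeout as e:
        # Timeout while reading the response rather than while connecting.
        return {"ok": False, "status": 0, "error": "timeout", "detail": str(e)}


class _HeadOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in target: 200 on "/", 404 on "/missing"."""

    def do_HEAD(self):
        self.send_response(404 if self.path == "/missing" else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_local_demo():
    """Exercise the check against a live local server, a 404 path and a closed port.

    Returns (alive, not_found, refused) so a caller can inspect all three.
    """
    server = http.server.HTTPServer(("127.0.0.1", 0), _HeadOnlyHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        alive = head_alive_check("http://127.0.0.1:%d/" % port, timeout=5)
        not_found = head_alive_check("http://127.0.0.1:%d/missing" % port, timeout=5)
    finally:
        server.shutdown()
        server.server_close()
    # Port is closed now: the check must say "connect", not a bare 0.
    refused = head_alive_check("http://127.0.0.1:%d/" % port, timeout=5)
    return alive, not_found, refused


if __name__ == "__main__":
    for label, result in zip(("alive", "not_found", "refused"), run_local_demo()):
        print(label, result)
```

Two things the demo makes visible: a 404 (or 405 from a server that rejects HEAD) still counts as "alive", which is exactly the case where a tool's --no-head style override should be used rather than discarding the target; and a closed port is reported as a connect failure with the OS error text, so a log line like the page's "FAILED(0)" would instead carry "connect: Connection refused" or "tls: ..." and point straight at the library or network layer at fault.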

Varun416 commented 4 years ago

Getting error: I am getting an issue when I am running python3 xsser --gtk:

root@kali:~/xsser# python3 xsser --gtk
Traceback (most recent call last):
  File "xsser", line 35, in <module>
    app.run()
  File "/root/xsser/core/main.py", line 2768, in run
    self.create_gtk_interface()
  File "/root/xsser/core/main.py", line 2688, in create_gtk_interface
    from core.gtkcontroller import Controller, reactor
  File "/root/xsser/core/gtkcontroller.py", line 49, in <module>
    from core.globalmap import GlobalMap
  File "/root/xsser/core/globalmap.py", line 47, in <module>
    import GeoIP
ModuleNotFoundError: No module named 'GeoIP'

epsylon commented 4 years ago

@Varun416 -> https://github.com/epsylon/xsser/issues/5#issuecomment-626388560