epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Cookie injection problem #28

Closed cuvoh closed 6 years ago

cuvoh commented 6 years ago

Hello. I apologize for my bad English. XSSer is a great tool, but I have a problem with cookie injection. XSSer, for some reason, makes an injection simultaneously in the cookie and in the URL. That's my command:

'''
xsser -u "http://127.0.0.1/mutillidae/index.php?page=capture-data.php" --Coo --payload="<script>alert(1);</script>" --proxy "http://127.0.0.1:8080"
'''

That's the request:

I tried many variations, otherwise I would not have written here. Google does not answer my questions. What am I doing wrong?

epsylon commented 6 years ago

What is the problem? You are injecting your script via "--payload", which is also used to define the cookie injection. Take a look at the main source code to understand it:

'''
if options.coo:
    # the cookie injection reuses the same payload template: the PAYLOAD
    # placeholder is replaced with a generated hash that is later searched for
    hashing = self.generate_hash('cookie')
    cookie = payload['payload'].replace('PAYLOAD', hashing)
'''

Are you using any transparent proxy (Burp, etc.) to review whether your injection is done correctly?

cuvoh commented 6 years ago

> What is the problem?

My problem is that I need to make an injection only in the cookie, not in the URL.

> Are you using any transparent proxy (burp, etc..) to review if your injection is correctly done?

Yes, I'm using a proxy. That's the request from Burp proxy:

'''
GET /mutillidae/index.php?page=capture-data.php/ HTTP/1.1
Host: 127.0.0.1
User-Agent: PycURL/7.43.0 libcurl/7.57.0 GnuTLS/3.5.16 zlib/1.2.8 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) libssh2/1.8.0 nghttp2/1.29.0 librtmp/2.3
Cookie:
'''

epsylon commented 6 years ago

Ok. Now I understand it. You cannot... :(

The manual injection payload is used to define both. It is not possible to make a "cookie only" injection.

Thanks for that burp output.

Let me think how to add it and I will commit that new feature soon.

epsylon commented 6 years ago

The problem here is how to hash some parameter input by the user. This issue is directly related to the schema of XSSer's main function (url_generation): https://xsser.03c8.net/xsser/url_generation.png That means that XSSer needs to generate a hash beforehand, used as a unique key, which is afterwards searched for in the target's reply to identify it. If you want to enter some code manually and it is a classic (as in the example you used), it is not a problem to identify the number '1' or the word 'XSS' in that payload, but it is not easy to implement for more complex spells. So, identifying something that only the user can know needs to bypass the hash-certification idea in the whole process... The good news is that I accept this quest. Let me solve it...
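The hash-and-search scheme described above, as an added example in Python that is not XSSer's own code: a unique marker is generated, substituted into the payload (into the PAYLOAD placeholder, or in place of the number in an alert(N)-style payload so the marker stays numeric), placed in the cookie, the URL, or both, and then searched for in the reply. The cookie name `xsser`, the rule of replacing the last query parameter for GET injection, the `fake_target` page that simulates Mutillidae offline, and all function names are assumptions made for this illustration.

```python
"""Hash-marker XSS detection in the spirit of XSSer's url_generation scheme.

Added example, not XSSer's own code. Assumed for illustration: the cookie
name 'xsser', the GET-injection rule (replace the value of the last query
parameter) and the simulated target page below.
"""
import re
import secrets
import string
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

COOKIE_NAME = "xsser"  # assumption: the page does not show XSSer's real cookie format

# Payloads like alert(1) carry a number that can be swapped for a numeric-only marker.
NUMERIC_CALL = re.compile(r"\b(alert|confirm|prompt)\s*\(\s*(\d+)\s*\)")


def generate_hash(numeric_only=False, length=10):
    """Random marker that is unlikely to occur in the target's page by chance."""
    if numeric_only:
        # non-zero first digit keeps the marker a plain decimal literal in JS
        first = secrets.choice("123456789")
        rest = "".join(secrets.choice(string.digits) for _ in range(length - 1))
        return first + rest
    return secrets.token_hex((length + 1) // 2)[:length]


def prepare_payload(user_payload):
    """Turn a user payload into (concrete payload, marker to search the reply for).

    PAYLOAD placeholder -> hex marker; alert(N)-style payload -> numeric marker
    in place of N; anything else -> the literal payload is its own marker, which
    is weaker (a short literal may match unrelated page text) but still works.
    """
    if "PAYLOAD" in user_payload:
        marker = generate_hash()
        return user_payload.replace("PAYLOAD", marker), marker
    m = NUMERIC_CALL.search(user_payload)
    if m:
        marker = generate_hash(numeric_only=True)
        return user_payload[: m.start(2)] + marker + user_payload[m.end(2):], marker
    return user_payload, user_payload


def build_request(url, payload, inject_cookie, inject_get, param=None):
    """Place the payload in the cookie, the URL, or both (the thread's three modes)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if inject_cookie:
        headers["Cookie"] = f"{COOKIE_NAME}={payload}"
    if inject_get:
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        if not query:
            raise ValueError("no GET parameter to inject into")
        target = param or query[-1][0]  # assumption: last parameter by default
        query = [(k, payload if k == target else v) for k, v in query]
        url = urlunsplit(parts._replace(query=urlencode(query)))
    return {"url": url, "headers": headers}


def fake_target(request, echo_cookie=True):
    """Constructed stand-in for the target page (no network): reflects the 'page'
    parameter unencoded and, optionally, the Cookie header as well."""
    page = dict(parse_qsl(urlsplit(request["url"]).query)).get("page", "")
    cookie = request["headers"].get("Cookie", "") if echo_cookie else ""
    return f"<html><body><p>{page}</p><p>{cookie}</p></body></html>"


def is_reflected(body, marker):
    """The marker coming back verbatim is the signal the scanner looks for."""
    return marker in body


def scan(url, user_payload, inject_cookie, inject_get, send=fake_target):
    """One probe: build the marked payload, send it, report whether it reflected."""
    concrete, marker = prepare_payload(user_payload)
    request = build_request(url, concrete, inject_cookie, inject_get)
    body = send(request)
    return {"marker": marker, "reflected": is_reflected(body, marker), "request": request}


if __name__ == "__main__":
    url = "http://127.0.0.1/mutillidae/index.php?page=capture-data.php"
    for name, cookie, get in (("cookie only", True, False),
                              ("GET only", False, True),
                              ("both", True, True)):
        r = scan(url, "<script>alert(1);</script>", cookie, get)
        print(f"{name:12} marker={r['marker']} reflected={r['reflected']}")
```

Because the marker is random and tied to one probe, a cookie-only run against a page that reflects only the URL reports no reflection, which is exactly the distinction the original combined injection could not make; a target that echoes neither parameter nor cookie never matches.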

epsylon commented 6 years ago

Hey,

Now, you have it ;-)

'''
python xsser -u "http://127.0.0.1/mutillidae/index.php?page=capture-data.php" --Coo --payload="" --proxy "http://127.0.0.1:8080" --no-head
'''

'''
GET /mutillidae/index.php?page=capture-data.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer: 127.0.0.1
Cookie:
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Connection: close
Content-type: application/x-www-form-urlencoded; charset=UTF-8
'''

Also, I have added a new feature to recognize specific numeric XSS payloads (e.g. alert(1)) and to generate numeric-only hashes:

'''
python xsser -u "http://127.0.0.1/mutillidae/index.php?page=capture-data.php" --Coo --payload="" --proxy "http://127.0.0.1:8080" --no-head
'''

'''
GET /mutillidae/index.php?page=capture-data.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Referer: 127.0.0.1
Cookie:
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Connection: close
Content-type: application/x-www-form-urlencoded; charset=UTF-8
'''

This is nice for increasing XSS bug discovery, and now the dorking system is more fun, hehe ;-)

--auto is also working for "Cookie Only":

'''
python xsser -u "http://127.0.0.1/mutillidae/index.php?page=capture-data.php" --Coo --payload="" --proxy "http://127.0.0.1:8080" --no-head --auto
'''

Thanks for your report!

epsylon commented 6 years ago

Finally, to inject in both (cookie injection + GET):

'''
python xsser -u "http://127.0.0.1/mutillidae/index.php?page=XSS" --Coo --payload="" --proxy "http://127.0.0.1:8080" --no-head
'''