Closed ghost closed 4 years ago
You need to use XSS to mark the keyword, as the help says.
Oh that worked :D my bad..
but one of the domains threw this error
```
===========================================================================
[*] Test: [ 13/8931 ] <-> 2019-12-12 16:57:04.133932
===========================================================================
[+] Target:
[ http://***************.com/ ]
Traceback (most recent call last):
  File "./xsser", line 35, in <module>
    app.run()
  File "/home/iqzer0/tools/xsser/core/main.py", line 2726, in run
    self.poll_workers()
  File "/home/iqzer0/tools/xsser/core/main.py", line 2243, in poll_workers
    self.pool.poll()
  File "/home/iqzer0/tools/xsser/core/threadpool.py", line 358, in poll
    request.callback(request, result)
  File "/home/iqzer0/tools/xsser/core/main.py", line 910, in _cb
    self.finish_attack_url_payload(c, request, result, payload,
  File "/home/iqzer0/tools/xsser/core/main.py", line 1024, in finish_attack_url_payload
    if c.info()["http-code"] in ["200", "302", "301"]:
  File "/home/iqzer0/tools/xsser/core/curlcontrol.py", line 454, in info
    m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';')
TypeError: decoding to str: need a bytes-like object, NoneType found
```
Thanks @Dylan886 @ikewzer0. It would be nice to know why this specific target is replying with an empty 'content-type'. Maybe you can try to debug it a bit more, using -v (verbose), to see if the other HTTP header values are OK. Btw, it seems easy to patch by just adding a try/exception routine. Please try to research this latest "issue" a bit more and I will fix it quickly.
Hi @epsylon, I used the verbose mode, and it didn't show any additional information.
For example, this URL shows the same error message too: http://api.marketplace.ibm.com/
Hi @ikewzer0, I cannot reproduce your error. Here your spelling is working correctly. We need more info about your environment. Please try to fill in this form: https://github.com/epsylon/xsser/blob/master/.github/ISSUE_TEMPLATE/bug_report.md
```
ventiska% xsser -u http://api.marketplace.ibm.com/ -g "XSS" -v
===========================================================================
XSSer v1.8[2]: "The Hiv3!" - (https://xsser.03c8.net) - 2010/2019 -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
===========================================================================
[*] Test: [ 1/1 ] <-> 2019-12-13 10:58:50.183578
===========================================================================
[+] Target:
[ http://api.marketplace.ibm.com/ ]
---------------------------------------------
[!] Hashing:
[ f4a204aa87e031e993fbcaf154a2646e ] : [ http://api.marketplace.ibm.com/XSS ]
---------------------------------------------
[*] Trying:
http://api.marketplace.ibm.com/">f4a204aa87e031e993fbcaf154a2646e
---------------------------------------------
[+] Vulnerable(s):
[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
---------------------------------------------
[+] HTTP Headers Verbose:
[Client Request]
Cookie: None
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Referer: None
Extra Headers: None
X-Forwarded-For: None
X-Client-IP: None
Authentication Type: None
Authentication Credentials: None
Proxy: None
Timeout: 30
Delaying: 0 seconds
Delaying: 0 seconds
Retries: 1
[Server Reply]
http-code: 301
total-time: 0.35160100000000005
namelookup-time: 1.9e-05
connect-time: 5.7e-05
header-size: 243
request-size: 347
response-code: 301
ssl-verifyresult: 0
content-type:
cookielist: []
<_io.StringIO object at 0x7fa2bf438288>
=============================================
[*] Injection(s) Results:
=============================================
[ NOT-FOUND ] -> [ f4a204aa87e031e993fbcaf154a2646e ] : [ http://api.marketplace.ibm.com/XSS ]
==================================================
Mosquito(es) landed!
==================================================
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0.0 %
===========================================================================
```
Ok. I think that I know what the problem is... Are you using Python-3.7? Can you try it with Python-3.5?
Btw, after this commit: https://github.com/epsylon/xsser/commit/e57be7a0d26e0a3b61df21eaea5d96447ddc5d22 it should be working on both (3.5/3.7/3.x)
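The traceback above shows the `TypeError` being raised on the `getinfo(pycurl.CONTENT_TYPE)` line itself, so the `or ''` fallback is never reached when a reply (such as the 301 in the verbose output) has no Content-Type. The sketch below is an added example of the guard discussed in the thread, not XSSer's code and not the content of the linked commit; `FakeHandle`, `safe_getinfo`, `collect_info`, `is_expected_status` and the two option constants are hypothetical stand-ins so it runs without pycurl.

```python
# Added example; FakeHandle and the option constants are constructed stand-ins
# for a pycurl handle and pycurl.CONTENT_TYPE / pycurl.HTTP_CODE.
CONTENT_TYPE = "CONTENT_TYPE"
HTTP_CODE = "HTTP_CODE"


class FakeHandle:
    """Mimics the handle in the traceback: getinfo() raises when a value is absent."""

    def __init__(self, values):
        self._values = values

    def getinfo(self, option):
        value = self._values.get(option)
        if value is None:
            raise TypeError("decoding to str: need a bytes-like object, NoneType found")
        return value


def safe_getinfo(handle, option, default=""):
    """Return a transfer-info value, or `default` when the reply did not carry it."""
    try:
        value = handle.getinfo(option)
    except TypeError:
        # Only the "missing value" case is absorbed; other errors still propagate.
        return default
    if value is None:
        return default
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return value


def collect_info(handle):
    """Build the same keys the scanner checks, tolerating an absent Content-Type."""
    return {
        "http-code": str(safe_getinfo(handle, HTTP_CODE, default=0)),
        "content-type": str(safe_getinfo(handle, CONTENT_TYPE)).strip(";"),
    }


def is_expected_status(info):
    """The status test from finish_attack_url_payload in the traceback."""
    return info["http-code"] in ["200", "302", "301"]


# Constructed sample: a 301 redirect with no Content-Type, as in the verbose output.
redirect = FakeHandle({HTTP_CODE: 301})
print(collect_info(redirect), is_expected_status(collect_info(redirect)))
```

Catching only `TypeError` keeps genuine transfer errors visible instead of hiding them behind an empty string.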
Describe the bug
I have tried to pass a host file using the wizard, and also manually using the command below:
xsser -i ~/bounty/resolve/hostlist.txt -g '/'
The host file has lines as below:
https://domain1.com
http://domain2.com
The error message I get is "[Error] XSSer cannot find a correct place to start an attack. Aborting!..."
I have attached the screenshots of the issue of both methods without wizard below
using wizard below