epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Xsser not working with targets from a file #50

Closed ghost closed 4 years ago

ghost commented 4 years ago

Describe the bug

I have tried to pass a host file using wizard, also manually using the command below:

xsser -i ~/bounty/resolve/hostlist.txt -g '/'

The hostfile has lines as below:

https://domain1.com
http://domain2.com

The error message I get is "[Error] XSSer cannot find a correct place to start an attack. Aborting!..."

I have attached the screenshots of the issue of both methods.

Without wizard below:

[Screenshot from 2019-12-12 03-01-13]

Using wizard below:

[Screenshot from 2019-12-12 02-42-03]

Dylan886 commented 4 years ago

You need to use XSS to mark the keyword, like the help says.

ghost commented 4 years ago

Oh that worked :D my bad..

but one of the domains threw this error

===========================================================================
[*] Test: [ 13/8931 ] <-> 2019-12-12 16:57:04.133932
===========================================================================

[+] Target: 

 [ http://***************.com/ ]

Traceback (most recent call last):
  File "./xsser", line 35, in <module>
    app.run()
  File "/home/iqzer0/tools/xsser/core/main.py", line 2726, in run
    self.poll_workers()
  File "/home/iqzer0/tools/xsser/core/main.py", line 2243, in poll_workers
    self.pool.poll()
  File "/home/iqzer0/tools/xsser/core/threadpool.py", line 358, in poll
    request.callback(request, result)
  File "/home/iqzer0/tools/xsser/core/main.py", line 910, in _cb
    self.finish_attack_url_payload(c, request, result, payload,
  File "/home/iqzer0/tools/xsser/core/main.py", line 1024, in finish_attack_url_payload
    if c.info()["http-code"] in ["200", "302", "301"]:
  File "/home/iqzer0/tools/xsser/core/curlcontrol.py", line 454, in info
    m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';')
TypeError: decoding to str: need a bytes-like object, NoneType found

epsylon commented 4 years ago

Thanks @Dylan886. @ikewzer0, it would be nice to know why this specific target is replying with an empty 'content-type'. Maybe you can try to debug it a bit more, using -v (verbose) to see if the other HTTP header values are OK. Btw, it seems easy to patch by just adding a try/exception routine. Please try to research this latest "issue" a bit more and I will fix it quickly.

ghost commented 4 years ago

Hi @epsylon, I used the verbose mode, and it didn't show any additional information.

ghost commented 4 years ago

Example: this URL shows the same error msg too: http://api.marketplace.ibm.com/

[Screenshot from 2019-12-13 00-46-04]

epsylon commented 4 years ago

Hi @ikewzer0, I cannot reproduce your error. Here your spelling is working correctly. We need more info about your environment. Please try to fill in this form: https://github.com/epsylon/xsser/blob/master/.github/ISSUE_TEMPLATE/bug_report.md

ventiska% xsser -u http://api.marketplace.ibm.com/ -g "XSS" -v
===========================================================================

XSSer v1.8[2]: "The Hiv3!" - (https://xsser.03c8.net) - 2010/2019 -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================
===========================================================================
[*] Test: [ 1/1 ] <-> 2019-12-13 10:58:50.183578
===========================================================================

[+] Target: 

 [ http://api.marketplace.ibm.com/ ]

---------------------------------------------

[!] Hashing: 

 [ f4a204aa87e031e993fbcaf154a2646e ] : [ http://api.marketplace.ibm.com/XSS ]

---------------------------------------------

[*] Trying: 

http://api.marketplace.ibm.com/">f4a204aa87e031e993fbcaf154a2646e

---------------------------------------------

[+] Vulnerable(s): 

 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

---------------------------------------------

[+] HTTP Headers Verbose:

 [Client Request]

Cookie: None
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Referer: None
Extra Headers: None
X-Forwarded-For: None
X-Client-IP: None
Authentication Type: None
Authentication Credentials: None
Proxy: None
Timeout: 30
Delaying: 0 seconds
Delaying: 0 seconds
Retries: 1 

 [Server Reply]

http-code: 301
total-time: 0.35160100000000005
namelookup-time: 1.9e-05
connect-time: 5.7e-05
header-size: 243
request-size: 347
response-code: 301
ssl-verifyresult: 0
content-type: 
cookielist: []

<_io.StringIO object at 0x7fa2bf438288>
=============================================
[*] Injection(s) Results:
=============================================

 [ NOT-FOUND ] -> [ f4a204aa87e031e993fbcaf154a2646e ] : [ http://api.marketplace.ibm.com/XSS ]

==================================================
Mosquito(es) landed!
==================================================

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0.0 %

===========================================================================

epsylon commented 4 years ago

Ok. I think that I know what the problem is... Are you using Python-3.7? Can you try it with Python-3.5?

epsylon commented 4 years ago

Btw, after this commit: https://github.com/epsylon/xsser/commit/e57be7a0d26e0a3b61df21eaea5d96447ddc5d22 it should be working with both (3.5/3.7/3.x)
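
The guard discussed in this thread, as an added example (not XSSer's code and not the contents of the commit referenced above): a reply with no Content-Type, like the 301 shown in the verbose output, should yield an empty field instead of aborting the run. `FakeHandle` and the two key constants are constructed stand-ins for a pycurl handle, and `safe_getinfo` / `reply_info` are hypothetical helper names.

```python
# Added example: tolerate a missing Content-Type when collecting reply info.
# FakeHandle and the key constants are constructed stand-ins, not pycurl itself.

CONTENT_TYPE = "CONTENT_TYPE"    # placeholder key, stands in for pycurl.CONTENT_TYPE
RESPONSE_CODE = "RESPONSE_CODE"  # placeholder key, stands in for pycurl.RESPONSE_CODE


class FakeHandle:
    """Constructed stand-in for a curl handle; values may be str, bytes or None."""

    def __init__(self, values, raise_on_none=False):
        self.values = values
        self.raise_on_none = raise_on_none

    def getinfo(self, key):
        value = self.values.get(key)
        if value is None and self.raise_on_none:
            # Same failure message as the traceback in this thread.
            raise TypeError("decoding to str: need a bytes-like object, NoneType found")
        return value


def safe_getinfo(handle, key, default=""):
    """Return an info field as str, or `default` if it is absent or undecodable."""
    try:
        value = handle.getinfo(key)
    except (TypeError, UnicodeDecodeError):
        return default
    if value is None:
        return default
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    return str(value)


def reply_info(handle):
    """Build the two reply fields that the crashing code path reads."""
    content_type = safe_getinfo(handle, CONTENT_TYPE)
    return {
        "http-code": safe_getinfo(handle, RESPONSE_CODE, default="0"),
        # Keep only the media type: "text/html; charset=utf-8" -> "text/html".
        "content-type": content_type.split(";", 1)[0].strip().lower(),
    }


# Constructed samples: a 301 redirect with no Content-Type, and a normal HTML reply.
redirect = FakeHandle({RESPONSE_CODE: 301}, raise_on_none=True)
html = FakeHandle({RESPONSE_CODE: 200, CONTENT_TYPE: b"Text/HTML; charset=utf-8"})
```

With this shape, the status check from the traceback (`http-code` in `["200", "302", "301"]`) still runs for the redirect, and the empty `content-type` can be logged as an observation about the target.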