Closed meto1111 closed 3 years ago
epsylon
commented
3 years ago @meto1111 can you report your issue but more detailed and using this template -> https://github.com/epsylon/xsser/blob/master/.github/ISSUE_TEMPLATE/bug_report.md?. It will be more easy for me to figure out whats really going on...
meto1111
commented
3 years ago Describe the bug while crawling my website for vulnerabilities I am getting a error like this:
TypeError: coercing to str: need a bytes-like object, NoneType found
I followed the instructions as described in a previos issue number #48
To Reproduce
Run 'xsser -u http://172.17.55.204/reflected.php?NAME=XSS -c 10 --Cw 1 --Cl -s --user-agent Googlebot/2.1 (+http://www.google.com/bot.html)
--auth-type basic --auth-cred USERNAME=Administrator:PASSWORD=Administrator --threads 5 --timeout 30 --retries 1 --delay 0 --payload '
See error: Exception in thread Thread-2: Traceback (most recent call last): File "/usr/local/lib/python3.5/threading.py", line 914, in _bootstrap_inner self.run() File "/usr/share/xsser/core/gtkcontroller.py", line 1992, in run self.app.run(self._cmd[1:]) File "/usr/share/xsser/core/main.py", line 2711, in run self.poll_workers() File "/usr/share/xsser/core/main.py", line 2228, in poll_workers self.pool.poll() File "/usr/share/xsser/core/threadpool.py", line 358, in poll request.callback(request, result) File "/usr/share/xsser/core/main.py", line 910, in _cb query_string, url, dest_url) File "/usr/share/xsser/core/main.py", line 1023, in finish_attack_url_payload if c.info()["http-code"] in ["200", "302", "301"]: File "/usr/share/xsser/core/curlcontrol.py", line 454, in info m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';') TypeError: coercing to str: need a bytes-like object, NoneType found
Expected behavior expecting that xsser show me the result after i crawled a web application
Running environment:
epsylon
commented
3 years ago Thanks @meto1111
XSSer version [e.g. 1.8.2]
1). We are currently at : 1.8.[3]-dev-2.
Can you please upgrade the tool to the latest version and try it again?
2) This issue has been previously fixed -> https://github.com/epsylon/xsser/issues/48
epsylon
commented
3 years ago @meto1111 We can re-open this thread if the issue still persists after your upgrade...
For that, because Kali Linux hasn't the latest version, you will need to clone this repository, directly:
git clone https://github.com/epsylon/xsser
epsylon
commented
3 years ago XSSer -> Kali Linux -> v1.8.[2] -> https://gitlab.com/kalilinux/packages/xsser XSSer -> Official Packages+GIT -> 1.8.[3] -> https://xsser.03c8.net/#intro
epsylon
commented
3 years ago @sbrun What do you think about whether it would be possible to update the Kali Linux upstream to the latest version?.
The tool is one version (and several important bugs fixed) above and is more stable.
https://github.com/epsylon/xsser/commits/master
It also includes a more sophisticated method to exploit the XSS tunnel.
meto1111
commented
3 years ago as mentioned in the previous comment i have updated to 1.8.3 following the instructions on https://xsser.03c8.net/#intro ::
wget https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz tar xf xsser_1.8-3.tar.gz cd xsser sudo python setup.py install ./xsser -h ./xsser --gtk (for gui)
After running xsser, i am getting the same error
epsylon
commented
3 years ago I see @meto1111. Thanks!
The thing is that I have checked the line of code in which you have an exception:
File "/usr/share/xsser/core/curlcontrol.py", **line 454**, in info
m['content-type'] = (self.handle.getinfo**(pycurl.CONTENT_TYPE)** or '').strip(';')
TypeError: coercing to str: need a bytes-like object, NoneType foundAnd looks that the Exception that we have under control is not running propertly:
try:
m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';')
except:
m['content-type'] = NoneProbably because we should provide any content rather than None.
I will try to reproduce your issue on a sanbox.
epsylon
commented
3 years ago @meto1111 pls, tell me if this patch is fixing your issue:
1 - Go to file core/curlcontrol.py, line 454 2 - Replace this block:
try:
m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';')
except:
m['content-type'] = NoneFor this other. Look that now, we are passing directly a str with a common content-type and not a None:
try:
m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';')
except:
m['content-type'] = str("text/html; charset=UTF-8")3 - Re-run your tests.
meto1111
commented
3 years ago Its working now thanks
epsylon
commented
3 years ago @meto1111 thanks for your report.
fixed at: https://github.com/epsylon/xsser/commit/d27089443962c60a94f20921f82129ed497d33b4
When i am using the crawler it goes well till a point, after that xsser get stucks and shows:
Exception in thread Thread-2: Traceback (most recent call last): File "/usr/local/lib/python3.5/threading.py", line 914, in _bootstrap_inner self.run() File "/usr/share/xsser/core/gtkcontroller.py", line 1992, in run self.app.run(self._cmd[1:]) File "/usr/share/xsser/core/main.py", line 2711, in run self.poll_workers() File "/usr/share/xsser/core/main.py", line 2228, in poll_workers self.pool.poll() File "/usr/share/xsser/core/threadpool.py", line 358, in poll request.callback(request, result) File "/usr/share/xsser/core/main.py", line 910, in _cb query_string, url, dest_url) File "/usr/share/xsser/core/main.py", line 1023, in finish_attack_url_payload if c.info()["http-code"] in ["200", "302", "301"]: File "/usr/share/xsser/core/curlcontrol.py", line 454, in info m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE) or '').strip(';') TypeError: coercing to str: need a bytes-like object, NoneType found