
Comments (22)

epsylon commented on August 27, 2024

Hi,
It looks like something is wrong when building the target URI.
Extracted from XSSer examples using POST:

  • Simple injection from URL, to a POST parameter (ex: password), with statistics results:
    xsser -u "http://host.com/index.php" -p "target=login&user=admin&password=" -s

Is your target ok? -> -u 'http://127.0.0.1/DVWA/vulnerabilities/xss_r' -> Does xss_r have any extension?

from xsser.

epsylon commented on August 27, 2024

Otherwise, if xss_r is ok and you want to test all parameters, try changing this in your command:
-p 'txtName=123&btnSign=Sign+Guestbook&mtxMessage=123'
to this (you can use 'XSS' as the keyword to inject your payloads there):
-p 'txtName=XSS&btnSign=XSS&mtxMessage=XSS'

xj90512 commented on August 27, 2024

@epsylon thank you for the support!
1. HEAD alive check for the target is OK
2. Target is OK; here is the Burp Suite proxy request:
[screenshot: Burp Suite proxy request]
3. Now I use the command: ./xsser -u 'http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php' -p 'txtName=XSS&mtxMessage=XSS&btnSign=XSS' --cookie='security=low; PHPSESSID=6712q25gnsfs7q6mamile9ctn4' --auto -s
But I get the same error for all requests! Like this:
Target: http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php --> 2016-08-15 10:04:23.768106
[-] Hashing: 25cfcbab689476601142c001727e65eb
[+] Trying: txtName=XSS&mtxMessage=XSS&btnSign=XSS

X
[+] Browser Support: [Not Info]
[-] Injection Results:

XSSer is not working propertly!:

Total Connections: 559
-------------------------
200-OK: 1 | 404: 0 | 503: 0 | Others: 558
Connec: 0 %

And I tested another POST request for XSS; it also reports an error!
xsser -u 'http://testphp.acunetix.com/userinfo.php' -p 'urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update' --cookie='login=test%2Ftest' --auto -s

epsylon commented on August 27, 2024

3. Now I use the command: ./xsser -u 'http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php'

But according to your Burp test:

https://cloud.githubusercontent.com/assets/5670103/17653972/2fad740c-62d0-11e6-8b50-4fd7ade3c6d1.png

Why are you using index.php at the end of your command?

epsylon commented on August 27, 2024

Btw, try using -v (verbose), so we can track in more depth how XSSer requests are built.

epsylon commented on August 27, 2024

Trying your last example, which is remote and easier for me to test, I found that the server replies with a 503 when it starts to receive a flood of injections.

Maybe it is not related to the XSSer code at all and more to server-side configuration. Try sending injections with a delay (--delay) between them and see the results using verbose mode to discover how the server is responding. Also, maybe there is a WAF there...

Here is your example on my box:

xsser -u 'http://testphp.acunetix.com/userinfo.php' -p 'urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update' --cookie='login=test%2Ftest' -s -v

[Info] HEAD alive check for the target: (http://testphp.acunetix.com/userinfo.php) is OK(200) [AIMED]

[-] Hashing: b8a8869ec23d067422148d5e9cb1dac4
[+] Trying: urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update">b8a8869ec23d067422148d5e9cb1dac4
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:

[-] Injection Results:

**503 Service Unavailable: The server is currently unable to handle the request due to a temporary overloading**

xj90512 commented on August 27, 2024

log.txt
This is the command log....
Still waiting for your answer!

epsylon commented on August 27, 2024

@xj90512 "still waiting for your answer!" -> You mean, "thanks for your time epsylon", no?
I tried your injection again and I see that you are not testing that app correctly. For example, you are injecting into "/userinfo.php", which doesn't exist. This is redirecting to "login.php", but the web server is not handling the request correctly. It looks like it is not a problem with XSSer. Review your target...

kojenov commented on August 27, 2024

I'm having the same issue! I'm testing a very simple CGI script that just reflects user input and can work with both GET and POST:

#!/usr/bin/perl
# Minimal test reflector: echoes the 'payload' parameter back into the page
# unescaped (deliberately vulnerable), for both GET and POST requests.
use strict;
use warnings;
use CGI;
my $q = CGI->new;
print $q->header();
print "<html><body>" . $q->param('payload') . "</body></html>";

When I do GET, xsser correctly identifies the vulnerability:

root@kali:~/xss/xsser/xsser# ./xsser -u http://172.30.11.103/cgi-bin/xss.pl?payload=xyz
...
[Info] HEAD alive check for the target: (http://172.30.11.103/cgi-bin/xss.pl?payload=xyz) is OK(200) [AIMED]
...
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
...
[+] Injection: http://172.30.11.103/cgi-bin/xss.pl?payload=xyz/">fd4a1bb5c48ee96d620d67671ee92a26

However, when I do a POST, it does not work:

root@kali:~/xss/xsser/xsser# ./xsser -u http://172.30.11.103/cgi-bin/xss.pl -p payload=xyz
...
[Info] HEAD alive check for the target: (http://172.30.11.103/cgi-bin/xss.pl) is OK(200) [AIMED]

Sending POST: payload=xyz 
...
---------------------------------------------
[-] Hashing: 2f007c706ffb40b3c320fa56851d07a4
[+] Trying: payload=xyz">2f007c706ffb40b3c320fa56851d07a4
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:

XSSer is not working properly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (http://172.30.11.103/cgi-bin/xss.pl)
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

What am I doing wrong?

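The reflection check behind the GET/POST runs above, as an added example (not XSSer's code): the probe appends the `">` breakout plus a unique marker to the parameter value, exactly as the `[+] Trying:` lines show, and the response is judged vulnerable only if that marker lands unescaped. The reflector is a Python model of the Perl CGI in this comment, shown next to an assumed hardened version that HTML-escapes its output.

```python
import hashlib
import html
from urllib.parse import parse_qs, urlencode


def make_marker(seed: str) -> str:
    """Unique probe value; XSSer prints a similar MD5 on its '[-] Hashing:' line."""
    return hashlib.md5(seed.encode()).hexdigest()


def build_post_body(params: str, marker: str) -> str:
    """Turn a -p style body into the probe body: every value gets the '">'
    attribute-breakout followed by the marker (payload=xyz">MARKER), and a
    value equal to the XSS keyword is replaced entirely, as suggested in the
    thread. Values are URL-encoded as they would be on the wire."""
    fields = parse_qs(params, keep_blank_values=True)
    probed = {}
    for name, values in fields.items():
        base = "" if values[0] == "XSS" else values[0]
        probed[name] = base + '">' + marker
    return urlencode(probed)


def vulnerable_reflector(body: str) -> str:
    """Model of the Perl CGI posted above: echoes 'payload' without escaping."""
    payload = parse_qs(body, keep_blank_values=True).get("payload", [""])[0]
    return "<html><body>" + payload + "</body></html>"


def hardened_reflector(body: str) -> str:
    """Assumed fix: the same page with output encoding. html.escape(quote=True)
    turns '">' into '&quot;&gt;', so the marker cannot land unescaped."""
    payload = parse_qs(body, keep_blank_values=True).get("payload", [""])[0]
    return "<html><body>" + html.escape(payload, quote=True) + "</body></html>"


def probe(server, params: str, status: int = 200) -> dict:
    """One probe round against a server callable. A non-200 status (the 503s
    and 'Others' counted in the thread) is a failed connection, not evidence
    that the target is safe, so it is reported separately from 'reflected'."""
    marker = make_marker(params)
    sent = build_post_body(params, marker)
    result = {"marker": marker, "sent": sent, "status": status,
              "reflected": False, "failed": status != 200}
    if not result["failed"]:
        # Vulnerable only if the breakout and marker come back verbatim.
        result["reflected"] = ('">' + marker) in server(sent)
    return result


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_reflector), ("hardened", hardened_reflector)):
        print(name, probe(srv, "payload=xyz"))
```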

epsylon commented on August 27, 2024

GET:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert(1)</script>"

POST:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl" -p "payload=" --no-head --payload="<script>document.alert(1)</script>"

kojenov commented on August 27, 2024

Now both fail:

# ./xsser -u "http://172.30.11.103/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert(1)</script>"
...
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
...
---------------------------------------------
[+] Trying: http://172.30.11.103/cgi-bin/xss.pl?payload=/<script>document.alert(1)</script>
[+] Checking: url attack with <script>document.alert(1)</script>... fail
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
# ./xsser -u "http://172.30.11.103/cgi-bin/xss.pl" -p "payload=" --no-head --payload="<script>document.alert(1)</script>"
...
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
...
[+] Trying: payload=<script>document.alert(1)<script>
[+] Browser Support: [manual_injection]
[-] Injection Results:

XSSer is not working properly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (http://172.30.11.103/cgi-bin/xss.pl)
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

kojenov commented on August 27, 2024

@epsylon I have created a test server, feel free to try the tool against it:
http://138.68.22.94/cgi-bin/xss.pl?payload=xyz
xsser -p still doesn't work for me

epsylon commented on August 27, 2024

Try changing the number '1' to the keyword 'XSS' and add a '?' after 'xss.pl' in your POST spelling:

GET:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert('XSS');</script>"

POST:

./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?" -p "payload=" --no-head --payload="<script>document.alert('XSS');</script>"

btw, I will review POST, let me check against your webserver if there is any bug there.

epsylon commented on August 27, 2024

Ok, no bugs. It is working perfectly. 🥇

You can check that I have tried the GET/POST methods against your server (by reviewing the logs) and that I exploited both correctly on it.

I have used a proxy to check the headers before sending a request, which is a nice practice that I recommend to you next time for debugging tasks, and these are the results:

REQUEST:
POST /cgi-bin/xss.pl? HTTP/1.1
Host: 138.68.22.94
User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Connection: close
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 45

payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2


And this is how I have launched XSSer to work with POST against your Perl script:

ventiska% ./xsser -u "http://138.68.22.94/cgi-bin/xss.pl?" -p "payload=xyz"

NOTE: Remember to add a "?" in your URL because it is part of it --> YOUR SPELLING MISTAKE ON THIS ISSUE

[Info] HEAD alive check for the target: (http://138.68.22.94/cgi-bin/xss.pl?) is OK(200) [AIMED]

Sending POST: payload=xyz 

----------------
Target: http://138.68.22.94/cgi-bin/xss.pl? --> 2017-03-28 02:03:08.108838
---------------------------------------------
[-] Hashing: 6cb2ceb99cd8ad5705e59afd1bc047b2
[+] Trying: payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with ">PAYLOAD... ok

Mosquito(es) landed!

[*] Final Results:

- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %

[*] List of possible XSS injections:

[I] Target: http://138.68.22.94/cgi-bin/xss.pl?
[+] Injection: payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] 
 -------------------------------------------------- 

Sorry, but XSSer is also working correctly with POST. Please check it yourself again and report it.

Thanks for your time.

kojenov commented on August 27, 2024

I'm sorry man, but it is not working. I had a co-worker try this as well, and he had the same failure. We both use the latest xsser from github. Are you, by any chance, using a different version of the code?

Here are the MD5 checksums I have. Again, these files are straight from github.

# md5sum `find -name "*.py" | sort`

epsylon commented on August 27, 2024

Are you kidding me?

I have cloned repo directly from github, these are the commands I have used:

git clone https://github.com/epsylon/xsser
cd xsser/
cd xsser/
python setup.py install

xsser -u "http://138.68.22.94/cgi-bin/xss.pl?" -p "payload=xyz"

POST injections are working correctly; check it yourself again, review the logs on your webserver (which are a 100% real PoC) and please stop wasting my time..

kojenov commented on August 27, 2024

Look, I'm just trying to help... When three people are saying something is not working, maybe you should listen and cooperate to get to the root cause of the issue.

So, I spent some time in the debugger and found the problem. I've just submitted pull request #22. With those changes, both GET and POST are working. Feel free to accept the pull request or insist that I'm crazy and a waste of your time, I don't care :)

By the way, the question mark is absolutely unnecessary in the URL when the method is POST:

$ ./xsser -u "http://138.68.22.94/cgi-bin/xss.pl" -p "payload=xyz"
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================
[Info] HEAD alive check for the target: (http://138.68.22.94/cgi-bin/xss.pl) is OK(200) [AIMED]


Sending POST: payload=xyz 

===========================================================================
Target: http://138.68.22.94/cgi-bin/xss.pl --> 2017-03-29 17:35:02.713293
===========================================================================

---------------------------------------------
[-] Hashing: 3d39da37d50b5b9d69e63d27711083b6
[+] Trying: http://138.68.22.94/cgi-bin/xss.pl
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with ">PAYLOAD... ok

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %

===========================================================================
[*] List of possible XSS injections:
===========================================================================

[I] Target: http://138.68.22.94/cgi-bin/xss.pl
[+] Injection: http://138.68.22.94/cgi-bin/xss.pl
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] 
 -------------------------------------------------- 

epsylon commented on August 27, 2024

Look, I'm just trying to help... When three people are saying something is not working, maybe you should listen and cooperate to get to the root cause of the issue.

Do you really believe in that sentence? What about religion?... Haha.... ;-)

Sorry, I don't see the point of your issue. Did you test the steps added in my previous comment? I have tried your Perl script against localhost and your remote webserver, just downloading the code directly from GitHub, and it is working.

Did you check your webserver logs to see how the POST injections have been made?

epsylon commented on August 27, 2024

I have recorded you a video: https://xsser.03c8.net/xsser/XSSer-POST-PoC.ogv

Sorry, but I keep trying to figure out what's wrong.

epsylon commented on August 27, 2024

Ok. I have found an error that only happens when no proxy is being used, which is the point of this issue. And it is related to deprecated code (which you correctly pointed out in your patch, when calling the callback) for some functions.

My mistake was always using a proxy (Tor, Burp), because that scenario is working. I figured it out because locally I was using Burp to check it, and at that moment I realized that it is probably something related to the threads implementation and the proxy handler... So the code was not fully broken as you said, hehe, half and half...

Btw, I have tried your code on a VM and also against your webserver and it is working correctly, with and without a proxy, so I will push it to the production code...

Again, many thanks for your time. ;-)

epsylon commented on August 27, 2024

fixed: #22 (comment)

kojenov commented on August 27, 2024

Excellent! Thank you for the xsser and for your time troubleshooting this issue!
