Comments (22)
Hi,
Looks like something is wrong building the target URI.
Extracted from XSSer examples using POST:
- Simple injection from URL, to a POST parameter (ex: password), with statistics results:
xsser -u "http://host.com/index.php" -p "target=login&user=admin&password=" -s
Is your target OK? -> -u 'http://127.0.0.1/DVWA/vulnerabilities/xss_r' -> Does xss_r have any extension?
Otherwise, if xss_r is OK and you want to test all parameters, try changing this in your command:
-p 'txtName=123&btnSign=Sign+Guestbook&mtxMessage=123'
to this (you can use 'XSS' as the keyword to inject your payloads there):
-p 'txtName=XSS&btnSign=XSS&mtxMessage=XSS'
@epsylon thank you for support!
1. HEAD alive check for the target is OK.
2. Target is OK; here is the Burp Suite proxy request:
3. Now I use the command: ./xsser -u 'http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php' -p 'txtName=XSS&mtxMessage=XSS&btnSign=XSS' --cookie='security=low; PHPSESSID=6712q25gnsfs7q6mamile9ctn4' --auto -s
But I get the same error for all requests, like this:
```
Target: http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php --> 2016-08-15 10:04:23.768106
[-] Hashing: 25cfcbab689476601142c001727e65eb
[+] Trying: txtName=XSS&mtxMessage=XSS&btnSign=XSS
[+] Browser Support: [Not Info]
[-] Injection Results:
XSSer is not working propertly!:
- Is something blocking connection(s)?
- Is target url ok?: (http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php)
```
The connection result:
Total Connections: 559
-------------------------
200-OK: 1 | 404: 0 | 503: 0 | Others: 558
Connec: 0 %
And I tested another POST request for an XSS test; it also reports an error!
xsser -u 'http://testphp.acunetix.com/userinfo.php' -p 'urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update' --cookie='login=test%2Ftest' --auto -s
3. Now I use the command: ./xsser -u 'http://192.168.145.164/DVWA/vulnerabilities/xss_s/index.php'
But, according to your Burp test:
https://cloud.githubusercontent.com/assets/5670103/17653972/2fad740c-62d0-11e6-8b50-4fd7ade3c6d1.png
Why are you using index.php at the end of your command?
Btw, try using -v (verbose), so we can track more deeply how XSSer requests are built.
Trying your last example, which is remote and easier for me to test, I found that the server is replying with a 503 when it starts to receive a flood of injections.
Maybe it is not related at all to XSSer code and more to server-side configuration. Try sending injections with a delay (--delay) between them and see the results, using verbose mode to discover how the server is responding. Also, maybe there is a WAF there...
Here is your example on my box:
xsser -u 'http://testphp.acunetix.com/userinfo.php' -p 'urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update' --cookie='login=test%2Ftest' -s -v
[Info] HEAD alive check for the target: (http://testphp.acunetix.com/userinfo.php) is OK(200) [AIMED]
[-] Hashing: b8a8869ec23d067422148d5e9cb1dac4
[+] Trying: urname=XSS&ucc=XSS&uemail=XSS&uphone=XSS&uaddress=XSS&update=update">b8a8869ec23d067422148d5e9cb1dac4
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Headers Results:
[-] Injection Results:
**503 Service Unavailable: The server is currently unable to handle the request due to a temporary overloading**
log.txt
This is the command log.
Still waiting for your answer!
@xj90512 "Still waiting for your answer!" -> You mean, "thanks for your time epsylon", no?
I tried your injection again and I see that you are not testing that app correctly. For example, you are injecting into "/userinfo.php", which doesn't exist. This is redirecting to "login.php", but the web server is not handling the request correctly. It looks like this is not a problem with XSSer. Review your target...
I'm having the same issue! I'm testing a very simple CGI script that just reflects user input and can work with both GET and POST:
#!/usr/bin/perl
# Test target: deliberately reflects the 'payload' parameter unescaped,
# for both GET and POST (CGI.pm reads either source).
use strict;
use warnings;
use CGI;
my $q = CGI->new;
print $q->header();
print "<html><body>" . $q->param('payload') . "</body></html>";
When I do GET, xsser correctly identifies the vulnerability:
root@kali:~/xss/xsser/xsser# ./xsser -u http://172.30.11.103/cgi-bin/xss.pl?payload=xyz
...
[Info] HEAD alive check for the target: (http://172.30.11.103/cgi-bin/xss.pl?payload=xyz) is OK(200) [AIMED]
...
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
...
[+] Injection: http://172.30.11.103/cgi-bin/xss.pl?payload=xyz/">fd4a1bb5c48ee96d620d67671ee92a26
However, when I do a POST, it does not work:
root@kali:~/xss/xsser/xsser# ./xsser -u http://172.30.11.103/cgi-bin/xss.pl -p payload=xyz
...
[Info] HEAD alive check for the target: (http://172.30.11.103/cgi-bin/xss.pl) is OK(200) [AIMED]
Sending POST: payload=xyz
...
---------------------------------------------
[-] Hashing: 2f007c706ffb40b3c320fa56851d07a4
[+] Trying: payload=xyz">2f007c706ffb40b3c320fa56851d07a4
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:
XSSer is not working properly!:
- Is something blocking connection(s)?
- Is target url ok?: (http://172.30.11.103/cgi-bin/xss.pl)
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
What am I doing wrong?
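The GET-works, POST-fails symptom in the comment above comes down to one question: does the marker the scanner injected come back in the response body unescaped? The following Python is an added example, not XSSer's code and not the commenter's; it reproduces that check end to end, the way XSSer's output shows it (a unique token prefixed with `">` as the parameter value, then a search for that exact string in the reply), over both GET and POST. The target is a constructed in-process stand-in for the xss.pl script: `/cgi-bin/xss.pl` echoes `payload` raw, and a `/safe` path that HTML-escapes it is assumed here purely to show what the hardened behaviour looks like to the same probe. It runs offline on an ephemeral localhost port.

```python
"""Reflected-XSS probe with a unique marker, over GET and POST (added example)."""
import html
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for xss.pl: /cgi-bin/xss.pl echoes 'payload'
    unescaped for GET and POST; the assumed /safe path entity-encodes it."""

    def _params(self):
        parsed = urllib.parse.urlsplit(self.path)
        params = dict(urllib.parse.parse_qsl(parsed.query))
        if self.command == "POST":
            length = int(self.headers.get("Content-Length", "0"))
            body = self.rfile.read(length).decode("utf-8", "replace")
            params.update(urllib.parse.parse_qsl(body))
        return parsed.path, params

    def _respond(self):
        path, params = self._params()
        value = params.get("payload", "")
        if path == "/safe":
            value = html.escape(value, quote=True)  # hardened variant
        data = ("<html><body>" + value + "</body></html>").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = _respond
    do_POST = _respond

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral localhost port and serve from a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ReflectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(url, param, method="GET", extra=None, timeout=5):
    """Send '">' + random token in `param`; report whether it reflects raw.

    'reflected' = breakout marker came back byte-for-byte (unescaped output);
    'escaped'   = the quote and angle bracket were entity-encoded instead.
    """
    token = secrets.token_hex(16)
    marker = '">' + token
    params = dict(extra or {})
    params[param] = marker
    encoded = urllib.parse.urlencode(params)
    if method == "POST":
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    else:
        sep = "&" if urllib.parse.urlsplit(url).query else "?"
        req = urllib.request.Request(url + sep + encoded, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return {
        "token": token,
        "reflected": marker in body,
        "escaped": html.escape(marker, quote=True) in body,
    }


def run_demo():
    """Probe the echoing endpoint over GET and POST, and the hardened one."""
    server, port = start_server()
    base = f"http://127.0.0.1:{port}"
    try:
        return {
            "get_vuln": probe(f"{base}/cgi-bin/xss.pl", "payload", "GET"),
            "post_vuln": probe(f"{base}/cgi-bin/xss.pl", "payload", "POST"),
            "post_safe": probe(f"{base}/safe", "payload", "POST"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        verdict = "REFLECTED RAW" if result["reflected"] else "not reflected"
        print(f"{name:10s} {verdict} (escaped={result['escaped']})")
```

If a scanner reports "not working properly" against a target where this probe shows the POST marker reflected raw, the fault is in how the scanner builds or reads the POST request, not in the target; that is the separation of concerns the rest of the thread ends up making. Keep the random token: a fixed string can be matched by cached or static content and produce a false positive.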
GET:
./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert(1)</script>"
POST:
./xsser -u "http://127.0.0.1/cgi-bin/xss.pl" -p "payload=" --no-head --payload="<script>document.alert(1)</script>"
Now both fail:
# ./xsser -u "http://172.30.11.103/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert(1)</script>"
...
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
...
---------------------------------------------
[+] Trying: http://172.30.11.103/cgi-bin/xss.pl?payload=/<script>document.alert(1)</script>
[+] Checking: url attack with <script>document.alert(1)</script>... fail
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
# ./xsser -u "http://172.30.11.103/cgi-bin/xss.pl" -p "payload=" --no-head --payload="<script>document.alert(1)</script>"
...
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
...
[+] Trying: payload=<script>document.alert(1)<script>
[+] Browser Support: [manual_injection]
[-] Injection Results:
XSSer is not working properly!:
- Is something blocking connection(s)?
- Is target url ok?: (http://172.30.11.103/cgi-bin/xss.pl)
...
- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %
...
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
@epsylon I have created a test server, feel free to try the tool against it:
http://138.68.22.94/cgi-bin/xss.pl?payload=xyz
xsser -p still doesn't work for me.
Try changing the number '1' to the keyword 'XSS' and adding a '?' after 'xss.pl' in your POST spelling:
GET:
./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?payload=" --no-head --payload="<script>document.alert('XSS');</script>"
POST:
./xsser -u "http://127.0.0.1/cgi-bin/xss.pl?" -p "payload=" --no-head --payload="<script>document.alert('XSS');</script>"
Btw, I will review POST; let me check against your webserver whether there is any bug there.
Ok, no bugs. It is working perfectly. 🥇
You can check that I have tried GET/POST methods against your server (by reviewing the logs) and that I exploited both correctly on it.
I have used a proxy to check the headers before sending a request, which is a nice practice that I recommend to you next time for debugging tasks, and these are the results:
REQUEST:
POST /cgi-bin/xss.pl? HTTP/1.1
Host: 138.68.22.94
User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Connection: close
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 45
payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
And this is how I have launched XSSer to work with POST against your Perl script:
ventiska% ./xsser -u "http://138.68.22.94/cgi-bin/xss.pl?" -p "payload=xyz"
NOTE: Remember to add a "?" in your URL because it is part of it --> YOUR SPELLING MISTAKE ON THIS ISSUE
[Info] HEAD alive check for the target: (http://138.68.22.94/cgi-bin/xss.pl?) is OK(200) [AIMED]
Sending POST: payload=xyz
----------------
Target: http://138.68.22.94/cgi-bin/xss.pl? --> 2017-03-28 02:03:08.108838
---------------------------------------------
[-] Hashing: 6cb2ceb99cd8ad5705e59afd1bc047b2
[+] Trying: payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with ">PAYLOAD... ok
Mosquito(es) landed!
[*] Final Results:
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
[*] List of possible XSS injections:
[I] Target: http://138.68.22.94/cgi-bin/xss.pl?
[+] Injection: payload=xyz">6cb2ceb99cd8ad5705e59afd1bc047b2
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
--------------------------------------------------
Sorry, but XSSer is also working correctly with POST. Please check it yourself again and report.
Thanks for your time.
I'm sorry man, but it is not working. I had a co-worker try this as well, and he had the same failure. We both use the latest xsser from github. Are you, by any chance, using a different version of the code?
Here are the MD5 checksums I have. Again, these files are straight from github.
# md5sum `find -name "*.py" | sort`
89e29d541b4c2c09fb3ad1f2aa109bd5 ./core/crawler.py
f6ea63e6823bb4e1b2b7cfeeb13d88f4 ./core/curlcontrol.py
5e49f6c833526a8d4e94770279089209 ./core/dork.py
63342ed006aa430d4834ce780f4f882e ./core/encdec.py
c02dcd4f6967a75e1c0527173343b724 ./core/flashxss.py
78a1b5bb3841dc3bf50bfaa632f9a9ab ./core/fuzzing/DCP.py
14d90e68d64e53ef0b2d5aaafc39a65f ./core/fuzzing/DOM.py
71c189f462f3db1b6cfb0e41df1cc011 ./core/fuzzing/heuristic.py
065adbffefa16821048d9af1d723d333 ./core/fuzzing/HTTPsr.py
82324ee43869716a07d8a5e17a80336a ./core/fuzzing/__init__.py
d2986fa419e92bd239d49e1ddd9e8bef ./core/fuzzing/vectors.py
03d6af38f821ddd2ace3823d262f5352 ./core/globalmap.py
c0bd870e13fb115a0645c28d7e9e5b10 ./core/gtkcontroller.py
7aa12b28342cde59046bfd67f641f124 ./core/imagexss.py
82324ee43869716a07d8a5e17a80336a ./core/__init__.py
aaaac19f5b2b06890973a04b088ef935 ./core/main.py
504aefac1bd73d2f4ab599eb03d2fb34 ./core/mozchecker.py
008d21b9671e1892c46f173a6dd9957c ./core/options.py
82324ee43869716a07d8a5e17a80336a ./core/post/__init__.py
fb233db4e61bf9330f855a47f89fc8af ./core/post/xml_exporter.py
af3161f028af9bba17dd8dee32a1ea1e ./core/randomip.py
efe9c20339b585cb055812a5a8e4f794 ./core/reporter.py
c9acea173d1cf57a6796b30843bf566d ./core/threadpool.py
0926f41118242eee339777992a8b614a ./core/tokenhub.py
d882681cc9195503cc00d2290aae47c7 ./core/twsupport.py
1995e3f0c0c3fc93b05e7d171faf5bbf ./core/update.py
c5439189da3910ef1d48cfe3a93cead6 ./setup.py
Are you kidding me?
I have cloned the repo directly from GitHub; these are the commands I have used:
git clone https://github.com/epsylon/xsser
cd xsser/
cd xsser/
python setup.py install
xsser -u "http://138.68.22.94/cgi-bin/xss.pl?" -p "payload=xyz"
POST injections are working correctly. Check yourself again, review the logs at your webserver (which are a 100% real PoC) and please, stop wasting my time.
Look, I'm just trying to help... When three people are saying something is not working, maybe you should listen and cooperate to get to the root cause of the issue.
So, I spent some time in the debugger and found the problem. I've just submitted pull request #22. With those changes, both GET and POST are working. Feel free to accept the pull request or insist that I'm crazy and a waste of your time, I don't care :)
By the way, the question mark is absolutely unnecessary in the URL when the method is POST
$ ./xsser -u "http://138.68.22.94/cgi-bin/xss.pl" -p "payload=xyz"
===========================================================================
XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy
===========================================================================
Testing [XSS from URL]...
===========================================================================
[Info] HEAD alive check for the target: (http://138.68.22.94/cgi-bin/xss.pl) is OK(200) [AIMED]
Sending POST: payload=xyz
===========================================================================
Target: http://138.68.22.94/cgi-bin/xss.pl --> 2017-03-29 17:35:02.713293
===========================================================================
---------------------------------------------
[-] Hashing: 3d39da37d50b5b9d69e63d27711083b6
[+] Trying: http://138.68.22.94/cgi-bin/xss.pl
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with ">PAYLOAD... ok
===========================================================================
Mosquito(es) landed!
===========================================================================
[*] Final Results:
===========================================================================
- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100 %
===========================================================================
[*] List of possible XSS injections:
===========================================================================
[I] Target: http://138.68.22.94/cgi-bin/xss.pl
[+] Injection: http://138.68.22.94/cgi-bin/xss.pl
[-] Method: xss
[-] Browsers: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
--------------------------------------------------
Look, I'm just trying to help... When three people are saying something is not working, maybe you should listen and cooperate to get to the root cause of the issue.
Do you really believe in that sentence? What about religion?... Haha... ;-)
Sorry, I don't see the point of your issue. Did you test the steps added in my previous comment? I have tried your Perl script against localhost and your remote webserver, just downloading the code directly from GitHub, and it is working.
Did you check your webserver logs to see how the POST injections have been made?
I have recorded you a video: https://xsser.03c8.net/xsser/XSSer-POST-PoC.ogv
Sorry, but I keep trying to figure out what's wrong.
Ok. I have found an error that is only happening when no proxy is being used, which is the point of this issue. And it is related to deprecated code (that you pointed out correctly in your patch, when calling the callback) for some functions.
My mistake was to always be using a proxy (Tor, Burp), because that scenario is working. I figured it out because locally I was using Burp to check it, and at that moment I realized that it is probably something related to the threads implementation and the proxy handler... So the code was not fully broken as you said, hehe, half and half...
Btw, I have tried your code on a VM and also against your webserver and it is working correctly, with and without a proxy, so I will push it to the production code...
Again, many thanks for your time. ;-)
fixed: #22 (comment)
Excellent! Thank you for the xsser and for your time troubleshooting this issue!