搜索
中国白客联盟»论坛 Techniques 编程学习(Programming Learning) 【100行Python代码扫描器】 XSS vulnerability scanner ...
返回列表 发新帖
查看: 228|回复: 0

【100行Python代码扫描器】 XSS vulnerability scanner (DSXS)

[复制链接]
admin

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2014-12-2 21:11:22 | 显示全部楼层 |阅读模式
  1. #!/usr/bin/env python
  2. import cookielib, optparse, random, re, string, urllib, urllib2, urlparse

  4. NAME    = "Damn Small xss Scanner (DSXS) < 100 LoC (Lines of Code)"
  5. VERSION = "0.1q"
  6. AUTHOR  = "Miroslav Stampar (@stamparm)"
  7. LICENSE = "Public domain (FREE)"

  9. SMALLER_CHAR_POOL    = ('<', '>')                               # characters used for XSS tampering of parameter values (smaller set - for avoiding possible sqli errors)
  10. LARGER_CHAR_POOL     = ('\'', '"', '>', '<', ';')               # characters used for XSS tampering of parameter values (larger set)
  11. GET, POST            = "GET", "POST"                            # enumerator-like values used for marking current phase
  12. PREFIX_SUFFIX_LENGTH = 5                                        # length of random prefix/suffix used in XSS tampering
  13. CONTEXT_DISPLAY_OFFSET = 10                                     # offset outside the affected context for displaying in vulnerability report
  14. COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer"         # optional HTTP header names
  15. TIMEOUT = 30                                                    # connection timeout in seconds

  17. XSS_PATTERNS = (                                                # each (pattern) item consists of (r"context regex", (prerequisite unfiltered characters), "info text", r"content removal regex")
  18.     (r"\A[^<>]*%(chars)s[^<>]*\Z", ('<', '>'), "".xss.", pure text response, %(filtering)s filtering", None),
  19.     (r"<!--[^>]*%(chars)s|%(chars)s[^<]*-->", ('<', '>'), ""<!--.'.xss.'.-->", inside the comment, %(filtering)s filtering", None),
  20.     (r"(?s)<script[^>]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*</script>", ('\'', ';'), ""<script>.'.xss.'.</script>", enclosed by <script> tags, inside single-quotes, %(filtering)s filtering", None),
  21.     (r'(?s)<script[^>]*>[^<]*?"[^<"]*%(chars)s|%(chars)s[^<"]*"[^<]*</script>', ('"', ';'), "'<script>.".xss.".</script>', enclosed by <script> tags, inside double-quotes, %(filtering)s filtering", None),
  22.     (r"(?s)<script[^>]*>[^<]*?%(chars)s|%(chars)s[^<]*</script>", (';',), ""<script>.xss.</script>", enclosed by <script> tags, %(filtering)s filtering", None),
  23.     (r">[^<]*%(chars)s[^<]*(<|\Z)", ('<', '>'), "">.xss.<", outside of tags, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),
  24.     (r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), ""<.'.xss.'.>", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),
  25.     (r'<[^>]*"[^>"]*%(chars)s[^>"]*"[^>]*>', ('"',), "'<.".xss.".>', inside the tag, inside double-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),
  26.     (r"<[^>]*%(chars)s[^>]*>", (), ""<.xss.>", inside the tag, outside of quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->")
  27. )

  29. USER_AGENTS = (                                                 # items used for picking random HTTP User-Agent header value
  30.     "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0; en-US) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.678.0 Safari/534.21",
  31.     "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
  32.     "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20020508 Netscape6/6.1",
  33.     "Mozilla/5.0 (X11;U; Linux i686; en-GB; rv:1.9.1) Gecko/20090624 Ubuntu/9.04 (jaunty) Firefox/3.5",
  34. )

  36. _headers = {}                                                   # used for storing dictionary with optional header values

  38. def _retrieve_content(url, data=None):
  39.     try:
  40.         req = urllib2.Request("".join(url[i].replace(' ', "%20") if i > url.find('?') else url[i] for i in xrange(len(url))), data, _headers)
  41.         retval = urllib2.urlopen(req, timeout=TIMEOUT).read()
  42.     except Exception, ex:
  43.         retval = ex.read() if hasattr(ex, "read") else getattr(ex, "msg", str())
  44.     return retval or ""

  46. def _contains(content, chars):
  47.     content = re.sub(r"\\[%s]" % re.escape("".join(chars)), "", content) if chars else content
  48.     return all(char in content for char in chars)

  50. def scan_page(url, data=None):
  51.     retval, usable = False, False
  52.     url, data = re.sub(r"=(&|\Z)", "=1\g<1>", url) if url else url, re.sub(r"=(&|\Z)", "=1\g<1>", data) if data else data
  53.     try:
  54.         for phase in (GET, POST):
  55.             current = url if phase is GET else (data or "")
  56.             for match in re.finditer(r"((\A|[?&])(?P<parameter>[\w\[\]]+)=)(?P<value>[^&]+)", current):
  57.                 found, usable = False, True
  58.                 print "* scanning %s parameter '%s'" % (phase, match.group("parameter"))
  59.                 prefix, suffix = ("".join(random.sample(string.ascii_lowercase, PREFIX_SUFFIX_LENGTH)) for i in xrange(2))
  60.                 for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
  61.                     if not found:
  62.                         tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("%s%s%s%s" % ("'" if pool == LARGER_CHAR_POOL else "", prefix, "".join(random.sample(pool, len(pool))), suffix))))
  63.                         content = (_retrieve_content(tampered, data) if phase is GET else _retrieve_content(url, tampered)).replace("%s%s" % ("'" if pool == LARGER_CHAR_POOL else "", prefix), prefix)
  64.                         for sample in re.finditer("%s([^ ]+?)%s" % (prefix, suffix), content, re.I):
  65.                             for regex, condition, info, content_removal_regex in XSS_PATTERNS:
  66.                                 context = re.search(regex % {"chars": re.escape(sample.group(0))}, re.sub(content_removal_regex or "", "", content), re.I)
  67.                                 if context and not found and sample.group(1).strip():
  68.                                     if _contains(sample.group(1), condition):
  69.                                         print " (i) %s parameter '%s' appears to be XSS vulnerable (%s)" % (phase, match.group("parameter"), info % dict((("filtering", "no" if all(char in sample.group(1) for char in LARGER_CHAR_POOL) else "some"),)))
  70.                                         found = retval = True
  71.                                     break
  72.         if not usable:
  73.             print " (x) no usable GET/POST parameters found"
  74.     except KeyboardInterrupt:
  75.         print "\r (x) Ctrl-C pressed"
  76.     return retval

  78. def init_options(proxy=None, cookie=None, ua=None, referer=None):
  79.     global _headers
  80.     _headers = dict(filter(lambda _: _[1], ((COOKIE, cookie), (UA, ua or NAME), (REFERER, referer))))
  81.     urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler({'http': proxy})) if proxy else None)

  83. if __name__ == "__main__":
  84.     print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)
  85.     parser = optparse.OptionParser(version=VERSION)
  86.     parser.add_option("-u", "--url", dest="url", help="Target URL (e.g. "http://www.target.com/page.php?id=1")")
  87.     parser.add_option("--data", dest="data", help="POST data (e.g. "query=test")")
  88.     parser.add_option("--cookie", dest="cookie", help="HTTP Cookie header value")
  89.     parser.add_option("--user-agent", dest="ua", help="HTTP User-Agent header value")
  90.     parser.add_option("--random-agent", dest="randomAgent", action="store_true", help="Use randomly selected HTTP User-Agent header value")
  91.     parser.add_option("--referer", dest="referer", help="HTTP Referer header value")
  92.     parser.add_option("--proxy", dest="proxy", help="HTTP proxy address (e.g. "http://127.0.0.1:8080")")
  93.     options, _ = parser.parse_args()
  94.     if options.url:
  95.         init_options(options.proxy, options.cookie, options.ua if not options.randomAgent else random.choice(USER_AGENTS), options.referer)
  96.         result = scan_page(options.url if options.url.startswith("http") else "http://%s" % options.url, options.data)
  97.         print "\nscan results: %s vulnerabilities found" % ("possible" if result else "no")
  98.     else:
  99.         parser.print_help()
复制代码
过段时间可能会取消签到功能了
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表