Function overview
It brute-force tests every parameter with the payload file the user supplies in order to determine whether an XSS vulnerability exists (in the end it is nothing more than a two-level loop).
Implementation
The source of bruteforcer.py in XSStrike 3.0 is as follows:
import copy
from urllib.parse import urlparse, unquote
from core.colors import run, good, bad, green, end
from core.requester import requester
from core.utils import getUrl, getParams, verboseOutput


def bruteforcer(target, paramData, payloadList, verbose, encoding, headers, delay, timeout):
    # With POST data present the request is a POST, otherwise a GET
    GET, POST = (False, True) if paramData else (True, False)
    # Print information about this scan's target: host, url and the parameter
    # dictionary (all of it only in verbose mode)
    host = urlparse(target).netloc  # Extracts host out of the url
    verboseOutput(host, 'host', verbose)
    url = getUrl(target, GET)
    verboseOutput(url, 'url', verbose)
    params = getParams(target, paramData, GET)
    if not params:
        print('%s No parameters to test.' % bad)
        quit()
    verboseOutput(params, 'params', verbose)
    # Outer loop: one parameter at a time; the others keep their baseline values
    for paramName in params.keys():
        progress = 1
        paramsCopy = copy.deepcopy(params)
        # Inner loop: every payload from the user's file goes into that parameter
        for payload in payloadList:
            print ('%s Bruteforcing %s[%s%s%s]%s: %i/%i' % (run, green, end, paramName, green, end, progress, len(payloadList)), end='\r')
            if encoding:
                payload = encoding(unquote(payload))
            paramsCopy[paramName] = payload
            response = requester(url, paramsCopy, headers,
                                 GET, delay, timeout).text
            if encoding:
                payload = encoding(payload)
            # A payload that comes back verbatim in the body is reported as reflected
            if payload in response:
                print('%s %s' % (good, payload))
            progress += 1
        print ()
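The two-level loop above is easiest to reason about when the network is taken out of the picture. The following is an added example, not XSStrike's code: a stand-in for core.requester is any callable that maps the submitted parameter dictionary to a response body, and the loop is run once against a page that echoes values without output encoding and once against the same page with html.escape applied. The probe strings are constructed markers, not real payloads. It shows why the tool's substring test works at all, and that HTML-escaping the reflected value (the mitigation) is exactly what makes it come back negative.

```python
import copy
import html
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for core.requester: a "server" is any callable that maps
# the submitted parameter dict to a response body, so nothing touches the network.
Server = Callable[[Dict[str, str]], str]


def vulnerable_server(params: Dict[str, str]) -> str:
    """Echoes every parameter into the HTML without output encoding (the flaw)."""
    rows = "".join(f"<li>{k}: {v}</li>" for k, v in params.items())
    return f"<html><body><ul>{rows}</ul></body></html>"


def hardened_server(params: Dict[str, str]) -> str:
    """Same page, but every name and value is HTML-escaped before it reaches the markup."""
    rows = "".join(f"<li>{html.escape(k)}: {html.escape(v)}</li>" for k, v in params.items())
    return f"<html><body><ul>{rows}</ul></body></html>"


def reflection_check(server: Server, params: Dict[str, str],
                     payloads: List[str]) -> List[Tuple[str, str]]:
    """The two-level loop of bruteforcer(): for every parameter, try every payload
    and collect the (parameter, payload) pairs that come back verbatim in the body."""
    hits: List[Tuple[str, str]] = []
    for name in params:
        working = copy.deepcopy(params)   # the other parameters keep their baseline values
        for payload in payloads:
            working[name] = payload
            body = server(working)
            if payload in body:           # the same plain substring test the tool uses
                hits.append((name, payload))
    return hits


# Constructed probes: markup-shaped markers only, chosen to trip on '<', '"' and "'".
PROBES = ['<probe1>', '"probe2"', "'probe3'"]
BASELINE = {"q": "hello", "page": "1"}

if __name__ == "__main__":
    print("unencoded page:", reflection_check(vulnerable_server, BASELINE, PROBES))
    print("escaped page:  ", reflection_check(hardened_server, BASELINE, PROBES))
```

Because the check is a byte-for-byte substring match, a value that is reflected but encoded (`<` as `&lt;`, `"` as `&quot;`) is not reported; the loop therefore measures exactly the property that output encoding is meant to remove.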
Two relatively important functions are involved here:
getParams
The source first:
import json
import core.config  # module-level imports that the excerpt relies on


def getParams(url, data, GET):
    params = {}
    if '=' in url:
        # GET: the query string after '?' is the parameter source
        data = url.split('?')[1]
        if data[:1] == '?':
            data = data[1:]
    elif data:
        # JSON or path data has already been prepared by xsstrike.py: pass it through
        if core.config.globalVariables['jsonData'] or core.config.globalVariables['path']:
            params = data
        else:
            # Otherwise try the POST body as JSON first (single quotes tolerated)
            try:
                params = json.loads(data.replace('\'', '"'))
                return params
            except json.decoder.JSONDecodeError:
                pass
    else:
        return None
    if not params:
        # Fall back to a=b&c=d form data; a part without '=' makes the result None
        parts = data.split('&')
        for part in parts:
            each = part.split('=')
            try:
                params[each[0]] = each[1]
            except IndexError:
                params = None
    return params
The main job of this function is to convert the parameters to be tested into a dictionary and return it. As the reader may know, parameters come in four forms: GET parameters, POST parameters (a=b form), POST parameters (JSON form), and the path (XSS can also occur in the path).
Of course, if it is JSON or path data, xsstrike.py has already handled it and passes it in as the data argument, so it is assigned to params directly.
requester
It uses the requests library to send the request to the server, and at the same time sets some header information.
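The same conversion, written from scratch as an added example rather than taken from XSStrike, with the precedence getParams() uses (query string in the URL first, then the POST body as JSON, then as form data) but with two edge cases handled that the excerpt does not: the query string is taken from the parsed URL rather than from any '=' in the string, and form parts are split on the first '=' only, so a value that itself contains '=' (base64, a nested query) is kept intact instead of being truncated. A part with no '=' at all still makes the whole input untestable and yields None, as in the original. The function names and the sample URLs are constructed for the example.

```python
import json
from typing import Dict, Optional
from urllib.parse import urlsplit


def parse_form(source: str) -> Optional[Dict[str, str]]:
    """'a=b&c=d' -> {'a': 'b', 'c': 'd'}.
    Splits each part on its first '=' only, so 'token=abc==' keeps its value.
    A part with no '=' at all means the data cannot be tested: return None."""
    params: Dict[str, str] = {}
    for part in source.split('&'):
        if not part:            # tolerate 'a=1&&b=2'
            continue
        name, sep, value = part.partition('=')
        if not sep:
            return None
        params[name] = value
    return params or None


def parse_params(url: str, data: str = "") -> Optional[Dict[str, str]]:
    """Turn whichever parameter source is present into {name: value}.
    Precedence mirrors getParams(): a query string in the URL wins; otherwise the
    POST body is tried as JSON (single quotes tolerated), then as a=b&c=d form data.
    Returns None when there is nothing to test."""
    query = urlsplit(url).query          # only a real '?query', not '=' in the path
    if query:
        return parse_form(query)
    if not data:
        return None
    body = data[1:] if data.startswith('?') else data
    try:
        parsed = json.loads(body.replace("'", '"'))
    except json.JSONDecodeError:
        return parse_form(body)
    if isinstance(parsed, dict):
        # Values are stringified because they will be substituted into a request
        return {str(k): str(v) for k, v in parsed.items()}
    return parse_form(body)              # valid JSON but not an object: treat as form data


if __name__ == "__main__":
    # Constructed sample inputs covering the three sources and the edge cases
    print(parse_params("http://example.test/search?q=1&page=2"))
    print(parse_params("http://example.test/login", "user=a&token=abc=="))
    print(parse_params("http://example.test/api", "{'user': 'a', 'id': 5}"))
    print(parse_params("http://example.test/", "novalue"))
```

Because parse_form keeps the raw (still percent-encoded) values, what ends up in the dictionary is exactly what will be sent back, which is the property the reflection check in bruteforcer() depends on.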