tried puppeteer

gwen001 · Dec 18, 2019 · 6b10835 · 6b10835
1 parent 91cad39
commit 6b10835
Show file tree

Hide file tree

Showing 3 changed files with 107 additions and 2 deletions.
diff --git a/phantom-xss.js b/phantom-xss.js
@@ -48,9 +48,11 @@ page.onAlert = function(str) {
 };
 page.onConfirm = function(str) {
     console.log('confirm() called: '+str);
+    phantom.exit();
 };
 page.onPrompt = function(str) {
     console.log('prompt() called: '+str);
+    phantom.exit();
 };
 ////////////////////////////////////////////////////////////////////////////////
 
@@ -76,4 +78,4 @@ setTimeout( run(page,method,url,post), 0 );
 
 setTimeout(function() {
 	phantom.exit();
-}, 30000);
+}, 5000);
diff --git a/puppeteer-xss.js b/puppeteer-xss.js
@@ -0,0 +1,97 @@
+
+const puppeteer = require('puppeteer');
+var args = process.argv.slice(2);
+
+if( args.length < 2 || args.length > 5 ) {
+	console.log( 'Usage: node xss.js <method> <url> [<post_params>] [<cookies> <domain>]');
+	process.exit();
+}
+
+var method = Buffer.from(args[0], 'base64').toString()
+var url = Buffer.from(args[1], 'base64').toString()
+
+if( args.length > 3 ) {
+	var post = Buffer.from(args[2], 'base64').toString()
+} else {
+	var post = '';
+}
+
+if( args.length >= 5 && args[3].length ) {
+	var cookies = Buffer.from(args[3], 'base64').toString().split(';');
+  var domain = Buffer.from(args[4], 'base64').toString()
+  var t_cookies = []
+
+	for( var i=0 ; i<cookies.length ; i++ ) {
+		c = cookies[i].trim().split( '=' );
+        t_cookies[i] = { 'domain':domain, 'name':c[0], 'value':c[1] }
+	}
+} else {
+	var t_cookies = [];
+	var domain = '';
+}
+
+// console.log(method)
+// console.log(url)
+// console.log(post)
+// console.log(t_cookies)
+// console.log(domain)
+
+setTimeout( run, 0, url, method, post, t_cookies );
+
+setTimeout(function() {
+    process.exit();
+}, 5000);
+
+
+function run( url, method, post, t_cookies )
+{
+    const options = {
+        args: [
+          '--no-sandbox',
+          '--disable-setuid-sandbox',
+          '--disable-dev-shm-usage',
+          '--disable-accelerated-2d-canvas',
+          '--no-first-run',
+          '--no-zygote',
+          '--single-process', // <- this one doesn't works in Windows
+          '--disable-gpu'
+        ],
+        headless: true
+      };
+
+    puppeteer.launch(options).then(async browser => {
+    const page = await browser.newPage();
+    // await page.setUserAgent('Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/60.0');
+
+    if( t_cookies.length ) {
+      for( i=0 ; i<t_cookies.length ; i++ ) {
+        await page.setCookie( t_cookies[i] );
+      }
+    }
+
+    if( post.length ) {
+        await page.setRequestInterception( true );
+        page.on('request', interceptedRequest => {
+            interceptedRequest.continue({
+                method: 'POST',
+                postData: post,
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            });
+        });
+    }
+
+    page.on('dialog', async dialog => {
+        console.log('dialog() called: '+dialog.message());
+        // await page.close()
+        // await browser.close();
+        process.exit();
+    });
+
+    await page.goto( url );
+    // debug
+    // console.log( await page.content() )
+    await page.close()
+    await browser.close();
+    process.exit();
+  });
+}
diff --git a/xss.py b/xss.py
@@ -75,6 +75,7 @@ def testParams( t_urlparse, payload ):
             t_urlparse = t_urlparse._replace(query=new_query)
             url = urllib.parse.urlunparse(t_urlparse)
             doTest( url )
+            # convert get params to post
             # t_urlparse = t_urlparse._replace(query='')
             # url = urllib.parse.urlunparse(t_urlparse)
             # doTest( url, 'POST', new_query )
@@ -136,11 +137,14 @@ def doTest( url, method='GET', post_params='' ):
     cmd = _phantom_cmd
     for param in t_params:
         cmd = cmd + ' ' + '"'+base64.b64encode(param.encode()).decode()+'"'
-    # print(cmd)
+    if _verbose >= 3:
+        print(cmd)
 
     cmd_output = ''
     try:
         cmd_output = subprocess.check_output( cmd, shell=True ).decode('utf-8')
+        if _verbose >= 3:
+            print( cmd_output )
     except Exception as e:
         if _verbose >= 3:
             sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
@@ -181,9 +185,11 @@ def doTest( url, method='GET', post_params='' ):
     _phantom = args.phantom
 else:
     _phantom = '/usr/local/bin/phantomjs'
+    # _phantom = '/usr/local/bin/node'
 if not os.path.isfile(_phantom):
     parser.error( 'phantomjs not found!' )
 _phantom_cmd = _phantom + ' ' + os.path.dirname(os.path.realpath(__file__)) + '/phantom-xss.js'
+# _phantom_cmd = _phantom + ' ' + os.path.dirname(os.path.realpath(__file__)) + '/puppeteer-xss.js'
 # print( _phantom_cmd )
 
 if args.scheme: