Commit 8d3ff7b5 authored by Jorge's avatar Jorge
Browse files

fix multipayload

parent 21a32abf
......@@ -4,24 +4,14 @@ import json
from termcolor import colored
from prettytable import PrettyTable
parser = argparse.ArgumentParser(description='Find suitable XSS Payloads.')
parser.add_argument('-f', '--file', help='file with the payloads', default='db.json')
parser.add_argument('-t', '--tags', help='array with allowed tags', nargs='+')
parser.add_argument('-e', '--events', help='array with allowed events', nargs='+')
parser.add_argument('-o', '--output', help='output payload list')
args = parser.parse_args()
filename = args.file
tags = args.tags
events = args.events
def find_payload(filename, tags=[], events=[]):
def find_payload(filename, tags, events):
'''
Find suitable payloads inside db.json
'''
with open(filename) as json_file:
data = json.load(json_file)
# Return all tags of events
result = []
if events and not tags:
......@@ -44,50 +34,81 @@ def find_payload(filename, tags=[], events=[]):
for tag in event['tags']:
if tag['tag'] in tags:
result.append(tag)
if tags:
result = check_multi_payload(result, tags)
return result
def check_multi_payload(payloads, tags):
'''
Check if a payload with various tags can be exploited
'''
result = []
for payload in payloads:
tags_regex = re.findall(r'\<\w*[^\/]', payload['code'])
allowed = True
for i in tags_regex:
i = i.replace("<", "")
i = i.replace(">", "")
i = i.replace(" ", "")
if i not in tags:
allowed = False
if allowed:
result.append(payload)
return result
def intersection(lst1, lst2):
return list(set(lst1) & set(lst2))
def prettyprint(payloads):
def prettyprint(payloads, output=""):
'''
Print the table and the output in a file
'''
browsers_colors = {'safari' : 'cyan',
'edge' : 'blue',
'firefox': 'red',
'chrome': 'white'}
'edge' : 'blue',
'firefox': 'red',
'chrome' : 'white'}
print("\nPayloads found:\n")
t = PrettyTable(['Payload', 'Browser Compatibility'])
t.align['Payload'] = "l"
table = PrettyTable(['Payload', 'Browser Compatibility'])
table.align['Payload'] = "l"
for payload in payloads:
# payload['code']
browsers = ''
for browser in payload['browsers']:
browsers += colored(browser,browsers_colors[browser]) + " "
t.add_row([payload['code'], browsers])
browsers += colored(browser, browsers_colors[browser]) + " "
table.add_row([payload['code'], browsers])
print(t)
print(table)
if args.output:
f = open(args.output,'w+')
if output:
file = open(output, 'w+')
for payload in payloads:
f.write(payload['code']+'\n')
f.close()
print("Payloads saved in: " + args.output)
file.write(payload['code']+'\n')
file.close()
print("Payloads saved in: " + output)
def main():
'''
Main function
'''
parser = argparse.ArgumentParser(description='Find suitable XSS Payloads.')
parser.add_argument('-f', '--file', help='file with the payloads', default='db.json')
parser.add_argument('-t', '--tags', help='array with allowed tags', nargs='+')
parser.add_argument('-e', '--events', help='array with allowed events', nargs='+')
parser.add_argument('-o', '--output', help='output payload list')
args = parser.parse_args()
filename = args.file
tags = args.tags
events = args.events
if events or tags:
payloads = find_payload(filename,tags,events)
prettyprint(payloads)
payloads = find_payload(filename, tags, events)
prettyprint(payloads, args.output)
else:
parser.print_help()
if __name__== "__main__":
main()
\ No newline at end of file
if __name__ == "__main__":
main()
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment