- This topic has 12 replies, 2 voices, and was last updated 4 years, 5 months ago by Diego Pérez.
- AuthorPosts
- July 20, 2020 at 3:36 pm #42713Peter QueenParticipant
Hello Diego,
When i run the vulnerability scanner
#!/usr/bin/env python import requests import re import urlparse class Scanner: def __init__(self, url): self.target_url = url self.target_links = [] def extract_links_from(self, url): response = requests.get(url) return re.findall('(?:href=")(.*?)"', response.content) # response.content.decode(ignore="error)) def crawl(self, url): href_links = self.extract_links_from(url) for link in href_links: link = urlparse.urljoin(url, link) if "#" in link: link = link.split("#")[0] if self.target_url in link and link not in self.target_links: self.target_links.append(link) print(link) self.crawl(link)
#!/usr/bin/env python import scanner target_url = "http://10.0.2.14/mutillidae" vuln_scanner = scanner.Scanner(target_url) vuln_scanner.crawl(target_url)
I only get those results:
root@kali:~/PycharmProjects/vulnerability-scanner# python vulnerability_scanner.py http://10.0.2.14/mutillidae http://10.0.2.14/mutillidae?page=add-to-your-blog.php http://10.0.2.14/mutillidae?page=view-someones-blog.php http://10.0.2.14/mutillidae?page=show-log.php http://10.0.2.14/mutillidae?page=text-file-viewer.php http://10.0.2.14/mutillidae?page=user-info.php http://10.0.2.14/mutillidae?page=login.php http://10.0.2.14/mutillidae?page=credits.php http://10.0.2.14/mutillidae?page=source-viewer.php http://10.0.2.14/mutillidae/documentation/mutillidae-installation-on-xampp-win7.pdf http://10.0.2.14/mutillidae?page=register.php root@kali:~/PycharmProjects/vulnerability-scanner#
When i run the spider alone i get full results.
Please advise
Thanks
July 21, 2020 at 3:39 am #42750Diego PérezModeratorHi Peter!
Can you add a froward slash at the end of the URL? I mean after mutillidae.Let me know how it goes!
DiegoJuly 22, 2020 at 6:26 pm #42844Peter QueenParticipantHello Diego,
Yes it was a the / the was missing, I now run into another error:
#!/usr/bin/env python import requests import re import urllib.parse as urlparse from bs4 import BeautifulSoup class Scanner: def __init__(self, url, ignore_links): self.session = requests.Session() self.target_url = url self.target_links = [] self.links_to_ignore = ignore_links def extract_links_from(self, url): response = self.session.get(url) return re.findall('(?:href=")(.*?)"', response.content.decode(errors="ignore")) # response.content.decode(ignore="error)) def crawl(self, url=None): if url == None: url =self.target_url href_links = self.extract_links_from(url) for link in href_links: link = urlparse.urljoin(url, link) if "#" in link: link = link.split("#")[0] if self.target_url in link and link not in self.target_links and link not in self.links_to_ignore: self.target_links.append(link) print(link) self.crawl(link) def extract_forms(self,url): response = self.session.get(url) parsed_html = BeautifulSoup(response.content, features="lxml") return parsed_html.find_all("form") def submit_form(self, form, value, url): action = form.get("action") post_url = urlparse.urljoin(url, action) method = form.get("method") inputs_list = form.find_all("input") post_data = {} for input in inputs_list: input_name = input.get("name") input_type = input.get("type") input_value = input.get("value") if input_type == "text": input_value = value post_data[input_name] = input_value if method == "post": return self.session.post(post_url, data=post_data) return self.session.get(post_url, params=post_data) def run_scanner(self): for link in self.target_links: forms = self.extract_forms(link) for form in forms: print("[+] Testing form in " + link) is_vulnerable_to_xss = self.test_xxs_in_form(form, link) if is_vulnerable_to_xss: print("[****] XXS discovered in " + link + "in the following form") print(form) if "=" in link: print("\n\n[+] Testing " + link) is_vulnerable_to_xss = self.test_xxs_in_link(link) if is_vulnerable_to_xss: print("[****] XXS discovered in " + link ) def test_xxs_in_link(self,url): xxs_test_script = "<sCript>alert('test')</scriPt>" url = url.replace("=", "=" + xxs_test_script) response = self.session.get(url) return xxs_test_script.encode() in response.content def test_xxs_in_form(self, form, url): xxs_test_script = "<sCript>alert('test')</scriPt>" response = self.submit_form(form, xxs_test_script, url) return xxs_test_script.encode() in response.content
#!/usr/bin/env python import scanner target_url = "http://10.0.2.14/dvwa/" links_to_ignore =["http://10.0.2.14/dvwa/logout.php"] data_dict = {"username": "admin", "password": "password", "Login": "submit"} vuln_scanner = scanner.Scanner(target_url, links_to_ignore) vuln_scanner.session.post("http://10.0.2.14/dvwa/login.php", data=data_dict) vuln_scanner.crawl() vuln_scanner.run_scanner()
Error:
root@kali:~/PycharmProjects/vulnerability-scanner# python3 vulnerability_scanner.py http://10.0.2.14/dvwa/dvwa/css/main.css http://10.0.2.14/dvwa/favicon.ico http://10.0.2.14/dvwa/ http://10.0.2.14/dvwa/instructions.php http://10.0.2.14/dvwa/setup.php http://10.0.2.14/dvwa/vulnerabilities/brute/ http://10.0.2.14/dvwa/vulnerabilities/exec/ http://10.0.2.14/dvwa/vulnerabilities/csrf/ http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php http://10.0.2.14/dvwa/vulnerabilities/sqli/ http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/ http://10.0.2.14/dvwa/vulnerabilities/upload/ http://10.0.2.14/dvwa/vulnerabilities/xss_r/ http://10.0.2.14/dvwa/vulnerabilities/xss_s/ http://10.0.2.14/dvwa/security.php http://10.0.2.14/dvwa/phpinfo.php http://10.0.2.14/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 http://10.0.2.14/dvwa/about.php http://10.0.2.14/dvwa/instructions.php?doc=PHPIDS-license http://10.0.2.14/dvwa/instructions.php?doc=readme http://10.0.2.14/dvwa/instructions.php?doc=changelog http://10.0.2.14/dvwa/instructions.php?doc=copying http://10.0.2.14/dvwa/security.php?phpids=on http://10.0.2.14/dvwa/security.php?phpids=off http://10.0.2.14/dvwa/security.php?test=%22><script>eval(window.name)</script> http://10.0.2.14/dvwa/ids_log.php [+] Testing form in http://10.0.2.14/dvwa/setup.php [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/brute/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/exec/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/csrf/ [+] Testing http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/upload/ Traceback (most recent call last): File "vulnerability_scanner.py", line 13, in <module> vuln_scanner.run_scanner() File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 66, in run_scanner is_vulnerable_to_xss = self.test_xxs_in_form(form, link) File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 87, in test_xxs_in_form return xxs_test_script.encode() in response.content AttributeError: 'NoneType' object has no attribute 'content' root@kali:~/PycharmProjects/vulnerability-scanner#
I could not work out, the same code few lines above doesn’t give an error.
If I may I have a suggestion, I have done a Python course on Udemy and there was the possibility to download the source code of what we were learning, it was easier like this to spot typo by our self.
Thanks
July 23, 2020 at 4:45 am #42870Diego PérezModeratorHi Peter!
In the return of extract_forms function you are using find_all and it should be findAll. An I see it also in the next fuction. So cahnge it and let meknow how it works.
There’s no such database of scripts because this will make a lot of students to cheat, so the best learning experience is to fail and solve the error.Hope it helps!
DiegoJuly 23, 2020 at 9:36 am #42879Peter QueenParticipantHello Diego,
I think with this version of BeautifulSoup i need to use find_all, see the error i get with findALL:
`root@kali:~/PycharmProjects/vulnerability-scanner# python3 vulnerability_scanner.py
http://10.0.2.14/dvwa/dvwa/css/main.css
http://10.0.2.14/dvwa/favicon.ico
http://10.0.2.14/dvwa/
http://10.0.2.14/dvwa/instructions.php
http://10.0.2.14/dvwa/setup.php
http://10.0.2.14/dvwa/vulnerabilities/brute/
http://10.0.2.14/dvwa/vulnerabilities/exec/
http://10.0.2.14/dvwa/vulnerabilities/csrf/
http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php
http://10.0.2.14/dvwa/vulnerabilities/sqli/
http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/
http://10.0.2.14/dvwa/vulnerabilities/upload/
http://10.0.2.14/dvwa/vulnerabilities/xss_r/
http://10.0.2.14/dvwa/vulnerabilities/xss_s/
http://10.0.2.14/dvwa/security.php
http://10.0.2.14/dvwa/phpinfo.php
http://10.0.2.14/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
http://10.0.2.14/dvwa/about.php
http://10.0.2.14/dvwa/instructions.php?doc=PHPIDS-license
http://10.0.2.14/dvwa/instructions.php?doc=readme
http://10.0.2.14/dvwa/instructions.php?doc=changelog
http://10.0.2.14/dvwa/instructions.php?doc=copying
http://10.0.2.14/dvwa/security.php?phpids=on
http://10.0.2.14/dvwa/security.php?phpids=off
http://10.0.2.14/dvwa/security.php?test=%22><script>eval(window.name)</script>
http://10.0.2.14/dvwa/ids_log.php
Traceback (most recent call last):
File “vulnerability_scanner.py”, line 13, in <module>
vuln_scanner.run_scanner()
File “/root/PycharmProjects/vulnerability-scanner/scanner.py”, line 63, in run_scanner
forms = self.extract_forms(link)
File “/root/PycharmProjects/vulnerability-scanner/scanner.py”, line 39, in extract_forms
return parsed_html.findALL(“form”) # find_all
TypeError: ‘NoneType’ object is not callable
root@kali:~/PycharmProjects/vulnerability-scanner#July 23, 2020 at 9:39 am #42880Peter QueenParticipantsee here:
Since html.parser is not the same parser as SGMLParser, you may find that Beautiful Soup 4 gives you a different parse tree than Beautiful Soup 3 for the same markup. If you swap out html.parser for lxml or html5lib, you may find that the parse tree changes yet again. If this happens, you’ll need to update your scraping code to deal with the new tree.
Method namesrenderContents -> encode_contents
replaceWith -> replace_with
replaceWithChildren -> unwrap
findAll -> find_all
findAllNext -> find_all_next
findAllPrevious -> find_all_previous
findNext -> find_next
findNextSibling -> find_next_sibling
findNextSiblings -> find_next_siblings
findParent -> find_parent
findParents -> find_parents
findPrevious -> find_previous
findPreviousSibling -> find_previous_sibling
findPreviousSiblings -> find_previous_siblings
getText -> get_textJuly 24, 2020 at 4:09 am #42923Diego PérezModeratorHi Peter!
In any case you wrote ALL with all capitals, you should use All instead. I’m using Beautifulsoup 4 and it’s working fine.
Can you try it with the proper syntax?Let me know how it goes!
DiegoJuly 24, 2020 at 9:59 am #42938Peter QueenParticipantHi Diego!
I tried the findAll and I get the same error as I get with find_all:
root@kali:~/PycharmProjects/vulnerability-scanner# python3 vulnerability_scanner.py http://10.0.2.14/dvwa/dvwa/css/main.css http://10.0.2.14/dvwa/favicon.ico http://10.0.2.14/dvwa/ http://10.0.2.14/dvwa/instructions.php http://10.0.2.14/dvwa/setup.php http://10.0.2.14/dvwa/vulnerabilities/brute/ http://10.0.2.14/dvwa/vulnerabilities/exec/ http://10.0.2.14/dvwa/vulnerabilities/csrf/ http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php http://10.0.2.14/dvwa/vulnerabilities/sqli/ http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/ http://10.0.2.14/dvwa/vulnerabilities/upload/ http://10.0.2.14/dvwa/vulnerabilities/xss_r/ http://10.0.2.14/dvwa/vulnerabilities/xss_s/ http://10.0.2.14/dvwa/security.php http://10.0.2.14/dvwa/phpinfo.php http://10.0.2.14/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 http://10.0.2.14/dvwa/about.php http://10.0.2.14/dvwa/instructions.php?doc=PHPIDS-license http://10.0.2.14/dvwa/instructions.php?doc=readme http://10.0.2.14/dvwa/instructions.php?doc=changelog http://10.0.2.14/dvwa/instructions.php?doc=copying http://10.0.2.14/dvwa/security.php?phpids=on http://10.0.2.14/dvwa/security.php?phpids=off http://10.0.2.14/dvwa/security.php?test=%22><script>eval(window.name)</script> http://10.0.2.14/dvwa/ids_log.php [+] Testing form in http://10.0.2.14/dvwa/setup.php [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/brute/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/exec/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/csrf/ [+] Testing http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/ [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/upload/ Traceback (most recent call last): File "vulnerability_scanner.py", line 13, in <module> vuln_scanner.run_scanner() File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 66, in run_scanner is_vulnerable_to_xss = self.test_xxs_in_form(form, link) File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 87, in test_xxs_in_form return xxs_test_script.encode() in response.content AttributeError: 'NoneType' object has no attribute 'content'
any suggestions? thanks!
July 26, 2020 at 4:28 am #43047Diego PérezModeratorHi Peter!
It looks like this part of the submit_form function has an extra indentation:
if method == "post": return self.session.post(post_url, data=post_data) return self.session.get(post_url, params=post_data)
It should be at the same lave as for loop, not inside of it.
Let me know how it goes!
DiegoJuly 26, 2020 at 9:27 am #43067Peter QueenParticipantHi Diego,
I fixed the code but I still get the exact same error.
July 27, 2020 at 3:55 am #43111Diego PérezModeratorHi!
Can you share your fixed code?Thanks!
DiegoJuly 27, 2020 at 9:20 am #43129Peter QueenParticipantHello Diego,
here is the code:
#!/usr/bin/env python import requests import re import urllib.parse as urlparse from bs4 import BeautifulSoup class Scanner: def __init__(self, url, ignore_links): self.session = requests.Session() self.target_url = url self.target_links = [] self.links_to_ignore = ignore_links def extract_links_from(self, url): response = self.session.get(url) return re.findall('(?:href=")(.*?)"', response.content.decode(errors="ignore")) # response.content.decode(ignore="error)) def crawl(self, url=None): if url == None: url =self.target_url href_links = self.extract_links_from(url) for link in href_links: link = urlparse.urljoin(url, link) if "#" in link: link = link.split("#")[0] if self.target_url in link and link not in self.target_links and link not in self.links_to_ignore: self.target_links.append(link) print(link) self.crawl(link) def extract_forms(self,url): response = self.session.get(url) parsed_html = BeautifulSoup(response.content, features="lxml") return parsed_html.findAll("form") def submit_form(self, form, value, url): action = form.get("action") post_url = urlparse.urljoin(url, action) method = form.get("method") inputs_list = form.findAll("input") post_data = {} for input in inputs_list: input_name = input.get("name") input_type = input.get("type") input_value = input.get("value") if input_type == "text": input_value = value post_data[input_name] = input_value if method == "post": return self.session.post(post_url, data=post_data) return self.session.get(post_url, params=post_data) def run_scanner(self): for link in self.target_links: forms = self.extract_forms(link) for form in forms: print("[+] Testing form in " + link) is_vulnerable_to_xss = self.test_xxs_in_form(form, link) if is_vulnerable_to_xss: print("[****] XXS discovered in " + link + "in the following form") print(form) if "=" in link: print("\n\n[+] Testing " + link) is_vulnerable_to_xss = self.test_xxs_in_link(link) if is_vulnerable_to_xss: print("[****] XXS discovered in " + link ) def test_xxs_in_link(self,url): xxs_test_script = "<sCript>alert('test')</scriPt>" url = url.replace("=", "=" + xxs_test_script) response = self.session.get(url) return xxs_test_script.encode() in response.content def test_xxs_in_form(self, form, url): xxs_test_script = "<sCript>alert('test')</scriPt>" response = self.submit_form(form, xxs_test_script, url) return xxs_test_script.encode() in response.content
July 28, 2020 at 3:57 am #43177Diego PérezModeratorHi Peter!
You haven’t corrected the code as I told you, you just remove an indentation from one return and not the whole block that I pointed to, so yeah, the result will be exactly the same. So try to do as I suggested to.Let me know how it goes!
Diego - AuthorPosts
- You must be logged in to reply to this topic.