Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #42713
    Peter QueenPeter Queen
    Participant

    Hello Diego,

    When i run the vulnerability scanner

    #!/usr/bin/env python
    
    import requests
    import re
    import urlparse
    
    class Scanner:
        def __init__(self, url):
            self.target_url = url
            self.target_links = []
    
        def extract_links_from(self, url):
            response = requests.get(url)
            return re.findall('(?:href=")(.*?)"', response.content)  # response.content.decode(ignore="error))
    
        def crawl(self, url):
            href_links = self.extract_links_from(url)
            for link in href_links:
                link = urlparse.urljoin(url, link)
    
                if "#" in link:
                    link = link.split("#")[0]
    
                if self.target_url in link and link not in self.target_links:
                    self.target_links.append(link)
                    print(link)
                    self.crawl(link)
    #!/usr/bin/env python
    
    import scanner
    
    target_url = "http://10.0.2.14/mutillidae"
    vuln_scanner = scanner.Scanner(target_url)
    vuln_scanner.crawl(target_url)

    I only get those results:

    [email protected]:~/PycharmProjects/vulnerability-scanner# python vulnerability_scanner.py 
    http://10.0.2.14/mutillidae
    http://10.0.2.14/mutillidae?page=add-to-your-blog.php
    http://10.0.2.14/mutillidae?page=view-someones-blog.php
    http://10.0.2.14/mutillidae?page=show-log.php
    http://10.0.2.14/mutillidae?page=text-file-viewer.php
    http://10.0.2.14/mutillidae?page=user-info.php
    http://10.0.2.14/mutillidae?page=login.php
    http://10.0.2.14/mutillidae?page=credits.php
    http://10.0.2.14/mutillidae?page=source-viewer.php
    http://10.0.2.14/mutillidae/documentation/mutillidae-installation-on-xampp-win7.pdf
    http://10.0.2.14/mutillidae?page=register.php
    [email protected]:~/PycharmProjects/vulnerability-scanner#

    When i run the spider alone i get full results.

    Please advise

    Thanks

    #42750
    diegodiego
    Moderator

    Hi Peter!
    Can you add a froward slash at the end of the URL? I mean after mutillidae.

    Let me know how it goes!
    Diego

    #42844
    Peter QueenPeter Queen
    Participant

    Hello Diego,

    Yes it was a the / the was missing, I now run into another error:

    #!/usr/bin/env python
    
    import requests
    import re
    import urllib.parse as urlparse
    from bs4 import BeautifulSoup
    
    class Scanner:
        def __init__(self, url, ignore_links):
            self.session = requests.Session()
            self.target_url = url
            self.target_links = []
            self.links_to_ignore = ignore_links
    
        def extract_links_from(self, url):
            response = self.session.get(url)
            return re.findall('(?:href=")(.*?)"', response.content.decode(errors="ignore"))  # response.content.decode(ignore="error))
    
        def crawl(self, url=None):
            if url == None:
                url =self.target_url
    
            href_links = self.extract_links_from(url)
            for link in href_links:
                link = urlparse.urljoin(url, link)
    
                if "#" in link:
                    link = link.split("#")[0]
    
                if self.target_url in link and link not in self.target_links and link not in self.links_to_ignore:
                    self.target_links.append(link)
                    print(link)
                    self.crawl(link)
    
        def extract_forms(self,url):
            response = self.session.get(url)
            parsed_html = BeautifulSoup(response.content, features="lxml")
            return parsed_html.find_all("form")
    
        def submit_form(self, form, value, url):
            action = form.get("action")
            post_url = urlparse.urljoin(url, action)
            method = form.get("method")
    
            inputs_list = form.find_all("input")
            post_data = {}
            for input in inputs_list:
                input_name = input.get("name")
                input_type = input.get("type")
                input_value = input.get("value")
                if input_type == "text":
                    input_value = value
    
                post_data[input_name] = input_value
                if method == "post":
                    return self.session.post(post_url, data=post_data)
                return self.session.get(post_url, params=post_data)
    
        def run_scanner(self):
            for link in self.target_links:
                forms = self.extract_forms(link)
                for form in forms:
                    print("[+] Testing form in " + link)
                    is_vulnerable_to_xss = self.test_xxs_in_form(form, link)
                    if is_vulnerable_to_xss:
                        print("[****] XXS discovered in " + link + "in the following form")
                        print(form)
    
                if  "=" in link:
                    print("\n\n[+] Testing  " + link)
                    is_vulnerable_to_xss = self.test_xxs_in_link(link)
                    if is_vulnerable_to_xss:
                        print("[****] XXS discovered in " + link )
    
        def test_xxs_in_link(self,url):
            xxs_test_script = "<sCript>alert('test')</scriPt>"
            url = url.replace("=", "=" + xxs_test_script)
            response = self.session.get(url)
            return xxs_test_script.encode() in response.content
    
        def test_xxs_in_form(self, form, url):
            xxs_test_script = "<sCript>alert('test')</scriPt>"
            response = self.submit_form(form, xxs_test_script, url)
            return xxs_test_script.encode() in response.content
    #!/usr/bin/env python
    
    import scanner
    
    target_url = "http://10.0.2.14/dvwa/"
    links_to_ignore =["http://10.0.2.14/dvwa/logout.php"]
    data_dict = {"username": "admin", "password": "password", "Login": "submit"}
    
    vuln_scanner = scanner.Scanner(target_url, links_to_ignore)
    vuln_scanner.session.post("http://10.0.2.14/dvwa/login.php", data=data_dict)
    
    vuln_scanner.crawl()
    vuln_scanner.run_scanner()

    Error:

    [email protected]:~/PycharmProjects/vulnerability-scanner# python3 vulnerability_scanner.py 
    http://10.0.2.14/dvwa/dvwa/css/main.css
    http://10.0.2.14/dvwa/favicon.ico
    http://10.0.2.14/dvwa/
    http://10.0.2.14/dvwa/instructions.php
    http://10.0.2.14/dvwa/setup.php
    http://10.0.2.14/dvwa/vulnerabilities/brute/
    http://10.0.2.14/dvwa/vulnerabilities/exec/
    http://10.0.2.14/dvwa/vulnerabilities/csrf/
    http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php
    http://10.0.2.14/dvwa/vulnerabilities/sqli/
    http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/
    http://10.0.2.14/dvwa/vulnerabilities/upload/
    http://10.0.2.14/dvwa/vulnerabilities/xss_r/
    http://10.0.2.14/dvwa/vulnerabilities/xss_s/
    http://10.0.2.14/dvwa/security.php
    http://10.0.2.14/dvwa/phpinfo.php
    http://10.0.2.14/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    http://10.0.2.14/dvwa/about.php
    http://10.0.2.14/dvwa/instructions.php?doc=PHPIDS-license
    http://10.0.2.14/dvwa/instructions.php?doc=readme
    http://10.0.2.14/dvwa/instructions.php?doc=changelog
    http://10.0.2.14/dvwa/instructions.php?doc=copying
    http://10.0.2.14/dvwa/security.php?phpids=on
    http://10.0.2.14/dvwa/security.php?phpids=off
    http://10.0.2.14/dvwa/security.php?test=%22><script>eval(window.name)</script>
    http://10.0.2.14/dvwa/ids_log.php
    [+] Testing form in http://10.0.2.14/dvwa/setup.php
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/brute/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/exec/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/csrf/
    
    [+] Testing  http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/upload/
    Traceback (most recent call last):
      File "vulnerability_scanner.py", line 13, in <module>
        vuln_scanner.run_scanner()
      File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 66, in run_scanner
        is_vulnerable_to_xss = self.test_xxs_in_form(form, link)
      File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 87, in test_xxs_in_form
        return xxs_test_script.encode() in response.content
    AttributeError: 'NoneType' object has no attribute 'content'
    [email protected]:~/PycharmProjects/vulnerability-scanner# 

    I could not work out, the same code few lines above doesn’t give an error.

    If I may I have a suggestion, I have done a Python course on Udemy and there was the possibility to download the source code of what we were learning, it was easier like this to spot typo by our self.

    Thanks

    #42870
    diegodiego
    Moderator

    Hi Peter!
    In the return of extract_forms function you are using find_all and it should be findAll. An I see it also in the next fuction. So cahnge it and let meknow how it works.
    There’s no such database of scripts because this will make a lot of students to cheat, so the best learning experience is to fail and solve the error.

    Hope it helps!
    Diego

    #42879
    Peter QueenPeter Queen
    Participant

    Hello Diego,

    I think with this version of BeautifulSoup i need to use find_all, see the error i get with findALL:

    `[email protected]:~/PycharmProjects/vulnerability-scanner# python3 vulnerability_scanner.py
    http://10.0.2.14/dvwa/dvwa/css/main.css
    http://10.0.2.14/dvwa/favicon.ico
    http://10.0.2.14/dvwa/
    http://10.0.2.14/dvwa/instructions.php
    http://10.0.2.14/dvwa/setup.php
    http://10.0.2.14/dvwa/vulnerabilities/brute/
    http://10.0.2.14/dvwa/vulnerabilities/exec/
    http://10.0.2.14/dvwa/vulnerabilities/csrf/
    http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php
    http://10.0.2.14/dvwa/vulnerabilities/sqli/
    http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/
    http://10.0.2.14/dvwa/vulnerabilities/upload/
    http://10.0.2.14/dvwa/vulnerabilities/xss_r/
    http://10.0.2.14/dvwa/vulnerabilities/xss_s/
    http://10.0.2.14/dvwa/security.php
    http://10.0.2.14/dvwa/phpinfo.php
    http://10.0.2.14/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    http://10.0.2.14/dvwa/about.php
    http://10.0.2.14/dvwa/instructions.php?doc=PHPIDS-license
    http://10.0.2.14/dvwa/instructions.php?doc=readme
    http://10.0.2.14/dvwa/instructions.php?doc=changelog
    http://10.0.2.14/dvwa/instructions.php?doc=copying
    http://10.0.2.14/dvwa/security.php?phpids=on
    http://10.0.2.14/dvwa/security.php?phpids=off
    http://10.0.2.14/dvwa/security.php?test=%22><script>eval(window.name)</script&gt;
    http://10.0.2.14/dvwa/ids_log.php
    Traceback (most recent call last):
    File “vulnerability_scanner.py”, line 13, in <module>
    vuln_scanner.run_scanner()
    File “/root/PycharmProjects/vulnerability-scanner/scanner.py”, line 63, in run_scanner
    forms = self.extract_forms(link)
    File “/root/PycharmProjects/vulnerability-scanner/scanner.py”, line 39, in extract_forms
    return parsed_html.findALL(“form”) # find_all
    TypeError: ‘NoneType’ object is not callable
    [email protected]:~/PycharmProjects/vulnerability-scanner#

    #42880
    Peter QueenPeter Queen
    Participant

    see here:

    Since html.parser is not the same parser as SGMLParser, you may find that Beautiful Soup 4 gives you a different parse tree than Beautiful Soup 3 for the same markup. If you swap out html.parser for lxml or html5lib, you may find that the parse tree changes yet again. If this happens, you’ll need to update your scraping code to deal with the new tree.
    Method names

    renderContents -> encode_contents
    replaceWith -> replace_with
    replaceWithChildren -> unwrap
    findAll -> find_all
    findAllNext -> find_all_next
    findAllPrevious -> find_all_previous
    findNext -> find_next
    findNextSibling -> find_next_sibling
    findNextSiblings -> find_next_siblings
    findParent -> find_parent
    findParents -> find_parents
    findPrevious -> find_previous
    findPreviousSibling -> find_previous_sibling
    findPreviousSiblings -> find_previous_siblings
    getText -> get_text

    #42923
    diegodiego
    Moderator

    Hi Peter!

    In any case you wrote ALL with all capitals, you should use All instead. I’m using Beautifulsoup 4 and it’s working fine.
    Can you try it with the proper syntax?

    Let me know how it goes!
    Diego

    #42938
    Peter QueenPeter Queen
    Participant

    Hi Diego!

    I tried the findAll and I get the same error as I get with find_all:

    [email protected]:~/PycharmProjects/vulnerability-scanner# python3 vulnerability_scanner.py 
    http://10.0.2.14/dvwa/dvwa/css/main.css
    http://10.0.2.14/dvwa/favicon.ico
    http://10.0.2.14/dvwa/
    http://10.0.2.14/dvwa/instructions.php
    http://10.0.2.14/dvwa/setup.php
    http://10.0.2.14/dvwa/vulnerabilities/brute/
    http://10.0.2.14/dvwa/vulnerabilities/exec/
    http://10.0.2.14/dvwa/vulnerabilities/csrf/
    http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php
    http://10.0.2.14/dvwa/vulnerabilities/sqli/
    http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/
    http://10.0.2.14/dvwa/vulnerabilities/upload/
    http://10.0.2.14/dvwa/vulnerabilities/xss_r/
    http://10.0.2.14/dvwa/vulnerabilities/xss_s/
    http://10.0.2.14/dvwa/security.php
    http://10.0.2.14/dvwa/phpinfo.php
    http://10.0.2.14/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    http://10.0.2.14/dvwa/about.php
    http://10.0.2.14/dvwa/instructions.php?doc=PHPIDS-license
    http://10.0.2.14/dvwa/instructions.php?doc=readme
    http://10.0.2.14/dvwa/instructions.php?doc=changelog
    http://10.0.2.14/dvwa/instructions.php?doc=copying
    http://10.0.2.14/dvwa/security.php?phpids=on
    http://10.0.2.14/dvwa/security.php?phpids=off
    http://10.0.2.14/dvwa/security.php?test=%22><script>eval(window.name)</script>
    http://10.0.2.14/dvwa/ids_log.php
    [+] Testing form in http://10.0.2.14/dvwa/setup.php
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/brute/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/exec/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/csrf/
    
    [+] Testing  http://10.0.2.14/dvwa/vulnerabilities/fi/?page=include.php
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/sqli_blind/
    [+] Testing form in http://10.0.2.14/dvwa/vulnerabilities/upload/
    Traceback (most recent call last):
      File "vulnerability_scanner.py", line 13, in <module>
        vuln_scanner.run_scanner()
      File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 66, in run_scanner
        is_vulnerable_to_xss = self.test_xxs_in_form(form, link)
      File "/root/PycharmProjects/vulnerability-scanner/scanner.py", line 87, in test_xxs_in_form
        return xxs_test_script.encode() in response.content
    AttributeError: 'NoneType' object has no attribute 'content'

    any suggestions? thanks!

    #43047
    diegodiego
    Moderator

    Hi Peter!

    It looks like this part of the submit_form function has an extra indentation:

    if method == "post":
            return self.session.post(post_url, data=post_data)
    return self.session.get(post_url, params=post_data)

    It should be at the same lave as for loop, not inside of it.

    Let me know how it goes!
    Diego

    #43067
    Peter QueenPeter Queen
    Participant

    Hi Diego,

    I fixed the code but I still get the exact same error.

    #43111
    diegodiego
    Moderator

    Hi!
    Can you share your fixed code?

    Thanks!
    Diego

    #43129
    Peter QueenPeter Queen
    Participant

    Hello Diego,

    here is the code:

    #!/usr/bin/env python
    
    import requests
    import re
    import urllib.parse as urlparse
    from bs4 import BeautifulSoup
    
    class Scanner:
        def __init__(self, url, ignore_links):
            self.session = requests.Session()
            self.target_url = url
            self.target_links = []
            self.links_to_ignore = ignore_links
    
        def extract_links_from(self, url):
            response = self.session.get(url)
            return re.findall('(?:href=")(.*?)"', response.content.decode(errors="ignore"))  # response.content.decode(ignore="error))
    
        def crawl(self, url=None):
            if url == None:
                url =self.target_url
    
            href_links = self.extract_links_from(url)
            for link in href_links:
                link = urlparse.urljoin(url, link)
    
                if "#" in link:
                    link = link.split("#")[0]
    
                if self.target_url in link and link not in self.target_links and link not in self.links_to_ignore:
                    self.target_links.append(link)
                    print(link)
                    self.crawl(link)
    
        def extract_forms(self,url):
            response = self.session.get(url)
            parsed_html = BeautifulSoup(response.content, features="lxml")
            return parsed_html.findAll("form")
    
        def submit_form(self, form, value, url):
            action = form.get("action")
            post_url = urlparse.urljoin(url, action)
            method = form.get("method")
    
            inputs_list = form.findAll("input")
            post_data = {}
            for input in inputs_list:
                input_name = input.get("name")
                input_type = input.get("type")
                input_value = input.get("value")
                if input_type == "text":
                    input_value = value
    
                post_data[input_name] = input_value
                if method == "post":
                    return self.session.post(post_url, data=post_data)
                    return self.session.get(post_url, params=post_data)
    
        def run_scanner(self):
            for link in self.target_links:
                forms = self.extract_forms(link)
                for form in forms:
                    print("[+] Testing form in " + link)
                    is_vulnerable_to_xss = self.test_xxs_in_form(form, link)
                    if is_vulnerable_to_xss:
                        print("[****] XXS discovered in " + link + "in the following form")
                        print(form)
    
                if  "=" in link:
                    print("\n\n[+] Testing  " + link)
                    is_vulnerable_to_xss = self.test_xxs_in_link(link)
                    if is_vulnerable_to_xss:
                        print("[****] XXS discovered in " + link )
    
        def test_xxs_in_link(self,url):
            xxs_test_script = "<sCript>alert('test')</scriPt>"
            url = url.replace("=", "=" + xxs_test_script)
            response = self.session.get(url)
            return xxs_test_script.encode() in response.content
    
        def test_xxs_in_form(self, form, url):
            xxs_test_script = "<sCript>alert('test')</scriPt>"
            response = self.submit_form(form, xxs_test_script, url)
            return xxs_test_script.encode() in response.content
    #43177
    diegodiego
    Moderator

    Hi Peter!
    You haven’t corrected the code as I told you, you just remove an indentation from one return and not the whole block that I pointed to, so yeah, the result will be exactly the same. So try to do as I suggested to.

    Let me know how it goes!
    Diego

Viewing 13 posts - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.