Creating a Vulnerability Scanner

First of all, we need to get the IP address of Metasploitable by typing ifconfig in it, then put that address into the browser's URL bar. This brings us to the start page, where we need to go to Mutillidae.

Now create a file and call it extract_forms.py; we will use Beautiful Soup to extract useful information from an HTML page.

In case Beautiful Soup does not work for you, install the python-bs4 package. Open your terminal (or Terminator) and type: apt-get install python-bs4 (Python 2) or apt-get install python3-bs4 (Python 3). If you run into problems, the package's site has the full installation instructions and the solutions to common errors.

Now, after we have set the “target_url”, deleted “print(response.content)” and added the Beautiful Soup parse, we should get a result like the one below.

If we inspect the “DNS Lookup” page, we can find the elements we are interested in:

Let's extract the HTML attributes from the rows and tables. Replace “print(form)” and “print(form_list)” with “action = form.get("action")” and “print(action)”. You will see a small difference in the screenshots below:

And now let’s do the changes:

After running “extract_forms.py” I need to do an important thing:

I want to get the method, and after I added the method variable and ran “extract_forms.py” I get “post”.

Now we add “print(input_name)” so the names of the inputs are shown in Terminator, and that is all we need at the moment:

Next you need to add the URL parse library (urlparse), which gives you the full URL to post to. Update your program so it looks like this:

Okay, now we create a dictionary and a loop. For this we remove all the “print” commands; we need to find out the input types, values and names, and for that we need an IF statement:

From here we need the name, value and type.
We have created the data dictionary (the post data) and looped over all of our inputs, so we are ready to submit the form with “requests.post” using the parsed URL and the data dictionary.

If we test it with “test” in the input box, we get a message. Let's turn our “requests.post” call into a result variable. Now if we run it, it works as it should.
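The extract_forms.py steps above (find the forms, read action and method, loop over the inputs, build the data dictionary and the full post URL), as an added example that is not the tutorial's code. It uses the standard-library html.parser in place of Beautiful Soup so it runs offline, and the HTML and the 10.0.2.4 address are constructed to resemble the Mutillidae DNS Lookup form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed HTML resembling the Mutillidae "DNS Lookup" form (not captured from a real VM).
SAMPLE_PAGE = """
<form action="index.php?page=dns-lookup.php" method="post">
  <input type="hidden" name="page" value="dns-lookup.php">
  <input type="text" name="target_host" value="">
  <input type="submit" name="dns-lookup-php-submit-button" value="Lookup DNS">
</form>
"""


class FormParser(HTMLParser):
    """Collects each <form> with its action, method and <input> attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action"),
                               "method": (attrs.get("method") or "get").lower(),
                               "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append({"name": attrs.get("name"),
                                             "type": attrs.get("type") or "text",
                                             "value": attrs.get("value") or ""})


def extract_forms(page_html):
    """Return every form on the page, like soup.findAll("form") in the tutorial."""
    parser = FormParser()
    parser.feed(page_html)
    return parser.forms


def build_post_data(form, page_url, test_value):
    """Resolve the action against the page URL (urlparse.urljoin in the tutorial)
    and fill text inputs with test_value, keeping hidden/submit values as served."""
    post_url = urljoin(page_url, form["action"])
    data = {}
    for inp in form["inputs"]:
        if inp["name"] is None:
            continue
        data[inp["name"]] = test_value if inp["type"] == "text" else inp["value"]
    return post_url, data
```

With a real target, `requests.post(post_url, data=data)` sends exactly what the browser would, including the hidden and submit values the page supplied.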

Scanner

Now let's make a scanner that discovers vulnerabilities and analyses the response.

Create a file called “scanner.py” and another called “vulnerability_scanner.py”.

After adding the Scanner class we need to add the “__init__” method. We need the program to search all the pages of a website.

The next stage is pretty easy: we need to add “self” and “target_url” to the class method, you also need to “import re” and “import urlparse”, and you have to fix “crawl” because it is underlined in red:

And here, as you can see, we added an empty list “self.target_links = []”, because target_links will hold the list of links extracted from “target_url”.

Now we need to set “vuln_scanner = scanner.Scanner” (with a capital “S”). We also create the “target_url” variable with the website's URL and pass it in as the input; I took the screenshot too soon, so on the 7th row there is no “target_url” in the brackets.

After testing, the code should work; if not, check that you wrote everything correctly. We should not have “target_url” in both the class and crawl, but we can't delete it from “self” because we still need it, so just give “url” the default value “None”.

At the top is how your scanner should look in PyCharm, and below it in Terminator:

If our website has a login page, our crawler might miss it, along with the additional functionality behind it that we could test.

So now we need to add something new to our crawler: we send the “requests” in a “session”:

To stay logged in we change “requests.post” to “session.post”; we don't need the “response” anymore, and because we now specify the “login_url” rather than the “target_url”, we can delete “import requests”.

Now almost everything works; we just need to fix one thing. Every time we run a scan we get logged out, because the crawler follows the logout link like any other link. For this we add a new variable, “links_to_ignore”.

Now we are done; here are screenshots of how it should look at the end:
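The crawl loop with “target_links” and “links_to_ignore” described above, as an added example that is not the tutorial's code. The mini-site, the 10.0.2.4 address and the fake_get fetcher are constructed so it runs offline; in a real run fetch would be requests.Session().get and the response body its .content.

```python
import re
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed mini-site (URL -> HTML), with a logout link and an external link.
FAKE_SITE = {
    "http://10.0.2.4/dvwa/": '<a href="index.php">home</a> <a href="vulnerabilities/xss_r/">xss</a>',
    "http://10.0.2.4/dvwa/index.php": '<a href="logout.php">logout</a> <a href="/dvwa/about.php">about</a>',
    "http://10.0.2.4/dvwa/vulnerabilities/xss_r/": '<a href="../xss_s/">stored</a> <a href="http://example.com/">ext</a>',
    "http://10.0.2.4/dvwa/vulnerabilities/xss_s/": '<a href="?page=2#top">page 2</a>',
}


def fake_get(url):
    """Stands in for requests.Session().get(url).content; unknown pages are empty."""
    return FAKE_SITE.get(url, "")


class Scanner:
    def __init__(self, url, ignore_links, fetch=fake_get):
        self.session_get = fetch
        self.target_url = url
        self.target_links = []
        self.links_to_ignore = ignore_links

    def extract_links_from(self, url):
        response = self.session_get(url)
        return re.findall(r'(?:href=")(.*?)"', response)

    def crawl(self, url=None):
        url = url or self.target_url
        for link in self.extract_links_from(url):
            link = urljoin(url, link)
            link, _fragment = urldefrag(link)   # "#top" is the same page
            if urlparse(link).netloc != urlparse(self.target_url).netloc:
                continue   # stay on the target host
            if link in self.target_links or link in self.links_to_ignore:
                continue   # already crawled, or the logout link
            self.target_links.append(link)
            self.crawl(link)
```

Passing the logout URL in ignore_links keeps the session alive for the whole crawl; the host check keeps the crawler from wandering off the target.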

PowerPoint Part 2

We have built a program that extracts forms; now we go to “scanner” to modify the class and import “BeautifulSoup” there, which will help extract the forms.

Now we create a method, “extract_forms”, which takes “(self, url)”; it needs to return all the forms in the given URL when it finishes executing.

An important thing is not to forget to change “response = requests.get(target_url)” to “response = self.session.get(url)”, and to return all elements with the “form” tag.

To be able to submit these forms, I need to create a method. It takes the form we want to submit, the values we want to set the inputs to, and the URL the form was extracted from. So I am going to copy and paste what we have already created.

It should be “submit_form”, not “for”.

Now we change “target_url” to “url”, because it will be passed to this method through the “url” variable; change “test” to “value” in “input_value”; and return the result instead of assigning it with “=”. We already stored the “method” variable, and I will check “if method == "post":”; in that case it returns the post made as part of the session. If it is not “post” then it will “return self.session.get”.

At this step we change “vuln_scanner.py” to call “.extract_forms”. As you can see here, I added the URL into the parentheses to extract the form from this address:

After running it you will see that we have a list containing one element, which is the form. The value you submit is submitted as if you were on the page.

Now we add “def run_scanner(self):” and write code to iterate over each link in the target links list, extract the forms for each link, and test both the forms and the link.

XSS allows an attacker to inject JavaScript into a web page. Go to your DVWA and set the security to low (go to DVWA Security).

You can inject into the text boxes here and the page displays your name, for example “Hello Name”. As you can see, the URL is a GET request, so you can inject there as well. Now inject a very simple piece of JavaScript like the one below:

After you click on the “XSS stored” link you can see that this page lets you leave a message for others. Your script can be placed there, and anyone who views the page runs the code, because it is served back from the database, so the alert box appears instead of the message.

Next, visit beefproject.com and download the BeEF XSS Framework. Everyone who visits a hooked page will be hooked into BeEF, and we can run any of the commands BeEF offers. If you don't have it yet, copy the hook URL http://IP:3000/hook.js into a script tag and inject it into a web page like the alert script.

After doing this, make sure the security is set to low.

Write a name and paste the hook that we got from the terminal, but modify it to include your IP address instead of “<IP>”.

Add the closing script tag </script> at the end.

If you don't know how to find your IP address, go to your terminal and type ifconfig as shown below:

Now we implement a method to scan for vulnerabilities automatically in all the pages of the target website. But before that we need to go to Metasploitable and change the default security setting from high to medium, because the high setting protects the website from XSS. So all we do is write the following:

sudo – runs the command as admin; you will be asked for your password before the file opens
nano – the text editor that opens the file

Scroll down and change high to medium, press CTRL+X, then “Y” for yes and Enter. All done; now we go back to Kali.

Now we want to send a test script to check whether the target is vulnerable or not, using the simple alert script. We then send a request to the form submitting this value as input: the inputs are the “form”, the value “xxs_test_script” and the “url” of the form. The result is stored in “response”.

Now if we test the HTML page it will not work; it displays only “Hello alert('test')”. This is because the security level is set to medium.

We need to modify the payload to get past the filter, which we do by changing some letters to capitals. Now when we submit it, it works:

If we inspect these elements we can see the test script. We should say that if our “xxs_test_script” is in “response.content” then we “return True”.

We know that the extracted form is stored in “forms[0]”, so we don't have to call “submit_form” ourselves: we already hand the form to “test_xxs_in_form” to test it, and we already have the “url” that contains the form, so we can delete “testtest”. The result is stored in “response” and it is either true or not, so we can remove “content”. Now if we run “vulnerability_scanner.py” it works and should look like the one below:

Now “url” is set to “url.replace”, replacing each “=” with “=” plus “xxs_test_script”, so the “=” is kept and the test script is appended after it. We then use a simple “get” request on the “url” input as part of our session to obtain the response. Finally, if “xxs_test_script” is in the response then we return “True”.

At this step we change “test_xxs_in_form” to “test_xxs_in_link”, delete “forms[0]” from row 17 and “print(forms)” from row 16. You can see the changes below:

So if we run the program now, it shows us “True”:

Now we replace “if xss_test_script in response.content:” with “return xss_test_script in response.content”.

Python will now evaluate whether “xss_test_script” is in “response.content” and tell us whether it is “True” or “False”.
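The “test_xxs_in_form” and “test_xxs_in_link” checks described above, as an added example that is not the tutorial's code. The FakeSession, the two constructed pages and the 10.0.2.4 address are assumptions that let it run offline: one page echoes input unescaped (what the check is meant to catch) and the other applies output encoding, so the same marker comes back escaped and the check correctly returns False.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

XSS_TEST_SCRIPT = "<sCript>alert('test')</scriPt>"   # mixed case, as in the tutorial


def vulnerable_app(params):
    """Constructed page that echoes the 'name' parameter unescaped."""
    return "<pre>Hello " + params.get("name", [""])[0] + "</pre>"


def hardened_app(params):
    """The same page with output encoding: the marker comes back, but escaped."""
    return "<pre>Hello " + html.escape(params.get("name", [""])[0]) + "</pre>"


class FakeSession:
    """Stands in for requests.Session; returns the response body as a string."""
    def __init__(self, app):
        self.app = app
    def get(self, url):
        return self.app(parse_qs(urlparse(url).query))
    def post(self, url, data):
        return self.app({k: [v] for k, v in data.items()})


class Scanner:
    def __init__(self, session):
        self.session = session

    def submit_form(self, form, value, url):
        data = {i["name"]: value for i in form["inputs"] if i["type"] == "text"}
        if form["method"] == "post":
            return self.session.post(url, data=data)
        return self.session.get(url + "?" + urlencode(data))

    def test_xss_in_form(self, form, url):
        response = self.submit_form(form, XSS_TEST_SCRIPT, url)
        return XSS_TEST_SCRIPT in response   # raw reflection: the filter did not stop it

    def test_xss_in_link(self, url):
        url = url.replace("=", "=" + XSS_TEST_SCRIPT)   # append the marker to every parameter
        response = self.session.get(url)
        return XSS_TEST_SCRIPT in response
```

Because the check looks for the exact marker, an escaped reflection (`&lt;sCript&gt;`) is not reported, which is the behaviour you want once the application encodes its output.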

Now we open the “run_scanner” method and do the last few things there:

There we create a new variable: “is_vulnerable_to_xxs = self.test_xxs_in_forms(forms, links)”. Then we add an IF statement so that it prints “XSS Discovered in link and in the following form” if it is vulnerable.

Now we delete rows 14, 15, 16 and 17 from “vulnerability_scanner.py”:

And instead write “vuln_scanner.crawl()” on row 14 and “vuln_scanner.run_scanner()” on row 15.

After all these steps your scanner will crawl the site, build a list of links automatically, test those links and their forms, and discover XSS vulnerabilities.

I hope this tutorial will help you to create a vulnerability scanner.