Installation | Usage | waybackurls | SedFilter | WayBackUrls_SedFilter | UniqOnly | URL-Reflected-XSS | Inputs-Reflected-XSS | ByPassTester | LFI
$ git clone https://github.com/LoaiEsam37/Lazyxss
$ cd Lazyxss
$ sudo chmod u+x setup.sh
$ sudo chmod u+x main.py
$ ./setup.sh
$ ./main.py
If you have a problem running ./main.py,
try changing the first line of main.py from #!/bin/bash/python3
to #!/bin/bash/python3.10
It depends on which version you have on your PC.
$ cd
$ nano .bashrc
- Add this line: alias lazyxss='python3 Foo/bar/Lazyxss/main.py'
- Close the terminal and open it again.
- Type
$ lazyxss -h
to display the tool's options and some examples of how to use it.
- There are two ways to use the tool:
- you can use Easy Selection, which looks like this:
$ lazyxss
- or you can pass specific options, like this:
$ lazyxss -t r-xss -f google -o vuln -d 1 -pf Payloads
- Make sure to download waybackurls and put it in
/usr/bin
because this section of my tool depends on it.
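import os
import shlex

def Command(URL, OUTPUT):
    # WayBackUrls: shell-quote both values so metacharacters in them are not interpreted
    os.system(f"echo {shlex.quote(URL)} | waybackurls >> {shlex.quote(OUTPUT)}")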
- Here we can choose the method we will use.
- Let's try the manual option first.
- As you can see, we enter the URL we want waybackurls results for, then the output file.
- Now let's try the file option.
- We made a file that contains 3 targets; let's use waybackurls on it.
- Now we need to prepare the URLs so that payloads can be added to them.
- Take https://www.google.com/#q=Ten+Amoretterobots.txt as an example:
- we need to remove the Ten+Amoretterobots.txt part of the URL, like this:
os.system(f"cat {INPUT} |grep -v 'jpg\|jpeg\|png\|svg' |sed 's/=.*/=/g' |uniq > {OUTPUT}")
- Let's see how to do this with the tool.
- To understand this section, check out WayBackUrls and SedFilter.
- Here we have duplicate URLs.
- Let's see how to do this with the tool.
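The SedFilter and UniqOnly preparation steps in plain Python, as an added example that is not Lazyxss's own code. It goes beyond the shell pipeline above in three ways: it keeps every parameter name (`sed 's/=.*/=/g'` cuts the line at the first `=`), it matches image extensions only at the end of the URL path (`grep -v` drops any line containing the substring), and it removes duplicates wherever they occur (`uniq` only collapses adjacent lines). The function name and the sample URLs other than the google.com one are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Same extensions as the grep -v filter on this page.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".svg")

# Constructed sample input, standing in for a waybackurls output file.
SAMPLE_URLS = [
    "https://www.google.com/#q=Ten+Amoretterobots.txt",
    "https://example.com/search?q=cats&page=2",
    "https://example.com/logo.png?v=3",          # image: dropped
    "https://example.com/search?q=dogs&page=9",  # same shape as line 2
    "https://www.google.com/#q=other",           # non-adjacent duplicate
    "https://example.com/pngtools/view?id=7",    # "png" in path, not an image
]


def prepare_urls(lines):
    """Blank parameter values, drop image URLs, remove duplicates in order."""
    seen = set()
    prepared = []
    for line in lines:
        url = line.strip()
        if not url:
            continue
        # Decide "is an image" from the path only, not from a substring match.
        if urlsplit(url).path.lower().endswith(IMAGE_EXTENSIONS):
            continue
        # Blank each value up to the next '&' or '#', keeping later parameters.
        blanked = re.sub(r"=[^&#]*", "=", url)
        # A set catches duplicates even when they are not on adjacent lines.
        if blanked not in seen:
            seen.add(blanked)
            prepared.append(blanked)
    return prepared


if __name__ == "__main__":
    for prepared_url in prepare_urls(SAMPLE_URLS):
        print(prepared_url)
```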
- This tool is for using your payloads on just the URL parameters.
- This tool is for using your payloads on every input on the website.
- This tool is for using payloads on just the URL parameters.
PAYLOAD = ["\'\'\'\'\'\'", "\"\"\"\"\"\"", ">>>>>>", "<<<<<<", "\\\\\\\\\\\\"]
- The idea here is to try every bypass character on the website.