Installation | Usage | waybackurls | SedFilter | WayBackUrls_SedFilter | UniqOnly | URL-Reflected-XSS | Inputs-Reflected-XSS | ByPassTester | LFI
$ git clone https://github.com/LoaiEsam37/Lazyxss
$ cd Lazyxss
$ sudo chmod u+x setup.sh
$ sudo chmod u+x main.py
$ ./setup.sh
$ ./main.py
if you have a problem with running ./main.py
try to change the first line in main.py from #!/bin/bash/python3
to #!/bin/bash/python3.10
It depends on what version you have on your pc.
$ cd
$ nano .bashrc
-
add this line alias lazyxss='python3 Foo/bar/Lazyxss/main.py'
-
close the terminal and open it again
-
Type
lazyxss -hto display the options of the tool and some Examples for how to use it.
.png)
- There are two ways you can use the tool with
- you can use Easy Selection that is look like this:
$ lazyxss
.png)
- or you can use it with specific Options that is look like this:
$ lazyxss -t r-xss -f google -o vuln -d 1 -pf Payloads
.png)
- Make sure to Download Waybackurls and put it in
/usr/binbecause this section of my tool depends on it.
def Command(URL, OUTPUT)
# WayBackUrls
os.system(f"echo \{URL} | waybackurls >> {OUTPUT}").png)
- Here we can choose the method we will use,
- Let`s try manually Option first
.png)
- as you could see we put the Url we want to get waybackurl from, then we put the output file
.png)
-
Now Let`s try file Option
-
We made a file that contains 3 targets let`s use waybackurls
.png)
.png)
- Now we need to prepair the urls to be ready to add Payloads in it
- https://www.google.com/#q=Ten+Amoretterobots.txt as we can see here
- we need to remove the Ten+Amoretterobots.txt part of the url like this:
os.system(f"cat {INPUT} |grep -v 'jpg\|jpeg\|png\|svg' |sed 's/=.*/=/g' |uniq > {OUTPUT}")- let`s see how to do this with the tool
.png)
.png)
- To understand this section checkout WayBackUrls, SedFilter
- here we have duplicate url
.png)
- let`s see how to do this with the tool
.png)
- This tool is for using your payloads on just the Url parameters
.png)
.png)
.png)
- This tool is for using your payloads on every input on the website
- This tool is for using payloads on just the Url parameters
PAYLOAD = ["\'\'\'\'\'\'", "\"\"\"\"\"\"", ">>>>>>", "<<<<<<", "\\\\\\\\\\\\"]- The idea here is to try every bypass char on the website
