Method: Cross::Engine#inject
- Defined in:
- lib/cross/engine.rb
#inject ⇒ Object
return :links=>links, :message=>” end
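# File 'lib/cross/engine.rb', line 59

# Runs the scan against @target, either against the URL itself or against
# the forms found on the fetched page.
#
# When @options[:exploit_url] is set, the target URL is tested directly and
# no form discovery takes place. Otherwise the page is fetched through
# @agent and each pattern is handed to attack_form together with that page.
# In one-shot mode a single pattern from Cross::Attack::XSS.rand is used;
# otherwise every pattern yielded by Cross::Attack::XSS.each is tried.
#
# NOTE(review): the rendered listing dropped several tokens (the receiver of
# [:auth] / [:exploit_url], the first rescued class, and the method called on
# `e`). They are restored here as @options, Mechanize::UnauthorizedError and
# #message, inferred from the surrounding lines; confirm against
# lib/cross/engine.rb before relying on them.
#
# @return [Boolean] false when the page cannot be fetched or has no forms;
#   otherwise the value of @results.empty? (presumably true when nothing was
#   recorded by attack_url / attack_form; verify against those helpers)
def inject
  start if @agent.nil?

  if authenticate?
    credentials = @options[:auth]
    # Only the account name goes to the log: debug output is routinely
    # pasted into reports and tickets, so the password must never be
    # written in clear text.
    $logger.log "Authenticating to the app using #{credentials[:username]}:[REDACTED]" if debug?
    @agent.add_auth(@target, credentials[:username], credentials[:password])
  end

  if @options[:exploit_url]
    # The caller asked to test the URL itself, so forms are not inspected.
    theurl = Codesake::Core::Url.new(@target)

    if oneshot?
      attack_url(theurl, Cross::Attack::XSS.rand)
    else
      Cross::Attack::XSS.each { |pattern| attack_url(theurl, pattern) }
    end
  else
    begin
      page = @agent.get(@target)
    rescue Mechanize::UnauthorizedError
      # Must stay ahead of ResponseCodeError, which is its superclass.
      $logger.err 'Authentication failed. Giving up.'
      return false
    rescue Mechanize::ResponseCodeError => e
      # Any non-success status lands here, not only 404, so report the
      # code the server actually returned.
      $logger.err "Server gave back #{e.response_code}. Giving up."
      return false
    rescue Net::HTTP::Persistent::Error => e
      $logger.err e.message
      return false
    end

    if page.forms.empty?
      $logger.log "no forms found, please try to exploit #{@target} with the -u flag"
      return false
    end
    $logger.log "#{page.forms.size} form(s) found" if debug?

    if oneshot?
      attack_form(page, Cross::Attack::XSS.rand)
    else
      Cross::Attack::XSS.each { |pattern| attack_form(page, pattern) }
    end
  end

  @results.empty?
end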