Search...

Ppmap - A Scanner/Exploitation Tool Written In GO, Which Leverages Prototype Pollution To XSS By Exploiting Known Gadgets

2021-07-25T12:30:00

ID KITPLOIT:5555983330929000779
Type kitploit
Reporter KitPloit
Modified 2021-07-25T12:30:00

Description

A simple scanner/exploitation tool written in GO which automatically exploits known and existing gadgets (checks for specific variables in the global context) to perform XSS via Prototype Pollution. NOTE: The program only exploits known gadgets, but does not cover code analysis or any advanced Prototype Pollution exploitation, which may include custom gadgets.

Requirements

Make sure to have chromedp installed:
`go get -u github.com/chromedp/chromedp`

Installation

Automatically

Download the already compiled binary here

Give it the permission to execute `chmod +x ppmap`

Manually (compile it yourself)

Clone the project:
`git clone https://github.com/kleiton0x00/ppmap.git`

Change directory to ppmap folder:
`cd ~/ppmap`

Build the binary
`go build ppmap.go`

Usage

Using the program is very simple, you can either:

scan a directory/file (or even just the website): `echo 'https://target.com/index.html' | ./ppmap`

or endpoint: `echo 'http://target.com/something/?page=home' | ./ppmap`

For mass scanning:
`cat url.txt | ./ppmap` where url.txt contains all url(s) in column.

Demo

Feel free to test the tool on the following websites as a part of demonstration:
https://msrkp.github.io/pp/2.html
https://ctf.nikitastupin.com/pp/known.html

Workflow

Identify if the website is vulnerable to Prototype Pollution by heuristic scan

Fingerprint the known gadgets (checks for specific variables in the global context)

Display the final exploit & ready to perform XSS

Credits

Many thanks to @Tomnomnom for the inspiration: https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s
The workflow of this program is hugely based on this article: https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2
The fingerprint javascript file is based on this git: https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec

Download Ppmap

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:5555983330929000779", "bulletinFamily": "tools", "title": "Ppmap - A Scanner/Exploitation Tool Written In GO, Which Leverages Prototype Pollution To XSS By Exploiting Known Gadgets", "description": "[ ![](https://1.bp.blogspot.com/-iP9i_8VMqr4/YPiojQGNE-I/AAAAAAAAjao/361K5qU2dXcjLf491-8oXKkJ2Twb9uYdwCK4BGAYYCw/w640-h562/ppmap_1-703557.gif) ](<https://1.bp.blogspot.com/-iP9i_8VMqr4/YPiojQGNE-I/AAAAAAAAjao/361K5qU2dXcjLf491-8oXKkJ2Twb9uYdwCK4BGAYYCw/s1600/ppmap_1-703557.gif>)\n\n \n\n\nA simple scanner/exploitation tool written in GO which automatically [ exploits ](<https://www.kitploit.com/search/label/Exploits> \"exploits\" ) known and existing gadgets (checks for specific variables in the global context) to perform XSS via Prototype Pollution. NOTE: The program only exploits known gadgets, but does not cover [ code analysis ](<https://www.kitploit.com/search/label/Code%20Analysis> \"code analysis\" ) or any advanced Prototype Pollution exploitation, which may include custom gadgets. \n\n \n\n\n** Requirements ** \n\n\nMake sure to have [ chromedp ](<https://github.com/chromedp/chromedp> \"chromedp\" ) installed: \n` go get -u github.com/chromedp/chromedp `\n\n \n** Installation ** \n\n\n * Automatically \n\n * Download the already compiled binary [ here ](<https://github.com/kleiton0x00/ppmap/releases> \"here\" )\n * Give it the permission to execute ` chmod +x ppmap `\n * Manually (compile it yourself) \n\n * Clone the project: \n` git clone https://github.com/kleiton0x00/ppmap.git `\n * Change directory to ppmap folder: \n` cd ~/ppmap `\n * Build the binary \n` go build ppmap.go `\n \n** Usage ** \n\n\nUsing the program is very simple, you can either: \n\n * scan a directory/file (or even just the website): ` echo 'https://target.com/index.html' | ./ppmap `\n\n * or endpoint: ` echo 'http://target.com/something/?page=home' | ./ppmap `\n\nFor mass scanning: \n` cat url.txt | ./ppmap ` where ** url.txt ** contains all url(s) in column. \n\n \n** Demo ** \n\n\n[ ](<https://camo.githubusercontent.com/87f422644420b45d4a485317b0f69adc1bc6a5dfe0acbd39895a4b81d529dd85/68747470733a2f2f692e696d6775722e636f6d2f30356e766677582e676966> \"A scanner/exploitation tool written in GO, which leverages Prototype Pollution to XSS by exploiting known gadgets. \\(5\\)\" ) [ ![](https://1.bp.blogspot.com/-iP9i_8VMqr4/YPiojQGNE-I/AAAAAAAAjao/361K5qU2dXcjLf491-8oXKkJ2Twb9uYdwCK4BGAYYCw/w640-h562/ppmap_1-703557.gif) ](<https://1.bp.blogspot.com/-iP9i_8VMqr4/YPiojQGNE-I/AAAAAAAAjao/361K5qU2dXcjLf491-8oXKkJ2Twb9uYdwCK4BGAYYCw/s1600/ppmap_1-703557.gif>)\n\nFeel free to test the tool on the following websites as a part of demonstration: \n[ https://msrkp.github.io/pp/2.html ](<https://msrkp.github.io/pp/2.html> \"https://msrkp.github.io/pp/2.html\" ) \n[ https://ctf.nikitastupin.com/pp/known.html ](<https://ctf.nikitastupin.com/pp/known.html> \"https://ctf.nikitastupin.com/pp/known.html\" )\n\n \n** Workflow ** \n\n\n * Identify if the website is [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) to Prototype Pollution by heuristic scan \n * Fingerprint the known gadgets (checks for specific variables in the global context) \n * Display the final exploit & ready to perform XSS \n \n** Credits ** \n\n\nMany thanks to @Tomnomnom for the inspiration: [ https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s ](<https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s> \"https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s\" ) \nThe workflow of this program is hugely based on this article: [ https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2 ](<https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2> \"https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2\" ) \nThe [ fingerprint ](<https://www.kitploit.com/search/label/Fingerprint> \"fingerprint\" ) javascript file is based on this git: [ https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec ](<https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec> \"https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec\" )\n\n \n \n\n\n** [ Download Ppmap ](<https://github.com/kleiton0x00/ppmap> \"Download Ppmap\" ) **\n", "published": "2021-07-25T12:30:00", "modified": "2021-07-25T12:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2021/07/ppmap-scannerexploitation-tool-written.html", "reporter": "KitPloit", "references": ["https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec", "https://github.com/kleiton0x00/ppmap/releases", "https://github.com/kleiton0x00/ppmap", "https://camo.githubusercontent.com/87f422644420b45d4a485317b0f69adc1bc6a5dfe0acbd39895a4b81d529dd85/68747470733a2f2f692e696d6775722e636f6d2f30356e766677582e676966", "https://msrkp.github.io/pp/2.html", "https://github.com/chromedp/chromedp"], "cvelist": [], "immutableFields": [], "type": "kitploit", "lastseen": "2021-07-25T12:38:25", "edition": 1, "viewCount": 71, "enchantments": {"dependencies": {"references": [], "modified": "2021-07-25T12:38:25", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2021-07-25T12:38:25", "rev": 2}, "vulnersScore": -0.4}, "toolHref": "https://github.com/kleiton0x00/ppmap", "cvss2": {}, "cvss3": {}}