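#!/usr/bin/env ruby
# frozen_string_literal: true

# XSpear command-line entry point: parse the CLI options, apply defaults
# and hand them to XspearScan.
#
# `banner`, `XspearScan`, `XSpear::VERSION` and `String#yellow` are not
# defined in this file; they come from the XSpear library required below.
require 'optparse'
require "XSpear"

# Bag for the parsed command-line values. Every field starts out nil so
# the "required" check on `url` further down actually fires; the defaults
# for `thread` and `verbose` are applied by the top-level code after
# parsing.
Options = Struct.new(:url, :data, :headers, :params, :thread, :verbose, :output, :blind)

class Parser
  # Parse +options+ (an ARGV-style array, consumed destructively) into an
  # Options struct.
  #
  # Exits the process for `-h`, `--version`, `--update`, for an empty
  # argument list and for a malformed option. Usage errors exit with
  # status 1 so a wrapper can distinguish them from a completed scan.
  def self.parse(options)
    # Previously this was Options.new('xspear'), which pre-filled `url`
    # with the literal "xspear" and defeated the required-URL check.
    args = Options.new

    if options.empty?
      banner
      puts 'please ' + "'-h'".yellow + ' option'
      exit 1
    end

    opt_parser = OptionParser.new do |opts|
      opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"

      opts.on('-u', '--url=target_URL', '[required] Target Url') do |n|
        args.url = n
      end

      opts.on('-d', '--data=POST Body', '[optional] POST Method Body data') do |n|
        args.data = n
      end

      opts.on('--headers=HEADERS', '[optional] Add HTTP Headers') do |n|
        args.headers = n
      end

      # NOTE(review): --cookie and --headers both write args.headers, so
      # whichever option comes last on the command line wins and the other
      # is silently dropped. Merging them needs the header-string format
      # XspearScan expects, which is not visible from this file.
      # Also note that a session cookie passed on argv is visible to other
      # local users through the process list.
      opts.on('--cookie=COOKIE', '[optional] Add Cookie') do |n|
        args.headers = 'Cookie: ' + n
      end

      opts.on('-p', '--param=PARAM', '[optional] Test paramters') do |n|
        args.params = n
      end

      opts.on('-b', '--BLIND=URL', '[optional] Add vector of Blind XSS', ' + with XSS Hunter, ezXSS, HBXSS, etc...', ' + e.g : -b https://hahwul.xss.ht') do |n|
        args.blind = n
      end

      # Integer coercion turns `-t abc` into a parse error instead of the
      # silent 0 that String#to_i produced further down; a non-positive
      # count is rejected for the same reason.
      opts.on('-t', '--threads=NUMBER', Integer, '[optional] thread , default: 10') do |n|
        raise OptionParser::InvalidArgument, n.to_s unless n.positive?

        args.thread = n
      end

      opts.on('-o', '--output=FILENAME', '[optional] Save JSON Result') do |n|
        args.output = n
      end

      opts.on('-v', '--verbose=1~3', '[optional] Show log depth', ' + Default value: 2', ' + v=1 : quite mode', ' + v=2 : show scanning log', ' + v=3 : show detail log(req/res)') do |n|
        args.verbose = n
      end

      opts.on('-h', '--help', 'Prints this help') do
        banner
        puts opts
        exit
      end

      opts.on('--version', 'Show XSpear version') do
        puts XSpear::VERSION
        exit
      end

      opts.on('--update', 'Update with online') do
        puts "[RubyGem user] : $ gem update XSpear"
        puts "[Soft | Developer & Git clone user] : $ git pull -v "
        puts "[Hard | Developer & Git clone user] : $ git reset --hard HEAD; git pull -v "
        exit
      end
    end

    begin
      opt_parser.parse!(options)
    rescue OptionParser::ParseError => e
      # Unknown flags and bad values used to surface as a Ruby backtrace;
      # report them as a usage error instead.
      warn e.message
      warn opt_parser
      exit 1
    end

    args
  end
end

options = Parser.parse ARGV

# `-u` is the only required option; with `url` no longer pre-filled this
# check is reachable, and it now says why it is exiting.
unless options.url
  warn "[required] Target Url is missing, please '-u' option"
  exit 1
end

options.thread ||= 10
options.verbose ||= 2

# Quiet mode (-v 1) suppresses the banner.
banner if options.verbose.to_i != 1

s = XspearScan.new options.url, options.data, options.headers, options.params, options.thread.to_i, options.output, options.verbose, options.blind
s.run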