

A simple scanner/exploit tool written in Go that automatically exploits known, existing gadgets (found by checking for specific variables in the global context) to perform XSS via prototype pollution. Note: this program only exploits known gadgets; it does not include code analysis or any advanced prototype pollution exploits, which may involve custom gadgets.

Make sure Chromium/Chrome and the chromedp package are installed:

go get -u github.com/chromedp/chromedp

sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo apt-get update
sudo apt-get install google-chrome-stable

Automatic:
  • Download the compiled binaries here
  • Give it execute permission:
chmod +x ppmap
Manual (compile it yourself):
  • Change directory to the ppmap folder:
cd ~/ppmap
  • Build the binary:
go build ppmap.go

Usage:
  • Scan a directory/file (or even just the website itself):
echo 'https://target.com/index.html' | ./ppmap
echo 'http://target.com/something/?page=home' | ./ppmap
  • Batch scan:
cat url.txt | ./ppmap
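
For developers checking their own pages against this class of bug, the following added example (not ppmap code, and not from the original post) shows a query-string parser that lets a URL parameter write to Object.prototype, the canary check that reveals it, and a hardened parser. All names here (ppcanary, parseNaive, parseHardened, isPolluted) are hypothetical and the query string is constructed.

```javascript
// Constructed sample input: a harmless canary key plus a normal parameter.
const SAMPLE_QUERY = '__proto__[ppcanary]=polluted&page=home';
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.split(/[\[\]]+/).filter(Boolean);
}

// Walk the path with plain property access and assign the value at the end.
function setPath(root, path, value, newNode) {
  let node = root;
  for (const seg of path.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = newNode();
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
}

// Vulnerable: on a plain object, the "__proto__" segment resolves to
// Object.prototype, so the final write lands on every object in the page.
function parseNaive(query) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length) setPath(out, path, value, () => ({}));
  }
  return out;
}

// Hardened: drop dangerous segments and build only null-prototype objects.
function parseHardened(query) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length === 0 || path.some((seg) => BLOCKED.has(seg))) continue;
    setPath(out, path, value, () => Object.create(null));
  }
  return out;
}

// Detection signal: does a brand-new object inherit the canary property?
function isPolluted(name) {
  return ({})[name] !== undefined;
}

function demo() {
  const hardened = parseHardened(SAMPLE_QUERY);
  const afterHardened = isPolluted('ppcanary');
  parseNaive(SAMPLE_QUERY);
  const afterNaive = isPolluted('ppcanary');
  delete Object.prototype.ppcanary; // restore global state
  return { afterHardened, afterNaive, page: hardened.page };
}
console.log(demo());
```

Calling Object.freeze(Object.prototype) early in page load is a further mitigation where the application's libraries tolerate it.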
