lotus needs OAST client for interact.sh

here's the client in Python as an example

class Interactsh:
    # Source: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/modules/interactsh/__init__.py
    def __init__(self, token="", server=""):
        rsa = RSA.generate(2048)
        self.public_key = rsa.publickey().exportKey()
        self.private_key = rsa.exportKey()
        self.token = token
        self.server = server.lstrip('.') or 'interact.sh'
        self.headers = {
            "Content-Type": "application/json",
        }
        if self.token:
            self.headers['Authorization'] = self.token
        self.secret = str(uuid4())
        self.encoded = b64encode(self.public_key).decode("utf8")
        guid = uuid4().hex.ljust(33, 'a')
        guid = ''.join(i if i.isdigit() else chr(ord(i) + random.randint(0, 20)) for i in guid)
        self.domain = f'{guid}.{self.server}'
        self.correlation_id = self.domain[:20]

        self.session = requests.session()
        self.session.headers = self.headers
        self.session.verify = False
        self.session.proxies = proxies
        self.register()

    def register(self):
        data = {
            "public-key": self.encoded,
            "secret-key": self.secret,
            "correlation-id": self.correlation_id
        }
        res = self.session.post(
            f"https://{self.server}/register", headers=self.headers, json=data, timeout=30)
        if 'success' not in res.text:
            raise Exception("Can not initiate interact.sh DNS callback client")

    def pull_logs(self):
        result = []
        url = f"https://{self.server}/poll?id={self.correlation_id}&secret={self.secret}"
        res = self.session.get(url, headers=self.headers, timeout=30).json()
        aes_key, data_list = res['aes_key'], res['data']
        for i in data_list:
            decrypt_data = self.__decrypt_data(aes_key, i)
            result.append(self.__parse_log(decrypt_data))
        return result

    def __decrypt_data(self, aes_key, data):
        private_key = RSA.importKey(self.private_key)
        cipher = PKCS1_OAEP.new(private_key, hashAlgo=SHA256)
        aes_plain_key = cipher.decrypt(base64.b64decode(aes_key))
        decode = base64.b64decode(data)
        bs = AES.block_size
        iv = decode[:bs]
        cryptor = AES.new(key=aes_plain_key, mode=AES.MODE_CFB, IV=iv, segment_size=128)
        plain_text = cryptor.decrypt(decode)
        return json.loads(plain_text[16:])

    def __parse_log(self, log_entry):
        new_log_entry = {"timestamp": log_entry["timestamp"],
                         "host": f'{log_entry["full-id"]}.{self.domain}',
                         "remote_address": log_entry["remote-address"]
                         }
        return new_log_entry

Hello, When I was trying to install the tool, I got an error

But I don't have enough knowledge to figure out what happened, and what is the solution are you can help me with that?

Tealr already passes the features to mlua. No need to set them again in mlua.

Some features from mlua (actually, most of them) break its API in some way that tealr needs to know about. As a result, I highly recommend to not enable any features in mlua directly but instead enable their equivalent in tealr. Doing this enables them in mlua (including in the mlua you depend directly on) and makes it harder to accidentally enable a feature only in mlua, which can cause compile errors.

Ideally, you don't depend on mlua directly and instead use the reexport under tealr::mlu::mlua to side step this entire problem but I also agree that depending on mlua directly is nicer if its used a lot and it isn't a problem for as long as you keep the feature thing in mind.

i think we can just print the report in the CLI for the use without using the println function just add the report and lotus will display it

    NewReport:setName("reflected cross site scripting")
    NewReport:setDescription("https://owasp.org/www-community/attacks/xss/")
    NewReport:setRisk("medium")
    NewReport:setUrl(url)
    NewReport:setParam(parameter)
    NewReport:setAttack(payload)
    NewReport:setEvidence(generate_css_selector(payload))

[+] Reflected XSS on: {URL}
[!] Vulnerable Parameter: {PARAM}
[!] Risk: {RISK}
[!] Used Payload: {PAYLOAD} 
[!] Matching Pattern: {MATCHING PATTERN}
[!] Matched with: {MATCHIGN}

---

we need to make something to generate xss payloads based of the location of the reflected point

Avaible locatons

• ATTR NAME
• ATTR VALUE
• HTML TAG
• TEXT
• COMMENTS

when you tried to run some lua scripts like sqli.lua script you will find a weird thing in the reports, there's no List only hashmaps with numbers of index

we can convert it from this

{
  "5": {
    "payload": "\"\"123",
    "match": "Warning.*?\\Wmysqli?_",
    "url": "http://testphp.vulnweb.com/artists.php?artist=1%22%22123"
  },
}

to this

{
  "report": [ {
    "payload": "\"\"123",
    "match": "Warning.*?\\Wmysqli?_",
    "url": "http://testphp.vulnweb.com/artists.php?artist=1%22%22123"
  }]
}

lotus report handler

              let mut test_report: HashMap<String, mlua::Value> = HashMap::new();
                lua.globals(
)
                    .get::<_, mlua::Table>("REPORT")
                    .unwrap()
                    .pairs::<String, mlua::Value>()
                    .for_each(|out_report| {
                        let current_out = out_report.clone();
                        test_report.insert(current_out.unwrap().0, out_report.unwrap().1);
                    });
                let results = serde_json::to_string(&test_report).unwrap();
                self.write_report(&results);

headers = {}
headers["User-agent"] = "Firefox"
send_req("POST","http;//example.com","body=111",headers)

I think lotus need to make the payload injection process simple to the user, so instead of calling a lot of functions to change the parameters values like this

for payload in PAYLOADS:gmatch("[^\n]+") do
   new_querys = HttpMessage:setAllParams("testxss")
   for param_name, pay_url in pairs(new_querys) do 
      -- scanner logic
   end
end

to this

--[[
HttpMessage -> 
    set_payload(new_txt) -> set the chosien parameter value to the new_txt parameter value
    get_method() -> get http method
    get_url() -> get the request url
    get_body() -> get the request 
    get_targetparam() -> get the current param
    injection_point() -> get the injection point [body, url parameter value, url parameter name, url path, headers]
    set_*() -> to change all of get_* functions value
--]]

for payload in PAYLOADS:gmatch("[^\n]+") do
    new_req = HttpMessage:set_payload("xss_test")
    new_req:send()

this will make the normal scanning tasks easier and faster for reading or writing

inspired by zaproxy scripting

https://github.com/zaproxy/community-scripts/blob/main/active/bxss.py

There is a possibility to set a limit for loading and reading lua scripts, for example, by using the command --limit 5 (5 scripts per URL).

We can read five scripts for each url if we have 100 scripts; when the five scripts end, we can read five more scripts for that url.