├── onetips
│   ├── readme.md
│   └── heavy-query-sqli.md
├── bypass-XPO
│   ├── readme.md
│   ├── xpo.php
│   ├── iframe_src_future.php
│   └── poc.html
├── request_merging
│   ├── iframe.html
│   ├── img0.png
│   ├── img1.png
│   ├── iframe_merging_poc.html
│   ├── index.html
│   ├── many_out_script.html
│   ├── response_with_diff_size.py
│   ├── jsonp.php
│   ├── poc.html
│   ├── fuzz_size_of_response.html
│   ├── iframe_request_merging.html
│   ├── readme.md
│   └── readme.bak.md.txt
├── fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code
│   ├── test.html
│   ├── xss.php
│   ├── location_to_another.php
│   ├── fuzzfile
│   │   ├── 200.php
│   │   ├── 201.php
│   │   ├── 202.php
│   │   ├── 203.php
│   │   ├── 204.php
│   │   ├── 205.php
│   │   ├── 206.php
│   │   ├── 207.php
│   │   ├── 208.php
│   │   ├── 226.php
│   │   ├── 300.php
│   │   ├── 301.php
│   │   ├── 302.php
│   │   ├── 303.php
│   │   ├── 304.php
│   │   ├── 305.php
│   │   ├── 306.php
│   │   ├── 307.php
│   │   └── 308.php
│   ├── status_code_in_phpself.php
│   ├── generate_phpfile.py
│   ├── test_chrome_xss_adult.html
│   ├── test_chrome_js_outside_execute.html
│   └── readme.md
├── fuzzing-browser-MIME-Sniffing-by-status-code-in-HTTP1.0
│   ├── firefox.png
│   ├── http_status_code_in_query.php
│   ├── readme.md
│   └── fuzz.html
├── python-url-object-for-uniq
│   ├── readme.md
│   └── url_filter.py
├── fuzzing_char_after_angel_bracket
│   ├── readme.md
│   ├── fuzz.html
│   └── main.py
├── .gitattributes
├── golang_https_http_server_conflict
│   ├── cert.pem
│   ├── create_file
│   │   └── create_file.go
│   ├── private.pem
│   └── app.go
├── readme.md
├── postMessage_and_addEventListener_message
│   ├── postmessage.html
│   └── topwindow.html
├── golang-use-struct-inheritance-and-bson-together.md
├── create_readme.py
├── .gitignore
└── xunfeng_icmp_scan_test.py
/onetips/readme.md:
--------------------------------------------------------------------------------
# Split vulnerabilities or write-ups into individual knowledge points

This keeps the information concise.

--------------------------------------------------------------------------------
/bypass-XPO/readme.md:
--------------------------------------------------------------------------------
# bypass X-Frame-Options: SAMEORIGIN



--------------------------------------------------------------------------------
/request_merging/iframe.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/request_merging/img0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/neargle/tips-note/HEAD/request_merging/img0.png
--------------------------------------------------------------------------------
/request_merging/img1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/neargle/tips-note/HEAD/request_merging/img1.png
--------------------------------------------------------------------------------
/bypass-XPO/xpo.php:
--------------------------------------------------------------------------------
1 | ");
6 |
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/test.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/xss.php:
--------------------------------------------------------------------------------
1 | ";
4 | echo "$payload";
5 | echo "";
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/location_to_another.php:
--------------------------------------------------------------------------------
`, more attributes and methods have to be fuzzed before you get the bypass tip you want.

but it is another story...

--------------------------------------------------------------------------------
/request_merging/iframe_merging_poc.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/status_code_in_phpself.php:
--------------------------------------------------------------------------------
1 |
7 |
8 |
444444
9 |
--------------------------------------------------------------------------------
/request_merging/index.html:
--------------------------------------------------------------------------------
index in http://0.0.0.0
--------------------------------------------------------------------------------
/bypass-XPO/poc.html:
--------------------------------------------------------------------------------
poc localhost:8082
--------------------------------------------------------------------------------
/request_merging/many_out_script.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/request_merging/response_with_diff_size.py:
--------------------------------------------------------------------------------
from flask import Flask, Response, stream_with_context

app = Flask(__name__)


# The size of the response is taken from the URL, so the fuzzing page can
# request bodies of arbitrary length: /jsonp/1, /jsonp/1024, /jsonp/65537 ...
@app.route('/jsonp/<int:size>')
def jsonp(size):
    def _generate_file(size):
        # Exactly `size` bytes: a single "1" followed by NUL padding.
        yield "1"
        yield "\0" * (size - 1)
    return Response(stream_with_context(_generate_file(size)))


if __name__ == "__main__":
    app.run(debug=True, threaded=True, port=8888, host="0.0.0.0")

--------------------------------------------------------------------------------
/request_merging/jsonp.php:
--------------------------------------------------------------------------------
outside js http status_code fuzz
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

# Custom for Visual Studio
*.cs diff=csharp

# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain


*.css linguist-language=Text
*.html linguist-language=Text

--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/generate_phpfile.py:
--------------------------------------------------------------------------------
1 | import os
2 |
3 | php_code_format = '''
4 | '
4 |
import unicodedata

# base_payload is the HTML template with two %s slots for the fuzzed character.
# One file per code point in 0x000..0xffe; control characters (Unicode category
# Cc) are written as a literal \xNN escape, everything else as the character.
for num in range(0x000, 0xfff):
    if unicodedata.category(chr(num)) == 'Cc':
        payload = r'\x{0:02x}'.format(num)
    else:
        payload = chr(num)
    with open("{}.html".format(num), "w", encoding="utf-8") as f:
        f.write(base_payload % (payload, payload))
    print("{}.html".format(num))
--------------------------------------------------------------------------------
/golang_https_http_server_conflict/cert.pem:
--------------------------------------------------------------------------------
-----BEGIN CERTIFICATE-----
MIIBuTCCASICCQD6c09wbxFRQzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZk
b21haW4tc2VjLXByb2plY3QuY29tMB4XDTE4MDIxMjEwMjYzOVoXDTI4MDIxMDEw
MjYzOVowITEfMB0GA1UEAwwWZG9tYWluLXNlYy1wcm9qZWN0LmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA0IAsNwBO5krnwGEjhpaOar12CUU9+3s/cafJ
ZRqh0wIrO/2ebTXQD+gv/Lp5hgfsIvhfWh4xemLyv2WEt4V0eBrnESDrq5vnGFxX
HPXc0aOn3OOVZ/z8LATHbFw17NN6a4ktd6Kjf1rHS3vYHiR6Avk8wcJ0MOXDQ7IJ
/gbMhOcCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCMMRN3VG2HUlTSl6RKwZh52phT
BvJko/tpSdan3c5VUuAAZWOuYQD6XkOT+u7eWckXDaSfm7kt8jU0iHYDdP6wo6t4
1gOk0RC20GjBcp0gkFJvKfMP2oUQh809qw0sMoMpIIdq7169K+YF+Hgz8u9Y+GoJ
2G4twjCsaqG7EdEnfw==
-----END CERTIFICATE-----

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 |
# A collection of small experiments, snippets and tips

Small experiments such as fuzzing runs, or small tools I have written, whose content is not enough for an article or a project but is still worth sharing: I put them here.


## Contents

- [How to keep struct embedding ("inheritance") in Go compatible with the bson and json libraries](./golang-use-struct-inheritance-and-bson-together.md)
- [Split vulnerabilities or write-ups into individual knowledge points](./onetips)
- [Studying the relationship between Chrome's XSS Auditor and HTTP status codes by fuzzing](./fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code)
- [Fuzzing which characters after an angle bracket still let the HTML parse normally](./fuzzing_char_after_angel_bracket)
- [In any Firefox version, under HTTP/1.0 with status code 304, any Content-Type is parsed as HTML](./fuzzing-browser-MIME-Sniffing-by-status-code-in-HTTP1.0)
- [A Python URL class for de-duplicating and comparing URLs in SQL injection and similar scanners](./python-url-object-for-uniq)
- [Using request merging to bypass Referer (JSONP) checks](./request_merging)



--------------------------------------------------------------------------------
/postMessage_and_addEventListener_message/postmessage.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/request_merging/poc.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/golang_https_http_server_conflict/create_file/create_file.go:
--------------------------------------------------------------------------------
package main

import (
	"log"
	"os"
	"time"
)

// filename is shared by both goroutines below. Each one writes its own path
// into it and then reads it back, so whichever goroutine is scheduled second
// can overwrite the value the first one is about to pass to createFile. The
// commented-out sleep in main makes that ordering unlikely; it does not fix it.
var filename = ""

func createFile(path string) {
	_, err := os.Stat(path)
	if os.IsNotExist(err) {
		file, err := os.Create(path)
		if err != nil {
			panic(err)
		}
		defer file.Close()
	}
}

func createA() {
	filename = "/tmp/a"
	createFile(filename) // may already read "/tmp/b" here
	log.Println(filename)
}

func createB() {
	filename = "/tmp/b"
	createFile(filename)
	log.Println(filename)
}

func main() {
	go createA()
	// time.Sleep(1000 * time.Microsecond)
	go createB()

	for {
		time.Sleep(2 * time.Microsecond)
	}
}

--------------------------------------------------------------------------------
/request_merging/fuzz_size_of_response.html:
--------------------------------------------------------------------------------
fuzz size of response about request merging
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/test_chrome_xss_adult.html:
--------------------------------------------------------------------------------
outside js http status_code fuzz
--------------------------------------------------------------------------------
/fuzzing-browser-MIME-Sniffing-by-status-code-in-HTTP1.0/readme.md:
--------------------------------------------------------------------------------
# In any Firefox version, under HTTP/1.0 with status code 304, any Content-Type is parsed as HTML

We stumbled on this tip by accident while testing; we do not know whether anyone has found it before.

## Files:

```
├── fuzz.html : the HTML file used for fuzzing
├── http_status_code_in_query.php : PHP script that builds the HTTP response from the `?payload=` parameter
```

## Notes

1. In any Firefox version, under HTTP/1.0 with status code 304, any Content-Type is parsed as HTML.
   The response is:
```
HTTP/1.0 304 Not Modified
Date: Tue, 05 Sep 2017 12:26:32 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/7.0.9 mod_perl/2.0.8-dev Perl/v5.16.3
Connection: close


```
2. The response body must start with an HTML tag.

## Screenshot

![](./firefox.png)

## thx

- wolf
- evi1m0

--------------------------------------------------------------------------------
/golang_https_http_server_conflict/private.pem:
--------------------------------------------------------------------------------
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDQgCw3AE7mSufAYSOGlo5qvXYJRT37ez9xp8llGqHTAis7/Z5t
NdAP6C/8unmGB+wi+F9aHjF6YvK/ZYS3hXR4GucRIOurm+cYXFcc9dzRo6fc45Vn
/PwsBMdsXDXs03priS13oqN/WsdLe9geJHoC+TzBwnQw5cNDsgn+BsyE5wIDAQAB
AoGAbR9oBLFImgcCHBG7AimyB/N434k503DB1741DZFOuJ0d+5vVWtsbNfgThXYj
PB7RW8waO5Qp2SAIZFvBhjt2pKKIgechCFxUMzlSshfyEi7R4c8hMFrQYxLooX9G
uSped3u+4mAnv/sgzoaE4DqIMlTqcjR4dPZgyDCJV1wMQwECQQD/KmLQA98I4fm6
LeJQpAUnKTGBYRDoNa+ufEpJiT5Vi8zhy/b0bK1SATqL68kkx8Lz3mGvMRP22Z0/
BCVP+anHAkEA0S64h2W6YgZoH4jToOvwJ8xBg1H9P/BjDkmMPDrfvkVNdrNoJcOz
l2Gnb/jwmny+ryTSqfJJdGC/2G0c81dL4QJBAKKpMIiOjzWoaHvpGCZ0CNzoA6kI
abC92JqQnQK3vMbn8dnXHjy+stZd9iaQTo9l0L+JehgmXyWzn+w2BlsvOq0CQQDH
CSN/gWYE23+7cZ+cIKMT2yAC6cKEUiCOeaC7tnEqRBre9PoF5N4/DiYZPs8Az+1I
DUt9dRI7b8tbDQdc6xVBAkAS4XZA7l2VBzsZ4z56rjN+sczCsXqVPGGKrd/x6lRE
sLReqeFxWJlo5FSbjlQteyy5wjxET7vlmragi3hpjKSG
-----END RSA PRIVATE KEY-----

--------------------------------------------------------------------------------
/golang_https_http_server_conflict/app.go:
--------------------------------------------------------------------------------
package main

import (
	"log"
	"net"
	"net/http"
	"time"
)

func handler(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte("This is an example server.\n"))
}

var Server *http.Server

// addr is shared by both goroutines. Each one writes its own port into it and
// reads it back a few statements later, so if the other goroutine writes in
// between, either server can end up binding the other's port and the second
// bind fails with "address already in use". The commented-out sleep in main
// makes the interleaving unlikely rather than impossible.
var addr = ""

func runHTTPS() {
	addr = ":8083"
	http.HandleFunc("/", handler)
	log.Println("https://127.0.0.1:8083/")
	err := http.ListenAndServeTLS(addr, "cert.pem", "private.pem", nil)
	if err != nil {
		panic(err)
	}
}

func runHTTP() {
	addr = ":8082"
	log.Println("http://127.0.0.1:8082/")
	ln, err := net.Listen("tcp4", addr)
	if err != nil {
		panic(err)
	}
	log.Println(ln) // the socket is only opened; nothing is served on it
}

func main() {

	go runHTTPS()
	// time.Sleep(1000 * time.Microsecond)
	go runHTTP()

	for {
		time.Sleep(2 * time.Microsecond)
	}
}

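create_file.go and app.go show the same bug in two forms: a package-level variable (`filename`, `addr`) is written by two goroutines and read back by each, so the second writer can redirect the first goroutine's `os.Create` or `ListenAndServeTLS` onto its own path or port, and the commented-out `time.Sleep` only makes that interleaving unlikely. `go run -race app.go` reports the unsynchronised write/read on `addr` directly. The following is an added example, not code from this repository: it rewrites app.go so each server receives its address as an argument and both ports are bound synchronously before anything is served, which turns a port conflict into an ordinary error naming the offending address. The `Listeners` type, the `Bind`/`Serve` names and the `127.0.0.1` addresses in the test are this example's choices; `cert.pem` and `private.pem` are the repository's files.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// Listeners holds the plaintext and TLS sockets, bound before anything is served.
type Listeners struct {
	HTTP  net.Listener
	HTTPS net.Listener
}

// Bind opens both ports synchronously. The addresses are parameters, not a
// shared global, so no goroutine can read the other's port, and a conflict
// surfaces as an error that says which address failed.
func Bind(httpAddr, httpsAddr string) (*Listeners, error) {
	httpLn, err := net.Listen("tcp4", httpAddr)
	if err != nil {
		return nil, fmt.Errorf("http listen %s: %w", httpAddr, err)
	}
	httpsLn, err := net.Listen("tcp4", httpsAddr)
	if err != nil {
		httpLn.Close()
		return nil, fmt.Errorf("https listen %s: %w", httpsAddr, err)
	}
	return &Listeners{HTTP: httpLn, HTTPS: httpsLn}, nil
}

// Close releases both sockets.
func (l *Listeners) Close() {
	l.HTTP.Close()
	l.HTTPS.Close()
}

// Serve runs one http.Server per listener and returns the first error from
// either, instead of panicking from inside a goroutine as app.go does.
func (l *Listeners) Serve(certFile, keyFile string, h http.Handler) error {
	errc := make(chan error, 2)
	go func() { errc <- (&http.Server{Handler: h}).Serve(l.HTTP) }()
	go func() { errc <- (&http.Server{Handler: h}).ServeTLS(l.HTTPS, certFile, keyFile) }()
	return <-errc
}

func handler(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte("This is an example server.\n"))
}

func main() {
	ls, err := Bind(":8082", ":8083")
	if err != nil {
		log.Fatal(err)
	}
	defer ls.Close()
	log.Println("http://127.0.0.1:8082/  https://127.0.0.1:8083/")
	log.Fatal(ls.Serve("cert.pem", "private.pem", http.HandlerFunc(handler)))
}
```

Binding before serving also means a deployment script gets a non-zero exit with the address in the message when a port is taken, rather than a process that appears to be up while one of its two listeners silently never started.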
--------------------------------------------------------------------------------
/golang-use-struct-inheritance-and-bson-together.md:
--------------------------------------------------------------------------------
# How to keep struct embedding ("inheritance") in Go compatible with the bson and json libraries

The situation:

```go
type Example struct {
	ID bson.ObjectId `bson:"_id,omitempty" json:"_id,omitempty"`
	baseModel
}
```

1. Embedding a base struct whose name starts with a lowercase letter keeps the resulting bson or json structure free of a `baseModel` key.
2. When the conversion to bson happens automatically, for example when mgo.v2 inserts a document that embeds a lowercase base struct, the program fails with:

```
reflect.Value.Interface: cannot return value obtained from unexported field or method
```

Solution:

```go
type Example struct {
	ID bson.ObjectId `bson:"_id,omitempty" json:"_id,omitempty"`
	baseModel `bson:",inline"`
}
```

With the bson tag set to `inline`, mgo.v2 treats the fields of `baseModel` as fields of the outer struct during automatic conversion, instead of reflecting on the unexported embedded field as a value of its own.

Official explanation:

> inline Inline the field, which must be a struct or a map,
> causing all of its fields or keys to be processed as if
> they were part of the outer struct. For maps, keys must
> not conflict with the bson keys of other struct fields.

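An added example (not from the note) showing claim 1 with the standard library's `encoding/json`, which promotes the exported fields of an embedded unexported struct into the enclosing object, so no `baseModel` key appears and the round trip back into the struct works. The `baseModel` fields and the string `ID` standing in for `bson.ObjectId` are this example's assumptions so it runs without mgo.v2; the bson `inline` tag is mgo-specific and is not exercised here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// baseModel is the unexported embedded base struct from the note; the field
// names and json tags are this example's own.
type baseModel struct {
	CreatedAt int64 `json:"created_at,omitempty"`
	UpdatedAt int64 `json:"updated_at,omitempty"`
}

// Example embeds baseModel as in the note, with a string ID standing in for
// bson.ObjectId so the example has no dependency on mgo.v2.
type Example struct {
	ID string `json:"_id,omitempty"`
	baseModel
}

// marshal encodes an Example. encoding/json promotes the exported fields of an
// embedded unexported struct into the enclosing object, so the output carries
// created_at/updated_at at the top level and no "baseModel" key.
func marshal(e Example) (string, error) {
	b, err := json.Marshal(e)
	return string(b), err
}

// unmarshal shows the same promotion on the way back in: the promoted fields
// are exported, so they can be set even though the embedded type is not.
func unmarshal(s string) (Example, error) {
	var e Example
	err := json.Unmarshal([]byte(s), &e)
	return e, err
}

func main() {
	s, err := marshal(Example{ID: "5a8", baseModel: baseModel{CreatedAt: 1518431199}})
	if err != nil {
		panic(err)
	}
	fmt.Println(s) // {"_id":"5a8","created_at":1518431199}
}
```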
--------------------------------------------------------------------------------
/postMessage_and_addEventListener_message/topwindow.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/request_merging/iframe_request_merging.html:
--------------------------------------------------------------------------------
iframe request merging
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/test_chrome_js_outside_execute.html:
--------------------------------------------------------------------------------
outside js http status_code fuzz
--------------------------------------------------------------------------------
/fuzzing-Chrome-XSS-Auditor-by-HTTP-status-code/readme.md:
--------------------------------------------------------------------------------
# Studying the relationship between Chrome's XSS Auditor and HTTP status codes by fuzzing

```
├── fuzzfile
│   ├── 200.php
│   ├── 201.php
│   ├── 202.php
│   ├── 203.php
│   ├── ***.php
│   └── 308.php
├── generate_phpfile.py
├── readme.md
├── status_code_in_phpself.php
├── test.html
├── test_chrome_js_outside_execute.html
├── test_chrome_xss_adult.html
└── xss.php
```

- fuzzfile : folder holding the PHP files generated by the Python script
- generate_phpfile.py : Python script that generates one PHP script per HTTP status code
- status_code_in_phpself.php : the script used at first; it takes the status code from `$_SERVER["PHP_SELF"]` or from a GET parameter
- test.html : HTML test file
- test_chrome_js_outside_execute.html : fuzz which status codes' response content can be used in `
68 |
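As an added harness for the two status-code fuzzing notes on this page (Chrome's XSS Auditor here, and Firefox's MIME sniffing under HTTP/1.0 304 above), the following Go server is this editor's, not the repository's PHP. It answers `GET /<status>?payload=...&ct=...` with a raw HTTP/1.0 response written to the socket, because `net/http` refuses to send a body with 204 or 304 (`http.ErrBodyNotAllowed`), which is exactly the combination the Firefox note depends on; the body starts with an HTML tag, as that note requires, is framed by closing the connection like the captured response, and reflects `payload` unescaped because the filter under test is the browser's, not the server's. The `payload` and `ct` parameter names, the port, and the path-as-status-code convention are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"strconv"
	"strings"
)

// Request is what the harness extracts from a request line such as
// "GET /304?payload=%3Cb%3Ex&ct=text/plain HTTP/1.1".
type Request struct {
	Status      int    // status code taken from the path (assumed convention)
	Payload     string // ?payload=..., reflected unescaped into the body
	ContentType string // ?ct=..., defaults to text/plain
}

// parseRequestLine pulls status code, payload and content type out of the first line.
func parseRequestLine(line string) (Request, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Request{}, fmt.Errorf("malformed request line %q", line)
	}
	u, err := url.ParseRequestURI(parts[1])
	if err != nil {
		return Request{}, err
	}
	code, err := strconv.Atoi(strings.Trim(u.Path, "/"))
	if err != nil || code < 100 || code > 999 {
		return Request{}, fmt.Errorf("path %q is not a status code", u.Path)
	}
	q := u.Query()
	// CR/LF are stripped so a fuzzed Content-Type cannot inject further headers.
	ct := strings.NewReplacer("\r", "", "\n", "").Replace(q.Get("ct"))
	if ct == "" {
		ct = "text/plain"
	}
	return Request{Status: code, Payload: q.Get("payload"), ContentType: ct}, nil
}

// buildResponse writes the raw HTTP/1.0 bytes. No Content-Length: the body is
// framed by Connection: close, as in the captured Firefox response, and it
// starts with an HTML tag because the MIME-sniffing note requires that.
func buildResponse(r Request) []byte {
	reason := http.StatusText(r.Status)
	if reason == "" {
		reason = "Unassigned"
	}
	var b strings.Builder
	fmt.Fprintf(&b, "HTTP/1.0 %d %s\r\n", r.Status, reason)
	fmt.Fprintf(&b, "Content-Type: %s\r\n", r.ContentType)
	b.WriteString("Connection: close\r\n\r\n")
	b.WriteString("<html><body>" + r.Payload + "</body></html>")
	return []byte(b.String())
}

// handleConn reads the request line, drains the headers so the client does not
// see a reset, then answers and closes.
func handleConn(c net.Conn) {
	defer c.Close()
	rd := bufio.NewReader(c)
	line, err := rd.ReadString('\n')
	if err != nil {
		return
	}
	for {
		h, err := rd.ReadString('\n')
		if err != nil || strings.TrimRight(h, "\r\n") == "" {
			break
		}
	}
	req, err := parseRequestLine(line)
	if err != nil {
		c.Write([]byte("HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n"))
		return
	}
	c.Write(buildResponse(req))
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:8081") // port is an assumption
	if err != nil {
		log.Fatal(err)
	}
	log.Println("fuzz target: http://127.0.0.1:8081/<status>?payload=...&ct=...")
	for {
		c, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		go handleConn(c)
	}
}
```

Point the fuzzing page at `http://127.0.0.1:8081/304?payload=...` (or iterate the codes of `fuzzfile/`) and vary `ct` to reproduce both experiments from one process; anything with a 1xx, 204 or 304 code is the case a compliant server or library will not let you build.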