app.js
const puppeteer = require('puppeteer-core');
const http = require('http');
// Endpoint polled for pending visits; overridable through the ADMIN_URL environment variable.
const ADMIN_URL = process.env.ADMIN_URL ? process.env.ADMIN_URL : "http://web/admin.php";
// Prefix put in front of every fetched path. It is read from the HOST environment
// variable but is used as a URL prefix (scheme + host), not as a bare host name.
const DOMAIN = process.env.HOST ? process.env.HOST : "http://web";
// Running count of opened pages; only used to tag log lines.
let num = 0;
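// The bot opens every page on its own, so the pending URLs have to be fetched first.
// The endpoint limits how many URLs one request returns; the right limit depends on
// how much load the server can take.
/**
 * Poll ADMIN_URL once, open every returned entry, and re-arm a 3 second timer.
 *
 * The response body is expected to be a JSON array of objects with `user` and
 * `url` fields. Each `url` is appended to DOMAIN and handed to open_payload_url.
 * Entries are opened concurrently, and the next poll is scheduled whether or
 * not this one succeeded.
 *
 * Failures (connection errors, a non-JSON body, malformed entries) are logged
 * and never thrown: an 'error' event without a listener, or an exception inside
 * the 'end' callback, would otherwise terminate the bot.
 *
 * @returns {Promise<void>}
 */
const get_urls = async () => {
  const logFailure = err => {
    console.error("[-] Get Urls\n", err.stack);
  };
  try {
    // TODO: this way of fetching the list feels more complicated than it should be
    const request = http.get(ADMIN_URL, resp => {
      const chunks = [];
      resp.on('data', chunk => {
        chunks.push(chunk);
      });
      resp.on('error', logFailure);
      resp.on('end', () => {
        // This callback runs outside the outer try/catch, so it needs its own.
        try {
          const entries = JSON.parse(Buffer.concat(chunks).toString());
          if (!Array.isArray(entries)) {
            throw new TypeError("admin endpoint did not return a JSON array");
          }
          const base = new URL(DOMAIN);
          entries.forEach(entry => {
            if (!entry || typeof entry.url !== 'string') {
              console.error("[-] Get Urls\n", "skipping malformed entry");
              return;
            }
            const href = `${DOMAIN}${entry.url}`;
            // The path is submitted data and is joined by plain concatenation, so a
            // value that does not start with "/" can change the host of the result.
            // The browser runs without a sandbox inside the challenge network, so
            // only URLs that stay on DOMAIN's origin are visited.
            let target;
            try {
              target = new URL(href);
            } catch (err) {
              console.error("[-] Get Urls\n", `skipping unparsable URL ${href}`);
              return;
            }
            if (!/^https?:$/.test(target.protocol) || target.origin !== base.origin) {
              console.error("[-] Get Urls\n", `skipping off-origin URL ${href}`);
              return;
            }
            // Visits stay concurrent; the catch keeps a rejected visit from
            // becoming an unhandled rejection.
            open_payload_url(entry.user, href).catch(logFailure);
          });
        } catch (err) {
          logFailure(err);
        }
      });
    });
    // Connection failures are reported through this event, not as a thrown exception.
    request.on('error', logFailure);
  } catch (e) {
    logFailure(e);
  }
  setTimeout(() => {
    get_urls();
  }, 3000);
};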
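/**
 * Open one submitted URL in a new tab, log what the page does, set the flag
 * cookie, wait five seconds and close the tab.
 *
 * The cookie is set after navigation has finished, so on a fresh profile it is
 * only visible to script that runs after that point. The browser profile is
 * shared between visits (see userDataDir at launch), so cookies and storage
 * left by one visit are still present in the next.
 * NOTE(review): a separate browser context per visit would isolate submitters
 * from each other, but it would also change when the cookie is visible;
 * confirm against the challenge design before changing it.
 *
 * Errors are logged and never thrown.
 *
 * @param {string} user - submitter name, used only in log lines
 * @param {string} url - absolute URL to visit
 * @returns {Promise<void>}
 */
const open_payload_url = async (user, url) => {
  const _num = ++num;
  console.log(`[${user}][${_num}] [+] Open Page ${url}`);
  let page;
  try {
    page = await browser.newPage();
    // page.on() registers a listener synchronously; there is nothing to await.
    page.on('error', err => {
      console.error(`[${user}][${_num}] [#] Error!`, err);
    });
    page.on('pageerror', msg => {
      console.error(`[${user}][${_num}] [-] Page error : `, msg);
    });
    page.on('dialog', async dialog => {
      console.debug(`[#] Dialog : [${dialog.type()}] "${dialog.message()}" ${dialog.defaultValue() || ""}`);
      // Dismiss at once so alert()/confirm()/prompt() cannot stall the visit.
      await dialog.dismiss();
    });
    page.on('console', msg => {
      msg.args().forEach(arg => {
        arg.jsonValue().then(_arg => {
          console.log(`[$] Console : `, _arg);
        }).catch(err => {
          // Serialising a handle fails once the page has closed or navigated away.
          console.error(`[-] Console arg : `, err.message);
        });
      });
    });
    page.on('requestfailed', req => {
      const failure = req.failure();
      console.error(`[-] Request failed : ${req.url()} ${failure ? failure.errorText : ""}`);
    });
    await page.goto(url, {
      waitUntil: 'networkidle2',
    });
    // ===== Custom Action =====
    // Custom page actions
    // DOMAIN is a URL prefix such as "http://web", while a cookie's domain
    // attribute is a host name; use the host part when DOMAIN parses as a URL
    // and fall back to the raw value when it does not.
    let cookieDomain = DOMAIN;
    try {
      cookieDomain = new URL(DOMAIN).hostname || DOMAIN;
    } catch (err) {
      // DOMAIN is not a parsable URL; keep it unchanged.
    }
    await page.setCookie({
      name: "flag",
      value: process.env.FLAG || "no flag",
      domain: cookieDomain,
      path: "/",
      // Presumably deliberate for the challenge: the flag has to be readable by
      // page script and sent over plain HTTP. Not a template for a session cookie.
      httpOnly: false,
      secure: false,
      sameSite: "Lax"
    });
    await page.waitFor(5 * 1000);
    // =========================
  } catch (e) {
    console.error("[-] Page open_payload_url\n", e.stack);
  }
  // page is still undefined when browser.newPage() itself failed.
  if (page) {
    try {
      await page.close();
    } catch (e) {
      console.error("[-] Page open_payload_url\n", e.stack);
    }
  }
  console.log(`[${user}][${_num}] [+] Close...`);
};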
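// Shared browser instance; assigned once at start-up and used by open_payload_url.
var browser;
// Start-up: launch Chromium, then begin polling for URLs to visit.
(async () => {
  // Launch Chrome
  browser = await puppeteer.launch({
    executablePath: '/usr/bin/chromium-browser',
    args: [
      '--headless',
      '--disable-dev-shm-usage',
      // NOTE(review): the next two flags turn off Chromium's process sandbox while
      // the bot renders submitted pages, so a renderer compromise is contained only
      // by the container. Run as an unprivileged user in a locked-down container,
      // or drop the flags if the runtime allows the sandbox.
      '--no-sandbox',
      '--disable-setuid-sandbox',
      '--disable-gpu',
      '--no-gpu',
      '--disable-default-apps',
      '--disable-translate',
      '--disable-device-discovery-notifications',
      '--disable-software-rasterizer',
      // Turns off the reflected-XSS filter so challenge payloads run; the XSS
      // Auditor was removed in Chrome 78, so later builds have nothing to disable.
      '--disable-xss-auditor'
    ],
    // One profile directory for all visits: cookies, cache and storage persist
    // from one submitter's page to the next.
    userDataDir: '/home/bot/data/',
    // Ignore HTTPS errors
    ignoreHTTPSErrors: true
  });
  // Create an anonymous (incognito) browser context
  // browser = await browser.createIncognitoBrowserContext();
  console.log("[+] Browser", "Launch success!");
  get_urls();
  // console.log("[+] Browser", "Close success!");
  // await browser.close();
})().catch(err => {
  // A failed launch would otherwise be an unhandled rejection; report it and
  // exit non-zero so a supervisor can restart the bot.
  console.error("[-] Browser", "Launch failed!", err);
  process.exitCode = 1;
});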