CORS hijacking, multi-threaded (verification tool)

Posted on 2019-6-16 09:43:26
```python
import sys
import time
from queue import Queue
from threading import Thread, active_count

import requests
import urllib3

# verify=False is used deliberately (arbitrary hosts are scanned); silence the per-request warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Characters inserted between the target host and the attacker suffix in mode 3.
# The list in the original post was mangled by the forum's e-mail obfuscation; this set is assumed.
CHARACTERS = '!@#$%^&*()_+~/*'
USER_AGENT = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36')


def record(mode, domain, resp):
    """Print a finding and append it to cors_success.txt."""
    line = '{} {} {}'.format(domain.replace('http://', ''),
                             resp.headers.get('Access-Control-Allow-Origin'),
                             resp.headers.get('Access-Control-Allow-Credentials'))
    print('[+]Mode {}:CORS Found {}'.format(mode, line))
    with open('cors_success.txt', 'a+') as f:
        f.write(line + '\n')


def probe(domain, origin):
    """Send one GET with the given Origin; redirects are not followed so the headers of the
    probed URL itself are examined."""
    headers = {'User-Agent': USER_AGENT, 'Origin': origin}
    return requests.get(domain, headers=headers, timeout=(5, 20), verify=False, allow_redirects=False)


def cors_test(domain):
    domain = domain.strip()
    # The original test `'http://' or 'https://' not in domain` was always true.
    if not domain.startswith(('http://', 'https://')):
        domain = 'http://' + domain
    try:
        # Mode 1: an unrelated origin. The original `"A" and "B" in headers` only checked B.
        req1 = probe(domain, 'http://www.abc.com')
        if ('Access-Control-Allow-Origin' in req1.headers
                and 'Access-Control-Allow-Credentials' in req1.headers):
            if req1.headers['Access-Control-Allow-Origin'] == 'http://www.abc.com':
                record(1, domain, req1)
                return
            # Mode 2: target host used as a prefix of another domain (catches startswith() checks).
            origin = domain + '.baidu.com'
            req2 = probe(domain, origin)
            if req2.headers.get('Access-Control-Allow-Origin') == origin:
                record(2, domain, req2)
                return
            # Mode 3: host + special character + attacker domain (catches unanchored/unescaped regexes).
            seen_acao = None
            for character in CHARACTERS:
                origin = domain + character + '.abc.com'
                req3 = probe(domain, origin)
                if req3.headers.get('Access-Control-Allow-Origin') == origin:
                    record(3, domain, req3)
                    return
                seen_acao = req3.headers.get('Access-Control-Allow-Origin') or seen_acao
            # The original referenced an undefined `req` here; report once instead of per character.
            if seen_acao:
                print('[+]maybe CORS Found {} {} {}'.format(
                    domain.replace('http://', ''), seen_acao,
                    req3.headers.get('Access-Control-Allow-Credentials')))
    except Exception as e:
        print('[-]' + domain.replace('http://', '') + ' ' + str(e))


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage:python3 cors_test.py filename.txt')
        sys.exit(1)
    queue = Queue()
    with open(sys.argv[1], 'r') as filename:
        for url in filename:
            if url.strip():
                queue.put(url.strip())
    while not queue.empty():
        if active_count() <= 10:
            Thread(target=cors_test, args=(queue.get(),)).start()
        else:
            time.sleep(0.1)  # the original spun in a busy loop here
```

Usage: python3 cors_test.py filename.txt

Three modes are supported:

1. Arbitrary domain (abc.com)

2. Association test (domain.abc.com)

3. Random character test (domain.character.abc.com)

Output: cors_success.txt

Some SRC sites tested earlier:
[screenshot: QQ截图20190616094302.png]
github: https://github.com/p1g3/CORS-SCAN
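The three modes above exist because of three different allow-list mistakes: reflecting any origin, matching the trusted host as a prefix, and matching it with a regex that is not anchored at the end or does not escape the dot. The following is an added example (not the poster's code and not part of CORS-SCAN) that generates the same probes offline and runs them against two constructed stand-in servers, one with a start-anchored-only regex and one with an exact-match list, so the reader can see which probes each mistake lets through. `PROBE_CHARS`, `naive_server`, `strict_server` and the host `target.com` are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Probe characters for mode 3 (assumed set; the post's own list was mangled by the forum).
PROBE_CHARS = '!@#$%^&*()_+~/*'


def candidate_origins(target, attacker_domain='abc.com'):
    """Yield (mode, origin) pairs in the order the scanner above tries them."""
    if '://' not in target:
        target = 'http://' + target
    host = urlsplit(target).netloc
    # Mode 1: unrelated origin; flags servers that reflect anything.
    yield 'mode1', 'http://www.' + attacker_domain
    # Mode 2: target host as a prefix; flags startswith()-style allow-lists.
    yield 'mode2', 'http://{}.{}'.format(host, attacker_domain)
    # Mode 3: host + special character + attacker suffix; flags unanchored or unescaped regexes.
    for ch in PROBE_CHARS:
        yield 'mode3', 'http://{}{}.{}'.format(host, ch, attacker_domain)


def classify(origin, headers):
    """Interpret a response to a probe that was sent with the given Origin."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get('access-control-allow-origin')
    creds = h.get('access-control-allow-credentials', '').strip().lower() == 'true'
    if acao is None:
        return 'none'
    if acao == '*':
        # Browsers reject credentialed responses with a wildcard, so only public data is readable.
        return 'wildcard'
    if acao == origin:
        return 'reflected+credentials' if creds else 'reflected'
    return 'fixed'  # some other, fixed origin was returned


def scan(target, send):
    """Run every probe through send(url, origin) -> headers dict; return reflected origins."""
    findings = []
    for mode, origin in candidate_origins(target):
        verdict = classify(origin, send(target, origin))
        if verdict.startswith('reflected'):
            findings.append((mode, origin, verdict))
    return findings


# Constructed stand-ins for a server, so the scan runs without network access.
def naive_server(url, origin):
    """Allow-list regex anchored only at the start: a common real-world mistake."""
    if re.match(r'^https?://target\.com', origin):
        return {'Access-Control-Allow-Origin': origin,
                'Access-Control-Allow-Credentials': 'true'}
    return {}


def strict_server(url, origin):
    """Exact-match allow-list; no probe should be reflected."""
    if origin in ('https://app.target.com', 'https://target.com'):
        return {'Access-Control-Allow-Origin': origin,
                'Access-Control-Allow-Credentials': 'true'}
    return {}


if __name__ == '__main__':
    for mode, origin, verdict in scan('target.com', naive_server):
        print(mode, origin, verdict)
    print('strict server findings:', scan('target.com', strict_server))
```

Against `naive_server` mode 1 is rejected but mode 2 and every mode 3 variant are reflected with credentials, which is the case the scanner's third mode is designed to surface; against `strict_server` nothing is reflected. In a real run `send` would be the `probe` function from the script above, and a `wildcard` verdict is worth noting but not reporting as a hijack, since the browser will not expose a credentialed response to `*`.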


