clickjack

clickjack_check

巩固写代码,顺便使用loguru记录日志emmm;此处本质上就是检测返回数据包中是否存在X-FRAME-OPTIONS

废话不说,直接上代码

非面向对象

import requests
import time
import os,sys
import argparse
import urllib3
from loguru import logger
# Silence the InsecureRequestWarning urllib3 emits for unverified TLS requests.
# The GET in click_check leaves certificate verification at its default, so
# this only takes effect if a caller later passes verify=False.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)

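_LOG_FORMAT = "{time:YYYY-MM-DD at HH:mm:ss}-{level} {message}"
_USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'
# Log paths already registered with loguru. The original code called
# logger.add() on every check, so each call appended one more sink and every
# subsequent line was written once per call.
_log_sinks = set()


def _log_file_path():
    """Return ``<project root>/Log/click_test.log``.

    The project root is taken to be the parent of this file's directory.
    """
    base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
    # os.path.join discards every component before an absolute one, so the
    # original '/Log/click_test.log' argument resolved to the filesystem root
    # instead of the project directory.
    return os.path.join(base_dir, 'Log', 'click_test.log')


def _ensure_log_sink(path):
    """Attach the file sink for *path* exactly once per process."""
    if path not in _log_sinks:
        logger.add(path, format=_LOG_FORMAT, level="INFO", encoding='utf-8')
        _log_sinks.add(path)


def _frame_protection(headers):
    """Return ``(verdict, hint)`` lines for a response's *headers*.

    *headers* is expected to support case-insensitive lookup (requests'
    ``CaseInsensitiveDict``); the original code relied on that too.
    A missing ``X-Frame-Options`` is not by itself a finding when a
    ``Content-Security-Policy`` with ``frame-ancestors`` is present, since
    that directive also restricts framing.
    """
    xfo = headers.get('X-FRAME-OPTIONS')
    if xfo is not None:
        return ('[-]X-FRAME-OPTIONS ' + xfo,
                '[-]X-FRAME-OPTIONS header, no click hijacking vulnerability can be used')
    csp = headers.get('Content-Security-Policy', '')
    if 'frame-ancestors' in csp.lower():
        return ('[-]Content-Security-Policy ' + csp,
                '[-]frame-ancestors directive present, framing is restricted by CSP')
    return ('[+]There is no X-FRAME-OPTIONS header. There is a clicking hijacking vulnerability',
            '[!]Remind:It may be a defense against JS. Please test it yourself')


def click_check(url, timeout=6):
    """Fetch *url* and report whether the response restricts framing.

    Prints whether the target answered 200, then writes the verdict
    (X-Frame-Options present, CSP frame-ancestors present, or neither)
    to ``Log/click_test.log`` under the project root via loguru.

    Args:
        url: Target URL including scheme.
        timeout: Seconds to wait for the response; 6 as in the original.

    Raises:
        requests.RequestException: if the request itself fails; the original
            propagated these as well.
    """
    headers = {'User-Agent': _USER_AGENT}
    response = requests.get(url=url, headers=headers, timeout=timeout)
    if response.status_code != 200:
        # Original message read '[-]bjective instability' (typo).
        print('[-]Objective instability')
        return
    print('[+]Target stability')
    # Header inspection no longer sits in a bare except: any error from
    # logger.add() used to be misreported as "no X-FRAME-OPTIONS header".
    verdict, hint = _frame_protection(response.headers)
    _ensure_log_sink(_log_file_path())
    logger.info('\n' + verdict + '\n' + hint)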

def main():
    """Parse ``-u/--url`` and run the check, or print help when no URL is given."""
    parser = argparse.ArgumentParser(description='Poc for clickjack.')
    parser.usage = "python3 clickjack.py [-h] [-u URL] "
    parser.add_argument('-u', '--url', help='The website to be tested Url')
    options = parser.parse_args()
    if not options.url:
        parser.print_help()
        return
    click_check(options.url)
# Script entry point; importing the module does not run the check.
if __name__ == '__main__':
    main()

面向对象

import requests
import time
import os,sys
import argparse
import urllib3
from loguru import logger
# Silence the InsecureRequestWarning urllib3 emits for unverified TLS requests.
# click_jack.check leaves certificate verification at its default, so this
# only takes effect if a caller later passes verify=False.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)

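class click_jack(object):
    """Clickjacking (UI-redress) checker for a single URL.

    Holds the target in ``url``; :meth:`check` fetches it and reports whether
    the response restricts framing. Results are printed and appended to
    ``Log/click_test.log`` under the project root (the parent of this file's
    directory) via loguru.
    """

    _LOG_FORMAT = "{time:YYYY-MM-DD at HH:mm:ss}-{level} {message}"
    _USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'
    # Log paths already registered with loguru. The original called
    # logger.add() on every check, so each call appended one more sink and
    # every subsequent line was written once per call.
    _log_sinks = set()

    def __init__(self, url):
        self._url = url

    @property
    def url(self):
        """Target URL under test."""
        return self._url

    @url.setter
    def url(self, url):
        self._url = url

    @staticmethod
    def _log_file_path():
        """Return ``<project root>/Log/click_test.log``."""
        base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
        # os.path.join discards every component before an absolute one, so the
        # original '/Log/click_test.log' argument resolved to the filesystem
        # root instead of the project directory.
        return os.path.join(base_dir, 'Log', 'click_test.log')

    @classmethod
    def _ensure_log_sink(cls, path):
        """Attach the file sink for *path* exactly once per process."""
        if path not in cls._log_sinks:
            logger.add(path, format=cls._LOG_FORMAT, level="INFO", encoding='utf-8')
            cls._log_sinks.add(path)

    @staticmethod
    def _frame_protection(headers):
        """Return ``(verdict, hint)`` lines for a response's *headers*.

        *headers* is expected to support case-insensitive lookup (requests'
        ``CaseInsensitiveDict``); the original relied on that too. A missing
        ``X-Frame-Options`` is not by itself a finding when a
        ``Content-Security-Policy`` with ``frame-ancestors`` is present,
        since that directive also restricts framing.
        """
        xfo = headers.get('X-FRAME-OPTIONS')
        if xfo is not None:
            return ('[-]X-FRAME-OPTIONS ' + xfo,
                    '[-]X-FRAME-OPTIONS header, no click hijacking vulnerability can be used')
        csp = headers.get('Content-Security-Policy', '')
        if 'frame-ancestors' in csp.lower():
            return ('[-]Content-Security-Policy ' + csp,
                    '[-]frame-ancestors directive present, framing is restricted by CSP')
        return ('[+]There is no X-FRAME-OPTIONS header. There is a clicking hijacking vulnerability',
                '[!]Remind:It may be a defense against JS. Please test it yourself')

    def check(self, timeout=6):
        """Fetch ``self.url`` and log whether the response restricts framing.

        Args:
            timeout: Seconds to wait for the response; 6 as in the original.

        Raises:
            requests.RequestException: if the request itself fails; the
                original propagated these as well.
        """
        headers = {'User-Agent': self._USER_AGENT}
        response = requests.get(url=self.url, headers=headers, timeout=timeout)
        if response.status_code != 200:
            # Original message read '[-]bjective instability' (typo).
            print('[-]Objective instability')
            return
        print('[+]Target stability')
        # Header inspection no longer sits in a bare except: any error from
        # logger.add() used to be misreported as "no X-FRAME-OPTIONS header".
        verdict, hint = self._frame_protection(response.headers)
        self._ensure_log_sink(self._log_file_path())
        logger.info('\n' + verdict + '\n' + hint)

    def main(self):
        """Parse ``-u/--url``, store it via the ``url`` setter and run :meth:`check`."""
        parse = argparse.ArgumentParser(description='Poc for clickjack.')
        parse.usage = "python3 clickjack.py [-h] [-u URL] "
        parse.add_argument('-u', '--url', help='The website to be tested Url')
        args = parse.parse_args()
        if args.url:
            # Go through the property rather than poking self._url directly.
            self.url = args.url
            self.check()
        else:
            parse.print_help()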

# Script entry point; the URL is supplied on the command line, so the instance
# starts with an empty target that main() overwrites.
if __name__ == '__main__':
    click = click_jack(url='')
    click.main()

效果如图:包含日志信息(日志信息如果想只存储结果,格式化时只保留message即可)

关于loguru可以看之前的文章

Python 中更优雅的日志记录方案

Reference

https://www.cnblogs.com/haq5201314/p/8992273.html