云函数代理蚁剑流量

1.创建云函数
2021-11-20T12:38:58.png

#!/usr/bin/env
# -*- coding:utf-8 -*-

import requests
import json
from urllib.parse import urlsplit

def geturl(urlstr):
    """Return the ``url`` entry of *urlstr*.

    *urlstr* is expected to be the query-string mapping of the incoming event
    (that is what the caller in this file passes). It is serialised to JSON
    and parsed back, which yields a plain copy, and the value stored under
    'url' in that copy is returned.

    Raises:
        KeyError: if the mapping has no 'url' entry.
        TypeError: if *urlstr* cannot be serialised to JSON.
    """
    # NOTE(security): the returned value is caller-supplied and is not
    # validated here (no scheme or host check).
    round_tripped = json.loads(json.dumps(urlstr))
    return round_tripped['url']

def main_handler(event, context):
    """Cloud-function entry point: re-send the incoming POST to a caller-chosen URL.

    The destination is taken from the 'url' entry of ``event['queryString']``.
    The body and headers of the incoming event are forwarded unchanged, except
    that a "HOST" header naming the destination's network location is set.

    Args:
        event: Gateway event; the keys read here are 'queryString', 'body'
            and 'headers'.
        context: Runtime context passed by the platform; not used.

    Returns:
        A gateway response mapping that always carries status 200 and the
        upstream response text, labelled as HTML.
    """
    # NOTE(security): nothing authenticates the caller and the destination is
    # caller-controlled, so anyone who learns the gateway URL can make this
    # function send POST requests to arbitrary hosts (an open relay / SSRF
    # primitive billed to the function's owner).
    target = geturl(event['queryString'])
    target_host = urlsplit(target).netloc
    body = event['body']
    forwarded_headers = event['headers']
    # The event's own header mapping is modified in place.
    forwarded_headers["HOST"] = target_host

    # NOTE(security): verify=False disables TLS certificate validation, so the
    # identity of the destination is not checked. No timeout is passed either.
    upstream = requests.post(
        target,
        data=body,
        headers=forwarded_headers,
        verify=False,
    )

    # The upstream status code is not propagated; the caller always sees 200.
    content_type = 'text/html;charset=' + upstream.apparent_encoding
    return {
        "isBase64Encoded": False,
        "statusCode": 200,
        "headers": {'Content-Type': content_type},
        "body": upstream.text,
    }

2021-11-20T12:41:41.png
使用时在webshell前加api访问路径。

https://service-ncowiper-xxxxxxx.apigw.tencentcs.com/release/helloworld-1637410382?url=https://www.baidu.com/shell.php

2021-11-20T12:44:05.png

云函数HTTP代理

2021-11-20T13:01:14.png

# -*- coding: utf8 -*-
import json
import pickle
from base64 import b64decode, b64encode

import requests


# Shared secret that callers must present in the "scf-token" request header.
# NOTE(security): this literal is the sample value printed on the page and is
# therefore public. A deployment needs its own randomly generated value, kept
# out of source control.
SCF_TOKEN = "INYZCKWDRHLGAFBQEXPTSMVUO"


def authorization():
    """Build the gateway response returned when the SCF-Token check fails.

    Returns:
        A response mapping with status 401, no headers and a fixed
        plain-text body.
    """
    rejection = dict(
        isBase64Encoded=False,
        statusCode=401,
        headers={},
        body="Please provide correct SCF-Token",
    )
    return rejection


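def main_handler(event: dict, context: dict):
    """Cloud-function entry point: check the caller's token, then perform the request it describes.

    The event body is a JSON object whose keys are passed as keyword arguments
    to ``requests.request``; its 'data' entry is base64 and is decoded first.
    The resulting response object is pickled, base64-encoded and returned as
    the body of a 200 reply.

    Args:
        event: Gateway event; the keys read here are 'headers' (for the
            'scf-token' entry) and 'body'.
        context: Runtime context passed by the platform; not used.

    Returns:
        The 401 mapping from ``authorization()`` when the token is missing or
        wrong, otherwise a 200 mapping carrying the encoded response.
    """
    # Function-scope import: keeps this block independent of the file's import list.
    import hmac

    # Tencent cloud has its own authorization system https://console.cloud.tencent.com/cam/capi
    # But it may be a little overqualified for a simple usage like this
    try:
        token = event["headers"]["scf-token"]
    except KeyError:
        return authorization()

    # Compare in constant time so response timing does not reveal how much of a
    # guessed token matched. Both sides are encoded to bytes because
    # compare_digest rejects non-ASCII str arguments.
    supplied = str(token).encode("utf-8")
    expected = SCF_TOKEN.encode("utf-8")
    if not hmac.compare_digest(supplied, expected):
        return authorization()

    data = event["body"]
    kwargs = json.loads(data)
    kwargs['data'] = b64decode(kwargs['data'])
    # Prohibit automatic redirect to avoid network errors such as connection reset
    # NOTE(security): verify=False disables TLS certificate validation for the
    # outgoing request.
    # NOTE(review): every key of the JSON body becomes a keyword argument, so a
    # body that itself contains "verify" or "allow_redirects" raises TypeError
    # (duplicate keyword), and no timeout is applied unless the caller sends one.
    r = requests.request(**kwargs, verify=False, allow_redirects=False)

    # TODO: REFACTOR NEEDED. Return response headers and body directly.
    # Many errors occurred when setting headers to r.headers with some adjustments
    # (https://cloud.tencent.com/document/product/583/12513)
    # and the response `r.content`/`r.raw.read()` to body (like gzip errors).
    # NOTE(security): returning a pickle obliges the receiver to call
    # pickle.loads on data that arrived over the network, which is unsafe
    # deserialisation. A data-only reply (status, headers and a base64 body as
    # JSON) would remove that requirement.
    serialized_resp = pickle.dumps(r)

    return {
        "isBase64Encoded": False,
        "statusCode": 200,
        "headers": {},
        "body": b64encode(serialized_resp).decode("utf-8"),
    }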

本地安装 mitmproxy

pip3 install mitmproxy
import json
import pickle
from typing import List
from random import choice
from urllib.parse import urlparse
from base64 import b64encode, b64decode

import mitmproxy
from mitmproxy.net.http import Headers

# API gateway URLs of the deployed cloud function; several may be listed, separated by commas.
# One entry is picked at random for each intercepted request.
scf_servers: List[str] = ['https://service-xxxx.apigw.tencentcs.com/release/helloworld-1637412674']

# Authorization token; must match the token configured in the cloud function.
# NOTE(security): the literal below is the sample value printed on the page and
# is therefore public. Use a private, randomly generated value and keep it out
# of source control.
SCF_TOKEN = "INYZCKWDRHLGAFBQEXPTSMVUO"


def request(flow: mitmproxy.http.HTTPFlow):
    """mitmproxy request hook: wrap the intercepted request and re-address it to a cloud function.

    The original method, URL, headers, cookies, query parameters and
    base64-encoded body are packed into a JSON document. ``flow.request`` is
    then replaced by a POST of that document to one randomly chosen entry of
    ``scf_servers``, carrying the shared token in the "SCF-Token" header.
    """
    gateway_url = choice(scf_servers)
    original = flow.request

    envelope = {
        "method": original.method,
        "url": original.pretty_url,
        "headers": dict(original.headers),
        "cookies": dict(original.cookies),
        "params": dict(original.query),
        # The raw body bytes are base64-encoded so they can travel inside JSON.
        "data": b64encode(original.raw_content).decode("ascii"),
    }
    encoded_envelope = json.dumps(envelope)

    # Fixed header set for the outer request.
    # NOTE(security): the shared token travels in a request header, so its
    # confidentiality rests on the TLS connection to the gateway.
    outer_headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate, compress",
        "Accept-Language": "en-us;q=0.8",
        "Cache-Control": "max-age=0",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
        "Connection": "close",
        "Host": urlparse(gateway_url).netloc,
        "SCF-Token": SCF_TOKEN,
    }

    flow.request = flow.request.make(
        "POST",
        url=gateway_url,
        content=encoded_envelope,
        headers=outer_headers,
    )


def response(flow: mitmproxy.http.HTTPFlow):
    """mitmproxy response hook: turn the cloud function's reply back into the upstream response.

    Any status other than 200 is logged as a warning. After that:

    - 401: only the headers are replaced; the body is passed through.
    - 433: headers and body are replaced by a fixed HTML notice (per its text,
      the function exceeded its maximum execution time).
    - 200: the body is base64-decoded and unpickled; the status code, headers
      and content of the resulting object become the response.
    - Any other status is left untouched.
    """
    status = flow.response.status_code

    if status != 200:
        mitmproxy.ctx.log.warn("Error")

    if status == 401:
        flow.response.headers = Headers(content_type="text/html;charset=utf-8")
    elif status == 433:
        flow.response.headers = Headers(content_type="text/html;charset=utf-8")
        flow.response.text = "<html><body>操作已超过云函数服务最大时间限制,可在函数配置中修改执行超时时间</body></html>"
    elif status == 200:
        encoded = flow.response.content.decode("utf-8")
        # NOTE(security): pickle.loads runs code embedded in its input. This
        # body arrives over the network, so whoever can answer in place of the
        # cloud function, or alter its reply, can execute code on the machine
        # running this script. A data-only format (for example JSON holding
        # status, headers and a base64 body) would avoid that.
        upstream = pickle.loads(b64decode(encoded))

        rebuilt = flow.response.make(
            status_code=upstream.status_code,
            headers=dict(upstream.headers),
            content=upstream.content,
        )
        flow.response = rebuilt

启动客户端

mitmdump -s client.py -p 8080

修改浏览器代理
2021-11-20T13:04:29.png
添加mitmdump证书
2021-11-20T13:05:18.png
2021-11-20T13:06:15.png
选择证书导入
查看IP,每次刷新IP都会变化
2021-11-20T13:07:00.png

最后修改:2022 年 01 月 03 日 07 : 21 PM