I have built a number of XSS platforms before and have used several sets of source code. Comparing them, I still find wuyun's xss.me source code the easiest to use, even though it is older. Recently, for work reasons, I needed to set up an XSS platform again, and I chose the xss.me source code (after modifying it). My modified source is on my blog: [http://www.bodkin.ren/?p=133](http://www.bodkin.ren/?p=133); thanks for sharing.
Building the XSS platform is not complicated. A few minor problems came up along the way, but they were quickly solved; this post records the process and shares it.
[modified version](https://git.oschina.net/nMask/Resource/raw/master/xss.me.new.zip)
First download the xssplatform source code, then pick a server and install WAMP. I chose WAMP to build the environment mainly to avoid the hassle of configuring Apache and MySQL by hand, since the focus of this article is the process of building the XSS platform. (Experts can install and configure Apache separately on Linux.)
Once the server environment is configured, put the xss source code in WAMP's www directory and start WAMP. If WAMP is running normally, opening localhost/xss/ should show the login page, but you cannot log in or register yet; several more configuration steps are needed.
Open wamp\bin\apache\apache2.4.9\conf\httpd.conf. To build the XSS platform without errors, first set the website (document root) directory:
At this point, opening localhost shows the login page directly, without needing the localhost/xss/ path. If you have a special need to keep a secondary directory, then in the path configurations below prefix the original path with the directory name, e.g. /xss/index.php.
Open localhost/phpmyadmin to enter the phpMyAdmin management interface, add a user root with password 123456, and delete the other users for security reasons. Then add a database named poppy (the exact database name is written in the xss.sql file), and import the xss.sql file.
Change the domain name used by the oc_module module: open the oc_module table and execute the following SQL statement, replacing the domain with your own. (This affects the generated XSS PoC.)

```sql
UPDATE oc_module SET code=REPLACE(code,'http://xsser.me','http://xxx.com');
```
Modify the configuration as follows:
- `$config['database'] = 'poppy';` # Change to match the database name (see the .sql file)
- The database account and password can be changed or left as they are.
- `$config['register'] = 'normal';` # Change so that no invitation code is required.
- `$config['urlroot'] = 'http://localhost';` # Change to the local address
Modify authtest.php in the root directory and change the domain name in it to your own domain name or IP.
After modifying the configuration, open localhost and register an account. After registration a new record is added to the oc_user table; manually change its adminlevel to 1 (administrator permission, which includes the permission to issue invitation codes).
After completing the above steps the platform is almost ready to use, but if you run into other problems, read on.
The problem: when visiting the auto-generated xss_poc URL, a 404 error occurs because URL rewriting does not take effect, mainly a middleware (web server) configuration problem. Below is a solution for the Apache and IIS middleware.
First add a .htaccess file to the website root with the following contents:
Note: if the website is accessed via domain name + directory, e.g. www.xxx.com/xss/, change /index.php in the code below to /xss/index.php.
Then modify the Apache configuration file to allow URL rewriting.
This way Apache will apply the URL rewrite rules from the .htaccess file in the root directory.
After completing these two configurations, accessing an address like this will display the xss_poc (JS) content.
While writing this I tested under Windows; the configuration under Linux should be the same.
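The two settings that usually cause the 404 described above are the rewrite module not being loaded and `AllowOverride None` on the document root, which makes Apache silently ignore the .htaccess file. The fragment below is an added example, not the project's own configuration: it shows the default (weak) WAMP setting beside the corrected one, and an assumed .htaccess rule of the shape the platform needs (the six-character key and the `do=code&urlKey=` query string are assumptions; take the real rules from the project's own .htaccess). The `c:/wamp/www/` path is the WAMP default; adjust it if your document root differs.

```apache
# --- httpd.conf (wamp\bin\apache\apache2.4.9\conf\httpd.conf) ---

# 1. Load mod_rewrite; a default install ships this line commented out.
LoadModule rewrite_module modules/mod_rewrite.so

# 2. Default setting that ignores .htaccess entirely and produces the 404:
# <Directory "c:/wamp/www/">
#     AllowOverride None
# </Directory>

#    Corrected: let .htaccess override settings, and while here disable
#    directory listings so the platform's files are not browsable.
<Directory "c:/wamp/www/">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# --- .htaccess in the document root (assumed rule, see lead-in) ---
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Leave requests for real files alone (index.php, static assets).
    RewriteCond %{REQUEST_FILENAME} !-f
    # Six-character key -> index.php?do=code&urlKey=<key>
    # If the site lives under /xss/, write /xss/index.php here instead.
    RewriteRule ^([0-9a-zA-Z]{6})$ /index.php?do=code&urlKey=$1 [L,QSA]
</IfModule>
```

After editing httpd.conf, restart Apache from the WAMP tray menu; .htaccess changes take effect immediately. A quick check that the override is being read is to put a deliberately malformed line in .htaccess and confirm the site returns a 500 rather than serving normally.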
- Modify line 257 of \source\function.php: change the mailbox account password in it and set the host to smtp.xx.com, e.g. smtp.qq.com.
- For the Fetion SMS reminder function, modify the phone number at line 72 of \source\api.php; it may only support mobile phone numbers.
The new source does not require modifying the following parameters; the old version may.
Modify the contents of themes\default\templates\register.html:
(1) Comment out the permission control on lines 10 and 50 of source\user.php.
Then visit /index.php?do=user&act=invite to generate an invitation code.
(2) Register a test user, go into the database and change that user's adminLevel to 1, then restore the comments removed in (1) and add the permission control in case 'invite':
(3) Or enable normal registration by modifying line 18 of /config.php.
Modify the Delete() and MultiDelete() functions in themes\default\templates\project_view.html and change the URL they POST to,
i.e. prefix '/xss' according to the actual server path.