From 0203b386ffd6c763cb04caa752ae897ef9d031fc Mon Sep 17 00:00:00 2001 From: Medicean Date: Wed, 12 Apr 2017 11:31:48 +0800 Subject: [PATCH] v1.0.1 --- CHANGELOG.md | 17 +++++ README.md | 24 ++++++- README_CN.md | 184 +++++++++++++++++++++++++++++++++++++++++++++++++++ xssencode.py | 1 + 4 files changed, 224 insertions(+), 2 deletions(-) create mode 100644 CHANGELOG.md create mode 100644 README_CN.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..9ac61b4 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,17 @@ +### v1.0.1 (2017/04/12) + +* Add `ZipEncode` and `ZipDecode` + + ``` +hello world! <=> x\x9c\xcbH\xcd\xc9\xc9W(\xcf/\xcaIQ\x04\x00\x1e\x89\x04~ + ``` + +* Add `Rot13Encode` and `Rot13Decode` + + ``` +hello world! <=> uryyb jbeyq! + ``` + +### v1.0.0 + +* Support Package Control diff --git a/README.md b/README.md index 7e47d99..ab93bdd 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,21 @@ # Sublime XssEncode -Converts characters from one encoding to another using a transformation. +[English](README.md) | [中文说明](README_CN.md) + +Converts characters from one encoding to another using a transformation. This tool will help you encode payloads in testing sql injections, XSS holes and site security. **Convert the region you selected or convert all characters.** +XssEncode supports both Sublime Text 2 and 3. + Installation ---- + +Using [Package Control](https://sublime.wbond.net/installation) to find, install and upgrade *XssEncode* is the recommended method to install this plug-in. + + +Otherwise, you can use the following steps manually install: + 1. Open the Sublime Text Packages folder * OS X: ~/Library/Application Support/Sublime Text 3/Packages/ * Windows: %APPDATA%/Sublime Text 3/Packages/ @@ -17,9 +27,19 @@ Installation git clone https://github.com/Medicean/SublimeXssEncode.git ``` -Commands +3. Rename the new folder to **xssencode** + + +ChangeLog +--- + +See more at [ChangeLog](CHANGELOG.md) + +Example Commands ---- +> You can type the Command HotKeys(Win: `ctrl+shift+p`, OSX: Command+shift+p),type `xssencode` and choice your action。Otherwise, click the menu bar `tools` => `XssEncode` and choice your action. + * `html_escape` Converts characters to their HTML entity. diff --git a/README_CN.md b/README_CN.md new file mode 100644 index 0000000..0044b29 --- /dev/null +++ b/README_CN.md @@ -0,0 +1,184 @@ +# Sublime XssEncode + +[English](README.md) | [中文说明](README_CN.md) + +XssEncode 是一个字符编码转换工具,这个工具可以在你进行 SQL 注入、XSS 测试、加密解密时快速的对 Payload 进行转换。 + +**转换你选中的字符,如果未选中则默认转换整个文本域的内容** + +XssEncode 支持 Sublime Text 2 和 3. + +如何安装 +---- + +强烈推荐使用 [Package Control](https://sublime.wbond.net/installation) 进行查找、安装、升级 **XssEncode** + +当然,你也可以按照以下步骤手动进行安装: + +1. 打开 Sublime Text Packages 目录(可直接通过菜单中的 Browse Packages 进入该目录) + * OS X: ~/Library/Application Support/Sublime Text 3/Packages/ + * Windows: %APPDATA%/Sublime Text 3/Packages/ + * Linux: ~/.Sublime Text 3/Packages/ or ~/.config/sublime-text-3/Packages + +2. Clone 本仓库到该目录下 + + ``` + git clone https://github.com/Medicean/SublimeXssEncode.git + ``` + +3. 将目录名重命名为:**xssencode** + + +改动日志 +--- + +详情见:[ChangeLog](CHANGELOG.md) + +转换命令样例: +---- + +> 你可以直接通过命令快捷键(Win: `ctrl+shift+p`, OSX: Command+shift+p),然后输入 `xssencode` 选择你要进行的操作。或者可以点击菜单栏 `tools` => `XssEncode` 选择你要进行的操作。 + +* `html_escape` + + HTML 实体编码 + + **eg:** + + `a1@&` => `a1@&` + +* `html10_encode` + + HTML 10 进制实体编码 + + **eg:** + + `a1@&` => `a1@&` + +* `html16_encode` + + HTML 16 进制实体编码 + + **eg:** + + `a1@&` => `a1@&` + +* `html_unescape` + + HTML 实体解码 + + **eg:** + + `aaa&` => `aaa&` + +* `base64_encode` + + Base64 编码 + + **eg:** + + `a1@&` => `YTFAJg==` + +* `base64_decode` + + **eg:** + + `YTFAJg==` => `a1@&` + +* `url_encode` + + URL 编码 + + **eg:** + + `alert(/xss/);` => `alert%28/xss/%29%3B` + +* `url_decode` + + **eg:** + + `alert%28/xss/%29%3B` => `alert(/xss/);` + +* `string_from_char_code` + + **eg:** + + `alert(/xss/);` => `String.fromCharCode(97,108,101,114,116,40,47,120,115,115,47,41,59)` + +* `mysql_char` + + **eg:** + + `123` => `CHAR(49,50,51)` + + You can excute the sql commands below. + + `select 123;` + + `select CHAR(49,50,51);` + +* `oracle_chr` + + **eg:** + + `123` => `CHR(49)||CHR(50)||CHR(51)` + + You can excute the sql commands below. + + `select 123;` + + `select CHR(49)||CHR(50)||CHR(51);` + +* `php_chr` + + 转换为 PHP chr 函数连接形式. + + **eg:** + + 假如现在我们有一个 PHP 的 WebShell, 内容是: `` + + 如果你要绕过一些安全防护(比如:WAF),你可以把你要执行的命令转换一下,比如下面这个例子: + + `ls -al` => `CHR(108).CHR(115).CHR(32).CHR(45).CHR(97).CHR(108)` + + 然后,你可以这样发起请求: + + `http://127.0.0.1/backdoor.php?cmd=system(CHR(108).CHR(115).CHR(32).CHR(45).CHR(97).CHR(108));` + +* `string_to_hex` + + 将字符转换成 16 进制,在 SQL 注入中使用的非常多 + + **eg:** + + `root` => `726f6f74` + + 你可以在 mysql 命令行下执行下面两条指令,查看效果: + + `SELECT user from mysql.user where user='root';` + + `SELECT user from mysql.user where user=0x726f6f74;` + +* `hex_to_string` + + **eg:** + + `726f6f74` => `root` + +* `unicode_decode` + + **eg:** + + `测试` => `\u6d4b\u8bd5` + +* `unicode_encode` + + **eg:** + + `\u6d4b\u8bd5` => `测试` + +* `md5_encode` + + **eg:** + + `1` => `c4ca4238a0b923820dcc509a6f75849b` diff --git a/xssencode.py b/xssencode.py index 037e2df..33a9091 100644 --- a/xssencode.py +++ b/xssencode.py @@ -1,5 +1,6 @@ import sublime import sublime_plugin +__VERSION__ = '1.0.1' class XssEncodeCommand(sublime_plugin.TextCommand):