{"id":13841619,"url":"https://github.com/opensec-cn/conote-community","last_synced_at":"2025-07-11T12:33:17.076Z","repository":{"id":53676041,"uuid":"436664365","full_name":"opensec-cn/conote-community","owner":"opensec-cn","description":"Conote 综合安全测试平台社区版。","archived":true,"fork":false,"pushed_at":"2024-08-15T14:49:58.000Z","size":4446,"stargazers_count":364,"open_issues_count":1,"forks_count":64,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-08-15T16:48:57.421Z","etag":null,"topics":["django","pentesting"],"latest_commit_sha":null,"homepage":"https://phithon.gitbooks.io/conote/content/","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opensec-cn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-09T15:21:55.000Z","updated_at":"2024-08-15T14:50:10.000Z","dependencies_parsed_at":"2022-08-22T10:00:17.960Z","dependency_job_id":null,"html_url":"https://github.com/opensec-cn/conote-community","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fconote-community","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fconote-community/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fconote-community/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fconote-community/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opensec-cn","download_url":"https://codeload.github.com/opensec-cn/conote-community/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225720438,"owners_count":17513601,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["django","pentesting"],"created_at":"2024-08-04T17:01:17.006Z","updated_at":"2024-11-21T11:31:38.824Z","avatar_url":"https://github.com/opensec-cn.png","language":"CSS","funding_links":[],"categories":["CSS","Web安全"],"sub_categories":[],"readme":"**Archived: 请使用2.0版本 \u003chttps://phith0n.github.io/conote-docs/\u003e，CoNote 1.0版本不再维护。**\n\n\n# CoNote 综合安全测试平台（社区版）\n\nCoNote是一个内部使用的工作台，它会让我们的安全测试过程变得非常方便，于2021年12月推出社区版。\n\n使用说明：\u003chttps://phithon.gitbooks.io/conote/content/\u003e\n\n演示视频：\n\n[![conote](img/2.png)](https://www.youtube.com/watch?v=WqbjJ8NISys)\n\n![](img/3.png)\n\n搭建文档尚不完善，尽情期待，有能力的同学可以先自行研究。\n\n## 全局配置与环境变量\n\nconote使用.env来配置环境变量，我们需要先将文件`.env.default`复制成`.env`。\n\n具体值的意义，请参考conf/settings.py以及conf/settings_deploy.py。\n\n## 主域名\n\nconote平台需要一个主域名，如`note.leavesongs.com`，用户可以通过这个域名访问管理页面。\n\n主域名不用在配置文件里配置。\n\n## 子域名\n\n每个用户将被分配一个子域名，这个域名用于：\n\n1. 记录Web日志\n2. 记录DNS日志\n3. 存放并访问用户笔记\n\n在配置文件中配置如下选项，指定根域名（每个用户分配到的子域名将是`xxxx.2m1.pw`）：\n\n```python\nO_SERVER_DOMAIN = '2m1.pw'\n```\n\n这个域名如何配置解析，在下一节进行说明。\n\n## DNS 配置\n\n因为要记录DNS日志，所以我们需要将conote配置成一个DNS服务器。\n\n首先，选择两个域名`ns1.leavesongs.com`、`ns2.leavesongs.com`（随意即可，无要求），A记录指向conote服务器IP。\n\n然后，在配置文件中增加如下选项：\n\n```python\nO_NS1_DOMAIN = 'ns1.leavesongs.com'\nO_NS2_DOMAIN = 'ns2.leavesongs.com'\nO_SERVER_IP = '45.32.43.49'\nO_ADDITION_ZONE = ''\n```\n\n然后，在`O_SERVER_DOMAIN`域名（也就是`2m1.pw`）的注册商处，配置DNS服务器为`ns1.leavesongs.com`和`ns2.leavesongs.com`。\n\n`O_ADDITION_ZONE`中可以配置一些额外的DNS区域，比如MX记录等。\n\n## 配置用户自定义DNS域名\n\nconote可以允许用户配置自定义的DNS记录，用于测试Rebind漏洞。\n\n选择一个`O_SERVER_DOMAIN`的子域名（不要和用户的子域名重复），如`s.2m1.pw`。增加如下配置：\n\n```python\nO_REBIND_DOMAIN = 's.2m1.pw'\n```\n\n不再需要额外配置，因为conote的DNS服务器会接管这个域名。\n\n## 配置短域名\n\nconote支持短域名模块，我们可以注册一个短域名，如`mhz.pw`，然后增加如下配置：\n\n```python\nO_SHORT_DOMAIN = 'mhz.pw'\n```\n\n然后需要在域名解析商处将这个域名指向conote的IP地址。\n\n当然，也可以配置为`O_SERVER_DOMAIN`的另一个子域名，如`a.2m1.pw`。但这时候，我们就需要修改`O_ADDITION_ZONE`，为这个子域名添加一个A记录，因为此时即conote充当域名解析商的角色。\n\n## 配置XSS平台域名\n\nconote支持xss平台，除了名字不同，配置同上一节：\n\n```python\nO_XSS_DOMAIN = 'tj.2m1.pw'\n```\n\n## 配置第三方登录\n\nCoNote现在使用的是第三方登录，如果要对接自己的OAuth平台，我们可以略微修改代码。\n\n首先在.env中修改OAuth的配置项：\n\n```\nCLIENT_ID=xxxx\nCLIENT_SECRET=xxxx\nCALLBACK_URL=http://note.leavesongs.com/auth/callback/\n# 将callback_url中的example.com修改成conote平台主域名即可，path不要修改。\n```\n\n然后在`app/ucenter/views.py`中，修改如下三个url：\n\n```python\nauthorization_base_url = 'https://auth.tricking.io/o/authorize/'\ntoken_url = 'https://auth.tricking.io/o/token/'\nprofile_url = 'https://auth.tricking.io/api/profile/'\n```\n\n第一个是获取code的url，第二个是用code兑换access_token的url，第三个是获取用户信息的url。\n\n然后修改一下同文件中的RegisterView类：\n\n```python\nclass RegisterView(generic.CreateView):\n    model = User\n    fields = [\n        'username',\n        'email'\n    ]\n    template_name = 'registration/register.html'\n\n    def dispatch(self, request, *args, **kwargs):\n        try:\n            session = OAuth2Session(client_id, token=request.session['oauth_token'])\n            self.user_data = session.get(profile_url).json()\n        except BaseException as e:\n            return render(request, '500.html', context=dict(errors=str(e)))\n\n        user = User.objects.filter(auth_id=self.user_data['auth_id']).first()\n        if user:\n            self.login(user)\n            return redirect(resolve_url(settings.LOGIN_REDIRECT_URL))\n        else:\n            return super().dispatch(request, *args, **kwargs)\n\n    def get_initial(self):\n        return dict(\n            username=self.user_data['username'],\n            email=self.user_data['email']\n        )\n\n    def login(self, user):\n        auth_login(self.request, user)\n        self.request.session.pop('oauth_token', None)\n        self.request.session.pop('oauth_state', None)\n\n    @transaction.atomic\n    def form_valid(self, form):\n        form.instance.set_unusable_password()\n        form.instance.auth_id = self.user_data['auth_id']\n        user = form.save()\n        self.login(user)\n        return redirect(resolve_url(settings.LOGIN_REDIRECT_URL))\n    # ...\n```\n\n其中`self.user_data`是获取到的用户信息，修改成你的平台提供的信息即可。\n\n## 配置Docker\n\n拉取新的镜像：\n\n```\ndocker pull php:7.2-fpm-alpine\ndocker pull php:5.6-fpm-alpine\n```\n\n如果希望限制容器内tmp文件夹大小，请先创建一个文件系统，步骤如下：\n\n```bash\n# 创建一个大小为64M的文件\ndd if=/dev/zero bs=1024 count=64000 of=/usr/local/tmpfile\n\n# 对文件进行格式化\nmkfs.ext4 /usr/local/tmpfile\n\n# 建立目录\nmkdir /data/tmp\n\n# 修改/etc/fstab\nvim /etc/fstab\n# /usr/local/tmpfile /data/tmp ext4 rw,user,auto,noexec 0 0\n\n# 或手工挂载\nmount -o loop /usr/local/tmpfile /data/tmp\n```\n\n然后，配置settings.py：\n\n```python\nSANDBOX_ROOT = os.path.join(BASE_DIR, 'media', 'sandbox')\nDOCKER_CONFIG = {\n    'php-5.6': {\n        'image': 'php:5.6-fpm-alpine',\n        'container_name': 'conote_php56',\n        'network_name': 'network_01',\n        'subnet': '10.233.101.0/24',\n        'gateway': '10.233.101.254',\n        'ip': '10.233.101.10',\n        'tmp': '/data/tmp/php56'\n    },\n    'php-7.2': {\n        'image': 'php:7.2-fpm-alpine',\n        'container_name': 'conote_php72',\n        'network_name': 'network_02',\n        'subnet': '10.233.102.0/24',\n        'gateway': '10.233.102.254',\n        'ip': '10.233.102.10',\n        'tmp': '/data/tmp/php72'\n    }\n}\n```\n\nDocker启动后，还需要将tmp目录权限修改为0777。\n\n如果不用限制/tmp目录的大小，则无需上述操作，且settings中tmp的值为`None`。\n\n### 下载gvisor\n\nconote利用[gvisor](https://github.com/google/gvisor)来控制沙箱，所以需要下载gvisor的二进制文件并配置docker：\n\n下载二进制文件:`wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc -O /usr/local/bin/runsc`，并给其添加可执行权限`chmod +x /usr/local/bin/runsc`，然后修改docker配置文件`/etc/docker/daemon.json`（如果不存在则创建之）：\n\n```\n{\n    \"runtimes\": {\n        \"runsc\": {\n            \"path\": \"/usr/local/bin/runsc\"\n        }\n    }\n}\n```\n\n最后重启docker即可。\n\n## 配置匿名邮箱与SMTP模块\n\n在DNS服务商处（或conote的DNS配置处），设置MX记录指向服务器IP。\n\n```python\n1m6.win.         IN      MX      5 note.leavesongs.com.\n```\n\n然后在settings中设置：\n\n```python\nO_MAIL_DOMAIN = '1m6.win'\n```\n\n用`./manage.py mailserver`启动smtp服务器，将监听0.0.0.0:25。\n\n## 运行conote\n\nconote分为4部分：\n\n1. web端\n2. dns服务器\n3. 后台任务\n4. smtp服务器\n\n所以需要分成4个服务运行。systemd文件如下：\n\n```\n# Conote\n[Unit]\nDescription=Conote web application\nAfter=network.target\n\n[Service]\nPIDFile=/run/gunicorn/conote.pid\nRuntimeDirectory=gunicorn\nUser=root\nGroup=root\nWorkingDirectory=/home/conote\nRestart=always\nExecStart=/bin/bash /home/conote/conote.sh --pid /run/gunicorn/conote.pid\nExecStop=/bin/kill -s TERM $MAINPID\n\n[Install]\nWantedBy=multi-user.target\n```\n\n```\n# dns server\n[Unit]\nDescription=Conote dns application\nAfter=network.target\n\n[Service]\nUser=root\nGroup=root\nWorkingDirectory=/home/conote\nRestart=always\nExecStart=/home/conote/env/bin/python manage.py dnsserver\n\n[Install]\nWantedBy=multi-user.target\n```\n\n```\n# huey\n[Unit]\nDescription=Conote huey background tasks\nAfter=network.target\n\n[Service]\nUser=root\nGroup=root\nWorkingDirectory=/home/conote\nRestart=always\nExecStart=/home/conote/env/bin/python manage.py run_huey\n\n[Install]\nWantedBy=multi-user.target\n```\n\n```\n# smtpd\n[Unit]\nDescription=Conote email server\nAfter=network.target\n\n[Service]\nUser=root\nGroup=root\nWorkingDirectory=/home/conote\nRestart=always\nExecStart=/home/conote/env/bin/python manage.py mailserver\n\n[Install]\nWantedBy=multi-user.target\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensec-cn%2Fconote-community","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopensec-cn%2Fconote-community","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensec-cn%2Fconote-community/lists"}