概要
提示:仅供学习,不得用做商业交易,如有侵权请及时联系
逆向:瑞树3 - cookie值
URL:aHR0cDovL3d3dy5jaGluYWRydWd0cmlhbHMub3JnLmNuL2luZGV4Lmh0bWw=
目标:
整体架构流程
提示:大致步骤跟瑞树4差不多
一、加载步骤(生成):
1、打开无痕浏览器窗口 - 输入网址 - 事件监听器打开脚本直接断住
ts文件
2、跟栈往后面走,到html文件
这里由 content 和 js 两部分组成:content 稍后会被脚本取值,js 负责生成 cookie
注意:我们不能直接去复制到本地的js文件中,不然会出现js的转义问题
3、python获取对应的content、ts、js代码
# Fetch the landing page once and save the three fragments the sandboxed run
# needs as local files: the second <meta> tag's content (cont.js), the second
# inline <script> (cd.js) and the first external script (ts.js).
# NOTE(review): the xpath positions (//meta[2], //script[1], //script[2]) are
# tied to the page layout observed when this was written — re-check them if
# the markup changes.
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0',
}

# NOTE(review): verify=False turns off TLS certificate validation for both
# requests in this script, so anything on the network path can substitute the
# page and the scripts that get executed later. Acceptable only for a
# throwaway lab capture.
response = requests.get('http://xxx/index.html', headers=headers, verify=False)
print('第一次访问状态:', response.status_code)
tree = etree.HTML(response.text)


def _save(path, text):
    # Write `text` to `path`, replacing any existing file.
    with open(path, 'w') as out:
        out.write(text)


# Backslashes are doubled so the text survives being embedded in a JS file
# (see the note above about not pasting it by hand).
content = tree.xpath('//meta[2]/@content')[0]
content = f'content = "{content}";'.replace('\\', '\\\\')
_save('./cont.js', content)

cd = tree.xpath('//script[2]/text()')[0]
_save('./cd.js', cd.replace('\\', '\\\\'))

tsUrl = 'http://www.xxxx.org.cn' + tree.xpath('//script[1]/@src')[0]
_save('./ts.js', requests.get(url=tsUrl, headers=headers, verify=False).text)
4、挂代理补环境:
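/**
 * Wrap `obj` in a Proxy that logs every property read and write to the
 * console (via console.table) before forwarding it to the target. Used on
 * the environment stubs to see which properties the sandboxed script touches.
 *
 * Fix: the original get trap called Reflect.get twice per access (once for
 * the log row, once for the return value), so a getter on the target ran
 * twice; the value is now read once and reused.
 *
 * @param {object} obj  The object to observe.
 * @param {string} name Label printed in the log rows to identify the stub.
 * @returns {Proxy} Observing proxy around `obj`.
 */
function proxy(obj, name) {
  const logGet = (target, p, receiver) => {
    const value = Reflect.get(target, p, receiver);
    console.table([{ method: 'get', target: name, p, receiver, value }]);
    return value;
  };
  const logSet = (target, p, value, receiver) => {
    console.table([{ method: 'set', target: name, p, value, receiver }]);
    return Reflect.set(target, p, value, receiver);
  };
  return new Proxy(obj, { get: logGet, set: logSet });
}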
注意:补着补着会发现脚本会检测 Node.js 环境,出现变量未定义或方法不存在的情况
5、不能直接挂代理补,得使用vm2,纯v8环境
二、使用vm2,首先要下载,还有就是浏览器联调:
# vm2 executes the captured scripts; node-inspect is the CLI debugger used to
# step through them. Both are installed globally, as the author does.
# NOTE(review): vm2 has been discontinued by its maintainers after repeated
# sandbox escapes — treat it as a convenience runner, not an isolation boundary.
npm install --global vm2 node-inspect
// Run the captured page scripts inside a vm2 sandbox, preceded by the
// hand-written browser environment (env.js). The four files are concatenated
// in dependency order and executed as a single script.
// NOTE(review): cont.js, ts.js and cd.js are third-party code fetched from the
// site, and vm2 is not a security boundary for untrusted code — run this in a
// disposable environment rather than on a workstation.
const { VM, VMScript } = require('vm2');
const fs = require('fs');

const PARTS = [
  './env.js',  // environment stubs
  './cont.js', // meta content
  './ts.js',   // external ts script
  './cd.js',   // inline page script
];
const code = PARTS.map((path) => fs.readFileSync(path, 'utf8')).join('\n') + '\n';

const vm = new VM();
vm.run(code);
vscode联调:调试配置
pycharm联调:--inspect-brk
这里我使用的是vscode
三、在env.js加上代理直接开补,缺啥补啥:
document:getElementById 9DhefwqGPrzGxEp9hPaoag
// Minimal stand-in for the browser `document`, exposing only the members the
// sandboxed script presumably reads; everything else stays undefined so the
// proxy log points at what is still missing. Relies on `proxy` and `content`
// from earlier in the concatenated code; `script` is not defined in this
// excerpt and has to come from env.js as well.
document = {
  // The script looks up one <meta> element by id: hand back its content and a
  // parentNode whose removeChild() silently succeeds.
  getElementById: function (id) {
    if (id !== '9DhefwqGPrzGxEp9hPaoag') return undefined;
    const meta = { content, parentNode: { removeChild: function () {} } };
    return proxy(meta, 'meta1');
  },
  // Only <div> creation is supported; the fake element has no <i> children.
  createElement: function (tagName) {
    if (tagName !== 'div') return undefined;
    const div = {
      getElementsByTagName: function (childTag) {
        return childTag === 'i' ? { length: 0 } : undefined;
      },
      innerHTML: '',
    };
    return proxy(div, 'div');
  },
  characterSet: 'UTF-8',
  exitFullscreen: function () {},
  documentElement: proxy({
    style: proxy({}, 'documentElement-style'),
    getAttribute: function () {
      return null;
    },
  }, 'documentElement'),
  addEventListener: function () {},
  cookie: '',
  getElementsByTagName: function (tagName) {
    return tagName === 'script' ? proxy(script, 'script') : undefined;
  },
};
navigator:直接补Navigator
// Thenable stand-in handed back by Navigator.prototype.getBattery(): `then`
// ignores its callbacks and returns the object itself, so chained .then()
// calls keep resolving to it, and `catch` is a no-op. It is not a real
// Promise — no callback is ever invoked.
Promise2 = {
then: function () {
return this;
},
catch: function (){},
};
// Constructor stand-in for the browser's Navigator interface. No instance is
// created in this excerpt; the members the script reads are attached to
// Navigator.prototype further down in env.js.
Navigator = function Navigator(){};
// Same tag a real Navigator prints via Object.prototype.toString.
Navigator.prototype.toString = function (){
return '[object Navigator]'
}
// navigator.getBattery() normally returns a Promise; the thenable stub is
// returned through a logging proxy so the caller's .then() chain can be seen.
Navigator.prototype.getBattery = function (){
return proxy(Promise2,'Promise2'); // battery status info
}
// Constructor stand-in for PluginArray; only used as the prototype of the
// `plugins` stub below. toString on both the constructor and its prototype is
// overridden to print what the native implementation prints, and the
// Symbol.toStringTag is set to 'PluginArray' (non-writable, non-enumerable).
PluginArray = function PluginArray(){}
PluginArray.prototype.toString = function (){return '[object PluginArray]'}
PluginArray.toString = function (){return 'function PluginArray() { [native code] }'}
Object.defineProperties(PluginArray.prototype,{[Symbol.toStringTag]:{value:'PluginArray'}})
// navigator.plugins stand-in: an array-like object (length 5, keys '0'..'4')
// where every level is wrapped in a logging proxy, so any property the script
// reads shows up in the console with the label given as the second argument.
// Each entry exposes name/filename/length and two array-like children whose
// only property is `type`.
plugins = proxy({
length: 5,
'0': proxy({
name: 'PDF Viewer',
filename: 'internal-pdf-viewer',
length: 2,
'0': proxy({
type:'application/pdf'
}, 'plugins00'),
'1': proxy({
type:'text/pdf'
},'plugins01')
},'plugins0'),
'1': proxy({
name: 'Chrome PDF Viewer',
filename: 'internal-pdf-viewer',
length: 2,
'0': proxy({
type:'application/pdf'
}, 'plugins10'),
'1': proxy({
type:'text/pdf'
},'plugins11')
},'plugins1'),
'2': proxy({
name: 'Chromium PDF Viewer',
filename: 'internal-pdf-viewer',
length: 2,
'0': proxy({
type:'application/pdf'
}, 'plugins20'),
'1': proxy({
type:'text/pdf'
},'plugins21')
},'plugins2'),
'3': proxy({
name: 'Microsoft Edge PDF Viewer',
filename: 'internal-pdf-viewer',
length: 2,
'0': proxy({
type:'application/pdf'
}, 'plugins30'),
'1': proxy({
type:'text/pdf'
},'plugins31')
},'plugins3'),
'4': proxy({
name: 'WebKit built-in PDF',
filename: 'internal-pdf-viewer',
length: 2,
'0': proxy({
type:'application/pdf'
}, 'plugins40'),
'1': proxy({
type:'text/pdf'
},'plugins41')
},'plugins4')
}, 'plugins')
// Assigning __proto__ (instead of Object.setPrototypeOf) is a property write
// on the proxy, so it goes through the logging set trap like any other write.
plugins.__proto__ = PluginArray.prototype;
// Fixed values for the navigator properties the script presumably reads,
// installed as plain data properties on Navigator.prototype (Object.assign
// uses ordinary assignment, so this is the same as setting them one by one).
// `plugins` and `proxy` come from earlier in env.js.
Object.assign(Navigator.prototype, {
  plugins,
  mimeTypes: proxy({
    length: 2,
    '0': { type: 'application/pdf', description: 'Portable Document Format' },
    '1': { type: 'application/pdf', description: 'Portable Document Format' },
  }, 'mimeTypes'),
  webdriver: false,
  connection: {
    downlink: 4.7,
    effectiveType: "4g",
    onchange: null,
    rtt: 50,
    saveData: false,
  },
  platform: 'Win32',
  appCodeName: 'Mozilla',
  appName: 'Netscape',
  appVersion: "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  deviceMemory: 8,
  hardwareConcurrency: 8,
  webkitPersistentStorage: proxy({}, 'webkitPersistentStorage'),
  language: "zh-CN",
  languages: ['zh-CN', 'zh'],
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36',
});

// Same source text a native constructor prints, and the tag used by
// Object.prototype.toString (non-writable, non-enumerable, non-configurable).
Navigator.toString = function () {
  return 'function Navigator() { [native code] }';
};
Object.defineProperty(Navigator.prototype, Symbol.toStringTag, { value: 'Navigator' });
screen:到这里吧,慢慢补,没什么检测,代码补通了就可以
最后看结果:
提示:关于怎么调出值,上面写了那个注释就是
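/**
 * Run the captured scripts in a vm2 sandbox and call one function they define,
 * returning its result to the host.
 *
 * The sandbox is given a shared `lwVm_module` object; a short trailer appended
 * to the code assigns `{ <func_name>: <func_name> }` to `lwVm_module.exports`.
 * vm.run() returns the value of the script's last expression — that assignment
 * — so the exported object is indexed straight from the return value.
 *
 * Fix: the exported object was indexed with the hard-coded key 'getCookie'
 * regardless of `func_name`; it now uses the requested name.
 *
 * @param {string} func_name Name of a function defined by the sandboxed
 *   scripts (e.g. 'getCookie'). It is spliced into source text, so it must be
 *   a plain identifier from trusted code, never external input.
 * @returns {*} Whatever the named function returns inside the sandbox.
 */
function result(func_name) {
  const lwVm_module = { exports: {} };
  const export_func = `\r\nlwVm_module.exports = {
${func_name}: ${func_name},
}`;
  const vm = new VM({ sandbox: { lwVm_module } });

  // Same concatenation order as the plain runner, plus getcookie.js, which
  // defines the function being exported.
  const parts = ['./env.js', './cont.js', './ts.js', './cd.js', './getcookie.js'];
  let code = parts.map((path) => fs.readFileSync(path, 'utf8')).join('\n') + '\n';
  code += export_func;

  const script = new VMScript(code);
  return vm.run(script)[func_name]();
}

console.log(result('getCookie'));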
技术细节
小结