21js加密一个套了轻ob的webpack
luzhisheng
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/1.png
Normal file
|
After Width: | Height: | Size: 42 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/10.png
Normal file
|
After Width: | Height: | Size: 39 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/11.png
Normal file
|
After Width: | Height: | Size: 31 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/2.png
Normal file
|
After Width: | Height: | Size: 37 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/3.png
Normal file
|
After Width: | Height: | Size: 30 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/4.png
Normal file
|
After Width: | Height: | Size: 32 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/5.png
Normal file
|
After Width: | Height: | Size: 111 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/6.png
Normal file
|
After Width: | Height: | Size: 76 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/7.png
Normal file
|
After Width: | Height: | Size: 26 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/8.png
Normal file
|
After Width: | Height: | Size: 59 KiB |
BIN
猿人学练习/21js加密一个套了轻ob的webpack/img/9.png
Normal file
|
After Width: | Height: | Size: 34 KiB |
60
猿人学练习/21js加密一个套了轻ob的webpack/main.py
Normal file
@ -0,0 +1,60 @@
|
||||
import requests
|
||||
import time
|
||||
|
||||
|
||||
def get_s():
|
||||
timestamp = int(time.time() * 1000)
|
||||
data = {"timestamp": str(timestamp)}
|
||||
url = f"http://0.0.0.0:3005/sign_21"
|
||||
session = requests.session()
|
||||
headers = {'content-type': 'application/x-www-form-urlencoded; charset=UTF-8'}
|
||||
session.headers = headers
|
||||
response = session.request("POST", url, data=data)
|
||||
return response.text, timestamp
|
||||
|
||||
|
||||
def challenge21(page, s, t):
|
||||
url = "https://www.python-spider.com/api/challenge21"
|
||||
payload = f"page={page}&s={s}&t={t}"
|
||||
session = requests.session()
|
||||
headers = {
|
||||
'content-length': '57',
|
||||
'pragma': 'no-cache',
|
||||
'cache-control': 'no-cache',
|
||||
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"',
|
||||
'accept': 'application/json, text/javascript, */*; q=0.01',
|
||||
'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
|
||||
'x-requested-with': 'XMLHttpRequest',
|
||||
'sec-ch-ua-mobile': '?0',
|
||||
'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36',
|
||||
'sec-ch-ua-platform': '"Linux"',
|
||||
'origin': 'https://www.python-spider.com',
|
||||
'sec-fetch-site': 'same-origin',
|
||||
'sec-fetch-mode': 'cors',
|
||||
'sec-fetch-dest': 'empty',
|
||||
'referer': 'https://www.python-spider.com/challenge/21',
|
||||
'accept-encoding': 'gzip, deflate, br',
|
||||
'accept-language': 'zh-CN,zh;q=0.9,en;q=0.8',
|
||||
'cookie': 'sessionid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
|
||||
}
|
||||
session.headers = headers
|
||||
response = session.request("POST", url, data=payload)
|
||||
return response.json()
|
||||
|
||||
|
||||
def run():
|
||||
data_num = 0
|
||||
for page in range(1, 101):
|
||||
s, t = get_s()
|
||||
print(s, t)
|
||||
response_json = challenge21(page, s, t)
|
||||
print(response_json)
|
||||
data_list = response_json.get('data')
|
||||
print(data_list)
|
||||
for data in data_list:
|
||||
data_num += int(data.get('value'))
|
||||
print(data_num)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
run()
|
||||
@ -1,6 +1,100 @@
|
||||
# 知识点:
|
||||
# 知识点:webpack4,魔改的md5,eval渗透,AC表转字符串
|
||||
|
||||
## 解题思路
|
||||
|
||||
https://blog.csdn.net/qq523176585/article/details/124722785
|
||||
https://app.yinxiang.com/fx/970ae39c-9964-4aae-aa96-7e81fee4ef8f
|
||||
js基础课的webpack
|
||||
|
||||
查看请求地址,发现存在`s`加密变量和`t`变量
|
||||
|
||||
|
||||
|
||||
断点进入
|
||||
|
||||
|
||||
|
||||
个人习惯都,先解混淆,在`reres`替换文件
|
||||
|
||||
|
||||
|
||||
`reres`替换成本地文件
|
||||
|
||||
|
||||
|
||||
断点进入代码,了解过webpack打包的,就不难发现这段代码是webpack4的打包
|
||||
|
||||
webpack打包后的基本结构
|
||||
|
||||
|
||||
|
||||
想要调试webpack代码,只需要在分发器上打上断点,就能知道运行的哪些模块
|
||||
|
||||
|
||||
|
||||
刷新页面,第一个加载的模块是`110`,查看代码也符合预期,这里初始执行的模块就是`110`
|
||||
|
||||
|
||||
|
||||
继续断点执行,并每次执行后打印模块名,可以发现模块执行顺序是`512,520,684,200,274,200,555,567`
|
||||
|
||||
|
||||
|
||||
就是说整个加密过程经历了`512,520,684,200,274,200,555,567`模块
|
||||
|
||||
如何扣webpack代码,类似如下
|
||||
|
||||
window = global;
|
||||
p = window;
|
||||
var getToken;
|
||||
|
||||
!function (_0x33909e) {
|
||||
var t={}
|
||||
|
||||
// 分发器
|
||||
function d(n){
|
||||
if (t[n])
|
||||
return t[n].exports;
|
||||
console.log(n)
|
||||
var r = t[n] = {
|
||||
i:n,
|
||||
l:!1,
|
||||
exports:{}
|
||||
};
|
||||
return e[n].call(r.exports,r,r.exports,d),
|
||||
r.l = !0;
|
||||
r.exports
|
||||
}
|
||||
|
||||
// d(1)
|
||||
getToken = d; // 导出执行入口函数
|
||||
}({
|
||||
// 模块
|
||||
520: function (_0x30cc03, _0x3b380c, _0x3f415a) {},
|
||||
684: function (_0x41d8d5, _0x220a8e) {},
|
||||
200: function (_0xd2ef5e, _0x515626) {},
|
||||
274: function (_0x4dc078, _0x4f5a3) {},
|
||||
555: function (_0x71207c, _0x1e06ab, _0x4c8811) {},
|
||||
567: function (_0x244241, _0x257cd8, _0x4d003a) {},
|
||||
});
|
||||
|
||||
// 函数外执行
|
||||
var k = getToken(520);
|
||||
let _0x4d0a2e = k();
|
||||
console.dir(_0x4d0a2e);
|
||||
|
||||
将入口函数`d`赋值给全局变量`getToken`,将需要执行的函数复制粘贴到模块中,在函数外给到需要执行的模块,最后得到想要的值
|
||||
|
||||
## 注意点
|
||||
|
||||
利用AC表插入一断危险代码
|
||||
|
||||
|
||||
|
||||
并执行一断定时任务
|
||||
|
||||
|
||||
|
||||
类似的地方还有一处
|
||||
|
||||
|
||||
18
猿人学练习/21js加密一个套了轻ob的webpack/server.js
Normal file
@ -0,0 +1,18 @@
|
||||
const express = require('express');
|
||||
const app = express();
|
||||
const code_21 = require("./21");
|
||||
var bodyParser = require('body-parser');
|
||||
app.use(bodyParser());
|
||||
|
||||
|
||||
app.post('/sign_21', function (req, res) {
|
||||
let result = '';
|
||||
let timestamp = req.body.timestamp;
|
||||
result = code_21.sign_21(timestamp);
|
||||
res.send(result.toString());
|
||||
});
|
||||
|
||||
|
||||
app.listen(3005, () => {
|
||||
console.log("开启服务,端口 3005")
|
||||
});
|
||||