声明
本文章中所有内容仅供学习交流使用,不用于其他任何目的,抓包内容、敏感网址、数据接口等均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关!
关键代码
document.createElement = function createElement() {
tag = arguments[0]
console.log('document.createElement', tag)
if (tag == 'b') {
return {
getElementsByTagName: function () {
return {length: 1}
}
}
}
if (tag == 'style') {
return {
appendChild: function () {
}
}
}
if (tag == 'iframe') {
let newWindow = Object.assign({}, window)
return {
sandbox: "allow-same-origin allow-scripts",
contentWindow: newWindow,
style: {},
id: '_s3i',
srcdoc: 'blank\x20page',
parentNode: document.body
}
}
if (tag == 'canvas') {
canvas = new HTMLCanvasElement()
return canvas
}
if (tag == 'div') {
return {
tagName: "DIV",
appendChild: function () {
},
removeChild: function () {
},
getElementsByTagName(name) {
console.log('getElementsByTagName', name)
if (name == 'i') {
return {}
}
}
}
}
if (tag == "audio") {
return new HTMLAudioElement()
}
if (tag == 'video') {
return new HTMLVideoElement()
}
if (tag == 'span') {
return {style: {}, tagName: "SPAN"}
}
if (tag == 'a') {
return {}
}
debugger;
}
document.createTextNode = function createTextNode() {
return function () {
}
}
document.getElementsByTagName = function () {
console.log('document.getElementsByTagName', arguments)
tag = arguments[0]
if (tag == 'meta') {
return [{}]
if (tag == 'body') {
return []
}
if (tag == 'i') {
return []
}
if (tag == 'script') {
return {}
if (tag == 'base') {
return []
}
}
结果
总结
1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。