声明
本文章中所有内容仅供学习交流使用,不用于其他任何目的,抓包内容、敏感网址、数据接口等均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关!
大部分关键代码
!(() => {
"use strict";
const $toString = Function.toString;
const myFunction_toString_symbol = Symbol('('.concat('', ')_', (Math.random() + '').toString(36)));
const myToString = function () {
return typeof this == 'function' && this[myFunction_toString_symbol] || $toString.call(this);
};
function set_native(func, key, value) {
Object.defineProperty(func, key, {
"enumerable": false,
"configurable": true,
"writable": true,
"value": value
})
};
delete Function.prototype['toString']; //删除原型链上的toString
set_native(Function.prototype, "toString", myToString); //自己定义个getter方法
set_native(Function.prototype.toString, myFunction_toString_symbol, "function toString() { [native code] }"); //套个娃 保护一下我们定义的toString 否则就暴露了
this.func_set_natvie = (func) => {
set_native(func, myFunction_toString_symbol, `function ${myFunction_toString_symbol, func.name || ''}() { [native code] }`);
}; //导出函数到globalThis
}).call(this);
const XMLHttpRequest = require('xhr2');
Window = function Window() {
throw new TypeError('Illegal constructor')
};
this.func_set_natvie(Window);
Window.prototype.PERSISTENT = 1
Window.prototype.TEMPORARY = 0
Navigator = function Navigator() {
throw new TypeError('Illegal constructor')
};
this.func_set_natvie(Navigator);
window = global
Object.defineProperties(Window.prototype, {
[Symbol.toStringTag]: {
value: 'Window',
configurable: true
}
})
Object.defineProperties(Navigator.prototype, {
[Symbol.toStringTag]: {
value: 'Navigator',
configurable: true
}
})
window.__proto__ = Window.prototype
window.DataView = function DataView() {
console.log('window.DataView', arguments)
};
this.func_set_natvie(DataView);
window.Notification = function Notification() {
console.log('window.Notification', arguments)
};
this.func_set_natvie(Notification);
location ={
}
okeys=Object.keys
Object.keys=function keys() {
temp=okeys.apply(this,arguments)
return temp
}
screen = {}
screen.width = 1536
screen.height = 864
screen.availHeight = 834
screen.availWidth = 1536
screen.orientation = {
type: "landscape-primary",
angle: 0
}
screen.pixelDepth = 24
screen.colorDepth = 24
window.XMLHttpRequest = function XMLHttpRequest() {
console.log('window.XMLHttpRequest'.arguments)
return {
open: function open() {
},
send: function send() {
}
}
}
window.fetchHooked = true
window.wDomains =[
]
window.name = ''
window.indexedDB = {}
window._phantom = undefined
window.phantom = undefined
window.callPhantom = undefined
navigator.plugins = [{name: "PDF Viewer"}, {name: "Chrome PDF Viewer"}, {name: "Chromium PDF Viewer"},
{name: "Microsoft Edge PDF Viewer"}, {name: "WebKit built-in PDF"}]
document.body = {
}
window.AudioContext = function AudioContext() {
console.log('window.AudioContext', arguments)
}
window.screenX = 0
window.screenY = 0
window.screenLeft = 0
window.screenTop = 0
window.parent = window
window.opener = null
window.frames = window
window.closed = false
window.customElements = {}
window.locationbar = {visible: true}
window.menubar = {visible: true}
window.personalbar = {visible: true}
window.scrollbars = {visible: true}
window.statusbar = {visible: true}
window.toolbar = {visible: true}
window.status = ''
window.frameElement = null
window.onsearch = null
window.external = {}
window.styleMedia = {type: "screen"}
window.isSecureContext = true
window.getSelection = function getSelection() {
return {
anchorOffset: 0,
baseOffset: 0,
extentOffset: 0,
focusOffset: 0,
isCollapsed: true,
rangeCount: 0,
type: "None",
}
}
window.find = function find() {
console.log("window.find", arguments)
}
window.close = function close() {
console.log("window.close", arguments)
}
window.focus = function focus() {
console.log("window.focus", arguments)
}
window.blur = function blur() {
console.log("window.blur", arguments)
}
window.dispatchEvent = function dispatchEvent() {
console.log("window.dispatchEvent ", arguments)
}
window.postMessage = function postMessage() {
console.log("window.postMessage", arguments)
}
window.removeEventListener = function removeEventListener() {
console.log("window.removeEventListener", arguments)
}
document.removeEventListener = function removeEventListener(val1, val2) {
console.log("document.removeEventListener", arguments)
}
window.addEventListener = function addEventListener(val1, val2, val3) {
console.log("window.addEventListener", arguments)
// val2()
}
window.PointerEvent = function PointerEvent() {
console.log('windo.wPointerEvent', arguments)
}
document.addEventListener = function addEventListener(val1, val2, val3) {
// console.log("document.addEventListener", arguments)
fa = {
"isTrusted": true,
}
if (val1 === 'click') {
fa['srcElement'] = {div: {}}
fa['clientX'] = 90
fa['clientY'] = 390
fa['type'] = val1
val2(fa)
} else if (val1 === "mousedown" || val1 === 'mousedown' || val1 === 'mouseout') {
fa['target'] = {"DIV": {}}
fa['clientX'] = 148
fa['clientY'] = 303
fa['type'] = val1
val2(fa)
} else {
fa['srcElement'] = {div: {}}
fa['clientX'] = 90
fa['clientY'] = 390
fa['type'] = val1
val2(fa)
}
}
window.createImageBitmap = function createImageBitmap() {
console.log("window.createImageBitmap", arguments)
}
navigator.sendBeacon = function sendBeacon() {
console.log('navigator.sendBeacon', arguments)
}
navigator.javaEnabled = function javaEnabled() {
console.log('navigator.javaEnabled', arguments)
}
navigator.vibrate = function vibrate() {
console.log('navigator.vibrate', arguments)
}
navigator.userActivation = {
hasBeenActive: true,
isActive: false
}
navigator.mediaSession = {
playbackState: "none"
}
navigator.clipboard = {}
navigator.credentials = {}
navigator.keyboard = {}
navigator.locks = {}
navigator.mediaCapabilities = {}
navigator.onLine = true
navigator.serviceWorker = {}
navigator.storage = {}
navigator.presentation = {}
navigator.bluetooth = {}
navigator.usb = {}
结果
总结
1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。
1543
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
