国家信息安全漏洞共享平台Cnvd分析

已于 2022-05-02 17:13:34 修改
阅读量2.8k 收藏 7
点赞数 5
分类专栏: 爬虫 文章标签: Cnvd
于 2022-04-30 21:59:20 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/leiwuhen92/article/details/124519506
版权
 

1、分析流程

 
3ddcfb7e5c424c10adec83c12d81259e.png
 
 
接口 https://www.cnvd.org.cn/flaw/list?max=20&offset=20连续请求了3次,前两次返回521,第三次200
 
第1次请求521:
02017bf47259435f9fcba41aef5265a6.png
响应 cookie:
  
__jsluid_s=d5e2b24b6f3d4f207880d9bc4bab0be6
response: 是一段js代码 
<script>document.cookie=('_')+('_')+('j')+('s')+('l')+('_')+('c')+('l')+('e')+('a')+('r')+('a')+('n')+('c')+('e')+('_')+('s')+('=')+(-~[]+'')+(3+3+'')+(2+3+'')+(-~false+'')+(-~1+'')+(8+'')+((1<<2)+'')+(~~{}+'')+(1+2+'')+((1+[2]>>2)+'')+('.')+(-~[7]+'')+(1+8+'')+((1+[2]>>2)+'')+('|')+('-')+(-~0+'')+('|')+(-~[7]+'')+('T')+((+false)+'')+('D')+(6+'')+('k')+('T')+('%')+(2+'')+('B')+('r')+('m')+('q')+('B')+('Q')+('z')+('l')+('E')+((1<<1)+'')+('l')+(3+4+'')+('P')+('L')+('A')+('w')+('P')+('c')+('A')+('c')+('%')+((2^1)+'')+('D')+(';')+('m')+('a')+('x')+('-')+('a')+('g')+('e')+('=')+(1+2+'')+(2+4+'')+(~~[]+'')+(~~[]+'')+(';')+('p')+('a')+('t')+('h')+('=')+('/');location.href=location.pathname+location.search</script>

响应头

80fc61cab6f34eadb3825be16550c434.png
js计算得出数据与set-cookie组成cookie用于下一个请求:
553868a268c6441bbe64666dd7018a5c.png
下一个请求的cookie为: 
__jsluid_s=d5070e6754e55e547a59addcf46f9082;__jsl_clearance_s=1651284033.893|-1|8T0D6kT%2BrmqBQzlE2l7PLAwPcAc%3D;max-age=3600;path=/
 
第2次请求521:
fd34d519b9ca4e1e909c5349484bb445.png
请求头包含Cookie: 
__jsluid_s=d5e2b24b6f3d4f207880d9bc4bab0be6;__jsl_clearance_s=1651210240.251|-1|F80UeObi5VXRVjWoLLiTGEFslaI%3D

__jsluid_s是第一次521中的响应cookie,“__jsl_clearance_s=1651210240.251|-1|F80UeObi5VXRVjWoLLiTGEFslaI%3D”则是第1次521中返回的js代码生成的。

 
response: 返回的是js代码,举例如下: 
<script>var _0x1f28=['w58ww5LCsw==','wrYxw6kq','K0vCoMK/','wpYgw7Qv','VcKtUMOx','TsODw4dK','SMOxw7HDrQ==','InfDm8Ka','w6PCo2PDvg==','JQfDi8OY','QcOhw610','fMKgTsOG','wq91w5MO','PGgkKA==','w4omG8KA','QcOkw6R+','QMOCUsKL','CgnDpsOG','w7shGw==','O8KYT8Ox','XsOyFFQ=','wqnChsObwqU=','LwsDw7k=','a8Kje8Ks','ETBeAQ==','wpPCiMOXwqU=','w6MIOcKc','dsKqQhU=','ecKHQMKd','RsKtfMKt','w5vDqcKZfA==','wpJgfMOK','wr9lw7B7','YsKJH8Ke','WMKZYsKu','AE0RXg==','IzIqw6w=','w44Hw5LCiA==','wprDnlzCkQ==','bMOSw5/DkQ==','bsO1w6bDoA==','w5DDtlU=','d8OOMXo=','w73CrVHDlw==','wrsJw5Ax','wpUMCSE=','KlIKPA==','NVIJOw==','AEZSwqU=','ZsKXR8Ow','IRVK','P8KCUMKW','w5LDt2hK','CcO5EcKx','VMKJUsKR','NG7Dgl8=','wpoTw7so','wqImw6Uk','ccOrw7/Dhw==','SsK+w6LDjw==','wqLDhHHCtQ==','S8O5ccKB','wr93w6FW','woEVw7Ur','wqnDjMKZw7o=','w5k1PMK0','Ry/DjAM=','w4XDnsKlfg==','VcKeDMKZ','ScKdRsKL','wr9XSMKy','wr9iasOX','Az4TRA==','f8KJcw==','wog5w6sH','Z0EHVw==','MgABXw==','acKjW8OR','wrBvasOT','VMKoTCM=','wodQO8Om','Q8Ozw7B5','w55/IcOH','MV8pGg==','w57Cn17DvQ==','w495OMOJ','wrIZw50Z','w43Cr8Kdw4Q=','w7PDulrCtg==','Ig0Uw5Q=','wrkmw6co','SMKXwp/Dow==','bcOZfXI=','PsKnbsK/','w6XDr1tH','VMOCw59K','asKew47DrA==','eMOgH1A=','wpjDgnjCuA==','wqtuw7pu','O8KNVsO1','6K6S5rGa6auH6K++','WcKwfsKg','YMKxQMKw','w7Rfw5zChQ==','wrJww5Zo','I1dSwqE=','wrwDBh4=','Q8KUYCc=','w4pWw5DCjg==','w6wNw6/CnQ==','JBgww4o=','w7tKw6HCkQ==','Cxwlw4E=','DH/DjcK/','Q8KNw6bDnw==','w7/DssK5Wg==','wrdfw5bChQ==','wp9zd8OS','PkYcIA==','w6HDsVXCtA==','XMO+YmI=','BnPDucK9','wp7DlXXCuA==','FTNdDA==','wpDDqMKW','VsKgTi4=','csOufMKq','w646JsK1','wpYsw7gn','wqXDvcKEw7U=','U8KeQcKK','wp9ddcK8','OkDCpMKW','E8K+QcK4','w4LDkcK3cg==','UMKiHsKw','c8Oxw7HDuw==','wqTDiMKjw7U=','wr48GTo=','wpIvw7wF','wrBow79u','UMK5wpTDnQ==','a8One8KG','w6vCqn3Djg==','wrsiw78m','QsOwEmQ=','TsKzQcKe','EGMuPQ==','w5ojK8KZ','woRBw68l','w5FWAcO0','ZcKVwrTDgA==','EcKaR8KJ','YcKcwoTDvA==','N8OYe0k=','J2DDmw==','XsKpV8Ot','S8OgH0w=','Az4AUw==','E8KEXsKQ','w7bDiF/Clw==','LQBPDw==','wpJwbsON','H2dDwq8=','OkNcwoc=','QcO8w5Bz','LiDDsMOv','wrQvw7Az','bcODw5XDmQ==','w64CEcKH','w5tNw6vCqg==','Jiwew4Q=','A8KAbMKM','wrUjw6Mo','w4fDsVnCgg==','wq1Bw70A','bsO7G1A=','ecKkTCc=','JiEhw7k=','w5Ilw6HCtA==','BhEHw5o=','cMKEwqbDpQ==','wrFkw6x1','w7bDvEh0','XD/Dmis=','L8K9SBU=','w4TCrXnDiQ==','WcO+w7XDgg==','OmHDklU='];(function(_0x17e03a,_0x1f28e7){var _0x22af88=function(_0x5ba2d5){while(--_0x5ba2d5){_0x17e03a['push'](_0x17e03a['shift']());}};_0x22af88(++_0x1f28e7);}(_0x1f28,0xc8));var _0x22af=function(_0x17e03a,_0x1f28e7){_0x17e03a=_0x17e03a-0x0;var _0x22af88=_0x1f28[_0x17e03a];if(_0x22af['xsfksp']===undefined){(function(){var _0x39f063;try{var _0x21dd33=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');_0x39f063=_0x21dd33();}catch(_0x2b2e91){_0x39f063=window;}var _0x9f038b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x39f063['atob']||(_0x39f063['atob']=function(_0x3459e0){var _0x5b8d46=String(_0x3459e0)['replace'](/=+$/,'');var _0x1a60e4='';for(var _0x1b9c23=0x0,_0x207d0a,_0x5692dd,_0x26113b=0x0;_0x5692dd=_0x5b8d46['charAt'](_0x26113b++);~_0x5692dd&&(_0x207d0a=_0x1b9c23%0x4?_0x207d0a*0x40+_0x5692dd:_0x5692dd,_0x1b9c23++%0x4)?_0x1a60e4+=String['fromCharCode'](0xff&_0x207d0a>>(-0x2*_0x1b9c23&0x6)):0x0){_0x5692dd=_0x9f038b['indexOf'](_0x5692dd);}return _0x1a60e4;});}());var _0x44b778=function(_0x53d5ac,_0x5e837c){var _0x4672d9=[],_0x229525=0x0,_0x5e1672,_0x4f8661='',_0x36c11f='';_0x53d5ac=atob(_0x53d5ac);for(var _0x69c717=0x0,_0x137d7b=_0x53d5ac['length'];_0x69c717<_0x137d7b;_0x69c717++){_0x36c11f+='%'+('00'+_0x53d5ac['charCodeAt'](_0x69c717)['toString'](0x10))['slice'](-0x2);}_0x53d5ac=decodeURIComponent(_0x36c11f);var _0x5739db;for(_0x5739db=0x0;_0x5739db<0x100;_0x5739db++){_0x4672d9[_0x5739db]=_0x5739db;}for(_0x5739db=0x0;_0x5739db<0x100;_0x5739db++){_0x229525=(_0x229525+_0x4672d9[_0x5739db]+_0x5e837c['charCodeAt'](_0x5739db%_0x5e837c['length']))%0x100;_0x5e1672=_0x4672d9[_0x5739db];_0x4672d9[_0x5739db]=_0x4672d9[_0x229525];_0x4672d9[_0x229525]=_0x5e1672;}_0x5739db=0x0;_0x229525=0x0;for(var _0x5a65de=0x0;_0x5a65de<_0x53d5ac['length'];_0x5a65de++){_0x5739db=(_0x5739db+0x1)%0x100;_0x229525=(_0x229525+_0x4672d9[_0x5739db])%0x100;_0x5e1672=_0x4672d9[_0x5739db];_0x4672d9[_0x5739db]=_0x4672d9[_0x229525];_0x4672d9[_0x229525]=_0x5e1672;_0x4f8661+=String['fromCharCode'](_0x53d5ac['charCodeAt'](_0x5a65de)^_0x4672d9[(_0x4672d9[_0x5739db]+_0x4672d9[_0x229525])%0x100]);}return _0x4f8661;};_0x22af['BNOTZv']=_0x44b778;_0x22af['TTGrbS']={};_0x22af['xsfksp']=!![];}var _0x5ba2d5=_0x22af['TTGrbS'][_0x17e03a];if(_0x5ba2d5===undefined){if(_0x22af['IxLvZn']===undefined){_0x22af['IxLvZn']=!![];}_0x22af88=_0x22af['BNOTZv'](_0x22af88,_0x1f28e7);_0x22af['TTGrbS'][_0x17e03a]=_0x22af88;}else{_0x22af88=_0x5ba2d5;}return _0x22af88;};function hash(_0x2a6105){var _0x115f00={};_0x115f00[_0x22af('0x86','rf@q')+'Y']=function(_0x3cd05c,_0x1b9b83){return _0x3cd05c^_0x1b9b83;};_0x115f00[_0x22af('0x81',')p[d')+'Y']=function(_0x1838d1,_0x1ebfad){return _0x1838d1&_0x1ebfad;};_0x115f00[_0x22af('0xb4',']H5r')+'j']=function(_0x34f5d8,_0x24af9f){return _0x34f5d8>>_0x24af9f;};_0x115f00[_0x22af('0x47','GXZq')+'F']=function(_0x239176,_0x176eed){return _0x239176+_0x176eed;};_0x115f00[_0x22af('0x78','Dd#V')+'s']=function(_0x4d6fa5,_0x2457f8){return _0x4d6fa5<_0x2457f8;};_0x115f00[_0x22af('0x4','3(X$')+'A']=function(_0x46c3e3,_0x22b9c6){return _0x46c3e3<<_0x22b9c6;};_0x115f00[_0x22af('0x2e','BCCQ')+'X']=function(_0x407dd6,_0xf74c47){return _0x407dd6*_0xf74c47;};_0x115f00[_0x22af('0x8a','(wtA')+'J']=function(_0x54b4bb,_0x15a3ac){return _0x54b4bb*_0x15a3ac;};_0x115f00[_0x22af('0xbb','QcA(')+'R']=function(_0x5a5617,_0x2254a0){return _0x5a5617&_0x2254a0;};_0x115f00[_0x22af('0x36','dlv1')+'d']=function(_0x30354f,_0x2e07a5){return _0x30354f-_0x2e07a5;};_0x115f00[_0x22af('0x4f','cIQ8')+'l']=function(_0x4c30bf,_0x222ae3){return _0x4c30bf&_0x222ae3;};_0x115f00[_0x22af('0x61',')p[d')+'f']=function(_0x4ac981,_0x440036){return _0x4ac981|_0x440036;};_0x115f00[_0x22af('0x35','Qh%M')+'q']=function(_0x52f444,_0x5824f2){return _0x52f444&_0x5824f2;};_0x115f00[_0x22af('0x53','&DKm')+'z']=function(_0x312ea9,_0x9217fa){return _0x312ea9^_0x9217fa;};_0x115f00[_0x22af('0x7c','&DKm')+'D']=function(_0x49885c,_0x3f99ef){return _0x49885c(_0x3f99ef);};_0x115f00[_0x22af('0x4c','BCCQ')+'Z']=function(_0x48bf6b,_0xa36df2,_0x44c554){return _0x48bf6b(_0xa36df2,_0x44c554);};_0x115f00[_0x22af('0x40','BCCQ')+'W']=function(_0x217511,_0x58f729){return _0x217511^_0x58f729;};_0x115f00[_0x22af('0x85','nW)!')+'z']=function(_0x1033c1,_0x13e211,_0x47b279){return _0x1033c1(_0x13e211,_0x47b279);};_0x115f00[_0x22af('0x3c','^[&X')+'n']=function(_0x345c48,_0x56f2d9,_0x1efdd5,_0x5d1793,_0x498101){return _0x345c48(_0x56f2d9,_0x1efdd5,_0x5d1793,_0x498101);};_0x115f00[_0x22af('0x8d','%2L4')+'u']=function(_0x301cf5,_0x4b9759,_0x18d335){return _0x301cf5(_0x4b9759,_0x18d335);};_0x115f00[_0x22af('0xa1','I*$D')+'Y']=function(_0x11df96,_0x2c05e1){return _0x11df96+_0x2c05e1;};_0x115f00[_0x22af('0x5d','XgUR')+'L']=function(_0x365faf,_0x1575e1){return _0x365faf+_0x1575e1;};var _0x2c002c=_0x115f00;function _0x4d2bb5(_0x556882,_0x7500db){return _0x2c002c[_0x22af('0x68','QcA(')+'Y']((_0x556882&0x7fffffff)+_0x2c002c[_0x22af('0x62','#g2L')+'Y'](_0x7500db,0x7fffffff)^_0x556882&0x80000000,_0x2c002c[_0x22af('0xa2','cIQ8')+'Y'](_0x7500db,0x80000000));}function _0x27b342(_0x297cc0){var _0x322f0c=_0x22af('0x2b','SB(A')+_0x22af('0xb0','HFFW')+_0x22af('0x4d','Dd#V')+_0x22af('0x0','GXZq');var _0x2c308a='';for(var _0x3121f8=0x7;_0x3121f8>=0x0;_0x3121f8--){_0x2c308a+=_0x322f0c[_0x22af('0x83','es3B')+'At'](_0x2c002c[_0x22af('0x19','$@tJ')+'Y'](_0x2c002c[_0x22af('0x8e','x%[4')+'j'](_0x297cc0,_0x3121f8*0x4),0xf));}return _0x2c308a;}function _0x580b04(_0x50cf06){var _0x3409be=_0x2c002c[_0x22af('0x6c','3J]J')+'F'](_0x2c002c[_0x22af('0x96','&DKm')+'F'](_0x50cf06[_0x22af('0xa9','RqVG')+'th'],0x8)>>0x6,0x1),_0x3ba19a=new Array(_0x3409be*0x10);for(var _0x6aea62=0x0;_0x2c002c[_0x22af('0x43','SB(A')+'s'](_0x6aea62,_0x3409be*0x10);_0x6aea62++){_0x3ba19a[_0x6aea62]=0x0;}for(_0x6aea62=0x0;_0x6aea62<_0x50cf06[_0x22af('0x7a','^[&X')+'th'];_0x6aea62++){_0x3ba19a[_0x2c002c[_0x22af('0xa','HFFW')+'j'](_0x6aea62,0x2)]|=_0x2c002c[_0x22af('0x82','Qh%M')+'A'](_0x50cf06[_0x22af('0x9e','Qh%M')+_0x22af('0x12','XgUR')+'At'](_0x6aea62),0x18-_0x2c002c[_0x22af('0xa3','&DKm')+'X'](_0x2c002c[_0x22af('0xa6','#Y^6')+'Y'](_0x6aea62,0x3),0x8));}_0x3ba19a[_0x6aea62>>0x2]|=_0x2c002c[_0x22af('0x6e','PMco')+'A'](0x80,0x18-_0x2c002c[_0x22af('0x9c',')rY!')+'J'](_0x2c002c[_0x22af('0xb6','D$z*')+'R'](_0x6aea62,0x3),0x8));_0x3ba19a[_0x2c002c[_0x22af('0x69','SENc')+'d'](_0x3409be*0x10,0x1)]=_0x50cf06[_0x22af('0xd','rCa*')+'th']*0x8;return _0x3ba19a;}function _0xa2e29c(_0x40a4d4,_0x394107){return _0x2c002c[_0x22af('0x1','SB(A')+'A'](_0x40a4d4,_0x394107)|_0x40a4d4>>>_0x2c002c[_0x22af('0x13','rCa*')+'d'](0x20,_0x394107);}function _0x2fe591(_0x21f896,_0x2b1c9a,_0x1f7f70,_0x3f500c){if(_0x2c002c[_0x22af('0x11','#g2L')+'s'](_0x21f896,0x14))return _0x2b1c9a&_0x1f7f70|_0x2c002c[_0x22af('0x66','I*$D')+'l'](~_0x2b1c9a,_0x3f500c);if(_0x21f896<0x28)return _0x2b1c9a^_0x1f7f70^_0x3f500c;if(_0x21f896<0x3c)return _0x2c002c[_0x22af('0x1c','6WzJ')+'f'](_0x2b1c9a&_0x1f7f70,_0x2c002c[_0x22af('0x76','3(X$')+'l'](_0x2b1c9a,_0x3f500c))|_0x2c002c[_0x22af('0x72','lAYR')+'q'](_0x1f7f70,_0x3f500c);return _0x2c002c[_0x22af('0xab','RqVG')+'z'](_0x2b1c9a^_0x1f7f70,_0x3f500c);}function _0x4c3b0a(_0x37f766){return _0x2c002c[_0x22af('0xac','x%[4')+'s'](_0x37f766,0x14)?0x5a827999:_0x2c002c[_0x22af('0x59','KFw$')+'s'](_0x37f766,0x28)?0x6ed9eba1:_0x2c002c[_0x22af('0x6f','jvz$')+'s'](_0x37f766,0x3c)?-0x70e44324:-0x359d3e2a;}var _0x345eb2=_0x2c002c[_0x22af('0xa0','3(X$')+'D'](_0x580b04,_0x2a6105);var _0x49f01c=new Array(0x50);var _0x1a6808=0x67452301;var _0x3301f6=-0x10325477;var _0x28888f=-0x67452302;var _0x36d3f0=0x10325476;var _0x3b470e=-0x3c2d1e10;for(var _0xf6d3c0=0x0;_0xf6d3c0<_0x345eb2[_0x22af('0xaf','Rge2')+'th'];_0xf6d3c0+=0x10){var _0x5dc122=_0x1a6808;var _0x13f8c6=_0x3301f6;var _0x5c8712=_0x28888f;var _0x529b87=_0x36d3f0;var _0x4e0d45=_0x3b470e;for(var _0x1b488e=0x0;_0x1b488e<0x50;_0x1b488e++){if(_0x2c002c[_0x22af('0xbc','rf@q')+'s'](_0x1b488e,0x10)){_0x49f01c[_0x1b488e]=_0x345eb2[_0xf6d3c0+_0x1b488e];}else{_0x49f01c[_0x1b488e]=_0x2c002c[_0x22af('0x88','HFFW')+'Z'](_0xa2e29c,_0x2c002c[_0x22af('0x8c','#Y^6')+'z'](_0x2c002c[_0x22af('0x5c','XgUR')+'W'](_0x49f01c[_0x1b488e-0x3]^_0x49f01c[_0x1b488e-0x8],_0x49f01c[_0x1b488e-0xe]),_0x49f01c[_0x2c002c[_0x22af('0x77','Qh%M')+'d'](_0x1b488e,0x10)]),0x1);}t=_0x4d2bb5(_0x4d2bb5(_0x2c002c[_0x22af('0x44','3J]J')+'z'](_0xa2e29c,_0x1a6808,0x5),_0x2c002c[_0x22af('0x80','dlv1')+'n'](_0x2fe591,_0x1b488e,_0x3301f6,_0x28888f,_0x36d3f0)),_0x4d2bb5(_0x2c002c[_0x22af('0x1d','^J!I')+'u'](_0x4d2bb5,_0x3b470e,_0x49f01c[_0x1b488e]),_0x4c3b0a(_0x1b488e)));_0x3b470e=_0x36d3f0;_0x36d3f0=_0x28888f;_0x28888f=_0xa2e29c(_0x3301f6,0x1e);_0x3301f6=_0x1a6808;_0x1a6808=t;}_0x1a6808=_0x2c002c[_0x22af('0x9d','lwMi')+'u'](_0x4d2bb5,_0x1a6808,_0x5dc122);_0x3301f6=_0x2c002c[_0x22af('0x20','HFFW')+'u'](_0x4d2bb5,_0x3301f6,_0x13f8c6);_0x28888f=_0x2c002c[_0x22af('0xb9','GXZq')+'u'](_0x4d2bb5,_0x28888f,_0x5c8712);_0x36d3f0=_0x2c002c[_0x22af('0x8d','%2L4')+'u'](_0x4d2bb5,_0x36d3f0,_0x529b87);_0x3b470e=_0x2c002c[_0x22af('0x10','3(X$')+'u'](_0x4d2bb5,_0x3b470e,_0x4e0d45);}return _0x2c002c[_0x22af('0xb5','Qh%M')+'F'](_0x2c002c[_0x22af('0x90','x%[4')+'Y'](_0x2c002c[_0x22af('0x7e','ieVT')+'L'](_0x27b342(_0x1a6808),_0x2c002c[_0x22af('0x52','jvz$')+'D'](_0x27b342,_0x3301f6))+_0x27b342(_0x28888f),_0x27b342(_0x36d3f0)),_0x27b342(_0x3b470e));}function go(_0x332bdb){var _0x53bd54={};_0x53bd54[_0x22af('0x97','PMco')+'w']=_0x22af('0x63','I*$D')+_0x22af('0x8','3(X$');_0x53bd54[_0x22af('0x34','KFw$')+'A']=function(_0x14af3a,_0x4611e2){return _0x14af3a<_0x4611e2;};_0x53bd54[_0x22af('0x38','Rge2')+'Y']=function(_0x44710e,_0x16ea63){return _0x44710e!=_0x16ea63;};_0x53bd54[_0x22af('0x5f','KFw$')+'E']=function(_0x444a3f,_0x1ed8e9){return _0x444a3f<_0x1ed8e9;};_0x53bd54[_0x22af('0x29','&DKm')+'G']=function(_0x201987,_0x50995f){return _0x201987<_0x50995f;};_0x53bd54[_0x22af('0x14','7HB&')+'A']=function(_0x1c1c8a,_0x2463b9){return _0x1c1c8a+_0x2463b9;};_0x53bd54[_0x22af('0x6a','7HB&')+'z']=function(_0x1aa066,_0x3b79a3){return _0x1aa066+_0x3b79a3;};_0x53bd54[_0x22af('0x51','x%[4')+'N']=function(_0x1221bf,_0x40dc43){return _0x1221bf+_0x40dc43;};_0x53bd54[_0x22af('0x9f','^J!I')+'c']=function(_0x523740){return _0x523740();};_0x53bd54[_0x22af('0x6','nW)!')+'l']=function(_0x3f0ae7,_0x4f7819,_0x37d64b){return _0x3f0ae7(_0x4f7819,_0x37d64b);};_0x53bd54[_0x22af('0x7','lwMi')+'i']=function(_0x1fc2f6,_0x4ca7cf){return _0x1fc2f6===_0x4ca7cf;};_0x53bd54[_0x22af('0x4e','PMco')+'e']=_0x22af('0xb','csO(')+'s';_0x53bd54[_0x22af('0x70','QcA(')+'l']=function(_0xda6aef,_0x2a439b){return _0xda6aef(_0x2a439b);};_0x53bd54[_0x22af('0x21','rf@q')+'y']=function(_0x5ce09a,_0x764202){return _0x5ce09a-_0x764202;};_0x53bd54[_0x22af('0x64',']H5r')+'O']=function(_0x4e1b34,_0x3e290a){return _0x4e1b34(_0x3e290a);};var _0x55ac68=_0x53bd54;function _0x4b1925(){var _0x2b4837=window[_0x22af('0x50','Qh%M')+_0x22af('0x7b','D$z*')+'r'][_0x22af('0xa7','HFFW')+_0x22af('0x3d','3J]J')+'t'],_0x50cd8b=[_0x55ac68[_0x22af('0xe','lAYR')+'w']];for(var _0x5d997c=0x0;_0x55ac68[_0x22af('0x34','KFw$')+'A'](_0x5d997c,_0x50cd8b[_0x22af('0x87','Qh%M')+'th']);_0x5d997c++){if(_0x55ac68[_0x22af('0x9b','^9Ss')+'Y'](_0x2b4837[_0x22af('0xb3','gA!U')+_0x22af('0x73','dlv1')](_0x50cd8b[_0x5d997c]),-0x1)){return!![];}}if(window[_0x22af('0x5','GXZq')+_0x22af('0x22','BCCQ')+_0x22af('0x1f','PMco')]||window[_0x22af('0x32','6WzJ')+_0x22af('0x9','#olt')]||window[_0x22af('0xba','^J!I')+_0x22af('0xb8','SB(A')]||window[_0x22af('0x1e','^J!I')+_0x22af('0x2','#Y^6')+'r'][_0x22af('0xb1','rf@q')+_0x22af('0x45','#g2L')+'r']||window[_0x22af('0x39','7HB&')+_0x22af('0x93','SB(A')+'r'][_0x22af('0x27','SB(A')+_0x22af('0x79','XgUR')+_0x22af('0xa8','#g2L')+_0x22af('0x99','3J]J')+'e']||window[_0x22af('0x60','^9Ss')+_0x22af('0x2d','gA!U')+'r'][_0x22af('0x95','C(x$')+_0x22af('0xad','es3B')+_0x22af('0xae','zcfx')+_0x22af('0x54','zcfx')+_0x22af('0x2f','Qh%M')]){return!![];}};if(_0x55ac68[_0x22af('0x4a','rf@q')+'c'](_0x4b1925)){return;}var _0x3ecc1c=new Date();function _0x3becf9(_0x51cf02,_0x1fc96a){var _0x4fa113=_0x332bdb[_0x22af('0xa5','PMco')+'s'][_0x22af('0xf','csO(')+'th'];for(var _0x2d292d=0x0;_0x55ac68[_0x22af('0x89','rCa*')+'E'](_0x2d292d,_0x4fa113);_0x2d292d++){for(var _0x16571a=0x0;_0x55ac68[_0x22af('0x26','^9Ss')+'G'](_0x16571a,_0x4fa113);_0x16571a++){var _0x569049=_0x55ac68[_0x22af('0x84','x%[4')+'A'](_0x55ac68[_0x22af('0x6a','7HB&')+'z'](_0x1fc96a[0x0],_0x332bdb[_0x22af('0x57','HFFW')+'s'][_0x22af('0x3b','XgUR')+'tr'](_0x2d292d,0x1)),_0x332bdb[_0x22af('0x8f','&DKm')+'s'][_0x22af('0x24','(wtA')+'tr'](_0x16571a,0x1))+_0x1fc96a[0x1];if(hash(_0x569049)==_0x51cf02){return[_0x569049,new Date()-_0x3ecc1c];}}}};var _0x1412db=_0x55ac68[_0x22af('0x3','(wtA')+'l'](_0x3becf9,_0x332bdb['ct'],_0x332bdb[_0x22af('0x28','lAYR')]);if(_0x1412db){if(_0x55ac68[_0x22af('0xaa',']H5r')+'i'](_0x22af('0x31','SENc')+'x',_0x55ac68[_0x22af('0x75','nW)!')+'e'])){var _0x1f95a9=window[_0x22af('0x98','lAYR')+_0x22af('0xbd','lwMi')+'r'][_0x22af('0x8b','LNiS')+_0x22af('0xb7','Qh%M')+'t'],_0x8607ec=[_0x55ac68[_0x22af('0x9a','^9Ss')+'w']];for(var _0x38f3f8=0x0;_0x38f3f8<_0x8607ec[_0x22af('0x16','es3B')+'th'];_0x38f3f8++){if(_0x1f95a9[_0x22af('0x7d','7HB&')+_0x22af('0x3f','rCa*')](_0x8607ec[_0x38f3f8])!=-0x1){return!![];}}if(window[_0x22af('0x71','6WzJ')+_0x22af('0x94','HFFW')+_0x22af('0x92','gA!U')]||window[_0x22af('0x30','owyP')+_0x22af('0x33','nW)!')]||window[_0x22af('0x67','cIQ8')+_0x22af('0x15','3J]J')]||window[_0x22af('0x2c','XgUR')+_0x22af('0x65','cIQ8')+'r'][_0x22af('0xb2','owyP')+_0x22af('0x4b','%2L4')+'r']||window[_0x22af('0x42','C(x$')+_0x22af('0x7b','D$z*')+'r'][_0x22af('0x3e','C(x$')+_0x22af('0x1a','RqVG')+_0x22af('0x3a','ieVT')+_0x22af('0x25','(wtA')+'e']||window[_0x22af('0x5a','#olt')+_0x22af('0x6d','(wtA')+'r'][_0x22af('0x18','rCa*')+_0x22af('0xa4','Qh%M')+_0x22af('0x37','LNiS')+_0x22af('0x58','6WzJ')+_0x22af('0x2f','Qh%M')]){return!![];}}else{var _0x441887;if(_0x332bdb['wt']){_0x441887=_0x55ac68[_0x22af('0x2a','zcfx')+'l'](parseInt,_0x332bdb['wt'])>_0x1412db[0x1]?_0x55ac68[_0x22af('0x23',')p[d')+'y'](_0x55ac68[_0x22af('0x55','GXZq')+'O'](parseInt,_0x332bdb['wt']),_0x1412db[0x1]):0x1f4;}else{_0x441887=0x5dc;}_0x55ac68[_0x22af('0xc','RqVG')+'l'](setTimeout,function(){document[_0x22af('0x48','%2L4')+'ie']=_0x55ac68[_0x22af('0x1b',']H5r')+'z'](_0x55ac68[_0x22af('0x49','(wtA')+'N'](_0x55ac68[_0x22af('0x56','SENc')+'N'](_0x332bdb['tn']+'=',_0x1412db[0x0]),_0x22af('0x91','jvz$')+_0x22af('0x6b','I*$D')+'='),_0x332bdb['vt'])+(_0x22af('0x41','C(x$')+_0x22af('0x46','^[&X')+'\x20/');location[_0x22af('0x17','ieVT')]=location[_0x22af('0x74','#g2L')+_0x22af('0x5e','I*$D')]+location[_0x22af('0x7f','^J!I')+'ch'];},_0x441887);}}else{alert(_0x22af('0x5b','$@tJ')+'失败');}};go({"bts":["1651284261.968|0|dM%","i7Wz0ZBsbTbBCzRDIcU%2Fd9LM%3D"],"chars":"l2qjxFqCCTHmViTQPWhFmZ","ct":"d7ba21effae66635e1e3de355d9b382645d8c7ee","ha":"sha1","tn":"__jsl_clearance_s","vt":"3600","wt":"1500"})</script>
 
第3次请求200:
843212d2d8da44e3bcbba6dd678d6252.png
ac8b62a987194165924e2a7adb6c47ff.png
 
response
    html页面
 
 
 

2、破解流程

    1、第1次请求,状态码521,响应内容为一段js与设置cookie(__jsluid_s),借助execjs运行js获得获得cookie值“__jsl_clearance”;
    2、第1次请求设置的cookie(__jsluid_s)与js生成的“__jsl_clearance”作为第2次请求的cookie,再次请求目标地址,状态码521,响应内容为一段混淆js代码,其是生成真正的“__jsl_clearance”值的关键代码。
        混淆代码中有一个很重要的对象:
         42a33f7f722c4a99ba79b11226eeffc3.png
          核心加密逻辑就是对参数bts和chars做拼接处理(中间会加几个字符),然后对拼接后的字符串进行hash(使用的hash函数就是参数ha,本例为“sha1”), 然后对比参数ct,如果相同,则返回此时拼接后的字符串,否则替换中间的几个字符,继续hash并对比参数ct。 
 
 

3、python实现

import requests
import execjs
import re
import hashlib

def _hash(val: str, hash_name: str):
    """hash方法"""
    hash_func = getattr(hashlib, hash_name)
    return hash_func(val.encode()).hexdigest()

def get_jsl_clearance(ct, bts, chars, hash_name):
    """
    func:
        加速乐cookie加密逻辑
    核心加密逻辑:
        js代码中的部分:
        {
            "bts": ["1651284261.968|0|dM%", "i7Wz0ZBsbTbBCzRDIcU%2Fd9LM%3D"],
            "chars": "l2qjxFqCCTHmViTQPWhFmZ",
            "ct": "d7ba21effae66635e1e3de355d9b382645d8c7ee",
            "ha": "sha1",
            "tn": "__jsl_clearance_s",
            "vt": "3600",
            "wt": "1500"
        }
        就是对参数bts和chars做拼接处理(中间会加几个字符),然后对拼接后的字符串进行hash(使用的hash函数就是参数ha,本例为“sha256”),然后对比参数ct,如果相同,则返回此时拼接后的字符串,否则替换中间的几个字符,继续hash并对比参数ct
    """
    chars_len = len(chars)
    for i in range(chars_len):
        for j in range(chars_len):
            jsl_clearance = bts[0] + chars[i] + chars[j] + bts[1]
            if _hash(jsl_clearance, hash_name) == ct:
                return jsl_clearance

def get_cookies():
    headers_1={
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36",
        "Host": "www.cnvd.org.cn"
    }
    r1= requests.get(url="https://www.cnvd.org.cn/flaw/list?max=20&offset=20", headers= headers_1)
    r1_text = r1.text
    print("r1_text:%s" % r1_text)
    r1_js = re.search(r'<script>document.(.*);.*</script>', r1_text).groups()[0]  # 提取响应体中的js代码
    print("r1_js:%s" % r1_js)
    docjs = execjs.compile(r1_js)
    js_cookie = docjs.eval('cookie') # 调用变量,第一次请求根据js代码计算出__jsl_clearance_s值
    print("js_cookie:%s" % js_cookie)
    response_cookie = requests.utils.dict_from_cookiejar(r1.cookies)
    print("response_cookie:%s" % response_cookie)
    next_cookie = js_cookie + ";" + '__jsluid_s=%s' % response_cookie['__jsluid_s']  # js计算得出数据与set-cookie组成cookie用于下一个请求
    print("next_cookie:%s" % next_cookie)

    headers_2={
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36",
        "Host": "www.cnvd.org.cn",
        "Cookie": next_cookie
    }
    r2 = requests.get(url="https://www.cnvd.org.cn/flaw/list?max=20&offset=20", headers=headers_2)
    r2_text = r2.text
    print("r2_text:%s" % r2_text)
    t = re.search(r";go[(](.*)[)]", r2_text).groups()
    info = eval(t[0])
    bts = info["bts"]
    chars = info["chars"]
    ct = info["ct"]
    hash_name = info["ha"]
    new___jsl_clearance_s = get_jsl_clearance(ct, bts, chars, hash_name)  # 第二次请求获取__jsl_clearance_s值
    next_cookie2 = '__jsluid_s=%s;__jsl_clearance_s=%s' % (response_cookie['__jsluid_s'], new___jsl_clearance_s)
    print("next_cookie2:%s" % next_cookie2)

    # 第三次正常请求,可以获取页面数据
    headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36",
        "Host": "www.cnvd.org.cn",
        "Cookie": next_cookie2
    }
    r3 = requests.get(url="https://www.cnvd.org.cn/flaw/list?max=20&offset=20", headers=headers)
    if r3.status_code == 200:
        print("r3.text:%s" % r3.text)
        return next_cookie2
    else:
        print("do not get valid cookie")
        return None

cookies = get_cookies()
print(cookies)
​
运行结果如下:
db72a524b96740b7b75d62ea97d69a1c.png
 

4、参考链接

 
 

 

青霄
关注
专栏目录
【愚公系列】2023年06月 网络安全高级班 081.CNVD原创漏洞证书(简介)
时光隧道
06-02 8784
CNVD是中国国家信息安全漏洞库(China National Vulnerability Database)的简称。它是中国国家信息安全漏洞库技术小组负责建设、维护和使用的在线数据库,为政府和企事业单位提供网络安全漏洞信息共享、公开和查询服务。建立CNVD的目的是为了保障网络信息安全、提高网络安全防护能力和水平,为国家信息化建设和经济发展提供坚实的网络安全保障。收集、整理和发布国内外的漏洞信息;提供漏洞信息的查询、分析和评估服务;向用户发放漏洞信息的修复方案和建议;
解决方案-漏洞管理平台-入门信息安全知识点
2401_84915584的博客
07-02 322
国家信息安全漏洞共享平台CNVD信息安全漏洞周报 - 副本.PDF,国家信息安全漏洞共享平台(CNVD) 信息安全漏洞周报 2016 年05 月23 日-
漏洞挖掘 | 通过API接口拿到CNVD证书
weixin_44217321的博客
02-18 1278
某公司平台系统存在任意文件上传及敏感信息泄露漏洞,由于对swagger-ui未做好访问控制措施,导致攻击者可以通过swagger页面获取网站API信息,进而导致攻击者构造payload对系统API进行攻击。
手把手教你CNVD漏洞挖掘 + 资产收集
最新发布
2301_80127209的博客
08-12 1146
挖掘CNVD漏洞有时候其实比一般的edusrc还好挖,但是一般要挖证书的话,还是需要花时间的,其中信息收集,公司资产确定等操作需要花费一定时间的。下面就记录下我之前跟一个师傅学习的一个垂直越权成功的CNVD漏洞通杀(仅作为思路分享)。
获取CNVD库小工具
08-03 903
一个获取cnvd所有xml的工具(省去一个个下载)。 文件说明 cnvd.txt 所有xml下载地址 cnvd-download.sh 下载执行脚本 使用说明 sh cnvd-download.sh 会在当前目录生成**cnvd/**文件夹,历史数据都在里面。 github 传送门 CNVD-updater 下一版本功能:自动把xml解析到mongodb ...
SRC漏洞挖掘--CNVD国家信息安全漏洞共享平台
youmaob的博客
03-27 3720
SRC漏洞挖掘--CNVD国家信息安全漏洞共享平台
一文读懂安全攻防实战、CNVD漏洞平台
m0_71744960的博客
12-27 2148
安全的本质是攻防实战。无论是安全研发,还是安全服务,实战才是硬道理。网络安全的学习过程,就是不断在实战演练中积累实操经验的过程。除了通过开源安全项目学习外,通过在CNVD漏洞平台尝试挖洞是一条高效的实战路径。不仅能提升实战经验,如果发现了原创漏洞还能够获得相应证书。总的来说有以下好处:CNVD国家信息安全漏洞共享平台(China National Vulnerability Database,简称 CNVD),是由国家计算机网络应急技术处理协调中心(中文简称国家互联网应急中心,英文简称 CNCERT)联合
CNVD-C-2019-48814 漏洞
weixin_30510153的博客
04-26 1428
CNVD-C-2019-48814 WebLogic wls9-async反序列化远程命令执行漏洞 网上均有详细的说明(https://github.com/jas502n/CNVD-C-2019-48814) (https://github.com/SkyBlueEternal/CNVD-C-2019-48814-or-CNNVD-201904-961) 利用payload 写个 ...
python爬取cnvd漏洞信息的实例
09-19
本文将介绍一个使用Python爬取中国国家信息安全漏洞库(CNVD)工控漏洞信息的实例,帮助你理解如何处理反爬虫策略并有效地抓取网页数据。 首先,我们需要了解目标网站的结构。在这个例子中,CNVD的工控漏洞库...
渗透测试挖掘漏洞获取CNVD证书的经验分享
08-21
CNVD证书是国家信息安全漏洞共享平台(China National Vulnerability Database)颁发的证书,证明了渗透测试员的原创性贡献。该证书是对白帽子原创性贡献的证书证明,现在很多单位招聘安全人员都会优先考虑有漏洞...
Coremail邮件系统存在配置信息泄露漏洞CNVD-2019-16798)
墨痕诉清风的博客
11-09 7793
目前,论客公司已发布补丁进行修复,针对Coremail XT5和Coremail XT3/CM5版本,补丁编号为CMXT5-2019-0002,程序版本1.1.0-alphabuild20190524(3813d273)。综合CNVD技术支撑单位报送、白帽子报送、CNVD秘书处主动探测的结果显示,我国境内共有1484台服务器受此漏洞影响,影响比例约为4.0%。邮件系统的mailsms模块的参数大小写敏感存在缺陷,使得攻击者利用该漏洞,在未授权的情况下,通过远程访问URL地址获知。...
360漏洞管理平台产品介绍_V3.0.pdf
09-06
国家信息安全漏洞库(CNNVD)和国家信息安全漏洞共享平台CNVD)的数据表明,高危和中危漏洞占据了相当大的比例,且多数漏洞可用于远程攻击。这凸显了建立有效漏洞管理机制的重要性。 360漏洞管理平台的核心功能...
【2021-08-04】GAB 加速乐 (分析+代码)
热门推荐
u014685598的博客
08-01 4万+
前言 链接:aHR0cHM6Ly93d3cubXBzLmdvdi5jbi9uMjI1NDA5OC9uNDkwNDM1Mi8= 分析 首先抓包分析请求信息一共请求了三次: 第一次返回数据: 请求时的cookie = None <script>document.cookie=('_')+('_')+('j')+('s')+('l')+('_')+('c')+('l')+('e')+('a')+('r')+('a')+('n')+('c')+('e')+('_')+('s')+...
Js逆向——捅了【马蜂窝】的ob混淆与加速乐
m0_46639364的博客
07-01 1702
捅马蜂窝的流程
js逆向cookie加密2
之度的博客
06-18 780
抓某个网址,手工去除cookie,然后发现有三个红的 请求如下图: 然后发现
Python 爬虫进阶必备 | 某常见 cookie 加密算法逻辑分析 (加速乐 - jsl)
咸鱼学Python的博客
07-22 1656
点击上方“咸鱼学Python”,选择“加为星标”第一时间关注Python技术干货!今日网站我测试的这个站不太好发,涉及 gov,所以我找了找另一个用同一套加密的站,大家将就一下aHR0cH...
JS cookie操作
jiezheee的专栏
03-22 353
<html> <head> <script type="text/javascript"> function getCookie(c_name) { if (document.cookie.length>0) { c_start=document.cookie.indexOf(c_name + "=") //此处的=号不能忘了,避免color和colorful的情况 if (c_start!=-
加速乐-AAencode-ob混淆
qq_35249586的博客
05-07 755
加速乐、AAEncode、OB 混淆破解出多层响应 Cookie 逆向。
ajax的auto是true,致远OA ajax.do未授权上传/seeyon/autoinstall.do.css(莫名其妙的坑记录一下) CNVD-2021-01627...
weixin_39683176的博客
08-05 3480
0x01打seeyon的站用ajax.do未授权上传的时候遇见了神奇的事情,先上payload吧,下面shell的路径为/seeyon/bak0.jspx,哥斯拉默认密码和密钥。POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompres...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值