一、案例地址
aHR0cDovL3d3dy5pd2VuY2FpLmNvbS91bmlmaWVkd2FwL2hvbWUvaW5kZXg= (某花顺)
二、Hook cookie 的生成并跟踪调用栈
// ==UserScript==
// @name http cookie
// @namespace http://tampermonkey.net/
// @version 0.1
// @description try to take over the world!
// @author You
// @match http://*/*
// @grant none
// ==/UserScript==
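(function () {
  'use strict';

  // Debugging hook: log every write to document.cookie and pause in DevTools so
  // the call stack of the writer can be inspected.
  //
  // The hook delegates to the browser's own accessor. Keeping the value in a
  // private variable instead would swallow the write (the cookie never reaches
  // the cookie jar) and would make reads return the last raw assignment, which
  // changes the behaviour of the page being analysed.

  // The native accessor lives on a prototype of `document`; walk the chain
  // rather than assuming which prototype holds it.
  let nativeCookie;
  for (
    let proto = Object.getPrototypeOf(document);
    proto && !nativeCookie;
    proto = Object.getPrototypeOf(proto)
  ) {
    nativeCookie = Object.getOwnPropertyDescriptor(proto, 'cookie');
  }

  if (!nativeCookie || !nativeCookie.get || !nativeCookie.set) {
    // Leave the page untouched if the accessor cannot be wrapped safely.
    console.warn('cookie hook: native document.cookie accessor not found; hook not installed');
    return;
  }

  Object.defineProperty(document, 'cookie', {
    // configurable so the hook can be removed again with `delete document.cookie`.
    configurable: true,
    enumerable: true,
    get: function () {
      return nativeCookie.get.call(document);
    },
    set: function (val) {
      console.log(val);
      // Only pauses while DevTools is open; the stack then shows who set the cookie.
      debugger;
      nativeCookie.set.call(document, val);
    },
  });
})();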
三、分析流程
跟进rt.update()
通过查看对象中的方法,可进入该对象, 如图:
综上图所示,最终生成的cookie可通过document.cookie获取,且该js是动态生成的js。
四、补环境(补头)
4.1、将本次获取的js, 复制到pycharm中,点击运行(下载node插件)。
补上最基本的头部,document和window
// Minimal global scaffold for running the captured script outside a browser.
// These are bare assignments (no var/let/const), so they only work in
// non-strict code, where they create properties on the global object.
// NOTE(review): under Node's CommonJS loader the top-level `this` is
// module.exports, not a browser window — confirm how the file is executed.
window = this;
// Empty constructor: gives `document` a prototype that stub methods can be
// attached to later.
Document = function (){
}
document = new Document()
document、navigator 等对象最好用 `new` 构造函数的方式来补。
根据运行报错补环境
// Stub DOM methods on the Document constructor (assumed to be defined earlier
// in the same file). Each one returns just enough for the lookup to succeed.

// Returns a one-element array holding an empty object for every tag name.
// The "head" branch is kept separate but currently returns the same value.
Document.prototype.getElementsByTagName = function (params){
if(params == "head"){
return [{}]
}
return [{}]
}
// Per the author's note, the script under analysis checks for an onwheel
// method: a "div" gets an object with a no-op onwheel, any other tag gets an
// empty object.
Document.prototype.createElement = function (params){
if (params == "div"){
return {"onwheel": function (){}}
}
return {}
}
// Stores the handler on the document instance under the event name. No
// dispatch logic is defined here, so the handler is only recorded.
Document.prototype.attachEvent = function (params1, params2){
// Takes two arguments: params1 is the event name (onwheel), params2 is the function passed in
this[params1] = params2
}
按页面的执行顺序跟值进去,发现这里没有执行并报错了,因此补上对应的代码:
// Stub for navigator.javaEnabled(); always reports false.
// Assumes a Navigator constructor already exists when this line runs.
Navigator.prototype.javaEnabled = function (){
return false
}
补充location
// Stub `location` object with hard-coded values for the page under analysis.
// The fields are independent strings: href, hostname, host and protocol are
// not derived from one another, so they must be kept consistent by hand.
Location = function () {
}
Location.prototype.href = 'http://www.iwencai.com/unifiedwap/home/index'
Location.prototype.hostname = 'www.iwencai.com'
Location.prototype.host = 'www.iwencai.com'
Location.prototype.protocol = 'http:'
// Bare assignment: creates a global `location` in non-strict code.
location = new Location()
五、生成cookie验证是否有效
// Complete environment preamble.
// The checks read navigator from window, so navigator is also added to the
// window object further down.

// Stub Navigator constructor; all values below live on the prototype and are
// shared by every instance.
Navigator = function () {
}
// Defined as a function here: returns "Google Inc." when called with
// "vendor", otherwise returns its argument unchanged.
Navigator.prototype.vendor = function (params) {
if (params == "vendor") {
return "Google Inc."
}
return params
}
// Fixed user-agent string (Chrome 108 on 64-bit Windows 10).
Navigator.prototype.userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
// Always reports false.
Navigator.prototype.javaEnabled = function () {
return false
}
// Empty plugin list and webdriver flag set to false.
Navigator.prototype.plugins = []
Navigator.prototype.webdriver = false
// Bare assignment: creates a global `navigator` in non-strict code.
navigator = new Navigator()
// Members to expose on the window stub. XMLHttpRequest, sessionStorage and
// localStorage are empty functions: they only make the property lookups
// succeed and implement none of the real APIs.
let _window = {
XMLHttpRequest: function () {
},
sessionStorage: function () {
},
localStorage: function () {
},
// Same object as the global `navigator`, so window.navigator matches it.
navigator: navigator,
};
// Copies the members onto the top-level `this` and uses that object as window.
// NOTE(review): under Node's CommonJS loader `this` is module.exports — confirm
// how the file is executed.
window = Object.assign(this, _window)
// Replaces the global setInterval: the callback runs once, synchronously, the
// interval argument is ignored and nothing is returned, so no timer is ever
// scheduled. Presumably this keeps the script from repeating or keeping the
// process alive — confirm against the script under analysis.
setInterval = function (func1, int_){
func1();
}
// Stub Document constructor; the methods below return just enough for the
// lookups to succeed.
Document = function () {
}
// Returns a one-element array holding an empty object for every tag name.
// The "head" branch is kept separate but currently returns the same value.
Document.prototype.getElementsByTagName = function (params) {
if (params == "head") {
return [{}]
}
return [{}]
}
// A "div" gets an object with a no-op onwheel function; any other tag gets an
// empty object.
Document.prototype.createElement = function (params) {
if (params == "div") {
return {
"onwheel": function () {
}
}
}
return {}
}
// Document.prototype.onwheel = function (){
//
// }
// Stores the handler on the document instance under the event name. No
// dispatch logic is defined here, so the handler is only recorded.
Document.prototype.attachEvent = function (params1, params2) {
// Takes two arguments: params1 is the event name (onwheel), params2 is the function passed in
this[params1] = params2
}
// Bare assignment: creates a global `document` in non-strict code.
document = new Document()
// Stub `location` object with hard-coded values for the page under analysis.
// The fields are independent strings: href, hostname, host and protocol are
// not derived from one another, so they must be kept consistent by hand.
Location = function () {
}
Location.prototype.href = 'http://www.iwencai.com/unifiedwap/home/index'
Location.prototype.hostname = 'www.iwencai.com'
Location.prototype.host = 'www.iwencai.com'
Location.prototype.protocol = 'http:'
// Bare assignment: creates a global `location` in non-strict code.
location = new Location()