作死必備 請摸著良心使用
瀏覽器驗證跳過
Cloudflare目前使用JS的一個奇技淫巧來作JS的瀏覽器上下文驗證,先來看個實例:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
<script type="text/javascript"> //<![CDATA[ (function(){ var a = function() {try{return !!window.addEventListener} catch(e) {return !1} }, b = function(b, c) {a() ? document.addEventListener("DOMContentLoaded", b, c) : document.attachEvent("onreadystatechange", b)}; b(function(){ var a = document.getElementById('cf-content');a.style.display = 'block'; setTimeout(function(){ var s,t,o,p,b,r,e,a,k,i,n,g,f, UzCuIyc={"sLjBILq":+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]))}; t = document.createElement('div'); t.innerHTML="<a href='/'>x</a>"; t = t.firstChild.href;r = t.match(/https?:\/\//)[0]; t = t.substr(r.length); t = t.substr(0,t.length-1); a = document.getElementById('jschl-answer'); f = document.getElementById('challenge-form'); ;UzCuIyc.sLjBILq+=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+!![])+(!+[]+!![])+(+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));UzCuIyc.sLjBILq*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]));UzCuIyc.sLjBILq-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]));UzCuIyc.sLjBILq*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![])+(+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));UzCuIyc.sLjBILq+=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+[])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![]));UzCuIyc.sLjBILq*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!![]));UzCuIyc.sLjBILq+=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));UzCuIyc.sLjBILq*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));UzCuIyc.sLjBILq-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(+[])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));a.value = +UzCuIyc.sLjBILq.toFixed(10) + t.length; '; 121' f.action += location.hash; f.submit(); }, 4000); }, false); })(); //]]> </script> <!--...--> <form id="challenge-form" action="/cdn-cgi/l/chk_jschl" method="get"> <input type="hidden" name="jschl_vc" value="c202221f62ef11037cf13c1391ca4df1"/> <input type="hidden" id="jschl-answer" name="jschl_answer"/> </form> |
2018年更新後,變數名變成了stop breaking
這是一個challange/response模式。關鍵部分就是那一堆[]和!了。F12一下可以得到一個等價替換表達式
- ! = true
- [] = false
- !![] = true
還有就是布爾值和布爾值相加會變成數字。我們使用正則表達式取出變數名,然後對於運算符(*=也可能是+=、-=)直接代入eval運算。當然如果你直接用Js2Py我也不攔你。目前金盾的CC防火牆還只能用Js2Py來擼233
而這幾句就是JS的瀏覽器上下文驗證啦
|
1 2 3 4 |
t = document.createElement('div'); t.innerHTML="<a href='/'>x</a>"; t = t.firstChild.href;r = t.match(/https?:\/\//)[0]; t = t.substr(r.length); t = t.substr(0,t.length-1); |
如果只有JS運行時而沒有瀏覽器上下文,document就是undefined,這幾句就坑爹了。實際上它只是將hostname取了出來,運行結果和location.hostname是等價的,這裡就不解釋了。
看完整代碼:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
import re def get_cv(ct, host_name): #ct = ct.replace('\n', '').replace('\r', '') #find all hidden form value hidden = re.findall('<input type="hidden" name="([^"]+)" value="([^\"]+)"', ct) hidden = '&'.join(map(lambda x:'='.join(x), hidden)) url = re.findall('<form id="[^"]+" action="([^"]+)" method="get">', ct)[0] # get var name # var t,r,a,f, kMuTlpA={"t":+((!+[]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]))}; _, n, m, v = re.findall('var (:?[^,]+,)+ ([^=]+)={"([^"]+)":([^}]+)};', ct, re.DOTALL)[0] v = calc_symbol(v) for op, arg in re.findall('%s\.%s(.)=([^;]+);' % (n, m), ct): # preserve maxium precision possible v = eval('1.0 * (%.15f %s %.15f)' % (v, op, calc_symbol(arg))) # t = re.findall('\+\s*([^\.]+)\.length', ct, re.DOTALL)[0] # print '%s\.innerHTML\s*=\s*"([^"])";' % t # new_len = len(re.findall('%s\.innerHTML\s*=\s*"([^"]+)";' % t, ct, re.DOTALL)[0]) # print new_len v = round(v, 10) + len(host_name) wait = re.findall('}, (\d+)\);', ct, re.DOTALL)[0] return hidden, v, url, wait def calc_symbol(s): # +((symbols)+(symbols)+...) vmap = {'!':1, '[]':0, '!![]':1, '':0} # step 1: replace symbols into number # (!+[]) becomes "1" for sym in re.findall('\(([^\(\)]+)\)', s): s = s.replace("(" + sym + ")", str(sum(map(lambda x:vmap[x], sym.split('+'))))) # step 2: concat the string # +(1+2+3+4+6) becomes "12346" for num in re.findall("\([\d\+]+\)", s): s = s.replace(num, re.sub('[\(\)\+]', '', num)) # step 3: get the actual decimal value return eval("1.0*" + s) |
調用get_cv後得到的四個返回值依次是 原始的challange值,計算的answer值,challange的提交地址,等待時間。
|
1 2 3 4 5 |
cfduid = re.findall('__cfduid=([^;]+);', resp['set-cookie'])[0] c, v, u, w = get_cv(ct, 'example.com') time.sleep(int(w)/1000) resp, ct = requests.get('http://example.com%s?%s&jschl_answer=%s' % (u, c, v), headers = {'cookie':'__cfduid='+cfduid) cf_clearance = re.findall('cf_clearance=([^;]+);', resp['set-cookie'])[0] |
然後用這兩個cookie即可
郵箱反混淆
這個就比較簡單啦,純粹是js
這裡有一個郵箱地址-> [email protected] ,混淆之後大致會是這個樣子的:
|
1 2 |
<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="314554424571455442451f525e5c">[email protected]</a><script cf-hash='f9e31' type="text/javascript"> /* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function(){for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */</script> |
主要就是這句for (e = “”, r = parseInt(a.substr(0, 2), 16), n = 2; a.length – n; n += 2) i = parseInt(a.substr(n, 2), 16)^r, e += String.fromCharCode(i);
聰明的你一定看出來了,實際上就是把一串字元串當成16進位和第一個字元異或再按照asc碼變回相應字元就行了。
|
1 2 3 4 5 6 7 8 9 10 11 12 |
def strip_email_protection(s): fp = re.findall('data-cfemail="([^"]+)">', s) if not fp:#no email obfuscation return s #parse email fp = fp[0] r = int(fp[:2], 16) email = ''.join([chr(int(fp[i:i+2], 16) ^ r) for i in range(2, len(fp), 2)]) s = re.sub(r'<a ([^\s]+ )?class="__cf_email__".*?</a>', email, s) #strip <script> s = re.sub('<script.*?</script>', '', s, flags = re.DOTALL) return s |
看到import re我就給菊苣跪了/w
哇!冒出一個^光頭$
奇技淫巧
[doge]