Big Data Security Introduction Trial 2

Exercises Crazy Trial: Find the Flag


The hint says to hook eval, so let's try it: we will use a Tampermonkey ("oil monkey") user script to hook it.

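// Keep a reference to the native eval before replacing it.
const _eval = eval;
// Assigning to the bare identifier `eval` is a SyntaxError in strict mode
// (the page's own script runs in strict mode), so install the hook through
// globalThis instead; in a sloppy script `eval = ...` resolves to the same
// global property, so the effect is identical.
globalThis.eval = function () {
    // Log the code about to be evaluated.
    console.log(arguments);
    // Forward the real argument list. Passing the `arguments` object itself
    // (the original code) made eval return that object unchanged, because
    // eval only evaluates strings and returns any non-string argument as-is.
    return _eval.apply(null, arguments);
};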


An error is reported: the script cannot run in strict mode (assigning to `eval` is forbidden there). So we disable strict mode, hook its eval function at the very beginning, and


a fake answer appears, uh... (funny). Let's enter the fake answer and see what it is.

There are too many calls and there is detection, so let's use a trick: hook the eval function with a Proxy.

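// Wrap the global eval in a Proxy so that every call, construction and
// property access on it is logged. Assigning through globalThis (rather
// than the bare identifier `eval`, which is a SyntaxError in strict mode)
// keeps the hook loadable from strict code.
globalThis.eval = new Proxy(globalThis.eval, {
    // eval("...") lands here; argArray[0] is the source text being run.
    apply(target, thisArg, argArray) {
        const result = Reflect.apply(target, thisArg, argArray);
        console.log(`function name is ${target.name}, thisArg is ${thisArg}, argArray is [${argArray}], result is ${result}.`);
        return result;
    },
    // The native eval is not a constructor, so `new eval()` throws a
    // TypeError exactly as it would without the hook.
    construct(target, argArray, newTarget) {
        const result = Reflect.construct(target, argArray, newTarget);
        console.log(`construct function name is ${target.name}, argArray is [${argArray}], result is ${JSON.stringify(result)}.`);
        return result;
    },
    // Property reads such as eval.name or eval.toString; a function-valued
    // result is logged as its source text (presumably how the toString
    // probe discussed next shows up in the console).
    get(target, p, receiver) {
        const res = Reflect.get(target, p, receiver);
        console.log(`get ${target.name} ${res}`);
        return res;
    },
    set(target, p, value, receiver) {
        const res = Reflect.set(target, p, value, receiver);
        console.log(` set ${target.name} ${value}`);
        return res;
    },
});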


Let's see: it calls toString. Follow it in, set a breakpoint, and step with F10 into

the obfuscated code 5555; it looks messy, so let's look at what it does one piece at a time

 // Obfuscated anti-hook check as seen in the page (strings come from the
 // _0x5572a4 lookup table). First statement: eval.toString() is compared
 // with the native-looking source text and the boolean is stored on
 // window.$eval1. Second statement: Function.prototype.toString.call(eval)
 // is compared with the same text (written with \x20 escapes) and stored
 // on window.$eval2. `!![]` is true, `![]` is false.
 eval[_0x5572a4(0x132)]() === _0x5572a4(0x13d) ? window['$eval1'] = !![] : window[_0x5572a4(0x137)] = ![],
    Function[_0x5572a4(0x134)][_0x5572a4(0x132)][_0x5572a4(0x136)](eval) === 'function\x20eval()\x20{\x20[native\x20code]\x20}' ? window[_0x5572a4(0x131)] = !![] : window[_0x5572a4(0x131)] = ![];

// Resolved values of the lookups above. These lines are notes, not
// executable statements (a call result cannot be assigned to); 0x132 is
// listed twice because it is used twice.
_0x5572a4(0x132)="toString"
_0x5572a4(0x13d)="function eval() { [native code] }"
_0x5572a4(0x137)="$eval1"
_0x5572a4(0x134)="prototype"
_0x5572a4(0x132)="toString"
_0x5572a4(0x136)="call"
_0x5572a4(0x131)="$eval2"

Translated, it is:

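// De-obfuscated form of the two checks. Note the call parentheses on the
// first line: the obfuscated original compares the *result* of
// eval.toString() with strict equality, not the function object itself
// (the earlier translation had dropped the call and used ==, which would
// always be false).
eval["toString"]() === "function eval() { [native code] }" ? window['$eval1'] = !![] : window['$eval1'] = ![];
Function['prototype']['toString']['call'](eval) === 'function\x20eval()\x20{\x20[native\x20code]\x20}' ? window["$eval2"] = !![] : window["$eval2"] = ![];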

Now it is clear: Master Lan checks both eval's own toString method and the toString method on the prototype chain (Function.prototype.toString). So we hook these two methods as well. The final code is as follows:

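    // Final hook: replace eval and make both toString checks the page performs
// (eval.toString() and Function.prototype.toString.call(eval)) return the
// native-looking source text.
const NATIVE_EVAL_SOURCE = "function eval() { [native code] }";
const _eval = eval;
const _functionToString = Function.prototype.toString;
// Assigning to the bare identifier `eval` is a SyntaxError in strict mode,
// so install the hook through globalThis (the same global property).
globalThis.eval = function () {
    console.log(arguments);
    // Forward the real argument list; eval(arguments) would just return the
    // Arguments object because eval only evaluates strings.
    return _eval.apply(null, arguments);
};
// Own-property check: eval["toString"]() on the hooked function.
globalThis.eval.toString = function () {
    console.log(1111);
    return NATIVE_EVAL_SOURCE;
};
// Prototype-chain check: Function.prototype.toString.call(eval). Only the
// hooked eval is masked; every other function keeps its real source text, so
// the rest of the page's code (and any other toString use) is not broken.
// The original returned the eval text for *every* function.
Function.prototype.toString = function () {
    if (this === globalThis.eval) {
        return NATIVE_EVAL_SOURCE;
    }
    return _functionToString.call(this);
};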

Then refresh the page and take a look:

Enter it: 欢迎来到大数据安全技术学习JS课程 — success.

Topic 2021 June JS Reverse Topic 3

There is only one button to look at; after clicking it, the browser's device fingerprint appears.

Check the network panel to see whether it sent a request.

If there is one, the verification happens on the back end. The sending code can be located either by hooking AJAX or by viewing the call stack of the network request. We use the call-stack method to trace where the request is built, and

follow it into app.js to have a look:

// Excerpt from app.js (truncated in this listing: the p()({ ... }) call is
// not closed). It sends the fingerprint together with its signature.
this.fingerprint = this.$Encrypt.sign(e),
    p()({


        method: "post",
        // Plain http: the body travels unencrypted on the wire.
        url: "http://www.dtasecurity.cn:35555/subject3202106",
        data: {


            // sign is computed client-side from e (identified as plain MD5
            // later in the write-up); fingerprint is the same e, base64-encoded,
            // so the server can recompute sign from the body it receives.
            sign: this.fingerprint,
            fingerprint: window.btoa(e)
        },
        // Serialises the data object as key=value&key=value (form encoding).
        // for...in also visits inherited enumerable properties; the trailing
        // "&" is trimmed via substring/lastIndexOf (empty input yields "").
        transformRequest: [function (e) {


            var t = "";
            for (var a in e)
                t += encodeURIComponent(a) + "=" + encodeURIComponent(e[a]) + "&";
            return t = t.substring(0, t.lastIndexOf("&"))
        }
        ],
        headers: {


            "Content-Type": "application/x-www-form-urlencoded"
        }

Now we know how the request is sent. The key parameters are sign and fingerprint. First, let's look at how sign is generated. Tracing this.$Encrypt.sign and e: e is plain text and easy to understand; the key is the sign function. We continued to trace and

found the word md5. Trying a standard MD5 on the same input gives exactly the same result, so sign is plain MD5.


Next, analyze the fingerprint, i.e. where e comes from. The following line of code shows it, so let's analyze the getfingerprint function and step into it:

 // Call site in app.js: e receives the joined fingerprint string.
 var e = this.getfingerprint();
 // Builds the fingerprint: every enumerable (own or inherited) property of
 // navigator, location and history whose value is a non-empty string is
 // collected as "key:value"; the comma operator makes the return value the
 // "###"-joined list (forEach itself returns undefined).
 getfingerprint: function () {


    var e = []
        , t = e.push.bind(e);
    // The callback parameter e shadows the outer array e.
    return [navigator, location, history].forEach(function (e) {


        // The comma expression runs _()(window, e) before iterating e; per
        // the write-up, _ is a property-deletion helper that has no effect
        // in the browser (those properties are not deletable there).
        for (var a in _()(window, e),
            e) {


            var n = e[a];
            n && "string" == typeof n && t(a + ":" + n)
        }
    }),
        e.join("###")
}

The getfingerprint function is very simple; it can be simulated in Node.js. Let's try to emulate its browser environment, starting with the environment shown below:

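let rawindexof = String.prototype.indexOf
// Log every String#indexOf call the target script makes. All arguments are
// forwarded, so the optional start position is honoured; the original hook
// passed only the search string and therefore changed the result of
// indexOf(str, position).
String.prototype.indexOf = function (str, ...rest) {
    const res = rawindexof.call(this, str, ...rest)
    console.log(`[String] "${this}" is indexof "${str}", res is ${res}`)
    return res
}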
// Minimal document stub for the Node.js environment (presumably just the
// members the target script touches). getElementsByTagName answers "meta"
// with one fake entry and returns undefined for any other tag name.
let mydocument = {
    head: {},
    documentElement: {
        getAttribute: function () {},
    },
    readyState: "complete",
    addEventListener: function () {},
    createElement: function () {
        return {};
    },
    getElementsByTagName: function (str) {
        console.log(str)
        if (str !== "meta") {
            return undefined;
        }
        // An array carrying a named property, mirroring how the page exposes
        // its "meta-pro" element; only content.length (6) is modelled.
        const metaElements = [];
        metaElements["meta-pro"] = { content: { length: 6 } };
        return metaElements;
    },
};
// Navigator stub copied from a real Chrome 91 / Linux session. The values
// are placed on the prototype (Object.create), not as own properties, so
// `delete navigator.x` on the instance does not remove them — presumably
// chosen because the target's deletion helper must not strip them.
let mynavigator = Object.create({
    vendorSub: "",
    productSub: "20030107",
    vendor: "Google Inc.",
    maxTouchPoints: 0,
    userActivation: {},
    doNotTrack: null,
    geolocation: {},
    connection: {},
    plugins: {
        0: { 0: {} },
        1: { 0: {} },
        2: { 0: {}, 1: {} },
    },
    mimeTypes: {
        0: {},
        1: {},
        2: {},
        3: {},
    },
    webkitTemporaryStorage: {},
    webkitPersistentStorage: {},
    hardwareConcurrency: 4,
    cookieEnabled: true,
    appCodeName: "Mozilla",
    appName: "Netscape",
    appVersion: "5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36",
    platform: "Linux x86_64",
    product: "Gecko",
    userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36",
    language: "zh",
    languages: ["zh", "en-US", "en"],
    onLine: true,
    webdriver: false,
    scheduling: {},
    mediaCapabilities: {},
    permissions: {},
    mediaSession: {},
});
// Screen stub (note the misspelt name is referenced elsewhere and kept).
// As with the navigator stub, the values live on the prototype rather than
// as own properties.
let mysrceen = Object.create({ height: 852, width: 1918, colorDepth: 24 });
// Location stub reproducing the challenge page URL (own properties, so
// they are enumerable by the fingerprint's for...in loop).
let mylocation = {
    ancestorOrigins: {},
    href: "http://www.dtasecurity.cn:11080/details?url=http%3A%2F%2Fwww.dtasecurity.cn%3A30080%2Fsubject%2F%23%2F202106subject3",
    origin: "http://www.dtasecurity.cn:11080",
    protocol: "http:",
    host: "www.dtasecurity.cn:11080",
    hostname: "www.dtasecurity.cn",
    port: "11080",
    pathname: "/details",
    search: "?url=http%3A%2F%2Fwww.dtasecurity.cn%3A30080%2Fsubject%2F%23%2F202106subject3",
    hash: "",
};
// History stub; only the string-valued scrollRestoration contributes to the
// fingerprint, the others are kept for completeness.
let myhistory = {
    length: 4,
    scrollRestoration: "manual",
    state: { key: "680.400" },
};

// Fake window: merged into Node's real global object below (Object.assign),
// so these names become actual globals for the required target script.
let mywindow = {


    // Stubs are plain function expressions; unlike arrow functions or method
    // shorthand they can be invoked with `new` (e.g. new XMLHttpRequest())
    // without throwing — whether the target does so is not visible here.
    XMLHttpRequest: function () {


    },
    sessionStorage: {

    },
    localStorage: {

    },
    // The raw stubs, not the Proxy wrappers created later, are attached here.
    navigator: mynavigator,
    scrollTo: function () {


    },
    addEventListener: function () {


    },
    attachEvent: function () {


    },
    screen: mysrceen,
    location: mylocation,
    chrome: {

    },
    document: mydocument,
};
// Constructible no-op standing in for the browser's Image; it is exported
// from this module (presumably for `new Image()` probes — unverified here).
let Image = function () {


};
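let rawstringify = JSON.stringify;
// Patch JSON.stringify so that serialising the global object — or a property
// descriptor wrapping it, as getOwnPropertyDescriptor returns — yields the
// string "global" (presumably because the global's self-references cannot be
// serialised and the logging proxies stringify whatever they see). Every
// other value goes to the native implementation with its replacer/space
// arguments intact; the original hook dropped them, silently breaking
// JSON.stringify(obj, null, 2).
JSON.stringify = function (value, ...rest) {
    // The original named this parameter `Object`, shadowing the global Object
    // inside the hook; renamed for clarity. globalThis === global in Node.
    if ((value?.value ?? value) === globalThis) {
        return "global"
    }
    return rawstringify(value, ...rest)
}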

// Manual self-test for the window Proxy: touches window through each kind of
// operation the handler traps (read, write, nested write, call, `in`, delete,
// defineProperty/getOwnPropertyDescriptor, get/setPrototypeOf,
// preventExtensions/isExtensible) so every trap logs at least once. The
// expression statements with no effect are intentional triggers.
// Caution: the window Proxy's target is Node's real global object, so
// setPrototypeOf and preventExtensions here permanently alter the process
// global; only call this in a throwaway run.
function checkproxy() {


    //Object.keys(window)
    window.a = {


        "b": {


            "c": {


                "d": 123
            }
        }
    }
    window.a.b.c.d = 456
    window.a.b
    window.btoa("123")
    window.atob.name
    "c" in window.a
    delete window.a.b
    Object.defineProperty(window, "b", {


        value: "bbb"
    })
    Object.getOwnPropertyDescriptor(window, "b")
    Object.getPrototypeOf(window)
    Object.setPrototypeOf(window, {

    "dta": "dta"})
    // for (let windowKey in window) {


    //     windowKey
    // }
    Object.preventExtensions(window)
    Object.isExtensible(window)
}

// Builds a Proxy handler that logs calls to, and constructions of, a
// function. Each log line is prefixed with "[WatchName]"; behaviour is
// forwarded unchanged through Reflect.
function getMethodHandler(WatchName) {
    const tag = `[${WatchName}]`;
    return {
        apply(target, thisArg, argArray) {
            const result = Reflect.apply(target, thisArg, argArray);
            console.log(`${tag} apply function name is [${target.name}], argArray is [${argArray}], result is [${result}].`);
            return result;
        },
        construct(target, argArray, newTarget) {
            const result = Reflect.construct(target, argArray, newTarget);
            console.log(`${tag} construct function name is [${target.name}], argArray is [${argArray}], result is [${JSON.stringify(result)}].`);
            return result;
        },
    };
}

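// Builds a logging Proxy handler for one of the fake browser objects. Every
// trap forwards to the matching Reflect method and prints a line tagged
// "[WatchName]", so each probe the target script makes against the stub
// environment is visible. Object-valued results of `get` are wrapped in a
// nested handler tagged "WatchName.propKey", so deep accesses are logged
// with their full path.
//
// Fixes vs. the original: Symbol property keys were interpolated straight
// into template literals, which throws a TypeError ("Cannot convert a Symbol
// value to a string") and aborts the analysed script on probes such as
// getOwnPropertyDescriptor(obj, Symbol.iterator) — keys now go through
// keyText(). Logging also no longer throws when a value cannot be
// JSON-serialised; the log line shows "[unserializable]" instead.
function getObjhandler(WatchName) {
    // Printable form of a property key; Symbols use their description.
    const keyText = (key) =>
        typeof key === "symbol" ? (key.description ?? key.toString()) : key;
    // JSON form of a value for the log. JSON.stringify is looked up at call
    // time, so the hook installed above (global object -> "global") applies.
    const show = (value) => {
        try {
            return JSON.stringify(value);
        } catch {
            return "[unserializable]";
        }
    };
    const log = (message) => console.log(`[${WatchName}] ${message}`);

    return {
        get(target, propKey, receiver) {
            const result = Reflect.get(target, propKey, receiver);
            if (result instanceof Object) {
                // Functions are wrapped silently; their use shows up through the
                // apply/construct traps of the nested handler.
                if (typeof result !== "function") {
                    log(`getting propKey is [${keyText(propKey)}], result is [${show(result)}]`);
                }
                // NOTE: returning a fresh Proxy for a non-configurable,
                // non-writable own data property violates the Proxy `get`
                // invariant and throws; this is unchanged from the original.
                return new Proxy(result, getObjhandler(`${WatchName}.${keyText(propKey)}`));
            }
            log(`getting propKey is [${keyText(propKey)}], result is [${result}]`);
            return result;
        },
        set(target, propKey, value, receiver) {
            const shown = value instanceof Object ? show(value) : value;
            log(`setting propKey is [${keyText(propKey)}], value is [${shown}]`);
            return Reflect.set(target, propKey, value, receiver);
        },
        has(target, propKey) {
            const result = Reflect.has(target, propKey);
            log(`has propKey [${keyText(propKey)}], result is [${result}]`);
            return result;
        },
        deleteProperty(target, propKey) {
            const result = Reflect.deleteProperty(target, propKey);
            log(`delete propKey [${keyText(propKey)}], result is [${result}]`);
            return result;
        },
        getOwnPropertyDescriptor(target, propKey) {
            const result = Reflect.getOwnPropertyDescriptor(target, propKey);
            log(`getOwnPropertyDescriptor  propKey [${keyText(propKey)}] result is [${show(result)}]`);
            return result;
        },
        defineProperty(target, propKey, attributes) {
            const result = Reflect.defineProperty(target, propKey, attributes);
            log(`defineProperty propKey [${keyText(propKey)}] attributes is [${show(attributes)}], result is [${result}]`);
            return result;
        },
        getPrototypeOf(target) {
            const result = Reflect.getPrototypeOf(target);
            log(`getPrototypeOf result is [${show(result)}]`);
            return result;
        },
        setPrototypeOf(target, proto) {
            log(`setPrototypeOf proto is [${show(proto)}]`);
            return Reflect.setPrototypeOf(target, proto);
        },
        preventExtensions(target) {
            log(`preventExtensions`);
            return Reflect.preventExtensions(target);
        },
        isExtensible(target) {
            const result = Reflect.isExtensible(target);
            log(`isExtensible, result is [${result}]`);
            return result;
        },
        ownKeys(target) {
            const result = Reflect.ownKeys(target);
            log(`invoke ownkeys, result is [${show(result)}]`);
            return result;
        },
        apply(target, thisArg, argArray) {
            const result = Reflect.apply(target, thisArg, argArray);
            log(`apply function name is [${target.name}], argArray is [${argArray}], result is [${result}].`);
            return result;
        },
        construct(target, argArray, newTarget) {
            const result = Reflect.construct(target, argArray, newTarget);
            log(`construct function name is [${target.name}], argArray is [${argArray}], result is [${show(result)}].`);
            return result;
        },
    };
}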

// Public proxies: each fake browser object is wrapped so that every access the
// target script makes is logged with a path rooted at its name.
const navigator = new Proxy(mynavigator, getObjhandler("navigator"));
const screen = new Proxy(mysrceen, getObjhandler("screen"));
const location = new Proxy(mylocation, getObjhandler("location"));
const document = new Proxy(mydocument, getObjhandler("document"));
const history = new Proxy(myhistory, getObjhandler("history"));
// Object.assign copies the stubs onto Node's real global object, so the
// proxied "window" target is the process global itself — a process-wide side
// effect for everything loaded afterwards. window.navigator etc. resolve to
// the raw stubs set in mywindow, not to the proxies above, so such accesses
// are logged by the "window" handler's nested proxy instead.
const window = new Proxy(Object.assign(global, mywindow), getObjhandler("window"));

// Uncomment to exercise every trap once (see the caution on checkproxy).
//checkproxy()
// String is exported so the consumer sees the patched constructor; the
// String.prototype.indexOf patch above is process-wide regardless.
module.exports = {


    window,
    navigator,
    screen,
    location,
    String,
    Image,
    document,
    history
}

(PS: it is really convenient to reuse Master Lan's environment directly.) I won't repeat what came before; running it, we hit our first error, `_ is not defined`. Go back to the browser to check what it is, and it is found

just below; then continue tracing with breakpoints:

// As seen in the browser (truncated in this listing: the ':' branch of the
// conditional is not shown). This looks like the usual bundler __esModule
// interop getter; r.default is the property-deletion function the write-up
// refers to as _.
var n = r && r.__esModule ? function() {


            return r.default
        }

Looking at what r.default is: it is a property-deletion function. The logic of this section is that these properties cannot be deleted in the browser, but can be deleted in Node.js; so in effect the _ method does nothing in the browser and we do not need it at all. Since this deletion method is not needed, just remove the call,

it can run normally,

and finally print the result of this anonymous function:

// Same fingerprint routine as getfingerprint, minus the _()(window, e) call:
// collect "key:value" for every enumerable string-valued (non-empty)
// property of the three proxied objects and join with "###".
console.log((() => {
    const parts = [];
    for (const source of [navigator, location, history]) {
        for (const key in source) {
            const value = source[key];
            if (value && typeof value === "string") {
                parts.push(key + ":" + value);
            }
        }
    }
    return parts.join("###");
})());


Copy it and submit it to see whether it

passes. As you can see, Master Lan's environment is really easy to use. If you are
interested, you can learn it too.


Origin blog.csdn.net/u010559109/article/details/120159358