- 网站
aHR0cDovL2FlcmZheWluZy5jb20v - 加密参数
- 参数加密位置
方法:
1. 构造自执行函数
!function(e) {// 加载器
}(// 模块1;// 模块2
)
2. 找到js的加载器
3. 把上述代码放入第一步构造的自执行函数(完整扣取一整个加载器里的代码),并用一个全局参数接收加载器,比如window.zzz = i;
自执行代码如下:
var window=global;
!function(e) {function t(t) {for (var r, i, l = t[0], s = t[1], u = t[2], f = 0, p = []; f < l.length; f++)i = l[f],Object.prototype.hasOwnProperty.call(o, i) && o[i] && p.push(o[i][0]),o[i] = 0;for (r in s)Object.prototype.hasOwnProperty.call(s, r) && (e[r] = s[r]);for (c && c(t); p.length; )p.shift()();return a.push.apply(a, u || []),n()}function n() {for (var e, t = 0; t < a.length; t++) {for (var n = a[t], r = !0, l = 1; l < n.length; l++) {var s = n[l];0 !== o[s] && (r = !1)}r && (a.splice(t--, 1),e = i(i.s = n[0]))}return e}var r = {}, o = {0: 0}, a = [];function i(t) {if (r[t])return r[t].exports;var n = r[t] = {i: t,l: !1,exports: {}};return e[t].call(n.exports, n, n.exports, i),n.l = !0,n.exports}window.zzz = i; // 定义一个参数window.zzz接收加载器;var l = window.webpackJsonp = window.webpackJsonp || [], s = l.push.bind(l);l.push = t,l = l.slice();for (var u = 0; u < l.length; u++)t(l[u]);var c = s;
}({// 模块1;// 模块2
})
4. 把加密位置的代码扣取下来,放入自执行函数的模块里,然后定义一个模块名给,比如jsencrypt,自执行函数代码如下:
var window=global;
!function(e) {function t(t) {for (var r, i, l = t[0], s = t[1], u = t[2], f = 0, p = []; f < l.length; f++)i = l[f],Object.prototype.hasOwnProperty.call(o, i) && o[i] && p.push(o[i][0]),o[i] = 0;for (r in s)Object.prototype.hasOwnProperty.call(s, r) && (e[r] = s[r]);for (c && c(t); p.length; )p.shift()();return a.push.apply(a, u || []),n()}function n() {for (var e, t = 0; t < a.length; t++) {for (var n = a[t], r = !0, l = 1; l < n.length; l++) {var s = n[l];0 !== o[s] && (r = !1)}r && (a.splice(t--, 1),e = i(i.s = n[0]))}return e}var r = {}, o = {0: 0}, a = [];function i(t) {if (r[t])return r[t].exports;var n = r[t] = {i: t,l: !1,exports: {}};return e[t].call(n.exports, n, n.exports, i),n.l = !0,n.exports}window.zzz = i; // 定义一个参数window.zzz接收加载器;var l = window.webpackJsonp = window.webpackJsonp || [], s = l.push.bind(l);l.push = t,l = l.slice();for (var u = 0; u < l.length; u++)t(l[u]);var c = s;}({// 模块名:jsencryptjsencrypt:function(e, t, n) {"use strict";Object.defineProperty(t, "__esModule", {value: !0});t.default = function(e, t) {var n = (new Date).getTime() + 2592e6 + (t || 3e4), r = (e || "") + "&t=" + n;return {t: n,s: Sha1.hash(r)}}
}},
)
5. 对上述代码new一下,然后执行jsencrypt方法,运行代码,发现报错
result = new window.zzz("jsencrypt").default()
console.log(result)
报错:
6. 然后去源码里扣取Sha1的代码
最后所有js代码如下:
var window=global;function Sha1() {}
Sha1.hash = function(n, t) {var w = Object.assign({msgFormat: "string",outFormat: "hex"}, t), b, i, f, u, e, r, p, k, h, d;switch (w.msgFormat) {default:case "string":n = Sha1.utf8Encode(n);break;case "hex-bytes":n = Sha1.hexBytesToString(n)}b = [1518500249, 1859775393, 2400959708, 3395469782];i = [1732584193, 4023233417, 2562383102, 271733878, 3285377520];n += String.fromCharCode(128);var g = n.length / 4 + 2, o = Math.ceil(g / 16), s = new Array(o);for (u = 0; u < o; u++)for (s[u] = new Array(16),f = 0; f < 16; f++)s[u][f] = n.charCodeAt(u * 64 + f * 4) << 24 | n.charCodeAt(u * 64 + f * 4 + 1) << 16 | n.charCodeAt(u * 64 + f * 4 + 2) << 8 | n.charCodeAt(u * 64 + f * 4 + 3);for (s[o - 1][14] = (n.length - 1) * 8 / Math.pow(2, 32),s[o - 1][14] = Math.floor(s[o - 1][14]),s[o - 1][15] = (n.length - 1) * 8 & 4294967295,u = 0; u < o; u++) {for (e = new Array(80),r = 0; r < 16; r++)e[r] = s[u][r];for (r = 16; r < 80; r++)e[r] = Sha1.ROTL(e[r - 3] ^ e[r - 8] ^ e[r - 14] ^ e[r - 16], 1);var c = i[0], l = i[1], a = i[2], v = i[3], y = i[4];for (r = 0; r < 80; r++)p = Math.floor(r / 20),k = Sha1.ROTL(c, 5) + Sha1.f(p, l, a, v) + y + b[p] + e[r] >>> 0,y = v,v = a,a = Sha1.ROTL(l, 30) >>> 0,l = c,c = k;i[0] = i[0] + c >>> 0;i[1] = i[1] + l >>> 0;i[2] = i[2] + a >>> 0;i[3] = i[3] + v >>> 0;i[4] = i[4] + y >>> 0}for (h = 0; h < i.length; h++)i[h] = ("00000000" + i[h].toString(16)).slice(-8);return d = w.outFormat == "hex-w" ? " " : "",i.join(d)
}
;
Sha1.f = function(n, t, i, r) {switch (n) {case 0:return t & i ^ ~t & r;case 1:return t ^ i ^ r;case 2:return t & i ^ t & r ^ i & r;case 3:return t ^ i ^ r}
}
;
Sha1.ROTL = function(n, t) {return n << t | n >>> 32 - t
}
;
Sha1.utf8Encode = function(n) {return unescape(encodeURIComponent(n))
}
;
Sha1.hexBytesToString = function(n) {var i, t;for (n = n.replace(" ", ""),i = "",t = 0; t < n.length; t += 2)i += String.fromCharCode(parseInt(n.slice(t, t + 2), 16));return i
}
!function(e) {function t(t) {for (var r, i, l = t[0], s = t[1], u = t[2], f = 0, p = []; f < l.length; f++)i = l[f],Object.prototype.hasOwnProperty.call(o, i) && o[i] && p.push(o[i][0]),o[i] = 0;for (r in s)Object.prototype.hasOwnProperty.call(s, r) && (e[r] = s[r]);for (c && c(t); p.length; )p.shift()();return a.push.apply(a, u || []),n()}function n() {for (var e, t = 0; t < a.length; t++) {for (var n = a[t], r = !0, l = 1; l < n.length; l++) {var s = n[l];0 !== o[s] && (r = !1)}r && (a.splice(t--, 1),e = i(i.s = n[0]))}return e}var r = {}, o = {0: 0}, a = [];function i(t) {if (r[t])return r[t].exports;var n = r[t] = {i: t,l: !1,exports: {}};return e[t].call(n.exports, n, n.exports, i),n.l = !0,n.exports}window.zzz = i; // 定义一个参数window.zzz接收加载器;var l = window.webpackJsonp = window.webpackJsonp || [], s = l.push.bind(l);l.push = t,l = l.slice();for (var u = 0; u < l.length; u++)t(l[u]);var c = s;}({// 模块名:jsencryptjsencrypt:function(e, t, n) {"use strict";Object.defineProperty(t, "__esModule", {value: !0});t.default = function(e, t) {var n = (new Date).getTime() + 2592e6 + (t || 3e4), r = (e || "") + "&t=" + n;return {t: n,s: Sha1.hash(r)}}
}},)result = new window.zzz("jsencrypt").default()
console.log(result)
最后运行结果:
,源码可白嫖!)
建造者模式)
EnumChildWindows+shellcode)
