前言

JS攻击, 即JavaScript Attacks,  攻击者利用JavaScript实施攻击。

下面对四种不同等级的js攻击进行分析:

  • Low

服务端核心代码:

<?php
$page[ 'body' ] .= <<<EOF
<script>/*
MD5 code from here
https://github.com/blueimp/JavaScript-MD5
*/!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<<t|n>>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<<r%32,n[14+(r+64>>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e<n.length;e+=16)i=l,a=g,d=v,h=m,g=f(g=f(g=f(g=f(g=c(g=c(g=c(g=c(g=u(g=u(g=u(g=u(g=o(g=o(g=o(g=o(g,v=o(v,m=o(m,l=o(l,g,v,m,n[e],7,-680876936),g,v,n[e+1],12,-389564586),l,g,n[e+2],17,606105819),m,l,n[e+3],22,-1044525330),v=o(v,m=o(m,l=o(l,g,v,m,n[e+4],7,-176418897),g,v,n[e+5],12,1200080426),l,g,n[e+6],17,-1473231341),m,l,n[e+7],22,-45705983),v=o(v,m=o(m,l=o(l,g,v,m,n[e+8],7,1770035416),g,v,n[e+9],12,-1958414417),l,g,n[e+10],17,-42063),m,l,n[e+11],22,-1990404162),v=o(v,m=o(m,l=o(l,g,v,m,n[e+12],7,1804603682),g,v,n[e+13],12,-40341101),l,g,n[e+14],17,-1502002290),m,l,n[e+15],22,1236535329),v=u(v,m=u(m,l=u(l,g,v,m,n[e+1],5,-165796510),g,v,n[e+6],9,-1069501632),l,g,n[e+11],14,643717713),m,l,n[e],20,-373897302),v=u(v,m=u(m,l=u(l,g,v,m,n[e+5],5,-701558691),g,v,n[e+10],9,38016083),l,g,n[e+15],14,-660478335),m,l,n[e+4],20,-405537848),v=u(v,m=u(m,l=u(l,g,v,m,n[e+9],5,568446438),g,v,n[e+14],9,-1019803690),l,g,n[e+3],14,-187363961),m,l,n[e+8],20,1163531501),v=u(v,m=u(m,l=u(l,g,v,m,n[e+13],5,-1444681467),g,v,n[e+2],9,-51403784),l,g,n[e+7],14,1735328473),m,l,n[e+12],20,-1926607734),v=c(v,m=c(m,l=c(l,g,v,m,n[e+5],4,-378558),g,v,n[e+8],11,-2022574463),l,g,n[e+11],16,1839030562),m,l,n[e+14],23,-35309556),v=c(v,m=c(m,l=c(l,g,v,m,n[e+1],4,-1530992060),g,v,n[e+4],11,1272893353),l,g,n[e+7],16,-155497632),m,l,n[e+10],23,-1094730640),v=c(v,m=c(m,l=c(l,g,v,m,n[e+13],4,681279174),g,v,n[e],11,-358537222),l,g,n[e+3],16,-722521979),m,l,n[e+6],23,76029189),v=c(v,m=c(m,l=c(l,g,v,m,n[e+9],4,-640364487),g,v,n[e+12],11,-421815835),l,g,n[e+15],16,530742520),m,l,n[e+2],23,-995338651),v=f(v,m=f(m,l=f(l,g,v,m,n[e],6,-198630844),g,v,n[e+7],10,1126891415),l,g,n[e+14],15,-1416354905),m,l,n[e+5],21,-57434055),v=f(v,m=f(m,l=f(l,g,v,m,n[e+12],6,1700485571),g,v,n[e+3],10,-1894986606),l,g,n[e+10],15,-1051523),m,l,n[e+1],21,-2054922799),v=f(v,m=f(m,l=f(l,g,v,m,n[e+8],6,1873313359),g,v,n[e+15],10,-30611744),l,g,n[e+6],15,-1560198380),m,l,n[e+13],21,1309151649),v=f(v,m=f(m,l=f(l,g,v,m,n[e+4],6,-145523070),g,v,n[e+11],10,-1120210379),l,g,n[e+2],15,718787259),m,l,n[e+9],21,-343485551),l=t(l,i),g=t(g,a),v=t(v,d),m=t(m,h);return[l,g,v,m]}function a(n){var t,r="",e=32*n.length;for(t=0;t<e;t+=8)r+=String.fromCharCode(n[t>>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t<r.length;t+=1)r[t]=0;var e=8*n.length;for(t=0;t<e;t+=8)r[t>>5]|=(255&n.charCodeAt(t/8))<<t%32;return r}function h(n){return a(i(d(n),8*n.length))}function l(n,t){var r,e,o=d(n),u=[],c=[];for(u[15]=c[15]=void 0,o.length>16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r<n.length;r+=1)t=n.charCodeAt(r),e+="0123456789abcdef".charAt(t>>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this);function rot13(inp) {return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});}function generate_token() {var phrase = document.getElementById("phrase").value;document.getElementById("token").value = md5(rot13(phrase));}generate_token();
</script>
EOF;
?>

服务端对输入的Phrase内容处理过程:

1. 先用 rot13() 函数进行ascii码转换;

2. 调用 generate_token() 函数进行md5加密 (加密算法来自github)

然后将加密后的值赋值给token值。

漏洞利用

光看服务端代码是没什么问题的,  但是结合前段代码可以看到:

前段要求我们输入success就赢了,  我们输入再submit,  发现不对:

那么问题来了,到底是怎么回事?

首先,  我们可以看到,  POST的token参数值在前端网页中是固定的:

然后再看看网页的index.html代码:

可以看到,  当输入的值是success就对其进行加密处理:(和服务端的处理一致)

1.str_rot13()函数转换字符为ascii码

2. md5函数加密

然后直接用网页中固定的token值与加密后的success比较 (结果肯定是不相等的)

总的来说,  我们需要将token值取success进行同样md5加密后的值。

刚好服务端的代码是在网页代码index.html中的:


所以, 我们可以直接在控制台中调用index.html中的generate_token()函数,  将即将post的token改为success进行同样md5加密后的值。

先在phrase中输入:  success;

然后再在控制台中调用generate_token()函数:

submit之后即可:

  • Medium

服务端核心代码:

<?php
$page[ 'body' ] .= <<<EOF
<script src="/DVWA/vulnerabilities/javascript/source/medium.js"></script>
EOF;
?>

服务端把锅甩给了medium.js:

function do_something(e) {for (var t = "", n = e.length - 1; n >= 0; n--) t += e[n];return t
}
setTimeout(function () {do_elsesomething("XX")
}, 300);function do_elsesomething(e) {document.getElementById("token").value = do_something(e + document.getElementById("phrase").value + "XX")
}
  • do_something() 函数:

进行某种方法的加密。

  • do_elsesomething() 函数:

假设令phrase的值为str,  那么该函数的作用就是将 XX($str)XX 用 do_something()进行加密, 并赋值给token。

漏洞利用

和Low级别的漏油一样的原理,  只是加密函数换了而已。

可以看到,  token的值是固定为: XXeMegnahCXX

我们可以看到前端有 medium.js代码, 所以先在phrase输入success,  然后直接在控制台调用函数就可以了:

  • High

服务端核心代码:

<?php
$page[ 'body' ] .= <<<EOF
<script src="/DVWA/vulnerabilities/javascript/source/high.js"></script>
EOF;
?>

与Medium级别一样,  继续把锅甩给high.js:

var a=['fromCharCode','toString','replace','BeJ','\x5cw+','Lyg','SuR','(w(){\x273M\x203L\x27;q\x201l=\x273K\x203I\x203J\x20T\x27;q\x201R=1c\x202I===\x271n\x27;q\x20Y=1R?2I:{};p(Y.3N){1R=1O}q\x202L=!1R&&1c\x202M===\x271n\x27;q\x202o=!Y.2S&&1c\x202d===\x271n\x27&&2d.2Q&&2d.2Q.3S;p(2o){Y=3R}z\x20p(2L){Y=2M}q\x202G=!Y.3Q&&1c\x202g===\x271n\x27&&2g.X;q\x202s=1c\x202l===\x27w\x27&&2l.3P;q\x201y=!Y.3H&&1c\x20Z!==\x272T\x27;q\x20m=\x273G\x27.3z(\x27\x27);q\x202w=[-3y,3x,3v,3w];q\x20U=[24,16,8,0];q\x20K=[3A,3B,3F,3E,3D,3C,3T,3U,4d,4c,4b,49,4a,4e,4f,4j,4i,4h,3u,48,47,3Z,3Y,3X,3V,3W,40,41,46,45,43,42,4k,3f,38,36,39,37,34,33,2Y,31,2Z,35,3t,3n,3m,3l,3o,3p,3s,3r,3q,3k,3j,3d,3a,3c,3b,3e,3h,3g,3i,4g];q\x201E=[\x271e\x27,\x2727\x27,\x271G\x27,\x272R\x27];q\x20l=[];p(Y.2S||!1z.1K){1z.1K=w(1x){A\x204C.Q.2U.1I(1x)===\x27[1n\x201z]\x27}}p(1y&&(Y.50||!Z.1N)){Z.1N=w(1x){A\x201c\x201x===\x271n\x27&&1x.1w&&1x.1w.1J===Z}}q\x202m=w(1X,x){A\x20w(s){A\x20O\x20N(x,1d).S(s)[1X]()}};q\x202a=w(x){q\x20P=2m(\x271e\x27,x);p(2o){P=2P(P,x)}P.1T=w(){A\x20O\x20N(x)};P.S=w(s){A\x20P.1T().S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2m(T,x)}A\x20P};q\x202P=w(P,x){q\x201S=2O(\x222N(\x271S\x27)\x22);q\x201Y=2O(\x222N(\x271w\x27).1Y\x22);q\x202n=x?\x271H\x27:\x271q\x27;q\x202z=w(s){p(1c\x20s===\x272p\x27){A\x201S.2x(2n).S(s,\x274S\x27).1G(\x271e\x27)}z{p(s===2q||s===2T){1u\x20O\x201t(1l)}z\x20p(s.1J===Z){s=O\x202r(s)}}p(1z.1K(s)||Z.1N(s)||s.1J===1Y){A\x201S.2x(2n).S(O\x201Y(s)).1G(\x271e\x27)}z{A\x20P(s)}};A\x202z};q\x202k=w(1X,x){A\x20w(G,s){A\x20O\x201P(G,x,1d).S(s)[1X]()}};q\x202f=w(x){q\x20P=2k(\x271e\x27,x);P.1T=w(G){A\x20O\x201P(G,x)};P.S=w(G,s){A\x20P.1T(G).S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2k(T,x)}A\x20P};w\x20N(x,1v){p(1v){l[0]=l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0;k.l=l}z{k.l=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}p(x){k.C=4I;k.B=4H;k.E=4l;k.F=4U;k.J=4J;k.I=4K;k.H=4L;k.D=4T}z{k.C=4X;k.B=4W;k.E=4Y;k.F=4Z;k.J=4V;k.I=4O;k.H=4F;k.D=4s}k.1C=k.1A=k.L=k.2i=0;k.1U=k.1L=1O;k.2j=1d;k.x=x}N.Q.S=w(s){p(k.1U){A}q\x202h,T=1c\x20s;p(T!==\x272p\x27){p(T===\x271n\x27){p(s===2q){1u\x20O\x201t(1l)}z\x20p(1y&&s.1J===Z){s=O\x202r(s)}z\x20p(!1z.1K(s)){p(!1y||!Z.1N(s)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}2h=1d}q\x20r,M=0,i,W=s.W,l=k.l;4t(M<W){p(k.1L){k.1L=1O;l[0]=k.1C;l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0}p(2h){1g(i=k.1A;M<W&&i<1k;++M){l[i>>2]|=s[M]<<U[i++&3]}}z{1g(i=k.1A;M<W&&i<1k;++M){r=s.1Q(M);p(r<R){l[i>>2]|=r<<U[i++&3]}z\x20p(r<2v){l[i>>2]|=(2t|(r>>6))<<U[i++&3];l[i>>2]|=(R|(r&V))<<U[i++&3]}z\x20p(r<2A||r>=2E){l[i>>2]|=(2D|(r>>12))<<U[i++&3];l[i>>2]|=(R|((r>>6)&V))<<U[i++&3];l[i>>2]|=(R|(r&V))<<U[i++&3]}z{r=2C+(((r&23)<<10)|(s.1Q(++M)&23));l[i>>2]|=(2X|(r>>18))<<U[i++&3];l[i>>2]|=(R|((r>>12)&V))<<U[i++&3];l[i>>2]|=(R|((r>>6)&V))<<U[i++&3];l[i>>2]|=(R|(r&V))<<U[i++&3]}}}k.2u=i;k.L+=i-k.1A;p(i>=1k){k.1C=l[16];k.1A=i-1k;k.1W();k.1L=1d}z{k.1A=i}}p(k.L>4r){k.2i+=k.L/2H<<0;k.L=k.L%2H}A\x20k};N.Q.1s=w(){p(k.1U){A}k.1U=1d;q\x20l=k.l,i=k.2u;l[16]=k.1C;l[i>>2]|=2w[i&3];k.1C=l[16];p(i>=4q){p(!k.1L){k.1W()}l[0]=k.1C;l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0}l[14]=k.2i<<3|k.L>>>29;l[15]=k.L<<3;k.1W()};N.Q.1W=w(){q\x20a=k.C,b=k.B,c=k.E,d=k.F,e=k.J,f=k.I,g=k.H,h=k.D,l=k.l,j,1a,1b,1j,v,1f,1h,1B,1Z,1V,1D;1g(j=16;j<1k;++j){v=l[j-15];1a=((v>>>7)|(v<<25))^((v>>>18)|(v<<14))^(v>>>3);v=l[j-2];1b=((v>>>17)|(v<<15))^((v>>>19)|(v<<13))^(v>>>10);l[j]=l[j-16]+1a+l[j-7]+1b<<0}1D=b&c;1g(j=0;j<1k;j+=4){p(k.2j){p(k.x){1B=4m;v=l[0]-4n;h=v-4o<<0;d=v+4p<<0}z{1B=4v;v=l[0]-4w;h=v-4G<<0;d=v+4D<<0}k.2j=1O}z{1a=((a>>>2)|(a<<30))^((a>>>13)|(a<<19))^((a>>>22)|(a<<10));1b=((e>>>6)|(e<<26))^((e>>>11)|(e<<21))^((e>>>25)|(e<<7));1B=a&b;1j=1B^(a&c)^1D;1h=(e&f)^(~e&g);v=h+1b+1h+K[j]+l[j];1f=1a+1j;h=d+v<<0;d=v+1f<<0}1a=((d>>>2)|(d<<30))^((d>>>13)|(d<<19))^((d>>>22)|(d<<10));1b=((h>>>6)|(h<<26))^((h>>>11)|(h<<21))^((h>>>25)|(h<<7));1Z=d&a;1j=1Z^(d&b)^1B;1h=(h&e)^(~h&f);v=g+1b+1h+K[j+1]+l[j+1];1f=1a+1j;g=c+v<<0;c=v+1f<<0;1a=((c>>>2)|(c<<30))^((c>>>13)|(c<<19))^((c>>>22)|(c<<10));1b=((g>>>6)|(g<<26))^((g>>>11)|(g<<21))^((g>>>25)|(g<<7));1V=c&d;1j=1V^(c&a)^1Z;1h=(g&h)^(~g&e);v=f+1b+1h+K[j+2]+l[j+2];1f=1a+1j;f=b+v<<0;b=v+1f<<0;1a=((b>>>2)|(b<<30))^((b>>>13)|(b<<19))^((b>>>22)|(b<<10));1b=((f>>>6)|(f<<26))^((f>>>11)|(f<<21))^((f>>>25)|(f<<7));1D=b&c;1j=1D^(b&d)^1V;1h=(f&g)^(~f&h);v=e+1b+1h+K[j+3]+l[j+3];1f=1a+1j;e=a+v<<0;a=v+1f<<0}k.C=k.C+a<<0;k.B=k.B+b<<0;k.E=k.E+c<<0;k.F=k.F+d<<0;k.J=k.J+e<<0;k.I=k.I+f<<0;k.H=k.H+g<<0;k.D=k.D+h<<0};N.Q.1e=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x201e=m[(C>>28)&o]+m[(C>>24)&o]+m[(C>>20)&o]+m[(C>>16)&o]+m[(C>>12)&o]+m[(C>>8)&o]+m[(C>>4)&o]+m[C&o]+m[(B>>28)&o]+m[(B>>24)&o]+m[(B>>20)&o]+m[(B>>16)&o]+m[(B>>12)&o]+m[(B>>8)&o]+m[(B>>4)&o]+m[B&o]+m[(E>>28)&o]+m[(E>>24)&o]+m[(E>>20)&o]+m[(E>>16)&o]+m[(E>>12)&o]+m[(E>>8)&o]+m[(E>>4)&o]+m[E&o]+m[(F>>28)&o]+m[(F>>24)&o]+m[(F>>20)&o]+m[(F>>16)&o]+m[(F>>12)&o]+m[(F>>8)&o]+m[(F>>4)&o]+m[F&o]+m[(J>>28)&o]+m[(J>>24)&o]+m[(J>>20)&o]+m[(J>>16)&o]+m[(J>>12)&o]+m[(J>>8)&o]+m[(J>>4)&o]+m[J&o]+m[(I>>28)&o]+m[(I>>24)&o]+m[(I>>20)&o]+m[(I>>16)&o]+m[(I>>12)&o]+m[(I>>8)&o]+m[(I>>4)&o]+m[I&o]+m[(H>>28)&o]+m[(H>>24)&o]+m[(H>>20)&o]+m[(H>>16)&o]+m[(H>>12)&o]+m[(H>>8)&o]+m[(H>>4)&o]+m[H&o];p(!k.x){1e+=m[(D>>28)&o]+m[(D>>24)&o]+m[(D>>20)&o]+m[(D>>16)&o]+m[(D>>12)&o]+m[(D>>8)&o]+m[(D>>4)&o]+m[D&o]}A\x201e};N.Q.2U=N.Q.1e;N.Q.1G=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x202b=[(C>>24)&u,(C>>16)&u,(C>>8)&u,C&u,(B>>24)&u,(B>>16)&u,(B>>8)&u,B&u,(E>>24)&u,(E>>16)&u,(E>>8)&u,E&u,(F>>24)&u,(F>>16)&u,(F>>8)&u,F&u,(J>>24)&u,(J>>16)&u,(J>>8)&u,J&u,(I>>24)&u,(I>>16)&u,(I>>8)&u,I&u,(H>>24)&u,(H>>16)&u,(H>>8)&u,H&u];p(!k.x){2b.4A((D>>24)&u,(D>>16)&u,(D>>8)&u,D&u)}A\x202b};N.Q.27=N.Q.1G;N.Q.2R=w(){k.1s();q\x201w=O\x20Z(k.x?28:32);q\x201i=O\x204x(1w);1i.1p(0,k.C);1i.1p(4,k.B);1i.1p(8,k.E);1i.1p(12,k.F);1i.1p(16,k.J);1i.1p(20,k.I);1i.1p(24,k.H);p(!k.x){1i.1p(28,k.D)}A\x201w};w\x201P(G,x,1v){q\x20i,T=1c\x20G;p(T===\x272p\x27){q\x20L=[],W=G.W,M=0,r;1g(i=0;i<W;++i){r=G.1Q(i);p(r<R){L[M++]=r}z\x20p(r<2v){L[M++]=(2t|(r>>6));L[M++]=(R|(r&V))}z\x20p(r<2A||r>=2E){L[M++]=(2D|(r>>12));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}z{r=2C+(((r&23)<<10)|(G.1Q(++i)&23));L[M++]=(2X|(r>>18));L[M++]=(R|((r>>12)&V));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}}G=L}z{p(T===\x271n\x27){p(G===2q){1u\x20O\x201t(1l)}z\x20p(1y&&G.1J===Z){G=O\x202r(G)}z\x20p(!1z.1K(G)){p(!1y||!Z.1N(G)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}}p(G.W>1k){G=(O\x20N(x,1d)).S(G).27()}q\x201F=[],2e=[];1g(i=0;i<1k;++i){q\x20b=G[i]||0;1F[i]=4z^b;2e[i]=4y^b}N.1I(k,x,1v);k.S(2e);k.1F=1F;k.2c=1d;k.1v=1v}1P.Q=O\x20N();1P.Q.1s=w(){N.Q.1s.1I(k);p(k.2c){k.2c=1O;q\x202W=k.27();N.1I(k,k.x,k.1v);k.S(k.1F);k.S(2W);N.Q.1s.1I(k)}};q\x20X=2a();X.1q=X;X.1H=2a(1d);X.1q.2V=2f();X.1H.2V=2f(1d);p(2G){2g.X=X}z{Y.1q=X.1q;Y.1H=X.1H;p(2s){2l(w(){A\x20X})}}})();w\x202y(e){1g(q\x20t=\x22\x22,n=e.W-1;n>=0;n--)t+=e[n];A\x20t}w\x202J(t,y=\x224B\x22){1m.1o(\x221M\x22).1r=1q(1m.1o(\x221M\x22).1r+y)}w\x202B(e=\x224E\x22){1m.1o(\x221M\x22).1r=1q(e+1m.1o(\x221M\x22).1r)}w\x202K(a,b){1m.1o(\x221M\x22).1r=2y(1m.1o(\x222F\x22).1r)}1m.1o(\x222F\x22).1r=\x22\x22;4u(w(){2B(\x224M\x22)},4N);1m.1o(\x224P\x22).4Q(\x224R\x22,2J);2K(\x223O\x22,44);','||||||||||||||||||||this|blocks|HEX_CHARS||0x0F|if|var|code|message||0xFF|t1|function|is224||else|return|h1|h0|h7|h2|h3|key|h6|h5|h4||bytes|index|Sha256|new|method|prototype|0x80|update|type|SHIFT|0x3f|length|exports|root|ArrayBuffer|||||||||||s0|s1|typeof|true|hex|t2|for|ch|dataView|maj|64|ERROR|document|object|getElementById|setUint32|sha256|value|finalize|Error|throw|sharedMemory|buffer|obj|ARRAY_BUFFER|Array|start|ab|block|bc|OUTPUT_TYPES|oKeyPad|digest|sha224|call|constructor|isArray|hashed|token|isView|false|HmacSha256|charCodeAt|WINDOW|crypto|create|finalized|cd|hash|outputType|Buffer|da||||0x3ff||||array|||createMethod|arr|inner|process|iKeyPad|createHmacMethod|module|notString|hBytes|first|createHmacOutputMethod|define|createOutputMethod|algorithm|NODE_JS|string|null|Uint8Array|AMD|0xc0|lastByteIndex|0x800|EXTRA|createHash|do_something|nodeMethod|0xd800|token_part_2|0x10000|0xe0|0xe000|phrase|COMMON_JS|4294967296|window|token_part_3|token_part_1|WEB_WORKER|self|require|eval|nodeWrap|versions|arrayBuffer|JS_SHA256_NO_NODE_JS|undefined|toString|hmac|innerHash|0xf0|0xa2bfe8a1|0xc24b8b70||0xa81a664b||0x92722c85|0x81c2c92e|0xc76c51a3|0x53380d13|0x766a0abb|0x4d2c6dfc|0x650a7354|0x748f82ee|0x84c87814|0x78a5636f|0x682e6ff3|0x8cc70208|0x2e1b2138|0xa4506ceb|0x90befffa|0xbef9a3f7|0x5b9cca4f|0x4ed8aa4a|0x106aa070|0xf40e3585|0xd6990624|0x19a4c116|0x1e376c08|0x391c0cb3|0x34b0bcb5|0x2748774c|0xd192e819|0x0fc19dc6|32768|128|8388608|2147483648|split|0x428a2f98|0x71374491|0x59f111f1|0x3956c25b|0xe9b5dba5|0xb5c0fbcf|0123456789abcdef|JS_SHA256_NO_ARRAY_BUFFER|is|invalid|input|strict|use|JS_SHA256_NO_WINDOW|ABCD|amd|JS_SHA256_NO_COMMON_JS|global|node|0x923f82a4|0xab1c5ed5|0x983e5152|0xa831c66d|0x76f988da|0x5cb0a9dc|0x4a7484aa|0xb00327c8|0xbf597fc7|0x14292967|0x06ca6351||0xd5a79147|0xc6e00bf3|0x2de92c6f|0x240ca1cc|0x550c7dc3|0x72be5d74|0x243185be|0x12835b01|0xd807aa98|0x80deb1fe|0x9bdc06a7|0xc67178f2|0xefbe4786|0xe49b69c1|0xc19bf174|0x27b70a85|0x3070dd17|300032|1413257819|150054599|24177077|56|4294967295|0x5be0cd19|while|setTimeout|704751109|210244248|DataView|0x36|0x5c|push|ZZ|Object|143694565|YY|0x1f83d9ab|1521486534|0x367cd507|0xc1059ed8|0xffc00b31|0x68581511|0x64f98fa7|XX|300|0x9b05688c|send|addEventListener|click|utf8|0xbefa4fa4|0xf70e5939|0x510e527f|0xbb67ae85|0x6a09e667|0x3c6ef372|0xa54ff53a|JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW','split'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f4));var b=function(c,d){c=c-0x0;var e=a[c];return e;};eval(function(d,e,f,g,h,i){h=function(j){return(j<e?'':h(parseInt(j/e)))+((j=j%e)>0x23?String[b('0x0')](j+0x1d):j[b('0x1')](0x24));};if(!''[b('0x2')](/^/,String)){while(f--){i[h(f)]=g[f]||h(f);}g=[function(k){if('wpA'!==b('0x3')){return i[k];}else{while(f--){i[k(f)]=g[f]||k(f);}g=[function(l){return i[l];}];k=function(){return b('0x4');};f=0x1;}}];h=function(){return b('0x4');};f=0x1;};while(f--){if(g[f]){if(b('0x5')===b('0x6')){return i[h];}else{d=d[b('0x2')](new RegExp('\x5cb'+h(f)+'\x5cb','g'),g[f]);}}}return d;}(b('0x7'),0x3e,0x137,b('0x8')[b('0x9')]('|'),0x0,{}));

大概是对代码进行了某种混淆,  导致无法阅读源码。

漏洞利用

为了解除混淆,  可以使用 http://deobfuscatejavascript.com 这个网站可以解除混淆

解码后的 medium.js:  (其实同级目录下有一个high_unobfuscated.js就是解码后的源码)

(function() {'use strict';var ERROR = 'input is invalid type';var WINDOW = typeof window === 'object';var root = WINDOW ? window : {};if (root.JS_SHA256_NO_WINDOW) {WINDOW = false}var WEB_WORKER = !WINDOW && typeof self === 'object';var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node;if (NODE_JS) {root = global} else if (WEB_WORKER) {root = self}var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports;var AMD = typeof define === 'function' && define.amd;var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined';var HEX_CHARS = '0123456789abcdef'.split('');var EXTRA = [-2147483648, 8388608, 32768, 128];var SHIFT = [24, 16, 8, 0];var K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2];var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer'];var blocks = [];if (root.JS_SHA256_NO_NODE_JS || !Array.isArray) {Array.isArray = function(obj) {return Object.prototype.toString.call(obj) === '[object Array]'}}if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) {ArrayBuffer.isView = function(obj) {return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer}}var createOutputMethod = function(outputType, is224) {return function(message) {return new Sha256(is224, true).update(message)[outputType]()}};var createMethod = function(is224) {var method = createOutputMethod('hex', is224);if (NODE_JS) {method = nodeWrap(method, is224)}method.create = function() {return new Sha256(is224)};method.update = function(message) {return method.create().update(message)};for (var i = 0; i < OUTPUT_TYPES.length; ++i) {var type = OUTPUT_TYPES[i];method[type] = createOutputMethod(type, is224)}return method};var nodeWrap = function(method, is224) {var crypto = eval("require('crypto')");var Buffer = eval("require('buffer').Buffer");var algorithm = is224 ? 'sha224' : 'sha256';var nodeMethod = function(message) {if (typeof message === 'string') {return crypto.createHash(algorithm).update(message, 'utf8').digest('hex')} else {if (message === null || message === undefined) {throw new Error(ERROR)} else if (message.constructor === ArrayBuffer) {message = new Uint8Array(message)}}if (Array.isArray(message) || ArrayBuffer.isView(message) || message.constructor === Buffer) {return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex')} else {return method(message)}};return nodeMethod};var createHmacOutputMethod = function(outputType, is224) {return function(key, message) {return new HmacSha256(key, is224, true).update(message)[outputType]()}};var createHmacMethod = function(is224) {var method = createHmacOutputMethod('hex', is224);method.create = function(key) {return new HmacSha256(key, is224)};method.update = function(key, message) {return method.create(key).update(message)};for (var i = 0; i < OUTPUT_TYPES.length; ++i) {var type = OUTPUT_TYPES[i];method[type] = createHmacOutputMethod(type, is224)}return method};function Sha256(is224, sharedMemory) {if (sharedMemory) {blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] = blocks[4] = blocks[5] = blocks[6] = blocks[7] = blocks[8] = blocks[9] = blocks[10] = blocks[11] = blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;this.blocks = blocks} else {this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]}if (is224) {this.h0 = 0xc1059ed8;this.h1 = 0x367cd507;this.h2 = 0x3070dd17;this.h3 = 0xf70e5939;this.h4 = 0xffc00b31;this.h5 = 0x68581511;this.h6 = 0x64f98fa7;this.h7 = 0xbefa4fa4} else {this.h0 = 0x6a09e667;this.h1 = 0xbb67ae85;this.h2 = 0x3c6ef372;this.h3 = 0xa54ff53a;this.h4 = 0x510e527f;this.h5 = 0x9b05688c;this.h6 = 0x1f83d9ab;this.h7 = 0x5be0cd19}this.block = this.start = this.bytes = this.hBytes = 0;this.finalized = this.hashed = false;this.first = true;this.is224 = is224}Sha256.prototype.update = function(message) {if (this.finalized) {return}var notString, type = typeof message;if (type !== 'string') {if (type === 'object') {if (message === null) {throw new Error(ERROR)} else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) {message = new Uint8Array(message)} else if (!Array.isArray(message)) {if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) {throw new Error(ERROR)}}} else {throw new Error(ERROR)}notString = true}var code, index = 0,i, length = message.length,blocks = this.blocks;while (index < length) {if (this.hashed) {this.hashed = false;blocks[0] = this.block;blocks[16] = blocks[1] = blocks[2] = blocks[3] = blocks[4] = blocks[5] = blocks[6] = blocks[7] = blocks[8] = blocks[9] = blocks[10] = blocks[11] = blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0}if (notString) {for (i = this.start; index < length && i < 64; ++index) {blocks[i >> 2] |= message[index] << SHIFT[i++ & 3]}} else {for (i = this.start; index < length && i < 64; ++index) {code = message.charCodeAt(index);if (code < 0x80) {blocks[i >> 2] |= code << SHIFT[i++ & 3]} else if (code < 0x800) {blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3];blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]} else if (code < 0xd800 || code >= 0xe000) {blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3];blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]} else {code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff));blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3];blocks[i >> 2] |= (0x80 | ((code >> 12) & 0x3f)) << SHIFT[i++ & 3];blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]}}}this.lastByteIndex = i;this.bytes += i - this.start;if (i >= 64) {this.block = blocks[16];this.start = i - 64;this.hash();this.hashed = true} else {this.start = i}}if (this.bytes > 4294967295) {this.hBytes += this.bytes / 4294967296 << 0;this.bytes = this.bytes % 4294967296}return this};Sha256.prototype.finalize = function() {if (this.finalized) {return}this.finalized = true;var blocks = this.blocks,i = this.lastByteIndex;blocks[16] = this.block;blocks[i >> 2] |= EXTRA[i & 3];this.block = blocks[16];if (i >= 56) {if (!this.hashed) {this.hash()}blocks[0] = this.block;blocks[16] = blocks[1] = blocks[2] = blocks[3] = blocks[4] = blocks[5] = blocks[6] = blocks[7] = blocks[8] = blocks[9] = blocks[10] = blocks[11] = blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0}blocks[14] = this.hBytes << 3 | this.bytes >>> 29;blocks[15] = this.bytes << 3;this.hash()};Sha256.prototype.hash = function() {var a = this.h0,b = this.h1,c = this.h2,d = this.h3,e = this.h4,f = this.h5,g = this.h6,h = this.h7,blocks = this.blocks,j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc;for (j = 16; j < 64; ++j) {t1 = blocks[j - 15];s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3);t1 = blocks[j - 2];s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10);blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0}bc = b & c;for (j = 0; j < 64; j += 4) {if (this.first) {if (this.is224) {ab = 300032;t1 = blocks[0] - 1413257819;h = t1 - 150054599 << 0;d = t1 + 24177077 << 0} else {ab = 704751109;t1 = blocks[0] - 210244248;h = t1 - 1521486534 << 0;d = t1 + 143694565 << 0}this.first = false} else {s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));ab = a & b;maj = ab ^ (a & c) ^ bc;ch = (e & f) ^ (~e & g);t1 = h + s1 + ch + K[j] + blocks[j];t2 = s0 + maj;h = d + t1 << 0;d = t1 + t2 << 0}s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10));s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7));da = d & a;maj = da ^ (d & b) ^ ab;ch = (h & e) ^ (~h & f);t1 = g + s1 + ch + K[j + 1] + blocks[j + 1];t2 = s0 + maj;g = c + t1 << 0;c = t1 + t2 << 0;s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10));s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7));cd = c & d;maj = cd ^ (c & a) ^ da;ch = (g & h) ^ (~g & e);t1 = f + s1 + ch + K[j + 2] + blocks[j + 2];t2 = s0 + maj;f = b + t1 << 0;b = t1 + t2 << 0;s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10));s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7));bc = b & c;maj = bc ^ (b & d) ^ cd;ch = (f & g) ^ (~f & h);t1 = e + s1 + ch + K[j + 3] + blocks[j + 3];t2 = s0 + maj;e = a + t1 << 0;a = t1 + t2 << 0}this.h0 = this.h0 + a << 0;this.h1 = this.h1 + b << 0;this.h2 = this.h2 + c << 0;this.h3 = this.h3 + d << 0;this.h4 = this.h4 + e << 0;this.h5 = this.h5 + f << 0;this.h6 = this.h6 + g << 0;this.h7 = this.h7 + h << 0};Sha256.prototype.hex = function() {this.finalize();var h0 = this.h0,h1 = this.h1,h2 = this.h2,h3 = this.h3,h4 = this.h4,h5 = this.h5,h6 = this.h6,h7 = this.h7;var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] + HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] + HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] + HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] + HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] + HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] + HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] + HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] + HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] + HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] + HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] + HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] + HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] + HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] + HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] + HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] + HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] + HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] + HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] + HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] + HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] + HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] + HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] + HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] + HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] + HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] + HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] + HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F];if (!this.is224) {hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] + HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] + HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] + HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F]}return hex};Sha256.prototype.toString = Sha256.prototype.hex;Sha256.prototype.digest = function() {this.finalize();var h0 = this.h0,h1 = this.h1,h2 = this.h2,h3 = this.h3,h4 = this.h4,h5 = this.h5,h6 = this.h6,h7 = this.h7;var arr = [(h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF, (h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF, (h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF, (h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF, (h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF, (h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF, (h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF];if (!this.is224) {arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF)}return arr};Sha256.prototype.array = Sha256.prototype.digest;Sha256.prototype.arrayBuffer = function() {this.finalize();var buffer = new ArrayBuffer(this.is224 ? 28 : 32);var dataView = new DataView(buffer);dataView.setUint32(0, this.h0);dataView.setUint32(4, this.h1);dataView.setUint32(8, this.h2);dataView.setUint32(12, this.h3);dataView.setUint32(16, this.h4);dataView.setUint32(20, this.h5);dataView.setUint32(24, this.h6);if (!this.is224) {dataView.setUint32(28, this.h7)}return buffer};function HmacSha256(key, is224, sharedMemory) {var i, type = typeof key;if (type === 'string') {var bytes = [],length = key.length,index = 0,code;for (i = 0; i < length; ++i) {code = key.charCodeAt(i);if (code < 0x80) {bytes[index++] = code} else if (code < 0x800) {bytes[index++] = (0xc0 | (code >> 6));bytes[index++] = (0x80 | (code & 0x3f))} else if (code < 0xd800 || code >= 0xe000) {bytes[index++] = (0xe0 | (code >> 12));bytes[index++] = (0x80 | ((code >> 6) & 0x3f));bytes[index++] = (0x80 | (code & 0x3f))} else {code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff));bytes[index++] = (0xf0 | (code >> 18));bytes[index++] = (0x80 | ((code >> 12) & 0x3f));bytes[index++] = (0x80 | ((code >> 6) & 0x3f));bytes[index++] = (0x80 | (code & 0x3f))}}key = bytes} else {if (type === 'object') {if (key === null) {throw new Error(ERROR)} else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) {key = new Uint8Array(key)} else if (!Array.isArray(key)) {if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) {throw new Error(ERROR)}}} else {throw new Error(ERROR)}}if (key.length > 64) {key = (new Sha256(is224, true)).update(key).array()}var oKeyPad = [],iKeyPad = [];for (i = 0; i < 64; ++i) {var b = key[i] || 0;oKeyPad[i] = 0x5c ^ b;iKeyPad[i] = 0x36 ^ b}Sha256.call(this, is224, sharedMemory);this.update(iKeyPad);this.oKeyPad = oKeyPad;this.inner = true;this.sharedMemory = sharedMemory}HmacSha256.prototype = new Sha256();HmacSha256.prototype.finalize = function() {Sha256.prototype.finalize.call(this);if (this.inner) {this.inner = false;var innerHash = this.array();Sha256.call(this, this.is224, this.sharedMemory);this.update(this.oKeyPad);this.update(innerHash);Sha256.prototype.finalize.call(this)}};var exports = createMethod();exports.sha256 = exports;exports.sha224 = createMethod(true);exports.sha256.hmac = createHmacMethod();exports.sha224.hmac = createHmacMethod(true);if (COMMON_JS) {module.exports = exports} else {root.sha256 = exports.sha256;root.sha224 = exports.sha224;if (AMD) {define(function() {return exports})}}
})();function do_something(e) {for (var t = "", n = e.length - 1; n >= 0; n--) t += e[n];return t
}
function token_part_3(t, y = "ZZ") {document.getElementById("token").value = sha256(document.getElementById("token").value + y)
}
function token_part_2(e = "YY") {document.getElementById("token").value = sha256(e + document.getElementById("token").value)
}
function token_part_1(a, b) {document.getElementById("token").value = do_something(document.getElementById("phrase").value)
}
document.getElementById("phrase").value = "";
setTimeout(function() {token_part_2("XX")
}, 300);
document.getElementById("send").addEventListener("click", token_part_3);
token_part_1("ABCD", 44);

大概意思就是:

1. 由于有300毫秒延时,所以先执行了token_part_1("ABCD", 44);
2. 然后再执行了 token_part_2("XX")
3. token_part_3被添加在提交按钮的click事件上,也就是点提交会触发执行。

再看看index源码:

知道了加密过程后 (完全不用看加密函数是怎么运作的, 直接调用就好了), 我们在控制台中直接按顺序调用就好了:

  • Impossible

服务端核心代码:

哦,  服务端无代码 = = !,

就是告诉我们-----Token最好是不要靠前端JS生成

JavaScript Attacks相关推荐

  1. Security ❀ JavaScript Attacks 前端攻击

    文章目录 JavaScript Attacks 前端攻击 1 Low Level 2 Medium Level 3 High Level 4 Impossible Level JavaScript A ...

  2. DVWA之前端攻击(JavaScript Attacks)

    前端攻击(JavaScript Attacks) 这是一种比较新颖的玩法,通过捕获js中的漏洞进行,成功提交success就算赢 Security Level: low 源码 <?php $pa ...

  3. DVWA 之 JavaScript Attacks

    目录 1.级别:Low 2.级别:Medium 3.级别:High 1.级别:Low 一进去看见提示写着 Submit the word "success" to win. 就提交 ...

  4. 2019-3-16 dvwa学习(16)--JavaScript Attacks JS攻击

    DVWA的JS攻击练习是为了帮助用户了解如何在浏览器中使用JavaScript和攻击者如何控制JavaScript实施攻击. 看实例:成功提交success low 界面上尝试一下,输入success ...

  5. DVWA 通关笔记:JavaScript Attacks

    概述 什么是JavaScript Attack? JavaScript Attack即JS攻击, 攻击者可以利用JavaScript实施攻击. 通关要求 提交"success"一词 ...

  6. DVWA靶场通关教程

    目录 Burt Force(爆破) (low) (medium) ​(high) (impossible) Command Injection(命令执行) (low) (medium) (high) ...

  7. 【WEB安全】PHP靶场实战分析——DVWA

    文章目录 前言 一.实战前的准备: 1.dvwa靶场安装 2.代码审计工具介绍 2.1.seay代码审计工具的介绍 2.2.rips 审计工具介绍 二.DVWA通关讲解 1. brute force ...

  8. dvwa靶场的简单练习

    此文章仅为记录自己打靶场的过程 一.dvwa靶场的搭建 (1)phpstudy的下载安装以及配置 下载phpstudy,官网链接:小皮面板(phpstudy) - 让天下没有难配的服务器环境! (xp ...

  9. 2020-08-29 Python的lambda函数用法

    在Python中有两种函数,一种是def定义的函数,另一种是lambda函数,也就是大家常说的匿名函数.今天我就和大家聊聊lambda函数,在Python编程中,大家习惯将其称为表达式. 1.为什么要 ...

最新文章

  1. 服务器文件数量监控,服务器监控指标有哪些?好文章一定要收藏
  2. 简单回声服务器的实现
  3. 生成对抗网络gan原理_生成对抗网络(GAN)的半监督学习
  4. Message 消息提示
  5. php怎么实现商品评论功能,php购物车功能如何实现
  6. 点击底部input输入框,弹出的软键盘挡住input(苹果手机使用第三方输入法 )
  7. 2018.9.18opencv3.4.1 + vs 2017 community +win 10 x64+cmake 3.11.3终终终章!
  8. 拒绝干扰 解决Wi-Fi的最大问题
  9. html attr src,jQuery中css()和attr()方法的区别
  10. Python 高阶函数,匿名函数 思维导图
  11. 深入浅出 卡尔曼滤波
  12. 人民币大写金额转换为数字
  13. 微信H5活动抽奖单页面模板源码
  14. word自动生成目录的最后一个大标题页码前没有点点点连接线解决方案
  15. JSP隐式对象——out对象、pageContext对象、exception对象
  16. 【修电脑】每次关机提示rundll32.exe程序没有响应,修改注册表解决问题
  17. mac c语言运行程序,Mac运行C语言
  18. LeetCode-589. N-ary Tree Preorder Traversal
  19. 谷歌浏览器记住密码功能 input框黄色背景
  20. 计算神经科学和人工智能,人工智能神经网络算法

热门文章

  1. 制作FLASH透明背景
  2. java汽车总里程_总里程计数的发展
  3. 100天从 Python 小白到大神的学习资源,都在这了。
  4. logstash 同时支持多个管道_Logstash Multiple Pipelines
  5. 【HaaS Python硬件积木】乙醇传感器
  6. 单击事件 - 删除表单数据时提示是否确认删除
  7. 用好crm客户管理系统,很重要
  8. No.20 不深入而浅出 Roaring Bitmaps 的基本原理
  9. Android仿茄子快传-实现面对面快传功能
  10. Deep Subspace Clustering Networks