
Front-end example: what bypassing XSS filters teaches us about automated hidden-link (暗链) detection (2)

For example, the hex-escaped JS above can additionally be wrapped in an eval-based packer. The output of an online packer is shown below (the site's output is somewhat broken; a version built correctly by hand should work):

// eval() unpacker as emitted by the packing site (the \\w+ and \\b escapes are restored here; the HTML stripped them).
// The payload '1["0"]("9eedggg8 c")' has lost the backslashes and several characters that separated the \x.. escape tokens, so it no longer rebuilds the URL.
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1["0"]("9eedggg8 c")',62,17,'open|window|x2e|x2f|x3a|x61|x62|x63|x64|x68|x69|x6d|x6f|x70|x74|x75|x77'.split('|'),0,{}))

There are plenty of online obfuscation generators; try a few. Obfuscated to this degree the code's own father would not recognise it, yet for our bypass it is still far from enough.


0x02 The ultimate obfuscation tool: JSFuck

Whenever we spray XSS payloads around, another favourite tool keeps coming up: JSFuck.


JSFuck lets you write JavaScript programs using only the 6 characters []()!+.

For example, alert(1) written in JSFuck looks like this:

[][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]][([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+([][[]]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[+!+[]]]]+([][[]]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]((![]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+[+!+[]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]])()

JSFuck website:

The principle is not covered in this article. If the hex-escaped JS is first wrapped in the eval packer above and the result is then run through JSFuck as well, the picture is too beautiful to contemplate.
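The mechanism the text skips, as an added example that is mine and not the jsfuck.com implementation: every character is read out of a string the engine gives away for free ("false", "true", "undefined", and the source text of Array.prototype.filter), indexed by numbers built from +[] and !+[]; []["filter"]["constructor"] is Function, so the whole program becomes Function("alert(1)")(). The character table below is deliberately minimal and only covers what those four strings provide, which is enough for alert(1).

```javascript
// Minimal JSFuck-style encoder (added example, not jsfuck.com's code).

// Numbers: +[] is 0, +!+[] is 1, !+[]+!+[] is 2, ... (true + true + ... coerces to a count).
const num = (n) => (n === 0 ? '+[]' : n === 1 ? '+!+[]' : Array(n).fill('!+[]').join('+'));

// Strings the engine produces from the six characters alone.
const FALSE = '(![]+[])';     // "false"
const TRUE = '(!![]+[])';     // "true"
const UNDEF = '([][[]]+[])';  // "undefined"  ([][[]] is [][""])

// Index character `ch` out of a known string: <expr>[<number>]
const pick = (expr, text, ch) => {
  const i = text.indexOf(ch);
  if (i < 0) throw new Error(`no source for ${JSON.stringify(ch)}`);
  return `${expr}[${num(i)}]`;
};

// Character sources, searched in order. The filter entry is appended below once
// "filter" itself can be spelled from the first three.
const sources = [[FALSE, 'false'], [TRUE, 'true'], [UNDEF, 'undefined']];

// Spell a whole string as a `+` chain of single-character lookups.
const fromSources = (text) =>
  [...text]
    .map((ch) => {
      if (/[0-9]/.test(ch)) return `([${num(Number(ch))}]+[])`; // [n]+[] is the string "n"
      const src = sources.find(([, s]) => s.includes(ch));
      if (!src) throw new Error(`no source for ${JSON.stringify(ch)}`);
      return pick(src[0], src[1], ch);
    })
    .join('+');

// []["filter"] is a function; coercing it to a string yields "function filter() { ..."
// whose first 19 characters are the same in V8 and SpiderMonkey, giving c, o, (, ) and space.
const FILTER_FN = `[][${fromSources('filter')}]`;
sources.push([`(${FILTER_FN}+[])`, 'function filter() {']);

// Function(code)() spelled as [] ["filter"] ["constructor"] (code) ()
function encode(code) {
  return `${FILTER_FN}[${fromSources('constructor')}](${fromSources(code)})()`;
}

// Evaluate an encoded program (only ever feed this your own output).
function runEncoded(code) {
  return (0, eval)(encode(code));
}

// True when the output really consists of the six characters only.
const onlySixChars = (s) => /^[\[\]()!+]+$/.test(s);

console.log(encode('alert(1)'));
console.log(runEncoded('return 42'));
```

Because every character is an indexed lookup on a string and the program is pure concatenation, a filter that matches keywords such as alert, constructor or Function never sees them; a detector has to look at the character distribution of the script, not at its tokens.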

Detection

Since I have been looking at hidden links from the angle of bypassing XSS filters, detection can borrow from the techniques used to filter XSS.

1. When detecting hidden links, check for the various encodings, including but not limited to decimal Unicode encoding (HTML numeric character references such as &#104;).

2. For JS that calls eval, put extra effort into semantic de-obfuscation and inspect what the code actually does.

3. Beware of JSFuck.
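The three checks above, together with the eval packer from the first section, as one added example that is mine and not the author's detector: peel numeric-entity and JS-escape layers, statically unpack p,a,c,k,e,d packer output (rebuilding the packer's token dictionary instead of calling eval), flag JSFuck-like character runs, and then pull URLs out of the normalised code. The sample page and the example.test URLs are constructed for the example; PAGE_PACKED is the page's own blob with its stripped backslashes restored.

```javascript
// Static normaliser/detector for the evasion layers discussed on this page (added example).
// Nothing here executes the scanned code.

// Code points outside Unicode are dropped instead of throwing.
const chr = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');

// 1. Peel HTML numeric entities (&#104; &#x68;) and JS escapes (\x68 \u0068), repeating
//    until nothing changes so nested layers unwind too. This over-approximates (it also
//    decodes escapes inside comments or escaped backslashes), which is fine for detection.
function decodeLayers(text, maxRounds = 5) {
  let cur = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = cur
      .replace(/&#x([0-9a-f]+);?/gi, (_, h) => chr(parseInt(h, 16)))
      .replace(/&#(\d+);?/g, (_, d) => chr(Number(d)))
      .replace(/\\x([0-9a-f]{2})/gi, (_, h) => chr(parseInt(h, 16)))
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => chr(parseInt(h, 16)));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// 2. Unpack eval(function(p,a,c,k,e,d){...})(...) output without running it: rebuild the
//    token dictionary the packer builds for itself and substitute every \w+ token, which is
//    what its own replace loop does. Returns null when the text is not packer output.
function unpackPacked(js) {
  const m = /eval\(function\(p,a,c,k,e,d\)\{[\s\S]*?\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(js);
  if (!m) return null;
  const payload = m[1].replace(/\\'/g, "'"); // only the quote escape of the string literal is undone
  const base = Number(m[2]);
  const words = m[4].split('|');
  const enc = (c) => (c < base ? '' : enc(Math.floor(c / base))) + // the packer's index -> token encoder
    ((c %= base) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
  const dict = new Map();
  for (let c = Number(m[3]) - 1; c >= 0; c--) dict.set(enc(c), words[c] || enc(c));
  return payload.replace(/\w+/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// 3. JSFuck heuristic: a run of `minLen` or more characters drawn only from []()!+ .
//    Ordinary code never contains such runs; the threshold keeps `[]` or `!+[]` quiet.
function hasJsfuckRun(js, minLen = 64) {
  return new RegExp(`[\\[\\]()!+]{${minLen},}`).test(js);
}

// Run the three steps over one script body and collect findings.
function analyseScript(js) {
  const findings = [];
  const unpacked = unpackPacked(js);
  if (unpacked !== null) findings.push({ kind: 'packer', detail: unpacked });
  const plain = decodeLayers(unpacked ?? js);
  if (hasJsfuckRun(plain)) findings.push({ kind: 'jsfuck', detail: plain.slice(0, 40) });
  for (const url of plain.match(/https?:\/\/[^\s"'<>)]+/g) ?? []) findings.push({ kind: 'url', detail: url });
  return findings;
}

// Scan a page: every <script> body, plus href values, which the HTML parser entity-decodes.
function scanHtml(html) {
  const findings = [];
  for (const [, body] of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) findings.push(...analyseScript(body));
  for (const [, href] of html.matchAll(/href\s*=\s*["']([^"']*)["']/gi)) {
    const url = decodeLayers(href);
    if (url !== href && /^https?:\/\//.test(url)) findings.push({ kind: 'encoded-href', detail: url });
  }
  return findings;
}

// The packer's unpack routine as printed on this page (backslashes the site stripped are restored).
const PACKER_BODY = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}`;
// The page's own blob; its payload string was mangled by the generator, as the text notes.
const PAGE_PACKED = `${PACKER_BODY}('1["0"]("9eedggg8 c")',62,17,'open|window|x2e|x2f|x3a|x61|x62|x63|x64|x68|x69|x6d|x6f|x70|x74|x75|x77'.split('|'),0,{}))`;

// Constructed sample page: an entity-encoded hidden anchor, a hex-escaped window.open,
// a packed window.open, and a JSFuck-looking run. example.test URLs are placeholders.
const SAMPLE_HTML = String.raw`
<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#116;&#101;&#115;&#116;&#47;&#115;&#101;&#111;" style="display:none">x</a>
<script>window["open"]("\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x74\x65\x73\x74\x2f\x68\x65\x78")</script>
<script>${PACKER_BODY}('1["0"]("2")',62,3,'open|window|http://example.test/packed'.split('|'),0,{}))</script>
<script>${Array(12).fill('(![]+[])[+[]]').join('+')}</script>
`;

console.log(unpackPacked(PAGE_PACKED));
console.log(scanHtml(SAMPLE_HTML));
```

Unpacking the page's own blob returns window["open"]("9eedggg8 x6f"): the keyword list is a set of hex-escape bodies (x68, x74, ...), but the payload has lost the backslashes that separated them, so "9eedggg8" is one unknown token and no URL reassembles, which is why the text calls the generator's output broken. On the constructed page the scan reports the packed and hex-escaped example.test URLs, the entity-encoded href, and the JSFuck run; the JSFuck check is only a heuristic, so treat it as a trigger for manual review rather than a verdict.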

These are all fairly common techniques that black-hat groups use when planting hidden links; I have simply reflected on these problems from my everyday experience of bypassing XSS filters. If there are mistakes, please correct me.
