perimeterx px3 silent (no-interaction) mode analysis

perimeterx px3 analysis

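The familiar routine 😒
I need to work on this for my job.
This covers only the silent (no-interaction) mode.
Target site

```
aHR0cHM6Ly93d3cuc3Bpcml0LmNvbS8=
```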

Indicators

You will see many requests like this; that basically means the site uses px.

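Parameter encryption and decryption

The payload looks like base64.
It is actually the result of base64 encoding followed by a further encryption step.
Tracing its call stack shows that it is generated by the code here.
You will also notice that the code contains many obfuscated strings.
These can be processed with an AST pass.
That yields code that is easier to read, which can then be analyzed.
First, look at how the payload is encrypted.

The analysis shows that each byte of the JSON string is first XORed with 50 (`^ 50`) and the result is base64 encoded.
Then a string is derived from the uuid.
Then the base64 from the first step is split and interleaved with the string derived from the uuid.
After some further processing, that is the final payload.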

```
{
"do": null,
"ob": "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"
}
```
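The `ob` seen in the response is also encrypted.
This one is fairly simple:
base64 decode it, then XOR with (version number % 128).
The current version is v8.7.2, so that is (872 % 128).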

```
[
"o1oo1o|957a2621-8427-11ee-bdb4-077351f73529|31536000|true",
"11o111|79bce223313698a7586198b6ab78dc0d56e6f334b3d98ab8d36460a19a6fddda",
"o11o11oo|96206fb1-8427-11ee-a5c7-ea6a94989dfc|true",
"o1o111|cu",
"o111ooo1|1700101605261",
"111oo1|cc|60|U2FtZVNpdGU9TGF4Ow==",
"111o1o|15664779070372902995",
"o11o11|96206bfe-8427-11ee-a5c7-ea6a94989dfc",
"1oooo1|clanrpe6tl5m24stojmg",
"o111oooo|292",
"o111oo1o|_pxde|330|0dee1113d487bf7d78682188d959d13981ba17dcd2af8d264f7d5e6b6c9b2475:eyJ0aW1lc3RhbXAiOjE3MDAxMDE2MDUyNjF9|true|300"
]
```

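These are some of the values that take part in the later calculations.
The values beginning with tags such as `1oooo1` each stand for a different calculation logic.
![Alt text](image5.png)
All of this can be seen in the code.
Once initialization is complete, the next step is the browser environment check.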

```
[{
"t": "PX11590",
"d": {
"PX11431": "1700101605261",
"PX12454": 292,
"PX11701": "15664779070372902995",
"PX11529": 80457564,
"PX11555": 4294705152,
"PX11833": 61616059,
"PX11840": "Thu Nov 16 2023 10:26:45 GMT+0800 (China Standard Time)",
"PX12573": "58baea05",
"PX11804": "c93b435e78883931c991675c088777e3",
"PX12118": "clanrpe6tl5m24stojmg",
"PX11746": "71f68cf1450d0b31d397705dad72f593",
"PX11371": "c73a8f6757304c8bee54230a32cf34ef",
"PX12501": "8f5550519283f7b1591b0ea95f4e98ca",
"PX12169": 3,
"PX11902": 1,
"PX11560": 12110,
"PX11332": 1700101626566,
"PX12248": 3600,
"PX11385": 1700101604530,
"PX12280": 1700101627175,
"PX11496": "03642cf8-0fe5-4c04-b842-1334ee0458f4",
"PX12330": "109|66|66|70|80",
"PX11705": 1182,
"PX11938": true,
"PX11602": true,
"PX12021": "false",
"PX12421": "false",
"PX12124": 1,
"PX11609": 1,
"PX12291": "",
"PX11881": [
"loadTimes",
"csi",
"app"
],
"PX12207": 0,
"PX11538": 2,
"PX11984": "TypeError: Cannot read properties of null (reading '0')\n at de (https://client.px-cloud.net/PXVb73hTEg/main.min.js:796:13)\n at Eo (https://client.px-cloud.net/PXVb73hTEg/main.min.js:2294:31)\n at Co (https://client.px-cloud.net/PXVb73hTEg/main.min.js:2316:23)\n at https://client.px-cloud.net/PXVb73hTEg/main.min.js:2152:9",
"PX11645": "https://www.spirit.com/",
"PX11597": [],
"PX12023": "",
"PX11337": false,
"PX12544": true,
"PX12589": "succeeded",
"PX11524": true,
"PX11843": 1920,
"PX11781": 1080,
"PX12121": 1920,
"PX12128": 1055,
"PX12387": "1920X1080",
"PX12003": 24,
"PX11380": 24,
"PX11494": 906,
"PX12411": 853,
"PX12443": 0,
"PX12447": 0,
"PX11533": true,
"PX12079": false,
"PX12278": true,
"PX11694": false,
"PX12294": false,
"PX12514": true,
"PX12515": "TypeError: Cannot read properties of undefined (reading 'width')",
"PX12516": "webkit",
"PX12517": 33,
"PX12518": false,
"PX12545": false,
"PX12593": false,
"PX12595": "AudioData.SVGAnimatedAngle.SVGMetadataElement",
"PX12069": [
"PDF Viewer",
"Chrome PDF Viewer",
"Chromium PDF Viewer",
"Microsoft Edge PDF Viewer",
"WebKit built-in PDF"
],
"PX12286": 5,
"PX11576": true,
"PX12318": true,
"PX11384": true,
"PX11886": true,
"PX11583": "en-US",
"PX12458": "MacIntel",
"PX11681": [
"en-US"
],
"PX11754": "UA",
"PX12037": true,
"PX11390": -480,
"PX11621": 8,
"PX11657": 1,
"PX12081": "Gecko",
"PX11908": "20030107",
"PX12314": "",
"PX11829": true,
"PX11464": true,
"PX12054": 2,
"PX11821": "Netscape",
"PX11479": "Mozilla",
"PX11674": true,
"PX12241": 400,
"PX11372": false,
"PX11683": 1.5,
"PX11561": "3g",
"PX11877": true,
"PX12100": true,
"PX12506": "arm",
"PX12507": "64",
"PX12509": false,
"PX12510": "",
"PX12511": "macOS",
"PX12512": "13.5.0",
"PX12513": "117.0.5938.149",
"PX12548": true,
"PX12578": {},
"PX12579": {
"support": true,
"status": {
"effectiveType": "3g",
"rtt": 400,
"downlink": 1.5,
"saveData": false
}
},
"PX12508": [{
"brand": "Google Chrome",
"version": "117"
},
{
"brand": "Not;A=Brand",
"version": "8"
},
{
"brand": "Chromium",
"version": "117"
}
],
"PX12549": true,
"PX11539": "sss",
"PX11528": "",
"PX12271": "sss",
"PX11849": "ss",
"PX12464": "ss",
"PX11356": true,
"PX12426": true,
"PX11791": true,
"PX11517": true,
"PX12520": true,
"PX12524": "4YC14YCd4Y6YaI5oCR7r27",
"PX12527": "3207084bd110863e23aa78e04",
"PX12260": "UA",
"PX12249": false,
"PX11897": "90e65465",
"PX12597": 1,
"PX11526": false,
"PX11684": false,
"PX11812": false,
"PX12335": true,
"PX12080": 0,
"PX11678": false,
"PX11349": "visible",
"PX12397": false,
"PX11387": 0,
"PX12150": 1920,
"PX12304": true,
"PX11651": 970,
"PX11867": "missing",
"PX12254": true,
"PX11540": true,
"PX11548": false,
"PX11446": true,
"PX12550": 1,
"PX12431": 0,
"PX11991": 10,
"PX11837": 48,
"PX11632": 0,
"PX11409": 9,
"PX11508": "49e5084e",
"PX11452": "7c5f9724",
"PX12218": "65d826e0",
"PX12481": "a9269e00",
"PX11780": "50a5ec55",
"PX12551": "https:",
"PX12553": "Asia/Shanghai",
"PX12567": "w3c",
"PX12576": "screen",
"PX12554": "function getOwnPropertyDescriptors() { [native code] }",
"PX12577": "function query() { [native code] }",
"PX12594": false,
"PX12566": false,
"PX12571": "74d9c66",
"PX12581": "default",
"PX11303": false,
"PX11515": false,
"PX12133": false,
"PX12340": false,
"PX11738": false,
"PX11723": false,
"PX11389": false,
"PX11839": false,
"PX11460": false,
"PX12102": false,
"PX11378": false,
"PX12317": false,
"PX12564": null,
"PX12565": -1,
"2655744:343041:31::6": "3744655;252150;20;;7"
}
}]
```

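Some of the values are computed from the response to the previous request.
![Alt text](image7.png)

Keep tracing it this way; two to three requests are then sent.
![Alt text](image8.png)
Seeing score = 0 means it passed.
Not every site has this score, so you will not necessarily get it.
Seeing px2 is also basically a sign of success.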

```
// Response on success
{"errors":null,"messages":null,"data":{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkb3RSZXpXZWIiLCJqdGkiOiIyYjI0NzZiNi03ZDQ2LWRiYmItN2FlNS0xYzFjMjlhMGQ5M2IiLCJpc3MiOiJkb3RSRVogQVBJIn0.teGGMjUuam-dpY_hM7OmpJqr-jC5GrEZKweVkZ-aF7U","idleTimeoutInMinutes":15},"metadata":null}
// If it did not pass
{"appId":"PXkp4CLSb5","jsClientSrc":"/kp4CLSb5/init.js","firstPartyEnabled":true,"vid":"","uuid":"07439816-842d-11ee-9fc1-c57753063f72","hostUrl":"/kp4CLSb5/xhr","blockScript":"/kp4CLSb5/captcha/kp4CLSb5/captcha.js?a=c&u=07439816-842d-11ee-9fc1-c57753063f72&v=&m=0","altBlockScript":"https://captcha.px-cloud.net/PXkp4CLSb5/captcha.js?a=c&u=07439816-842d-11ee-9fc1-c57753063f72&v=&m=0","customLogo":"https://content.spirit.com/a/1679"}
// That is the press-and-hold captcha
```


# The End

This site has both px and akamai, so testing it is rather troublesome.

The next step is to tinker with the press-and-hold captcha.
Hopefully it goes smoothly.
🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪🤪

perimeterx px3 silent (no-interaction) mode analysis
http://example.com/2023/11/15/px/
Author
故意
Published
November 15, 2023
License