
monkey測試_基於chrome的monkey測試外掛

技術標籤:monkey測試

主要功能:瀏覽器外掛自動點選網站,將流量匯入代理掃描器進行掃描

原始碼:https://github.com/zzzzfeng/Clicker,後附關鍵程式碼

外掛概覽

557148b4c978954c4b7a84de45da6d68.png

# 用法

- git clone git@github.com:zzzzfeng/Clicker.git

- 在chrome瀏覽器開發者模式下以資料夾方式載入外掛

- 開啟外掛爬蟲功能

- 開啟網站,比如https://www.mi.com

- 外掛像爬蟲一樣,自動開啟所有相關頁面

- 配合代理掃描器來發現安全漏洞

# 技術細節

- background.js(全域 js)會監聽 tab 開啟/關閉事件,並發送當前 tab 總數到所有頁面,以控制同時開啟的 tab 總數。tab 數不夠時部分 tab 會隨機關閉,防止死鎖

- background.js中陣列儲存所有掃描過url的md5值(取url問號以左計算md5 16位),所有tab向該陣列傳送資料時,會同時接收到該陣列的值,以避免重複開啟。瀏覽器重啟會重置該陣列

- popup.js(臨時js)可以配置是否開啟掃描/最大tab數/掃描深度/域名白名單等,當值發生更改時,會向所有tab傳送訊息,以實現精準控制

- clicker.js(嵌入到tab頁面的js)會獲取當前頁面所有a.href和form(小米有品很少a標籤,基本為div.data-src),自動開啟,判斷掃描深度/去重

# 侷限性

- 前端框架導致沒有A標籤,全部基於js生成onclick,譬如xiaomi.cn這個站暫未適配

//全域性配置var crawldepth = 1;var crawlon = false;var whitelistArr = [];var maxtabcount = 10;var curtabcount = 0;var downloadfile = ['.apk','.exe','.deb','.dmg','.zip','.rar','.appimage','.tar.bz2','.tar','.jpg','.png','.gif','.bin']//首先獲取配置chrome.storage.local.get({'crawldepth':window.crawldepth, 'crawlon':window.crawlon, 'maxtabcount': window.maxtabcount, 'whitelist':''}, function(data) {  window.crawldepth = data.crawldepth;window.crawlon = data.crawlon;window.maxtabcount = data.maxtabcount;window.whitelistArr = data.whitelist.split(',');crawl();}); //監聽background.js/popup.js訊息chrome.runtime.onMessage.addListener(function(request, sender, sendResponse){if(request.cmd == 'changed'){if(request.depth != undefined){window.crawldepth = request.depth;}else if(request.crawlon  != undefined){window.crawlon = request.crawlon;}else if(request.maxtab  != undefined){window.maxtabcount = request.maxtab;}else if(request.whitelist  != undefined){window.whitelistArr = request.whitelist.split(',');}}else if(request.cmd == 'curtabs'){window.curtabcount = request.curtabs;}}); var globalscannedArr = [];var crawl = async () =>{if(!crawlon){console.log('未啟用');return;} var dhref = document.location.href;var dh = new URL(dhref); //掃描深度處理var curdepth = parseInt(dh.searchParams.get('crawldepth'));if(!curdepth){if(window.opener){//depth丟失,url重寫等原因console.log('depth lost '+dhref);await sleep(3000);try{window.close();}catch(e){}return;}else{//首開頁面console.log('first url '+dhref);if(dhref.indexOf('?') == -1){dhref += '?crawldepth=0';}else{dhref += '&crawldepth=0';}curdepth = 0;}}//超出深度if(curdepth >= window.crawldepth){console.log('curdepth: '+curdepth +' crawldepth: '+window.crawldepth);await sleep(3000);try{window.close();}catch(e){}return;}//本頁面去重var allA=[];var tmp = handleUrl(dhref);if (!tmp)return;allA.push(tmp); //去重chrome.runtime.sendMessage({url: dhref.split('?')[0].MD5()}, function(response) {console.log(response);globalscannedArr = response.split(',');});//等待3s,等js就緒await 
sleep(3000);var documentAll = document.querySelectorAll('*');for(let i=0;i= window.maxtabcount){console.info('tab not enough');//頁面隨機退出let randomint = Math.ceil(Math.random()*10);if(curdepth == window.crawldepth -1 && randomint < 5){try{window.close();}catch(e){}}else if(curdepth == window.crawldepth -2 && randomint < 4){try{window.close();}catch(e){}}else if(curdepth == window.crawldepth -3 && randomint < 3){try{window.close();}catch(e){}}await sleep(waitcount * 30000);waitcount++;if(!crawlon){try{window.close();}catch(e){}break;}} let v = documentAll[i];if(v.tagName == 'A'){//console.log(v.href);if (!v.href || v.href.indexOf('http') != 0){ continue;}let h = handleUrl(v.href);if(!h){ continue; } //本頁去重if(allA.indexOf(h) != -1){ continue;}allA.push(h);let hh = new URL(h);//去掉主頁連結if((dh.origin+dh.pathname).indexOf((hh.origin+hh.pathname)) != -1){ continue; } //全域性去重let urlmd5 = h.split('?')[0].MD5();if(globalscannedArr.indexOf(urlmd5) != -1){ console.log('scanned '+h); continue; } //開啟頁面console.info(h);h = handleDepth(h, curdepth);window.open(h, '_blank'); //add scannedchrome.runtime.sendMessage({url: urlmd5}, function(response) {console.log(response);globalscannedArr = response.split(',');}); //間隔時間await sleep((window.crawldepth-curdepth) * 2000);}else if(v.tagName == 'FORM'){//新視窗提交v.target = '_blank';if(!handleUrl(v.action)){continue;}v.action = handleDepth(v.action, curdepth); //全域性去重let urlmd5 = v.action.split('?')[0].MD5();if(globalscannedArr.indexOf(urlmd5) != -1){ console.log('scanned '+v.action); continue; }chrome.runtime.sendMessage({url: urlmd5}, function(response) {console.log(response);globalscannedArr = response.split(',');}); //填充表單let formAll = v.querySelectorAll('*');for(let j=0;j {if(!h)return false;let hh = new URL(h);//黑白名單檢測let whitecheck = false;let haswhite = false;for(let wi=0;wi {h = h.replace('crawldepth='+depth, '');if(h.indexOf('?') == -1){h += '?crawldepth='+(depth+1);}else{h += '&crawldepth='+(depth+1);}return h;} var sleep =  
(milliseconds) => {return new Promise(resolve => setTimeout(resolve, milliseconds));} String.prototype.MD5=function(bit){var sMessage=this;function RotateLeft(lValue,iShiftBits){return(lValue<>>(32-iShiftBits))}function AddUnsigned(lX,lY){var lX4,lY4,lX8,lY8,lResult;lX8=(lX&0x80000000);lY8=(lY&0x80000000);lX4=(lX&0x40000000);lY4=(lY&0x40000000);lResult=(lX&0x3FFFFFFF)+(lY&0x3FFFFFFF);if(lX4&lY4)return(lResult^0x80000000^lX8^lY8);if(lX4|lY4){if(lResult&0x40000000)return(lResult^0xC0000000^lX8^lY8);else return(lResult^0x40000000^lX8^lY8)}else return(lResult^lX8^lY8)}function F(x,y,z){return(x&y)|((~x)&z)}function G(x,y,z){return(x&z)|(y&(~z))}function H(x,y,z){return(x^y^z)}function I(x,y,z){return(y^(x|(~z)))}function FF(a,b,c,d,x,s,ac){a=AddUnsigned(a,AddUnsigned(AddUnsigned(F(b,c,d),x),ac));return AddUnsigned(RotateLeft(a,s),b)}function GG(a,b,c,d,x,s,ac){a=AddUnsigned(a,AddUnsigned(AddUnsigned(G(b,c,d),x),ac));return AddUnsigned(RotateLeft(a,s),b)}function HH(a,b,c,d,x,s,ac){a=AddUnsigned(a,AddUnsigned(AddUnsigned(H(b,c,d),x),ac));return AddUnsigned(RotateLeft(a,s),b)}function II(a,b,c,d,x,s,ac){a=AddUnsigned(a,AddUnsigned(AddUnsigned(I(b,c,d),x),ac));return AddUnsigned(RotateLeft(a,s),b)}function ConvertToWordArray(sMessage){var lWordCount;var lMessageLength=sMessage.length;var lNumberOfWords_temp1=lMessageLength+8;var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1%64))/64;var lNumberOfWords=(lNumberOfWords_temp2+1)*16;var lWordArray=Array(lNumberOfWords-1);var lBytePosition=0;var lByteCount=0;while(lByteCount>>29;return lWordArray}function WordToHex(lValue){var WordToHexValue="",WordToHexValue_temp="",lByte,lCount;for(lCount=0;lCount<=3;lCount++){lByte=(lValue>>>(lCount*8))&255;WordToHexValue_temp="0"+lByte.toString(16);WordToHexValue=WordToHexValue+WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2)}return WordToHexValue}var x=Array();var k,AA,BB,CC,DD,a,b,c,d;var S11=7,S12=12,S13=17,S14=22;var S21=5,S22=9,S23=14,S24=20;var 
S31=4,S32=11,S33=16,S34=23;var S41=6,S42=10,S43=15,S44=21;x=ConvertToWordArray(sMessage);a=0x67452301;b=0xEFCDAB89;c=0x98BADCFE;d=0x10325476;for(k=0;k