JustAnotherArchivist
/
cloudflare-circumvent
1
0
Fork 0
Code Issues 1 Pull Requests 0 Releases 0 Wiki Activity
A Python module to crack Cloudflare's JavaScript challenge (aka "I'm Under Attack" mode)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
76 KiB
 
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
cloudflare-circumvent/parse.py

294 lines
9.2 KiB
Raw Permalink Blame History 

  1. import enum

  2. import functools

  3. import operator

  4. import re

  5. 

  6. 

  7. class ParsingError(Exception):

  8. 	pass

  9. 

  10. 

  11. class EvaluationError(Exception):

  12. 	pass

  13. 

  14. 

  15. class StrEnum(enum.Enum):

  16. 	def __repr__(self):

  17. 		return str(self)

  18. 

  19. 

  20. class Type(StrEnum):

  21. 	group = 1

  22. 	brackets = 2

  23. 

  24. 

  25. class Modifier(StrEnum):

  26. 	negate = 1

  27. 	plus = 2

  28. 

  29. 

  30. class JSBool:

  31. 	def __init__(self, value):

  32. 		self.value = bool(value)

  33. 

  34. 	def __add__(self, other):

  35. 		if isinstance(other, (JSBool, JSInt)): # bool + bool/int -> int (addition)

  36. 			return JSInt(self) + JSInt(other)

  37. 		elif isinstance(other, JSString): # bool + string -> string (concatenation)

  38. 			return JSString(self) + other

  39. 		else:

  40. 			return NotImplemented

  41. 

  42. 	def __sub__(self, other):

  43. 		if isinstance(other, (JSBool, JSInt, JSString)): # bool - bool/int/string -> int (subtraction)

  44. 			return JSInt(self) - JSInt(other)

  45. 		else:

  46. 			return NotImplemented

  47. 

  48. 	def __mul__(self, other):

  49. 		if isinstance(other, (JSBool, JSInt, JSString)): # bool * bool/int/string -> int (multiplication)

  50. 			return JSInt(self) * JSInt(other)

  51. 		else:

  52. 			return NotImplemented

  53. 

  54. 	def __eq__(self, other):

  55. 		return isinstance(other, JSBool) and self.value == other.value

  56. 

  57. 	def __bool__(self):

  58. 		return self.value

  59. 

  60. 	def __int__(self):

  61. 		return int(self.value)

  62. 

  63. 	def __str__(self):

  64. 		return str(self.value).lower() # 'True' in Python is 'true' in JS

  65. 

  66. 	def __repr__(self):

  67. 		return 'JSBool({!r})'.format(self.value)

  68. 

  69. 

  70. class JSInt:

  71. 	def __init__(self, value):

  72. 		self.value = int(value)

  73. 

  74. 	def __add__(self, other):

  75. 		if isinstance(other, JSInt): # int + int -> int (addition)

  76. 			return JSInt(self.value + other.value)

  77. 		elif isinstance(other, JSBool): # int + bool -> int (addition)

  78. 			return self + JSInt(other)

  79. 		elif isinstance(other, JSString): # int + string -> string (concatenation)

  80. 			return JSString(self) + other

  81. 		else:

  82. 			return NotImplemented

  83. 

  84. 	def __sub__(self, other):

  85. 		if isinstance(other, JSInt): # int - int -> int (subtraction)

  86. 			return JSInt(self.value - other.value)

  87. 		elif isinstance(other, (JSBool, JSString)): # int - bool/string -> int (subtraction)

  88. 			return self - JSInt(other)

  89. 		else:

  90. 			return NotImplemented

  91. 

  92. 	def __mul__(self, other):

  93. 		if isinstance(other, JSInt): # int * int -> int (multiplication)

  94. 			return JSInt(self.value * other.value)

  95. 		elif isinstance(other, (JSBool, JSString)): # int * bool/string -> int (multiplication)

  96. 			return self * JSInt(other)

  97. 		else:

  98. 			return NotImplemented

  99. 

  100. 	def __eq__(self, other):

  101. 		return isinstance(other, JSInt) and self.value == other.value

  102. 

  103. 	def __bool__(self):

  104. 		return self.value != 0 # Any value other than zero is considered 'true'

  105. 

  106. 	def __int__(self):

  107. 		return self.value

  108. 

  109. 	def __str__(self):

  110. 		return str(self.value)

  111. 

  112. 	def __repr__(self):

  113. 		return 'JSInt({!r})'.format(self.value)

  114. 

  115. 

  116. class JSString:

  117. 	def __init__(self, value):

  118. 		self.value = str(value)

  119. 

  120. 	def __add__(self, other):

  121. 		if isinstance(other, JSString): # string + string -> string (concatenation)

  122. 			return JSString(self.value + other.value)

  123. 		elif isinstance(other, (JSInt, JSBool)): # string + int/bool -> string (concatenation)

  124. 			return self + JSString(other)

  125. 		else:

  126. 			return NotImplemented

  127. 

  128. 	def __sub__(self, other):

  129. 		if isinstance(other, (JSBool, JSInt, JSString)): # string - bool/int/string -> int (subtraction)

  130. 			return JSInt(self) - JSInt(other)

  131. 		else:

  132. 			return NotImplemented

  133. 

  134. 	def __mul__(self, other):

  135. 		if isinstance(other, (JSBool, JSInt, JSString)): # string * bool/int/string -> int (multiplication)

  136. 			return JSInt(self) * JSInt(other)

  137. 		else:

  138. 			return NotImplemented

  139. 

  140. 	def __eq__(self, other):

  141. 		return isinstance(other, JSString) and self.value == other.value

  142. 

  143. 	def __bool__(self):

  144. 		return self.value != '' # Any non-empty string is considered 'true'

  145. 

  146. 	def __int__(self):

  147. 		if self.value == '':

  148. 			return 0

  149. 		return int(self.value)

  150. 

  151. 	def __str__(self):

  152. 		return self.value

  153. 

  154. 	def __repr__(self):

  155. 		return 'JSString({!r})'.format(self.value)

  156. 

  157. 

  158. _itemModifierToResultMapping = {

  159. 	(): JSString(''),

  160. 	(Modifier.plus,): JSInt(0),

  161. 	(Modifier.negate,): JSBool(False),

  162. 	#(Modifier.plus, Modifier.plus): syntax error

  163. 	(Modifier.plus, Modifier.negate): JSInt(0),

  164. 	(Modifier.negate, Modifier.plus): JSBool(True),

  165. 	(Modifier.negate, Modifier.negate): JSBool(True),

  166. 	#(Modifier.plus, Modifier.plus, Modifier.plus): syntax error

  167. 	#(Modifier.plus, Modifier.plus, Modifier.negate): syntax error

  168. 	(Modifier.plus, Modifier.negate, Modifier.plus): JSInt(1),

  169. 	(Modifier.plus, Modifier.negate, Modifier.negate): JSInt(1),

  170. 	#(Modifier.negate, Modifier.plus, Modifier.plus): syntax error

  171. 	(Modifier.negate, Modifier.plus, Modifier.negate): JSBool(True),

  172. 	(Modifier.negate, Modifier.negate, Modifier.plus): JSBool(False),

  173. 	(Modifier.negate, Modifier.negate, Modifier.negate): JSBool(False),

  174. }

  175. 

  176. 

  177. class Item:

  178. 	def __init__(self, type, modifiers, values = None):

  179. 		if type not in (Type.group, Type.brackets):

  180. 			raise ValueError('type must be Type.group or Type.brackets')

  181. 		iter(modifiers) # Test whether modifiers is an iterable, and let the potential TypeError bubble up

  182. 		if not all(x in (Modifier.negate, Modifier.plus) for x in modifiers):

  183. 			raise ValueError('modifiers must be an iterable that can only contain Modifier.negate or Modifier.plus')

  184. 		if values is not None and type != Type.group:

  185. 			raise ValueError('values can only be specified for group items')

  186. 		if type == Type.group and values is None:

  187. 			raise ValueError('values are required for group items')

  188. 		self.type = type

  189. 		self.modifiers = modifiers

  190. 		self.values = values

  191. 

  192. 	def evaluate(self, evaluateFunction = None):

  193. 		if self.type == Type.group:

  194. 			if evaluateFunction is None or not callable(evaluateFunction):

  195. 				raise ValueError('must specify a callable evaluateFunction when evaluating a group item')

  196. 			return evaluateFunction(self.values, self.modifiers)

  197. 		else:

  198. 			try:

  199. 				return _itemModifierToResultMapping[tuple(self.modifiers)]

  200. 			except KeyError:

  201. 				raise EvaluationError('Unrecognised modifier pattern {!r}'.format(self.modifiers))

  202. 

  203. 	def __eq__(self, other):

  204. 		return isinstance(other, Item) and self.type == other.type and self.modifiers == other.modifiers and self.values == other.values

  205. 

  206. 	def __repr__(self):

  207. 		return 'Item({!r}, {!r}{})'.format(self.type, self.modifiers, ', values = {!r}'.format(self.values) if self.values is not None else '')

  208. 

  209. 

  210. def parse(s):

  211. 	'''

  212. 	Parse expression s into a tree of Items.

  213. 

  214. 	Argument: s (string), the expression to evaluate

  215. 

  216. 	Returns: tree (list of Items)

  217. 	'''

  218. 

  219. 	itemStack = {0: []}

  220. 	modifierStack = {0: []}

  221. 	currentItemStack = itemStack[0]

  222. 	currentModifierStack = modifierStack[0]

  223. 	stackLevel = 0

  224. 	finishedItem = False

  225. 	pos = 0

  226. 	length = len(s)

  227. 	while pos < length:

  228. 		char = s[pos]

  229. 		if char == '+':

  230. 			if pos == 0 or not finishedItem:

  231. 				finishedItem = False

  232. 				currentModifierStack.append(Modifier.plus)

  233. 			# else: addition, nothing to do

  234. 		elif char == '!':

  235. 			finishedItem = False

  236. 			currentModifierStack.append(Modifier.negate)

  237. 		elif char == '(':

  238. 			finishedItem = False

  239. 			stackLevel += 1

  240. 			currentItemStack = itemStack[stackLevel] = []

  241. 			currentModifierStack = modifierStack[stackLevel] = []

  242. 		elif char == ')':

  243. 			if stackLevel == 0:

  244. 				raise ParsingError('Encountered ) without matching (')

  245. 			stackLevel -= 1

  246. 			currentItemStack = itemStack[stackLevel]

  247. 			currentItemStack.append(Item(type = Type.group, modifiers = modifierStack[stackLevel], values = itemStack[stackLevel + 1]))

  248. 			currentModifierStack = modifierStack[stackLevel] = []

  249. 			finishedItem = True

  250. 		elif char == '[':

  251. 			if s[pos + 1] != ']':

  252. 				raise ParsingError('Invalid byte found at position {}; expected ] but got {}'.format(pos + 1, s[pos + 1]))

  253. 			# End of modifier sequence

  254. 			currentItemStack.append(Item(type = Type.brackets, modifiers = currentModifierStack))

  255. 			currentModifierStack = []

  256. 			pos += 1 # Skip over closing bracket

  257. 			finishedItem = True

  258. 		pos += 1

  259. 	return itemStack[0]

  260. 

  261. 

  262. def evaluate(tree, modifiers = None):

  263. 	t = map(lambda x: x.evaluate(evaluate), tree)

  264. 	if len(tree) > 1:

  265. 		result = functools.reduce(operator.add, t) # Concatenation or addition, but this is all handled in the JS* classes

  266. 	else:

  267. 		result = next(t)

  268. 	if modifiers == [Modifier.plus]:

  269. 		return JSInt(result)

  270. 	return result

  271. 

  272. 

  273. def crack(url, html):

  274. 	m = re.search(r'setTimeout\(function\(\)\{\s+var\s+s,t,o,p,b,r,e,a,k,i,n,g,f,\s*(?P<parent>[a-zA-Z]+)=\{"(?P<child>[a-zA-Z]+)":(?P<initialExpression>[^}]+)\};' +

  275. 	  r'\s*t\s*=\s*document\.createElement\(\'div\'\);' +

  276. 	  r'\s*t\.innerHTML="<a href=\'/\'>x</a>";' +

  277. 	  r'\s*t\s*=\s*t\.firstChild\.href;\s*r\s*=\s*t\.match\(/https\?:\\/\\//\)\[0\];' +

  278. 	  r'\s*t\s*=\s*t\.substr\(r\.length\);\s*t\s*=\s*t\.substr\(0,t\.length-1\);' +

  279. 	  r'\s*a\s*=\s*document\.getElementById\(\'jschl-answer\'\);' +

  280. 	  r'\s*f\s*=\s*document\.getElementById\(\'challenge-form\'\);' +

  281. 	  r'\s*;((?P=parent)\.(?P=child)\s*[*+-]=\s*[^;]+\s*;\s*)+a\.value\s*=\s*parseInt\((?P=parent)\.(?P=child),\s*10\)\s*\+\s*t\.length;\s*\';\s*121\'' +

  282. 	  r'\s*f\.action\s*\+=\s*location\.hash;' +

  283. 	  r'\s*f\.submit\(\);' +

  284. 	  r'\s*\},\s*4000\);', html)

  285. 	if not m:

  286. 		return None

  287. 	d = m.groupdict()

  288. 	operators = {'*': operator.mul, '+': operator.add, '-': operator.sub}

  289. 	result = evaluate(parse(d['initialExpression']))

  290. 	for m in re.finditer(d['parent'] + r'\.' + d['child'] + r'\s*(?P<operator>[*+-])=\s*(?P<expression>[^;]+)', html):

  291. 		result = operators[m.group('operator')](result, evaluate(parse(m.group('expression'))))

  292. 	domain = re.search(r'^https?://([^/]+)/', url).group(1)

  293. 	return result + JSInt(len(domain))