Comments (12)
drk1wi
commented on August 20, 2024
I think it might be related to some JS verification code. Can you check the console log if there aren't any errors?
from modlishka.
ciberx
commented on August 20, 2024
log is:
Listening on: [127.0.0.1:80]
Proxying [loopback.modlishka.io:80] via --> [https://mysite.com]
[Sat Jan 12 17:04:50 2019] DBG [RP] Checking domain: mysite.com
[Sat Jan 12 17:04:50 2019] DBG [RP] Checking IP: X.X.X.X
[Sat Jan 12 17:04:50 2019] DBG [RP] Checking IP: X.X.X.X
[Sat Jan 12 17:04:50 2019] DBG [P] Proxying target [https://mysite.com]
via phishing [loopback.modlishka.io]
[Sat Jan 12 17:04:50 2019] DBG PatchHeaders: HTTPRequest took 8.6ยตs
[Sat Jan 12 17:04:50 2019] DBG rewriteRequest took 2.393ms
[Sat Jan 12 17:04:51 2019] DBG Rewriting Set-Cookie Flags: from
[__cfduid=d0e4d63befcf8b48d89c6be8140cdc20f1547312691; expires=Sun,
12-Jan-20 17:04:51 GMT; path=/; domain=.mysite.com; HttpOnly; Secure]
-->
[__cfduid=d0e4d63befcf8b48d89c6be8140cdc20f1547312691; expires=Sun,
12-Jan-20 17:04:51 GMT; path=/; domain=.loopback.modlishka.io; HttpOnly;
Secure]
[Sat Jan 12 17:04:51 2019] DBG PatchHeaders: HTTPResponse took 4.3584ms
[Sat Jan 12 17:04:51 2019] DBG Fallback to default compression ()
[Sat Jan 12 17:04:51 2019] DBG [rw] Rewriting Response Body for (
https://mysite.com): status[503] type[text/html; charset=UTF-8] encoding[]
uncompressedBody[5094 bytes]
[Sat Jan 12 17:04:51 2019] DBG rewriteResponse took 10.31ms
from modlishka.
ciberx
commented on August 20, 2024
I think it might be related to some JS verification code. Can you check the console log if there aren't any errors?
You right, in Cloudflare page JS script, witch generate verification code.
> <script type="text/javascript">
> //<![CDATA[
> (function(){
> var a = function() {try{return !!window.addEventListener} catch(e) {return !1} },
> b = function(b, c) {a() ? document.addEventListener("DOMContentLoaded", b, c) : document.attachEvent("onreadystatechange", b)};
> b(function(){
> var a = document.getElementById('cf-content');a.style.display = 'block';
> setTimeout(function(){
> var s,t,o,p,b,r,e,a,k,i,n,g,f, BrDDXtq={"PaRhNA":+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]))};
> t = document.createElement('div');
> t.innerHTML="<a href='/'>x</a>";
> t = t.firstChild.href;r = t.match(/http?:\/\//)[0];
> t = t.substr(r.length); t = t.substr(0,t.length-1);
> a = document.getElementById('jschl-answer');
> f = document.getElementById('challenge-form');
> ;BrDDXtq.PaRhNA-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));BrDDXtq.PaRhNA-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(+[]));BrDDXtq.PaRhNA*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+!![]))/+((!+[]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]));BrDDXtq.PaRhNA*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]));a.value = +BrDDXtq.PaRhNA.toFixed(10) + t.length; '; 121'
> f.action += location.hash;
> f.submit();
> }, 4000);
> }, false);
> })();
> //]]>
> </script>
>
here domain is parsing
t = document.createElement('div');
t.innerHTML="<a href='/'>x</a>";
t = t.firstChild.href;r = t.match(/http?:\/\//)[0];
t = t.substr(r.length); t = t.substr(0,t.length-1);
other control the form
verification number generate this strings
var s,t,o,p,b,r,e,a,k,i,n,g,f, BrDDXtq={"PaRhNA":+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]))};
BrDDXtq.PaRhNA-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));BrDDXtq.PaRhNA-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(+[]));BrDDXtq.PaRhNA*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+!![]))/+((!+[]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]));BrDDXtq.PaRhNA*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]));a.value = +BrDDXtq.PaRhNA.toFixed(10) + t.length;
from modlishka.
drk1wi
commented on August 20, 2024
this looks like a nice JS obfuscation challenge. You will have to make sure that the challenge response form is submitted to the phishing domain . Did you get any error in the browsers console related to JS or with loading some network resources?
from modlishka.
ciberx
commented on August 20, 2024
error only with code 503
from modlishka.
drk1wi
commented on August 20, 2024
I would have to check it out on a live example. Never had to deal with cloudfire before, so I still didn't create any patch for their obfuscated JS.
from modlishka.
ignaloidas
commented on August 20, 2024
It's obfuscated using JSFuck,when de obfuscated it turns into
var s, t, o, p, b, r, e, a, k, i, n, g, f, BrDDXtq = { "PaRhNA": 0.9449327054957924 };
BrDDXtq.PaRhNA -= 4.6332352977948785;
BrDDXtq.PaRhNA -= 1.0561214128998724;
BrDDXtq.PaRhNA *= 3.8748301060430506
BrDDXtq.PaRhNA *= 0.8603531455472316
a.value = +BrDDXtq.PaRhNA.toFixed(10) + t.length;so BrDDXtq.PaRhNA = -15.816591965380718
Don't have time now to deal with the rest though.
from modlishka.
szmarczak
commented on August 20, 2024
s, t, o, p, b, r, e, a, k, i, n, g,
Stop breaking! :D
from modlishka.
drk1wi
commented on August 20, 2024
This looks interesting, but in general it is related to JS client-side bypass, which is rather out of the scope (still it is definitely doable :-) ).
from modlishka.
drk1wi
commented on August 20, 2024
Actually, if you are able to bypass it please create a PR. We could have a seperate directory for different JS client-side bypasses.
from modlishka.
ciberx
commented on August 20, 2024
There is projects wich bypass cloudflare Antibot page
https://github.com/Anorov/cloudflare-scrape
https://github.com/KyranRana/cloudflare-bypass
https://github.com/codemanki/cloudscraper
i hope this helps
from modlishka.
drk1wi
commented on August 20, 2024
I am closing this issue since it's related to client side JS.
from modlishka.
Related Issues (20)
- Bug when loading password section both on Microsoft office and gmail . HOT 3
- hi i have a problemo to install modlishka on mac os
- !!! x509: malformed certificate . Terminating. HOT 7
- error 509 certificate malformed
- "JsRule": "
- how to make links to social networks do not change?
- Invalid IP address & redirect HOT 1
- Is it possible to use a preloaded cookie?
- RPC executor service threw an error! HOT 1
- Mod
- How to use regex with rules replace HOT 1
- All Request Forwarded
- TLS Handshake Error Unknown Certificate
- Idle. Not Working. Everything seems set HOT 8
- Stuck on re-direction
- How to stop the Target URL in the body being replaced with the Phishing URL HOT 1
- control panel
- Error.
- TLS error
- modlishka socks5 ip not working
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from modlishka.