PhantomJS is a headless WebKit with a JavaScript API. It has fast and native support for various web standards: DOM handling, CSS selectors, JSON, Canvas, and SVG. We can use PhantomJS to print out various information from exploit kit landing pages. Mainly, it can be used to extract the de-obfuscated code from highly obfuscated scripts.
You can download PhantomJS from http://phantomjs.org/download.html
Once downloaded, you can use the existing PhantomJS examples to build a script file for our purpose. Let's see how PhantomJS can help get the de-obfuscated code from the Blackhole Toolkit. Take a look at the script below:
Someone with exposure to Blackhole-served obfuscated scripts can de-obfuscate the script quickly. But when we come across some new kits, it can take a considerable amount of time to de-obfuscate the script. In such cases PhantomJS can speed things up.
It can print properties/values of DOM objects, print individual variables, help manipulate DOMs, and much more.
Looking at the above script, we can find multiple variables in the encoder part. To print a variable from that block, we can have PhantomJS do the work for us. We need to tell PhantomJS which variable to print to the console; for example, to print the variable ‘c’, we can use the script below.
This instructs PhantomJS to return the variable ‘c’, so that we can output it to the console and determine what it holds. Below is what you get when you run “PhantomJS.exe Blackhole.js > out.txt” (save the above script in Blackhole.js and redirect the output to out.txt; out.txt will then hold the variable ‘c’).
Likewise, we can instruct PhantomJS to display a whole DOM tree, like this:
The output in this case prints the whole ‘document’ DOM to the console in JSON format. We can parse the JSON output to filter out all the required data :)
We can have PhantomJS print individual DOM properties; for instance, if you wanted to print the baseURI of the requested webpage, you can “return window.document.baseURI”. PhantomJS boasts multiple other features that can be put to great use. The examples above are just a start, and there’s a lot more that can be added to the blend.
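An added example, not the script from the original post: a PhantomJS script that returns named global variables such as ‘c’ from a saved copy of a landing page through page.evaluate. The saved file name, the readVars helper and the handler that aborts network requests are assumptions of this example.

```javascript
// Added example: print named global variables from a locally saved
// landing page. File name and variable names come from the command line
// (assumed usage: phantomjs dumpvars.js saved_landing.html c).

// Runs inside the page: returns each requested global, serialised so it
// survives the trip back out of page.evaluate().
function readVars(names) {
    var out = {};
    for (var i = 0; i < names.length; i++) {
        var name = names[i];
        if (!(name in window)) {
            out[name] = { found: false };
            continue;
        }
        var value = window[name];
        var type = typeof value;
        // Functions and objects may not serialise; keep source or JSON text.
        if (type === 'function' || (type === 'object' && value !== null)) {
            try { value = type === 'function' ? String(value) : JSON.stringify(value); }
            catch (e) { value = String(value); }
        }
        out[name] = { found: true, type: type, value: value };
    }
    return out;
}

// Only runs under PhantomJS; the helper above is plain JavaScript.
if (typeof phantom !== 'undefined') {
    var system = require('system');
    var page = require('webpage').create();
    var target = system.args[1];        // saved copy of the landing page
    var wanted = system.args.slice(2);  // variable names to print

    // Let only local files load; abort anything that goes to the network.
    page.onResourceRequested = function (requestData, networkRequest) {
        if (requestData.url.indexOf('file://') !== 0) { networkRequest.abort(); }
    };

    page.open(target, function (status) {
        if (status !== 'success') {
            console.log('load failed: ' + target);
            phantom.exit(1);
        } else {
            console.log(JSON.stringify(page.evaluate(readVars, wanted), null, 2));
            phantom.exit(0);
        }
    });
}
```

Variables that the page never defines are reported with found set to false, which helps spot a decoder stage that did not run.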
PS: Take a look at the examples after installation. It can help take snapshots of websites as well :)