反向目标:百度翻译接口参数首页:https://fanyi.youdao.com/接口:https://fanyi.baidu.com/v2tra...反向parameters:FormData:sign:706553.926920token:d838e2bd3d5a3bb67100a7b789463022逆过程抓包分析我们在百度翻译页面随便输入文字,可以看到翻译结果出来了,没有刷新页面,所以可以推断是加载的Ajax,打开开发Reader工具,选择XHR过滤Ajax请求,可以看到有一个POST请求,URL为https://fanyi.baidu.com/v2tra...当我们输入“test”时,返回的数据转换成Unicode中文后类似如下结构:{"trans_result":{"data":[{"dst":"test","prefixWrap":0,"result":[[0,"test",["0|6"],[],["0|6"],["0|4"]]],"src":"test"}],"from":"zh","status":0,"to":"en","type":2},"dict_result":{//省略},"liju_result":{//省略}}trans_result是翻译结果,dict_result是更多的翻译结果,liju_result是例句,标签等,那么这个url就是我们的翻译界面需要。既然是POST请求,我们观察它的FormData:from:languagetobetranslated;至:目标语言;查询:待翻译的字符串;transtype:实时翻译realtime,手动点击翻译translang;simple_means_flag,域:固定值;sign:如果待翻译的字符串发生变化,其值也会发生变化,需要进一步分析;token:虽然它的值不会改变,但是不知道它是怎么来的,需要进一步分析。在抓包过程中,我们还注意到有一个POST请求,URL为https://fanyi.baidu.com/langd...,返回数据如下:{"error":0,"msg":"success","lan":"zh"}很明显,这是一种自动检测待翻译字符串的语言。它的表单数据也很简单。查询是要翻译的字符串。该接口可根据实际场景使用。由于tokentoken的值是固定的,我们可以尝试直接搜索,在首页的源码中可以找到,直接使用正则表达式就可以提取出来。获得标志会改变。怀疑是js动态生成的,于是尝试全局搜索sign。这是一个技巧。仅搜索sign会出现很多结果。您可以添加冒号或等号来缩小范围。Searchforsign:你可以在index_a8b7098.js中找到5个匹配的位置。观察发现第8392行的位置数据最全,与之前抓包看到的FormData数据一致。点击行号,在这里埋下断点,点击translate按钮,可以看到断点成功。此时sign的值就是我们想要的最终值:这里将要翻译的字符串传入L函数,鼠标放在L函数上,直接点击跟随这个函数,可以发现sign的值其实是函数functione(r)经过一系列操作后得到的,直接copy这个函数进行本地调试,在调试的过程中,可以发现在Closure中少了一个i的值右边的列,或者用鼠标选中i,就可以看到i的值。多次调试,发现是固定的,直接写死:继续调试函数e(r),会提示少了一个函数n,直接跟进这个函数,copy函数n在一起。完整代码baidu_encrypt.js获取符号的值:vari='320305.131321201'functionn(r,o){for(vart=0;t=“一个”?a.charCodeAt(0)-87:Number(a),a="+"===o.charAt(t+1)?r>>>a:r<30&&(r=""+r.substr(0,10)+r.substr(Math.floor(t/2)-5,10)+r.substr(-10,10))}else{对于(vare=r.split(/[\uD800-\uDBFF][\uDC00-\uDFFF]/),C=0,h=e.length,f=[];h>C;C++)""!==e[C]&&f.push.apply(f,a(e[C].split(""))),C!==h-1&&f.push(o[C]);varg=f.length;g>30&&(r=f.slice(0,10).join("")+f.slice(Math.floor(g/2)-5,Math.floor(g/2)+5).join("")+f.slice(-10).join(""))}varu=void0,l=""+String.fromCharCode(103)+String.fromCharCode(116)+String.fromCharCode(107);你=空!==我?我:(我=窗口[l]||“”)||"";对于(vard=u.split("."),m=Number(d[0])||0,s=Number(d[1])||0,S=[],c=0,v=0;v一个?S[c++]=A:(2048>A?S[c++]=A>>6|192:(55296===(64512&A)&&v+1>18|240,S[c++]=A>>12&63|128):S[c++]=A>>12|224,S[c++]=A>>6&63|128),S[c++]=63&A|128)}for(varp=m,F=""+String.fromCharCode(43)+String.fromCharCode(45)+String.fromCharCode(97)+(""+String.fromCharCode(94)+String.fromCharCode(43)+String.fromCharCode(54)),D=""+String.fromCharCode(43)+String.fromCharCode(45)+String.fromCharCode(51)+(""+String.fromCharCode(94)+String.fromCharCode(43)+String.fromCharCode(98)))+(""+String.fromCharCode(43)+String.fromCharCode(45)+String.fromCharCode(102)),b=0;bp&&(p=(2147483647&p)+2147483648),p%=1e6,p.toString()+"."+(p^m)}//console.log(e('测试'))baidufanyi.py#!/usr/bin/envpython3#-*-coding:utf-8-*-importreimportexecjsimportrequestsindex_url='https://fanyi.baidu.com/'lang_url='https://fanyi.baidu.com/langdetect'translate_api='https://fanyi.baidu.com/v2transapi'headers={'Accept':'*/*','Accept-Encoding':'gzip,deflate,br','Accept-Language':'zh,zh-CN;q=0.9,en-US;q=0.8,en;q=0.7','Connection':'keep-alive','Content-Type':'application/x-www-form-urlencoded;charset=UTF-8','Cookie':'BIDUPSID=3BE16D933E9C0182F2A6E93D7A9D1424;PSTM=1623723330;百度ID=8496908995397662040287D2CE1C4224:FG=1;__yjs_duid=1_779078c2c847bb3217554b8549ad49bd1623728424311;REALTIME_TRANS_SWITCH=1;HISTORY_SWITCH=1;FANYI_WORD_SWITCH=1;SOUND_SPD_SWITCH=1;SOUND_PREFER_SWITCH=1;BDSFRCVID_BFESS=BkFOJeCT5G3_WP5eFqJ2T4D2p2KKN9OTTPjcTR5qJ04BtyCVNKsaEG0PtOgMNBDbJ2MRogKKLgOTHULF_2uxOjjg8UtVJeC6EG0Ptf8g0M5;H_BDCLCKID_SF_BFESS=tJ4toCPMJI_3fP36q45HMt00qxby26PDajn9aJ5nQI5nhU7505oqDJ0Z0ROOWhRute3i2DTvQUbmjRO206oay6O3LlO83h5wW57KKl0MLPbcep68LxODy6DI0xnMBMnr52OnaU513fAKftnOM46JehL3346-35543bRTLnLy5KJYMDF4D5_ae5O3DGRf-b-XKD600PK8Kb7VbUF6qfnkbft7jtteyhbTJCID-UQKQPnc_pC4yURFef473b3B5h3NJ66ZoIbPbPTTSlroKPQpQT8r5-nMWx6G3IrZoq64ab3vOpRTXpO13fAzBN5thURB2DkO-4bCWJ5TMl5jDh3Mb6ksD-FtqjDjJRCOoI--f-3bfTrP-trf5DCShUFs3tnlB2Q-5M-a3KOrSUtGbfjay6D7j-8HbTjiW2_82MbmLncjSM_GKfC2jMD32tbpWfneKmTxoUJ2Bb3Y8loe-xCKXqDebPRiWPb9QgbP2pQ7tt5W8ncFbT7l5hKpbt-q0x-jLTnhVn0MBCK0HPonHjKbDTvL3f;BDORZ=B490B5EBF6F3CD402E515D22BCDA1598;hm_lvt_64ecd82404c51e03dc91cb9e8c025574=1624438637,1624603638,1624928461,1624953786;H_PS_PSSID=34131_34099_31253_34004_33607_34107_34135;删除=0;PSINO=6;BAIDUID_BFESS=8496908995397662040287D2CE1C4224:FG=1;BDRCVFR[X_XKQks0S63]=mk3SLVN4HKm;hm_lpvt_64ecd82404c51e03dc91cb9e8c025574=1624962661;__yjs_st=2_MzJhZTMxZGU5MjZjNGJiZTJiZjQwYjVkMWM5ZjYyMGFjZDlkMDJmNTU3OGU5ZTM4N2JjNjNkODAwYWJiY2M3NDA1NWEyODNkMzNkMDEzNThiZTU4NzNhMTQxYzIxOTQyMzg3MjhiMzA5ZjY2MDczZTBhZDdmZDg4YTFhNjVmZTMwZTYyZTRjNmRhMWNmYzg3NDFjODYzYTRlZTE2NzBmODAyMWI4MTI3NTZmNjg1MDk4OWIxZTYzNTc4NzhjY2E3NzU3ZGYyZmI1ODdjZTM5ZDNlOGU0ZGQ2NzE5OGU2NzUzM2ZhZTcxZmVjNjI4MDIyN2Y1N2NlMzZmMmRlY2U4Yl83XzQ5NzQ4ZWE4;ab_sr=1.0.1_MmUwODU0NGE4NjIwZmY4NjgxZmM1NGYxOTI5ZWQwOGU2NjU3ZjgwNzhkMTNjNDI5NWE0ODQwYzlkZDVjY2Q1YWEyZDQyZWI0ZjNkMWQ0NTEyMGFjYzdiNDdmNzYxYjNiMjkxZTI1M2I3Y2VhZGE3NDEzOTgyMjY1MjBlZGM4OGJiZGVjMzFkYTM3ODgyMTRkZjJhMGYzNGM0MGJmMGY1Yg==','Host':'fanyi.baidu.com','来源':'https://fanyi.baidu.com','Referer':'https://fanyi.baidu.com/','sec-ch-ua':'"Not;ABrand";v="99","GoogleChrome";v="91","Chromium";v="91"','sec-ch-ua-mobile':'?0','Sec-Fetch-Dest':'empty','Sec-Fetch-Mode':'cors','Sec-Fetch-Site':'同源','User-Agent':'Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,如Gecko)Chrome/91.0.4472.114Safari/537.36','X-Requested-With':'XMLHttpRequest'}defget_token():response=requests.get(url=index_url,headers=headers).texttoken=re.findall(r"token:'([0-9a-z]+)",response)[0]returntokendefget_sign(query):withopen('baidu_encrypt.js','r',编码='utf-8')asf:baidu_js=f.read()sign=execjs.compile(baidu_js).call('e',query)returnsigndefget_result(lang,query,sign,token):data={'from':lang,'to':'en','query':查询,'transtype':'realtime','simple_means_flag':'3','sign':sign,'token':token,}response=requests.post(url=translate_api,headers=headers,data=data)result=response.json()['trans_result']['data'][0]['dst']returnresultdefmain():query=input('请输入要翻译的文本:')response=requests.post(url=lang_url,headers=headers,data={'query':query})lang=response.json()['lan']token=get_token()sign=get_sign(query)result=get_result(lang,query,sign,token)print('结果翻译成英文为:',result)if__name__=='__main__':main()
