declaresthatallthecontentinthisarticleisforlearningandcommunicationonly,thecontentofcapturedpackets,sensitiveURLs,anddatainterfaceshavebeendesensitized,anditisstrictlyprohibitedforcommercialuseUseandillegaluse,otherwiseallconsequencesarisingtherefromhavenothingtodowiththeauthor,ifthereisanyinfringement,pleasecontactmetodeleteimmediately!逆向目标目标:某政务服务网登录接口主页:aHR0cHM6Ly9sb2dpbi5obnp3ZncuZ292LmNuL3RhY3MtdWMvbG9naW4vaW5kZXg=接口:aHR0cHM6Ly9sb2dpbi5obnp3ZncuZ292LmNuL3RhY3MtdWMvbmF0dXJhbE1hbi9sb2dpbk5v逆向参数:FormData:loginNo、loginPwd、code、requestUUIDRequestHeaders:token抓包分析本次逆向目标来源于某位粉丝的求助:随便输入Clickontheaccountpasswordtologin,capturethepacketandfindthattheRequestHeadersoftheinterfacehasanencryptedparametertoken,andtheloginNo,loginPwd,code,andrequestUUIDintheFormDataareallencrypted.TheloginNoandloginPwdshouldbetheusernameandpassword.Afterslidingtheverificationcode,youcanguessthattheothertwoparametersarerelatedtotheverificationcode,butonlyfromthepacketcapture,theothertwoparametersaresimilartotheformatofuuid,notquiteliketheparametersoftheverificationcode.Inaddition,youcannoticethatbeforeloggingin,therearetwocsrfSaveandoneverCoderequests.AnormalrequestwillreturnaJSONwithadataparameterinit,whichshouldbeusedlater.ParameterreverseFormDataLookatFormDatafirst,searchforanyparameter,suchasloginNo,itiseasytofindtheencryptedplaceinlogin.js,theusernameandpasswordareencryptedbytheencryptfunction,andthevalueofbackUrlisusingthelocalStorageattribute.Itistakenfromthedataofthekey-valuepairstoredinthebrowser,anditdoesnotaffectifitisempty.跟进encrypt,可以看到使用了JSEncrypt,标准的RSA加密:看loginCode,直接搜索这个值,可以看到是verCode请求返回的:再看requestUUID,它的值是一个UUID,直接在当前文件(login.js)中搜索,就可以看到定义了。有一个uploadUUID()方法,就是设置UUID的值。方法中向一个uploadIdentifier接口发送post请求:这里注意,如果直接全局搜索UUID的话,也可以在common.js中搜索一个方法。经测试,也可以请求直接使用该方法生成UUID。本网站可能不严谨,不会严格检查这个值。RequestHeadersForm数据解决了,我们看一下RequestHeaders中的token参数,因为它存在于请求头中,所以我们可以找到Hook生成它的地方:(function(){varorg=window.XMLHttpRequest.prototype.setRequestHeader;window.XMLHttpRequest.prototype.setRequestHeader=function(key,value){if(key=='token'){debugger;}returnorg.apply(this,arguments);};})();这里我们也可以直接搜索token、setRequestHeader等关键字,在common.js中很容易找到。当我们点击登录时,会有一个csrfSave请求,返回的数据值经过encrypt方法加密后就是登录请求头中的token了。这个token参数在很多请求中都会用到,生成方式都是一样的。它是将csrfSave请求返回的数据经过RSA加密后进行加密得到的:另外需要注意的是,上面提到的所有网络请求都涉及到cookie。SESSION值,可以在第一次访问的页面获取:登录流程下面我们看一下登录流程:访问csrfSave,获取一个数据值,通过RSA加密获取token,携带token访问uploadIdentifier,获取uuid;访问csrfSave,获取一个数据值,通过RSA加密获取token,携带token访问verCode,获取code;访问csrfSave,获取一个数据值,通过RSA加密获取token,携带token、uuid、code和加密后的账号密码,访问loginNo登录。这里第二步也可以直接使用Python或者JS生成一个uuid.网站验证不严格,也能通过。另外可以看出滑块是假的,通过代码不管滑块是可以登录的。完整代码GitHub关注K哥的爬虫,持续分享爬虫相关代码!欢迎加星!https://github.com/kgepachong/下面只是演示了部分关键代码,不能直接运行!完整代码仓库地址:https://github.com/kgepachong...JavaScript加密代码/*=====================================#@Time:2022-01-11#@Author:WeChat公众号:K哥爬虫#@FileName:encrypt.js#@Software:PyCharm#==================================*/JSEncrypt=require("jsencrypt")functionencrypt(pwd){varkey="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsgDq4OqxuEisnk2F0EJFmw4xKa5IrcqEYHvqxPs2CHEg2kolhfWA2SjNuGAHxyDDE5MLtOvzuXjBx/5YJtc9zj2xR/0moesS+Vi/xtG1tkVaTCba+TV+Y5C61iyr3FGqr+KOD4/XECu0Xky1W9ZmmaFADmZi7+6gO9wjgVpU9aLcBcw/loHOeJrCqjp7pA98hRJRY+MML8MK15mnC4ebooOva+mJlstW6t/1lghR8WNV8cocxgcHHuXBxgns2MlACQbSdJ8c6Z3RQeRZBzyjfey6JCCfbEKouVrWIUuPphBL3OANfgp0B+QG31bapvePTfXU48TYK0M5kE+8LgbbWQIDAQAB";varencrypt=newJSEncrypt();加密.setPublicKey(密钥);varencrypted=encrypt.encrypt(密码);返回加密;}//测试示例//console.log(encrypt("15555555555"))Python登录码#======================================#@Time:2022-01-11#@Author:微信公众号:K哥爬虫#@FileName:hnzww_login.py#@Software:PyCharm#=====================================importexecjsimportrequestcookies={}UA="Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/96.0.4664.110Safari/537.36"withopen("encrypt.js",encoding="utf-8")asf:js=execjs.compile(f.read())defcsrf_save():url="脱敏处理,完整代码关注GitHub:https://github.com/kgepachong/crawler"headers={"User-Agent":UA}response=requests.post(url=url,headers=headers,cookies=cookies).json()data=response["data"]returndatadefget_session():url="脱敏处理,完整代码关注github:https://github.com/kgepachong/crawler"headers={"User-Agent":UA}response=requests.get(url=url,headers=headers)cookies.update(response.cookies.get_dict())defget_uuid():url="脱敏处理,完整代码关注GitHub:https://github.com/kgepachong/crawler"headers={“User-Agent”:UA,“token”:js.call(“encrypt”,csrf_save())}response=requests.post(url=url,headers=headers,cookies=cookies).json()uuid=response["data"]returnuuiddefver_code():url="脱敏处理,完整代码关注GitHub:https://github.com/kgepachong/crawler"headers={"User-Agent":UA,"token":js.call("encrypt",csrf_save())}response=requests.post(url=url,headers=headers,cookies=cookies).json()data=response["data"]返回datadeflogin(phone,pwd,code,uuid):url="脱敏处理,完整代码关注GitHub:https://github.com/kgepachong/crawler"headers={"User-Agent":UA,"token":js.call("encrypt",csrf_save())}data={"backUrl":"","loginNo":js.call("encrypt",phone),"loginPwd":js.call("encrypt",pwd),"代码":code,"requestUUID":uuid,"guoBanAuthCode":""}response=requests.post(url=url,headers=headers,cookies=cookies,data=data)print(response.json())defmain():phone=input("请输入账号:")pwd=input("请输入密码:")get_session()uuid=get_uuid()code=ver_code()login(phone,pwd,code,uuid)if__name__=='__main__':main()
