Itisdeclaredthatallthecontentinthisarticleisforlearningandcommunicationonly.Thecapturedcontent,sensitiveURLs,anddatainterfaceshavebeendesensitized,andarestrictlyprohibitedfrombeingusedforcommercialorillegalpurposes.Otherwise,allconsequencesarisingtherefromhavenothingtodowiththeauthor.Infringement,pleasecontactmetodeleteimmediately!逆向目标目标:某地公共资源交易网主页:aHR0cDovL2dnenkuamNzLmdvdi5jbi93ZWJzaXRlL3RyYW5zYWN0aW9uL2luZGV4接口:aHR0cDovL2dnenkuamNzLmdvdi5jbi9wcm8tYXBpLWNvbnN0cnVjdGlvbi9jb25zdHJ1Y3Rpb24vYmlkZGVyL2JpZFNlY3Rpb24vbGlzdA==逆向参数:URL链接中的projectId、projectInfo参数逆向过程抓包分析通过链接进入到网站,会发现先转会圈才进入到网页,theremaybearenderingandloadingprocesshere,openthedevelopertool,refreshthewebpage,andscrolldowntoseetheinterfacewherethedataisreturnedaftercapturingthepacket:aHR0cDovL2dnenkuamNzLmdvdi5jbi9wcm8tYXBpLWNvbnN0cnVjdGlvbi9jb25zdHJ1Y3Rpb24vYmlkZGVyL2JpZFNlY3Rpb24vbGlzdcanbeseeninthepreviewpageoftheresponseA==bGlzdAllannouncementinformation:QueryStringParameterscontainssomeparameterinformation,andthemeaningofeachtypewillbeexplainedindetaillater:pageNum:thecurrentpagepageSize:pagesizeinformationType:announcementtypeprojectType:projecttypeinformationName:informationtypeandthenclickAnannouncement,jumpingtoanewpage,youwillfindthatthewebpagelinkhasbecomethisformat:XXX/index?projectId=XXX&projectInfo=XXX,twoencryptedparametersprojectIdandprojectInfoaregenerated,andaftertesting,thesameannouncementpagethisThevalues??ofthetwoencryptedparametersarefixed,andnextweneedtotrytofindtheencryptedpositionofthesetwoparameters.DebugginganalysisandpositioningSearchtheprojectIdparametergloballyfromthehomepagelocationCTRL+SHIFT+F,andcompareitinturntofindthatthetwoencryptedparametersprojectIdandprojectInfoareinchunk-63628500.eb5f8d30.js定义,这里是一个三元运算,如果item类型相同则执行后面的方法,如果不相同则稍后执行:上面代码行判断中出现的ZFCG和GTGC是什么意思,CTRL+SHIFT+F全局搜索ZBGG参数,在chunk-043c03b8.34f6abab.js文件中,我们可以找到对应的定义,以下是它们各自的含义:在第267行,在returnt.stop()处设置断点进行调试分析,点击任意公告,会发现断点被打断,即定位成功,鼠标悬停在projectId和projectInfo对应的值上,可以获知如下信息:projectId:项目编号projectInfo:informationtype既然知道了两个加密参数的具体含义,我们就需要找到它的加密位置,projectId和projectInfo参数是通过一个.parameterTool.encryptJumpPage方法执行的,encryptJumpPage跳转页面加密?这不是简单的指示:我们把鼠标悬停在a.parameterTool.encryptJumpPage上,跟进该方法生成的js文件app.3275fd87.js看看:上面我们可以清楚的知道下面的具体含义两个参数:query:加密数据(projectId和projectInfo)nextPath:路由跳转位置在2389行断点处调试分析,从下图可以看出,projectId和projectInfo参数加密在a:进一步追踪位置a的,向上滑动可以看到2335到2356行明显是DES加密:但是不知道是哪个函数部分对query中的projectId和projectInfo参数进行了加密。下面继续破解调试分析。当找到第2341行的断点时,projectId参数对应的值424和projectInfo参数对应的值ZBGG都在函数c(t)中进行了处理,证明这是关键加密位置:functionc(t){returni.a.DES.encrypt(t,o.keyHex,{iv:o.ivHex,模式:i.a.mode.CBC,padding:i.a.pad.Pkcs7}).ciphertext.toString()}分析此密钥加密代码:iv:ivHex十六进制初始向量方式:采用CBC加密方式,为循环方式。对密文与本组明文异或后的padding进行加密:采用Pkcs7padding方法,当padding=blocklength-(datalength%blocklength)时,先得到要填充的字节长度,allinpaddingbytesequence字节填充需要填充的字节长度值ciphertext.toString():以十六进制字符串的形式返回加密后的密文,用于模拟执行这里直接参考JS,使用加密模块nodejs中的crypto-js执行DES加密。如果在调试时提示某个函数未定义,只需添加其定义部分即可。改写后完整的JS代码如下:varCryptoJS=require('crypto-js');o={keyHex:CryptoJS.enc.Utf8.parse(Object({NODE_ENV:"production",VUE_APP_BASE_API:"/pro-api",VUE_APP_CONSTRUCTION_API:"/pro-api-construction",VUE_APP_DEV_FILE_PREVIEW:"/lyjcdFileView/onlinePreview",VUE_APP_FILE_ALL_PATH:"http:///www.lyjcd.cn:8089",VUE_APP_FILE_PREFIX:"/mygroup",VUE_APP_LAND_API:"/pro-api-land",VUE_APP_PREVIEW_PREFIX:"/lyjcdFileView",VUE_APP_PROCUREMENT_API:"/pro-api-procurement",VUE_APP_WINDOW_TITLE:"XXXXXX",BASE_URL:"/"}).VUE_APP_CUSTOM_KEY||"54367819"),ivHex:CryptoJS.enc.Utf8.parse(Object({NODE_ENV:"production",VUE_APP_BASE_API:"/pro-api",VUE_APP_CONSTRUCTION_API:"/pro-api-construction",VUE_APP_DEV_FILE_PREVIEW:"/lyjcdFileView/onlinePreview",VUE_APP_FILE_ALL_PATH:"http://www.lyjcd.cn:8089",VUE_APP_FILE_PREFIX:"/mygroup",VUE_APP_LAND_API:"/pro-api-land",VUE_APP_PREVIEW_PREFIX:"/lyjcdFileView",VUE_APP_PROCUREMENT_API:"/pro-api-procurement",VUE_APP_WINDOW_TITLE:"XXXXXX",BASE_URL:"/"}).VUE_APP_CUSTOM_IV||"54367819")};functionc(t){returnCryptoJS.DES.encrypt(t,o.keyHex,{iv:o.ivHex,模式:CryptoJS.mode.CBC,padding:CryptoJS.pad.Pkcs7}).ciphertext.toString()}//test//console.log(c('ZBGG'))//ff15d186c4d5fa7aVUE_APP_WINDOW_TITLE对应值的内容已经脱敏,经过测试,不影响结果输出完整代码GitHub关注K哥的爬虫,持续分享爬虫相关代码!欢迎加星!https://github.com/kgepachong/下面只是演示了部分关键代码,不能直接运行!完整代码仓库地址:https://github.com/kgepachong...本案例代码:https://github.com/kgepachong...#==========================#--*--coding:utf-8--*--#@Author:WeChat公众号:K爬虫哥#@FileName:ggzy.py#@Software:PyCharm#========================importurllib.parseimportexecjsimportrequestsurl='脱敏处理,完整代码参考https://github.com/kgepachong/crawler/'defencrypted_project_id(id_enc):withopen('ggzy_js.js','r',encoding='utf-8')asf:public_js=f.read()project_id=execjs.compile(public_js).call('Public',id_enc)returnproject_iddefencrypted_project_info(info_enc):withopen('ggzy_js.js','r',encoding='utf-8')asf:public_js=f.read()project_info=execjs.compile(public_js)。呼叫('公共',info_enc)returnproject_infodefget_project_info(info_name,info_type):index_url='脱敏处理,完整代码遵循https://github.com/kgepachong/crawler/'urlparse=urllib.parse.urlparse(index_url)project_info=urllib.parse.parse_qs(urlparse.query)['informationName'][0]returnproject_infodefget_content(page,info_name,info_type):headers={"Connection":"keep-alive","Pragma":"no-cache","Cache-Control":"no-cache","Accept":"application/json,text/plain,*/*","User-Agent":"Mozilla/5.0(WindowsNT10.0;WOW64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/86.0.4240.198Safari/537.36","Referer":"脱敏处理,完整代码参考https://github.com/kgepachong/crawler/","Accept-Language":"zh-CN,zh;q=0.9"}url_param="脱敏处理,完整代码关注https://github.com/kgepachong/crawler/"params={"pageNum":page,"pageSize":"20","releaseTime":"","search":"","informationType":info_type,"departmentId":"","projectType":"SZFJ","informationName":info_name,"onlyCanBidSectionFlag":"NO"}response=requests.get(url=url_param,headers=headers,params=params)returnresponsedefmain():print("脱敏处理,For完整代码见https://github.com/kgepachong/crawler/")info_name=input("请输入信息类型:")info_type=input("请输入公告类型:")page=input("Do你想获取数据页数:")get_content(page,info_name,info_type)response=get_content(page,info_name.upper(),info_type.upper())num=int(page)*20print("A共获得%d个项目"%num)foriinrange(20):title=response.json()['rows'][i]['content']query_id=response.json()['rows'][i]['projectId']query_info=get_project_info(info_name.upper(),info_type.upper())project_id_enc=encrypted_project_id(str(query_id))project_info_enc=encrypted_project_info(query_info)project_url='%s?projectId=%s&projectInfo=%s'%(url,project_id_enc,project_info_encd%)打印(:"%(i+1)+"\n"+"项目名称:%s项目编号:%d"%(title,query_id)+"\n"+"项目链接:%s"%project_url)if__name__=='__main__':main()代码实现效果:
