1.逆向目标
1.搜索商品功能 2.查看商品详情功能
2.版本选择
在这里我选择的版本是识货7.20.1,可以直接在豌豆荚上搜索
我们一打开app,映入眼前的就是要咱强制更新
哼,以我们的脾气肯定不能顺着它,直接绕过
3.绕过强制更新
先用jadx给它反编译
然后咱直接搜索 “升级”
发现第四个很像是更新的请求
发现不是,大失所望,继续寻找,直接搜索新版本
# 1 反编译apk,找到弹框位置的代码
-找到如上图
# 2 写个hook脚本,不让UpdateDialog 的show不执行
# 3 hook脚本如下
# 4 手机端启动frida-server
adb shell
su
cd /data/local/tmp/
./frida-server
# 5 做端口转发---》
# cmd 窗口中执行
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
#写成python脚本,右键执行
import subprocess
subprocess.run('adb forward tcp:27042 tcp:27042')
subprocess.run('adb forward tcp:27043 tcp:27043')
# 6 真正在电脑端执行hook脚本3.1 hook更新框脚本
# 打印出前台运行的app的包名
# 枚举手机上的所有进程 & 前台进程,找到 识货的包名
import frida
# 获取设备信息
rdev = frida.get_remote_device()
# 枚举所有的进程
processes = rdev.enumerate_processes()
for process in processes:
print(process)
# 获取在前台运行的APP
front_app = rdev.get_frontmost_application()
print(front_app)import frida
import sys
rdev = frida.get_remote_device()
pid = rdev.spawn(["com.hupu.shihuo"]) # spwan,需要知道包名
session = rdev.attach(pid)
scr = """
Java.perform(function () {
var UpdateDialog = Java.use('com.azhon.appupdate.dialog.UpdateDialog');
UpdateDialog.show.implementation = function(ctx){
console.log("执行了");
//this.show();
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
rdev.resume(pid)
sys.stdin.read()发现一hook就闪退了,很明显,开发者做了frida-hook检测
4 绕过frida反调试
# 写好了hook,运行时,发现,app一执行,里面就崩了,但是不执行hook,app顺利运行
# 识货这款app,做了frida的反调试,检测到只要frida脚本在运行,app就自动结束
# 绕过方式一:
# 这种公司,一般情况下,公司的安全人员写了一个so文件,检测是否在运行frida的hook,如果检测到,就把app强制终止
# 安全人员写的so,一般情况下跟app业务无关,只用来做hook的检测,这种情况下,我们可以尝试删除这个so文件尝试一下,如果删除了,app还能顺利运行,说明这个so跟业务是无关的,就可以删除
# 像识货,得物这种app就是这样的
# 于是,我们要找到 是那个so文件,做了检测
# 通过hook安卓底层,依次打印这款app运行时,加载那些so文件---》这个hook脚本,以后拿着用即可
-依次打印出,这款app运行时,加载了那些so文件4.1 hook安卓底层app加载那些so文件的脚本
import frida
import sys
rdev = frida.get_remote_device()
pid = rdev.spawn(["com.hupu.shihuo"])
session = rdev.attach(pid)
scr = """
Java.perform(function () {
var dlopen = Module.findExportByName(null, "dlopen");
var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
Interceptor.attach(dlopen, {
onEnter: function (args) {
var path_ptr = args[0];
var path = ptr(path_ptr).readCString();
console.log("[dlopen:]", path);
},
onLeave: function (retval) {
}
});
Interceptor.attach(android_dlopen_ext, {
onEnter: function (args) {
var path_ptr = args[0];
var path = ptr(path_ptr).readCString();
console.log("[dlopen_ext:]", path);
},
onLeave: function (retval) {
}
});
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
rdev.resume(pid)
sys.stdin.read()
#1 操作步骤
# adb shell
# su
# cd 上面的路径
# rm xx.so
# 2 再运行绕过强制更新的hook脚本,就可以绕过了
5.抓包分析(绕过app代理检测)
如图,我们要的就是搜索接口
发现识货的包全是乱码,很明显被拦截请求了,利用了Proxy.noproxy
5.1 抓包分析搜索和详情接口
# 1 配置好charlse的代理
# 2 打开app,运行程序,抓包
-发现请求都是加密了,原因是使用正常手机代理抓包到
# 3 使用一款app,转发更底层的包,实现抓包:有很多,推荐使用: SocksDroid(推荐)
5.2 SocksDroid(推荐)使用
### 重点:删除之前手机代理
# 1 安装SocksDroid
# 2 打开,配置ip地址和端口
# 3 在charles中配置sockets的端口
6.再次抓包
6.1 搜索接口
6.1.1 请求体
这下面就是请求体
6.1.2 参数分析
# 请求地址:
https://sh-api.shihuo.cn/daga/search/goods/v1?
minVersion=15670&
clientCode=%7Bholder%7D&
v=7.20.1&
channel=myapp&
device=Pixel%202%20XL&
platform=android&
timestamp=1697030617153&
token=16c2cbda6873dd0215f960823c49fd5a # 不带
# 请求方式
post
# 请求参数:
{
"from": "home",
"isHot": "false",
"keywords": "女鞋", # 搜索关键字
"needAttrs": 1,
"page": "1", # 第几页
"pageSize": "20", # 每页显示多条
"page_route": "homeSearchList",
"predictSex": "2",
"use_type": "2",
"user_input": "%E6%A3%8B%E7%9B%98%E6%A0%BC"
}
# 请求头 经过多次重放攻击,发现headers基本上不用带也能请求成功
platform android
timestamp 1697030617153 #无需带
app-v 7.20.1
sh-token pgRgP20Ay3MTJhNjU0OTI5NTAyNTc3ODg0yXZbCW9YzSS2UyzKZNGip/JC8r9VF1IVVuYc34lEl7uhps6xWOeCgfbs2qnta7JNqIeAgur9WHZk7XGzuYUTg1kvRsygVDAnMSl1PtdFfI6fDqGF/zEZaH1OJRlbT3JxwPvtXp7X/6TSZZMfkL9tyA== #无需带
sh-id 913962kpcbdb29f68fc2552232c86cb3 #无需带
sh-sign B337564EA1DA434586253B59E5AC6BEE #无需带
shreqid 3E0FF336F5CD6192727CED59D1971335 #无需带
osv 11
network 1
sh_session 29adf1f76fe54268bf13a6efb7e12272_foreground_1991176 #无需带
sk 9MJTD4FFJBgRUPSgNfZIKOA8bCGnv4wt7McVWcxBYyOZBJiez6r4AjzcgGweapZa1GGcamedBEXYqzEOVegB7d2klJ1w #无需带
appid app
user-agent Android 11 {Z29vZ2xl} CPU_ABI arm64-v8a CPU_ABI2 HARDWARE taimen MODEL {UGl4ZWwgMiBYTA} network/WIFI shihuo/7.20.1 sc({holder},myapp) minVersion(15670) sh-dv-sign[v1|6bd3e4ffa3ce6c880e6681a9f90775c60d2751f79b8da0aa] #无需带
6.1.3 python代码模拟请求
# -*- coding: utf-8 -*-
'''
@IDE : PyCharm
@version : 3.9
@Auth : gouzi
@time : 2024/2/8 21:19
@Description:
'''
import requests
import urllib3
urllib3.disable_warnings()
# 搜索商品的接口
res = requests.post(
url="https://sh-api.shihuo.cn/daga/search/goods/v1",
json={
"keywords": "女鞋", # 搜索关键字
"needAttrs": 1,
"page": "1", # 第几页
"pageSize": "20", # 每页显示多条
"page_route": "goodsList",
"predictSex": "2",
"use_type": "2",
"pageContext": "{\"pageId\":\"goodsList_1DF64EFB70F703FA43E7A670EA9A454A\",\"ptiRoot\":{\"biz\":\"{\\\"client_cache\\\":true,\\\"layer\\\":\\\"1\\\"}\",\"name\":\"\",\"toInfo\":{\"route\":\"homeSearch\",\"back_keywords\":\"耐克 篮球鞋\"},\"id\":\"home:searchInput\",\"pageId\":\"appHome_80D1DDBE0BA8D931696EAAC238B1DF0E\",\"pageOptions\":{\"haveSkin\":\"1\"}},\"layer\":\"3\"}",
}
, verify=False
)
print('------')
data_dict = res.json()
l = []
for item in data_dict['data']['lists']:
try:
print(item['name'])
for ele in item['style_lists']:
print('-----', ele['goods_id'], ele['name'], ele['price'])
# 通过商品id,获取商品的详情
l.append(ele['goods_id'])
except:
pass运行结果:
没有啥需要逆向的东西,直接就返回了
6.2商品详情接口
6.2.1 抓包(最难受的一步)
wc,你敢信,我™找这个东西的问题,从年前2月6号一直到年后的2月16号,整整10天啊!!!md,过年都不自在,天天想这个(˚ ˃̣̣̥᷄⌓˂̣̣̥᷅ )
6.2.2 问题发现
这个坑是真™的难受,必须写下来说说,我一开始打开商品详情接口,发现页面打不开
歪日,这是啥情况?平常能够打开的呀,我第一时间以为是代理的问题,仔细检查了SocksDroid的代理,发现没问题。
6.2.3 排查问题一--->代理IP
诶,难道SocksDroid代理没用了吗?更新了版本,不行,去掉SocksDroid代理,直接用WIFI上代理手动不行。
换成Drony、ProxyDroid等代理软件,用了各种不同版本,分别用上Charles本地代理的IP,还是不行
换来换去还是不行,放弃了
6.2.4 排查问题二--->识货app的版本问题
之后我以为是识货app的问题,在豌豆荚上找了旧版的app,分别用adb install装上app
发现还是抓不到包,网络错误
又更新到最新版本还是不行
6.2.5 排查问题三--->Charles证书掉了
后来在网上逛,发现了也有人没法登录抓包,网络错误,可能是Charles的证书掉了,或者过期了
那么,我又重新在手机上配置好证书,下载安装
发现之前就存在在系统证书中,我又去更新了一遍
发现还是抓不到,尤其是之后,爱学生、今日南川app都能抓包,但是车智赢+不知道为啥抽风了,又抓不到包
甚至连叫我更新都没有用到
难道我证书安装方式错误了?我又去网上找解决办法,花了一大片时间,配置了各个地方,没有p用
6.2.6 排查问题四--->手机重新刷机看看
之后我又想到了可能是我刷机的问题,因为我买过来的pixel手机本来就让商家刷好了
于是我又去查找资料,观察如何线刷,重新安装面具软件,刷入img文件,twrp recovery
换了好多个版本,终于刷上了,可惜还是抓不到包
6.2.7 排查问题五--->观察识货app商品详情抓包结果
md,真是不信邪了,人家都好好的,凭啥就我不行
去看看返回的结果到底是啥
日,啥意思,请用客户端访问本接口,难道我不是客户端吗?什么离谱的返回结果,还是406
在网上搜索一下,发现返回的都是些啥啊,根本看不懂,问了GPT也不晓得为啥
6.2.8 排查问题六--->观察其它app抓包结果
之后我在接单群看环球网那个app,也遇到了同样的问题
这次再去看看抓包结果
发现返回的是401,得到的说是HMAC signature cannot be verified, the x-date header is out of date for HMAC Authentication"
在网上一搜索,发现时间戳超时
这下子,我突然间意识到,可能是时间设置的问题
6.2.9 问题解决---->系统时间
于是我就调整了系统时间,调整到目前的时间
歪日,成功了,这™谁能想到,我本来以为工作机时间没有啥用,结果发现还那么重要
现在再去试试
终于出来了,不容易,不容易啊!!!知道我这10天是如何度过的吗?哇~(//̀Д/́/)(//̀Д/́/)(//̀Д/́/)
剩下的感觉没啥技术含量了,先抓包吧
发现是明文,可能是我更新到了最高版本的原因,那这个就好弄,直接破解就行
6.3 如果是明文,直接破解
utils下的包
# -*- coding: utf-8 -*-
'''
@IDE : PyCharm
@version : 3.9
@Auth : gouzi
@time : 2023/10/12 12:36
@Description:
'''
def header_str_to_dict(header_str):
res = [item for item in header_str.split('\n')]
res = res[1:len(res) - 1]
d = {item.split('\t')[0]: item.split('\t')[1] for item in res}
return d实际请求下的包
import requests
from utils import header_str_to_dict
import urllib3
urllib3.disable_warnings()
header_str = '''
platform android
timestamp 1697031573147
app-v 7.20.1
sh-token 57FP4HY1R7MTM1Y2UwZmRiYTExMTVmMzI1Al3TPWc8P4bQyfQYO+qxkcYzvlmwukrvZSuTCSjVWxyix7mPt46ALIpxAJpsIeSWEAA110VChb/JfEi6BRCjamGsg9PGOO3s341BoV3tGKLeOkHxX/dq7/ktzzPhVHkJw+2DMz1ZMHHty7AE/i5khA==
sh-id 913962kpcbdb29f68fc2552232c86cb3
sh-sign 7D38C143D1BFC2AB36DCCFC0FE46B29B
abtest-control ln=3;eI=3;HN=0;LR=0;Ks=0;eN=2;Gs=2;zF=1;Ta=2;uc=2;aQ=0;Xj=1;zT=0;IG=0;AA=2;Df=13;MQ=1;fK=11;data_community_personal=3;jO=2;UZ=0;fL=0;Lu=1;nY=2;am=0;EQ=2;shrec_is_gdetail=12;RA=2;ev=22;kA=3;kB=11;ay=3;gA=2;mainSearchV3=25;search_wf=3;NI=0;mainSearchV4=27;nj=2;Us=1;nn=0;zz=12;Yz=1;shrec_gdetail_bags=11;Qv=17;Ah=11;data_gdetail_shoes_personal=11;data_gdetail_clothes_personal=11;oZ=12;shoes_ratio_ctrl=0;bn=0;sa=0;Ap=2;gdetail_shoes_brand_rec=11;JZ=1;SD=0;fx=3;sf=12;Av=24;sh=0;Rg=2;cY=1;Rh=15;tK=3;shrec_home_feed=17;Fd=2;gf=12;dD=0;gh=0;CI=1;ou=3;dK=0;Fn=3;CL=2;GP=1;t_s=1697028428463;oy=2;gdetail_brand_rec=11;shrec_cf_mine_v2=11;KY=6;hW=3;Wg=12;pa=0;shrec_gdetail_clothes=11;Od=11;yN=8;By=0;Bz=0;uO=0;data_community_relate=11;dc=1
shreqid 802E1E6101C5315E8F389A00A3B294D0
osv 11
network 1
sh_session 29adf1f76fe54268bf13a6efb7e12272_foreground_2947168
sk 9MJTD4FFJBgRUPSgNfZIKOA8bCGnv4wt7McVWcxBYyOZBJiez6r4AjzcgGweapZa1GGcamedBEXYqzEOVegB7d2klJ1w
appid app
user-agent Android 11 {Z29vZ2xl} CPU_ABI arm64-v8a CPU_ABI2 HARDWARE taimen MODEL {UGl4ZWwgMiBYTA} network/WIFI shihuo/7.20.1 sc({holder},myapp) minVersion(15670) sh-dv-sign[v1|6bd3e4ffa3ce6c880e6681a9f90775c60d2751f79b8da0aa]
'''
headers = header_str_to_dict(header_str)
res = requests.get(
url='https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single?devices=Pixel%202%20XL&dspm=1eca9e150797b336&gender=2&goods_id=3416&sourceLocation=oneRowOne%3A%5BN%5D&style_id=45351573&top_style_id=45351573&tpExtra=%7B%22sourceTp%22%3A%22home%3Asearch%3A%22%2C%22sourceTpName%22%3A%22%E9%9D%A2%E5%8C%85%E9%9E%8B%22%2C%22wsf%22%3A%22normal_search_words%22%2C%22ast%22%3A%22%E9%9D%A2%E5%8C%85%E9%9E%8B%22%2C%22is_inspire%22%3A0%2C%22dgReqId%22%3A%22SHSS_CG-O7DQPLCN9N0T_SPU_1%3A27%22%2C%22si%22%3A%228001%22%2C%22skc%22%3A%2245351573%22%2C%22layer%22%3A%222%22%7D&access_token=b7EM8Up9VSFJUhkyEJ&minVersion=15670&clientCode=%7Bholder%7D&v=7.20.1&channel=myapp&device=Pixel%202%20XL&platform=android×tamp=1697031573147&access_token=b7EM8Up9VSFJUhkyEJ&token=f621020ce7ab2919bee6228a0feeed2b',
verify=False,
headers=headers
)
print(res.text)
# print('付款人数:', res.json()['data']['info']['goods_info']['monthSellPoint'])6.4 如果它加密了,如何处理
# 1 目前咱们通过各种hook尝试破解
-由于加密了,不好破
-尝试各种hook
-1 map.put('data','加密串')---》hook--TreeMap来看看--》没有走,失败了
-2 Hook StringBuilder---》没有走,失败了
-3 hook base64----》确实走了---》我们知道,它把密文做了base64编码,但是不知道如何加密的
-4 hook 拦截器---》okhttp---》拦截器---》看有哪些拦截器
-单个hook,尝试让它不走当前拦截器
-在这样尝试的时候,发现了,只要加密发送请求,返回的也是加密的,只要明文发送请求,返回的就是明文
-以后全都强行明文发送,拿到明文即可
-发现他们app机制--》只要加密的拦截器不执行,就是明文发送,返回明文
# 2 后期:咱们学unidbg可以直接把返回的加密数据,跑成明文7 Hook各种尝试
7.1 hook- Map - 失败
import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("识货")
scr = """
Java.perform(function () {
var TreeMap = Java.use('java.util.TreeMap');
var Map = Java.use("java.util.Map");
TreeMap.put.implementation = function (key,value) {
if(key=="data"){
console.log(key,value);
}
var res = this.put(key,value);
return res;
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
sys.stdin.read()7.2 Hook StringBuilder-失败
# com.che168.autotradercloud
import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("识货")
scr = """
Java.perform(function () {
var StringBuilder = Java.use("java.lang.StringBuilder");
StringBuilder.toString.implementation = function () {
var res = this.toString();
console.log(res);
return res;
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
sys.stdin.read()7.3 使用js的hook
// hook_stringbuilder.js
Java.perform(function () {
var StringBuilder = Java.use("java.lang.StringBuilder");
StringBuilder.toString.implementation = function () {
var res = this.toString();
console.log(res);
return res;
}
});
// frida -UF hook_stringbuilder.js -o string.txt
// 发现并没有输出到string.txt中7.4 Hook-base64-成功
import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("识货")
scr = """
Java.perform(function () {
var Base64 = Java.use("android.util.Base64");
Base64.encodeToString.overload('[B', 'int').implementation = function (bArr,val) {
var res = this.encodeToString(bArr,val);
console.log("加密了-->",res);
return res;
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
sys.stdin.read()
# 通过查看输出,那请求的数据搜索,发现hook到了7.5 hook 拦截器
# 请求加密,返回的数据解密,很有可以能是在拦截器中完成处理
7.5.1 js的hook拦截器,hook所有
// hook_Interceptor.js
Java.perform(function () {
var Builder = Java.use('okhttp3.OkHttpClient$Builder');
Builder.addInterceptor.implementation = function (inter) {
console.log(JSON.stringify(inter) );
return this.addInterceptor(inter);
};
})
//frida -Uf com.hupu.shihuo -l hook_Interceptor.js -o all_interceptor3.txt"<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.h>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.imageview.loader.c.b$a>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.e>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.d>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.b>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.h>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.g>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.a>" "<instance: okhttp3.Interceptor, $className: cn.shihuo.modulelib.utils.f1.a$a>" "<instance: okhttp3.Interceptor, $className: cn.shihuo.modulelib.startup.core.c.b>" "<instance: okhttp3.Interceptor, $className: cn.shihuo.modulelib.startup.core.c.a>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.d>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.h>" "<instance: okhttp3.Interceptor, $className: com.shizhi.shihuoapp.library.net.h.g>" "<instance: okhttp3.Interceptor, $className: cn.shihuo.modulelib.utils.f1.a$a>" "<instance: okhttp3.Interceptor, $className: cn.shihuo.modulelib.startup.core.c.b>" "<instance: okhttp3.Interceptor, $className: cn.shihuo.modulelib.startup.core.c.a>"
7.5.2 一个个尝试拦截器--查找
import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("识货")
scr = """
Java.perform(function () {
var a = Java.use("cn.shihuo.modulelib.startup.core.c.a");
a.intercept.implementation = function (chain) {
var req = chain.request();
var httpUrl = req.url().toString();
if( httpUrl.indexOf("https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single") != -1 ){
console.log('执行前',httpUrl);
}
var res = this.intercept(chain); // 执行自己这个拦截器
return res;
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
sys.stdin.read()
import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("识货")
scr = """
Java.perform(function () {
var a = Java.use("cn.shihuo.modulelib.utils.f1.a$a");
a.intercept.implementation = function (chain) {
var req = chain.request();
var httpUrl = req.url().toString();
if( httpUrl.indexOf("https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single") != -1 ){
console.log('执行前',httpUrl);
}
// 不走自己的拦截器了,跳过该拦截器执行,继续执行下面的拦截器
var response = chain.proceed(req);
return response;
}
});
"""
script = session.create_script(scr)
def on_message(message, data):
print(message, data)
script.on("message", on_message)
script.load()
sys.stdin.read()
#这个拦截器找到了可以发送明文的地址8 python直接发送请求获取详情
import requests
headers = {
# 'platform': 'android',
# 'timestamp': '1690457564391',
# 'app-v': '7.20.1',
# 'osv': '11',
# 'network': '1',
# 'appid': 'app'
'sk': '9MJTD4FFJBgRUPSgNfZIKOA8bCGnv4wt7McVWcxBYyOZBJiez6r4AjzcgGweapZa1GGcamedBEXYqzEOVegB7d2klJ1w',
}
res = requests.get(
'https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single',
params={
'goods_id': '379112',
'v': '7.20.1',
# 'devices': 'Pixel 2 XL',
# 'dspm': 'b073a42a1f6a7180',
# 'gender': '2',
# 'sourceLocation': 'oneRowOne:[N]',
# 'style_id': '33658742',
# 'top_style_id': '33658742',
# 'tpExtra': '''{"sourceTp":"home:search:","sourceTpName":"男士凉鞋","wsf":"normal_search_words","ast":"男士凉鞋","is_inspire":0,"dgReqId":"SHSS_CG-NEU5QK4E76J2_SPU_1:24","si":"8001","skc":"33658742","layer":"2"}''',
# 'access_token': 'b7EM8Up9VSFJUhkyEJ',
# 'minVersion': '15670',
# 'clientCode': '{holder}',
# 'channel': 'myapp',
# 'device': 'Pixel 2 XL',
# 'platform': 'android',
# 'timestamp': '1690457564391'
},
verify=False, headers=headers)
print(res.json())9 代码整合
# -*- coding: utf-8 -*-
'''
@IDE : PyCharm
@version : 3.9
@Auth : gouzi
@time : 2024/2/16 12:45
@Description:
'''
import requests
from utils import header_str_to_dict
import urllib3
urllib3.disable_warnings()
header_str = '''
sh-token 07YHP1RqF2ZjZiZDRlMjg0ZWJlNmY5OWRiVrVJil+FyNFpPfAYRwUnQZjD7Y0EMrH0URCKv764zx2HrJrYl7RugWdY2JZP2mlh2o63ZQhD9f2BlkbdZzS3eRaVNn+LfKaM+2xWa3yAnTwDsBJq658HFt7VNjuaBKnX+e9kjFcgtdCl2h0kIgZyFA=='''
headers = header_str_to_dict(header_str)
# 搜索商品的接口
res = requests.post(
url="https://sh-api.shihuo.cn/daga/search/goods/v1?minVersion=15670&clientCode=%7Bholder%7D&v=7.20.1&channel=myapp&device=Pixel%202%20XL&platform=android×tamp=1697021144536&token=3dec4554119714351dedd1f457099573",
# headers=headers,
json={
"keywords": "帆布鞋",
"pageSize": "20",
"page": "1",
}, verify=False
)
print(res.text)
data_dict = res.json()
print('------')
l = []
for item in data_dict['data']['lists']:
try:
print(item['name'])
for ele in item['style_lists']:
print('-----', ele['goods_id'], ele['name'], ele['price'])
# 通过商品id,获取商品的详情
l.append(ele['goods_id'])
except:
pass
# header_str = '''
# platform android
# timestamp 1697022069424
# app-v 7.20.1
# sh-token 19Zo0LudYxM2M3NDBiZThjNmNjNTM1ZGMwnqndf6tomH872jLQjhgYbdFdIyqJGmWsdG6mb1tPj5mcB/3l6G58H274IwjqbjH09QyGMZg/QEqYOjTFSXdZ6SqroQY0+7KrhcoExdS0hlCpdaSb4FF9/sPivU2Eh9ZoPRaufuOMqX08wzYTIF4eug==
# sh-id 913962kpcbdb29f68fc2552232c86cb3
# sh-sign DF380FBA1CF473B2FDD4BC570F6EB5B1
# abtest-control ln=3;eI=3;HN=0;LR=0;Ks=0;eN=2;Gs=2;zF=1;Ta=2;uc=2;aQ=0;Xj=1;zT=0;IG=0;AA=2;Df=13;MQ=1;fK=11;data_community_personal=3;jO=2;UZ=0;fL=0;Lu=1;nY=2;am=0;EQ=2;shrec_is_gdetail=12;RA=2;ev=22;kA=3;kB=11;ay=3;gA=2;mainSearchV3=25;search_wf=3;NI=0;mainSearchV4=27;nj=2;Us=1;nn=0;zz=12;Yz=1;shrec_gdetail_bags=11;Qv=17;Ah=11;data_gdetail_shoes_personal=11;data_gdetail_clothes_personal=11;oZ=12;shoes_ratio_ctrl=0;bn=0;sa=0;Ap=2;gdetail_shoes_brand_rec=11;JZ=1;SD=0;fx=3;sf=12;Av=24;sh=0;Rg=2;cY=1;Rh=15;tK=3;shrec_home_feed=17;Fd=2;gf=12;dD=0;gh=0;CI=1;ou=3;dK=0;Fn=3;CL=2;GP=1;t_s=1697020869050;oy=2;gdetail_brand_rec=11;shrec_cf_mine_v2=11;KY=6;hW=3;Wg=12;pa=0;shrec_gdetail_clothes=11;Od=11;yN=8;By=0;Bz=0;uO=0;data_community_relate=11;dc=1
# shreqid 57F9D010EF0EA0A05E845396BA6B3E1F
# osv 11
# network 1
# sh_session 7804c48b010b40f699adcc4b4aaa89f0_foreground_1002591
# sk 9MJTD4FFJBgRUPSgNfZIKOA8bCGnv4wt7McVWcxBYyOZBJiez6r4AjzcgGweapZa1GGcamedBEXYqzEOVegB7d2klJ1w
# appid app
# cookie acw_tc=76b20fe616970207931503924e60da603e28e89a17d213f16b5b87b95b3433
# user-agent Android 11 {Z29vZ2xl} CPU_ABI arm64-v8a CPU_ABI2 HARDWARE taimen MODEL {UGl4ZWwgMiBYTA} network/WIFI shihuo/7.20.1 sc({holder},myapp) minVersion(15670) sh-dv-sign[v1|6bd3e4ffa3ce6c880e6681a9f90775c60d2751f79b8da0aa]
# '''
# for good_id in l:
# print(good_id)
# headers = header_str_to_dict(header_str)
# res = requests.get(
# url=f'https://sh-gateway.shihuo.cn/v4/services/sh-goodsapi/app_swoole_shoe/preload/single?devices=Pixel%202%20XL&dspm=95e6ec308860e77a&gender=2&goods_id={good_id}&sourceLocation=oneRowOne%3A%5BN%5D&style_id=40941356&top_style_id=40941356&tpExtra=%7B%22sourceTp%22%3A%22home%3Asearch%3A%22%2C%22sourceTpName%22%3A%22%E5%B8%86%E5%B8%83%E9%9E%8B%22%2C%22wsf%22%3A%22normal_search_words%22%2C%22ast%22%3A%22%E5%B8%86%E5%B8%83%E9%9E%8B%22%2C%22is_inspire%22%3A0%2C%22dgReqId%22%3A%22SHSS_CG-O7CKNHGTO8RT_SPU_1%3A27%22%2C%22si%22%3A%228001%22%2C%22skc%22%3A%2240941356%22%2C%22layer%22%3A%222%22%7D&access_token=b7EM8Up9VSFJUhkyEJ&minVersion=15670&clientCode=%7Bholder%7D&v=7.20.1&channel=myapp&device=Pixel%202%20XL&platform=android×tamp=1697022069424&access_token=b7EM8Up9VSFJUhkyEJ&token=570a49e713cc2b3a2a3a1e627878b86b',
# verify=False,
# headers=headers
# )
# print(res.text)
# break
# print('付款人数:', res.json()['data']['info']['goods_info']['monthSellPoint'])
5123
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
