免责声明:仅用于学习逆向,严禁用于商业,如有侵权,联系作者删除
第一步:切换登录方式
第二步:查看抓包情况
第三步:模拟登录后抓包
查看发包参数,本次主要处理password这个参数
l是对字符串处理的方法
可以看出,先对原密码进行了加密,然后又用 l 方法对密码做了一次处理。需要注意的是,这里加密用的是写在前端代码里的公钥,只能避免密码以明文出现在请求体中,并不能阻止脚本化登录;服务端仍需依靠限流、验证码、登录票据(loginTicketId)校验等措施。
将代码添加到浏览器的Overrides,方便改写调试
第四步:改写js并进行分析
// Global handle that receives the bundle's internal module loader (`i`), so
// individual modules can be required from outside the closure while debugging.
var aaa;
// Webpack-style bootstrap. `n` is the table of module functions keyed by id.
// As shown here the function expression is never invoked and the module table
// argument is omitted (the article replaces the full bundle with screenshots),
// so this excerpt on its own leaves `aaa` undefined.
!function(n) {
// Cache of module records, keyed by module id.
var r = {};
// Loader: return the exports of module `t`, running the module on first use.
function i(t) {
// Already instantiated: reuse the cached exports.
if (r[t])
return r[t].exports;
// New module record: i = id, l = loaded flag, exports = the module's export object.
var e = r[t] = {
i: t,
l: !1,
exports: {}
};
// Run the module function with `this` = exports and (module, exports, require)
// as arguments, then mark the record as loaded and hand back its exports.
return n[t].call(e.exports, e, e.exports, i),
e.l = !0,
e.exports
}
// Expose the module table and the cache on the loader.
i.m = n,
i.c = r,
// Define an enumerable getter `e` on `t`, unless `t` already owns that property.
i.d = function(t, e, n) {
i.o(t, e) || Object.defineProperty(t, e, {
enumerable: !0,
get: n
})
}
,
// Tag an exports object as an ES module: Symbol.toStringTag = "Module" (when
// Symbol is available) and __esModule = true.
i.r = function(t) {
"undefined" != typeof Symbol && Symbol.toStringTag && Object.defineProperty(t, Symbol.toStringTag, {
value: "Module"
}),
Object.defineProperty(t, "__esModule", {
value: !0
})
}
,
// Build a namespace object for a value; `t` is a bit mask:
//   1 - `e` is a module id, require it first
//   8 - return the value as is
//   4 - return the value unchanged if it is already an ES-module object
//   2 - copy every key of a non-string value onto the namespace as a getter
i.t = function(e, t) {
if (1 & t && (e = i(e)),
8 & t)
return e;
if (4 & t && "object" == typeof e && e && e.__esModule)
return e;
// Prototype-less namespace object, tagged as a module, with `default` = value.
var n = Object.create(null);
if (i.r(n),
Object.defineProperty(n, "default", {
enumerable: !0,
value: e
}),
2 & t && "string" != typeof e)
for (var r in e)
i.d(n, r, function(t) {
return e[t]
}
.bind(null, r));
return n
}
,
// Return a getter for a module's default export: `t.default` when the module
// is flagged __esModule, otherwise `t` itself. The getter is also exposed as
// its own property `a`.
i.n = function(t) {
var e = t && t.__esModule ? function() {
return t.default
}
: function() {
return t
}
;
return i.d(e, "a", e),
e
}
,
// Own-property check that does not rely on the object's own hasOwnProperty.
i.o = function(t, e) {
return Object.prototype.hasOwnProperty.call(t, e)
}
,
// "/" is stored on the loader as `p` (webpack uses this slot for the public path).
i.p = "/",
// Record 20 as the entry module id and load it.
i(i.s = 20)
// Added for the analysis: leak the loader into the global `aaa`.
aaa=i
}
定义一个全局变量,把加载器赋值到全局变量,查看该变量
控制台打印输出,可以看出导出了59个方法
加密位置
所有代码:
js太多,放图片代替
// Require module 50 through the exported loader and invoke its default export.
// NOTE(review): `ddd`, which get_pw reads, is never assigned in the visible
// code - presumably the patched bundle (shown only as screenshots) assigns it
// to a global while this call runs; confirm against the full file.
aaa(50).default();
// console.log(ddd);
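/**
 * Encrypt a plaintext password with the RSA public key taken from the login bundle.
 *
 * Relies on the global `ddd` object captured from the bundle; `ddd.ec` must
 * expose `setPublicKey(key)` and `encrypt(text)`.
 * NOTE(review): those two method names match the JSEncrypt API - presumably
 * `ddd.ec` is a JSEncrypt instance; confirm. If so, padding is randomized and
 * every `encrypt` call yields a different ciphertext for the same input.
 *
 * @param {string} mm - plaintext password.
 * @returns {*} whatever `ddd.ec.encrypt` returns for `mm`.
 */
function get_pw(mm) {
  // Public key shipped to every visitor in the front-end code. The "MIGf..."
  // prefix is the usual encoding of a 1024-bit RSA SubjectPublicKeyInfo, which
  // is below current key-size recommendations. Encrypting with a public key
  // only keeps the plaintext out of the request body; it is not a barrier to
  // scripted logins, which the server has to handle separately.
  var e = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCB81pk1Go/d7K8unYqeB6YyQdDgIRsLji7BxlBfMC2U8/0lyOLxJ6sQb1RmKaILuxN0hRci4zWPfkkPhttWaogq3XABYiDYbx0843ge4D79pG21+qWplw43uHZNs0B6iUChJW1O3DDJPXGwj50L1ySTVt7G7iqsIr9PLZVRSZmQIDAQAB";
  ddd.ec.setPublicKey(e);
  // ddd.loginTicketId = ""
  ddd.publicKey = e;
  // ddd.encodeVersion = "2.0"

  // Encrypt exactly once. The original called encrypt() twice (once for the
  // log line, once for the return value), so the logged ciphertext was not
  // necessarily the one handed back to the caller.
  var encrypted = ddd.ec.encrypt(mm);
  console.log(encrypted);
  return encrypted;
}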
最后一步:模拟请求
import json
import requests
import execjs
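# Upper bound (seconds) for each HTTP call. requests has no default timeout, so
# without this a stalled connection would block the script indefinitely.
REQUEST_TIMEOUT = 10

# Browser-like headers copied from the captured login request.
headers = {
    "Accept": "application/json, text/plain, */*",
    "Accept-Encoding": "gzip, deflate, br",
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
    'Content-Type': "application/json;charset=UTF-8",
    "Host": "clogin.ke.com",
    'Origin': 'https://su.ke.com',
    "Referer": "https://su.ke.com",
    "sec-ch-ua-platform": "Windows",
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-site',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36',
}

# Step 1: call the initialize endpoint; its JSON reply carries the loginTicketId
# that the authenticate request has to echo back.
data = {"service": "https://ajax.api.ke.com/login/login/getuserinfo", "version": "2.0"}
# response = requests.post("https://clogin.ke.com/authentication/initialize", headers=headers, data=json.dumps(data))
response = requests.post(
    "https://clogin.ke.com/authentication/initialize",
    headers=headers,
    json=data,
    timeout=REQUEST_TIMEOUT,
)
# Fail here with a clear error instead of sending a ticket-less login later.
response.raise_for_status()
login_ticket_id = response.json().get("loginTicketId")
if not login_ticket_id:
    raise RuntimeError("initialize response did not contain loginTicketId")
# print(response.json())

# Notes on how requests encodes a request body:
# - json=<object>: the object is serialized to JSON and Content-Type is set to
#   application/json (unless the headers already provide one).
# - data=<str>, e.g. json.dumps(payload): the string is sent as-is and requests
#   sets no Content-Type, so the headers must specify application/json.
# - data=<dict, list of tuples, or dict with list values>: the value is
#   form-encoded and Content-Type becomes application/x-www-form-urlencoded.

# Step 2: run the extracted JS to produce the RSA-encrypted password.
# The credentials below are the article's dummy values; real ones should come
# from the environment or a prompt, never from the source file.
with open("rsa_webpack2.js", encoding="utf-8") as f:
    js_str = f.read()
password = execjs.compile(js_str).call("get_pw", "asd123456")
print(password)

# Step 3: submit the login request with the ticket and the encrypted password.
data = {
    "service": "https://ajax.api.ke.com/login/login/getuserinfo",
    "mainAuthMethodName": "username-password",
    "accountSystem": "customer",
    "credential": {
        "username": "18511111111",
        "password": password,
        "encodeVersion": "1",
    },
    "context": {},
    "loginTicketId": login_ticket_id,
    "version": "2.0",
    # Opaque value captured from the browser session and replayed unchanged.
    "srcId": "eyJ0Ijoie1wiZGF0YVwiOlwiOGZlZDVjZTdlMTQ4MzIwMjNkNzQ4YTk4NTlkZmU0NzM3ZWJiNWUxNzYxYmVjZTY4ZTliN2U1N2M1YTk1NGI3MDczYTkzMDgxMmUzMjQ2MGZiMzgwZjg4ZWE3OTQ4MGExZWY2ZGU2MWMzNDgxMDg3ZjAyZDdmMzNiZTBhNjJmZThhNDNhNWQ5MzAyMmRmZjNjM2QyMzYwNGIxMDcwYTllYzlmZGJhODVjMmY4OGU4MTc4MzhkOWNiNTkwNjNiODA1MmM0MzBhMzhkOWVlYWRmMjZmNjk3ZDA3NjRhMmFhN2E5YzdjZDJhZDY5ZmUzZWM0NGE0ZjEwZjc5ZTUwNDAzM1wiLFwia2V5X2lkXCI6XCIxXCIsXCJzaWduXCI6XCIzZmIzZjM4ZlwifSIsInIiOiJodHRwczovL3N1LmtlLmNvbS8/dXRtX3NvdXJjZT1iYWlkdSZ1dG1fbWVkaXVtPXBpbnpodWFuJnV0bV90ZXJtPWJpYW90aSZ1dG1fY29udGVudD1iaWFvdGltaWFvc2h1JnV0bV9jYW1wYWlnbj13eXN1emhvdSIsIm9zIjoid2ViIiwidiI6IjAuMSJ9",
    "ticketMaxAge": 604800,
}
# response = requests.post("https://clogin.ke.com/authentication/authenticate", headers=headers, data=json.dumps(data))
response = requests.post(
    "https://clogin.ke.com/authentication/authenticate",
    headers=headers,
    json=data,
    timeout=REQUEST_TIMEOUT,
)
# No raise_for_status() here: the body is printed either way so that an error
# reply from the server stays visible.
print(response.text)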