网址:aHR0cHM6Ly93d3cuaHJkanl1bi5jb20vIy9sb2dpbj9yZWRpcmVjdD0lMkZyZWFsVGltZUxpdmluZw==
登录接口,发现两个参数加密,分别是pwd和sig,t很明显是时间戳。
观察pwd,发现很像md5加密,我输入的密码是123456,在在线加密网站加密,发现果然如此。
但是这次采用扣代码来解决,不用标准库。
参数没有特点,搜索是很难搜的,采用跟栈方法。
还是跟之前一样,点击第一个,在send处打断点,点击登录,前三个是发包,一般不在里面吗加密。
现在就是判断是不是在异步里面加密的,如何判断呢, 进入异步s.requests处,在常见位置打上断点。在控制台打印e,进入第一个函数在return处打上断点,看加密了吗?若是加密了,则并不是在异步中加密的。
发现进入异步的第一个函数接受的参数已经是经过加密的数据,因此跳过异步。
进入下一个栈,G栈,在u处打上断点,释放其他断点,点击登录
看l = l = Object(g["a"])(H(S(e)))就是sig的加密位置,Object(g["a"])代码的意思就是调用g中的a方法。相当于g["a"](H(S(e)),但是这里存在变量污染,传入的参数s不应该含有加密后的sig,所以在前面打上断点,可以更好确定传入的参数是什么形式的。
在这里打上断定,var t = n.split("/") ,再点击跳过下一个函数执行,一步步执行到sig的加密位置。
这时候的传入的参数为e
t由s赋值,s由函数 s = (new Date).getTime();赋值
那么现在还是要先破解pwd是怎么加密的。
先找到pwd的加密位置。由于传入function G(n,e)中的e已经有加密后的pwd了,所以继续往前跟栈。
pwd由pwd: Object(E["a"])(t.loginForm.password)赋值,相当于E["a"](t.loginForm.password),其中t.loginForm.password是密码'123456'
进入E['a']发现是它,复制到pycharm中,传入的n就是密码,运行会发现缺少c,就在前面找c,然后复制
c在哪里,就在这个函数附近。然后运行发现没有o,接着复制一步一步来,最后直到成功。
完整代码:
var a=0;
function i(n) {
return c(o(s(n)))
};
function c(n) {
for (var e, t = a ? "0123456789ABCDEF" : "0123456789abcdef", i = "", o = 0; o < n.length; o++)
e = n.charCodeAt(o),
i += t.charAt(e >>> 4 & 15) + t.charAt(15 & e);
return i
};
function o(n) {
return r(d(l(n), 8 * n.length))
};
function s(n) {
var e, t, a = "", i = -1;
while (++i < n.length)
e = n.charCodeAt(i),
t = i + 1 < n.length ? n.charCodeAt(i + 1) : 0,
55296 <= e && e <= 56319 && 56320 <= t && t <= 57343 && (e = 65536 + ((1023 & e) << 10) + (1023 & t),
i++),
e <= 127 ? a += String.fromCharCode(e) : e <= 2047 ? a += String.fromCharCode(192 | e >>> 6 & 31, 128 | 63 & e) : e <= 65535 ? a += String.fromCharCode(224 | e >>> 12 & 15, 128 | e >>> 6 & 63, 128 | 63 & e) : e <= 2097151 && (a += String.fromCharCode(240 | e >>> 18 & 7, 128 | e >>> 12 & 63, 128 | e >>> 6 & 63, 128 | 63 & e));
return a
};
function r(n) {
for (var e = "", t = 0; t < 32 * n.length; t += 8)
e += String.fromCharCode(n[t >> 5] >>> t % 32 & 255);
return e
};
function d(n, e) {
n[e >> 5] |= 128 << e % 32,
n[14 + (e + 64 >>> 9 << 4)] = e;
for (var t = 1732584193, a = -271733879, i = -1732584194, o = 271733878, c = 0; c < n.length; c += 16) {
var s = t
, l = a
, r = i
, d = o;
t = h(t, a, i, o, n[c + 0], 7, -680876936),
o = h(o, t, a, i, n[c + 1], 12, -389564586),
i = h(i, o, t, a, n[c + 2], 17, 606105819),
a = h(a, i, o, t, n[c + 3], 22, -1044525330),
t = h(t, a, i, o, n[c + 4], 7, -176418897),
o = h(o, t, a, i, n[c + 5], 12, 1200080426),
i = h(i, o, t, a, n[c + 6], 17, -1473231341),
a = h(a, i, o, t, n[c + 7], 22, -45705983),
t = h(t, a, i, o, n[c + 8], 7, 1770035416),
o = h(o, t, a, i, n[c + 9], 12, -1958414417),
i = h(i, o, t, a, n[c + 10], 17, -42063),
a = h(a, i, o, t, n[c + 11], 22, -1990404162),
t = h(t, a, i, o, n[c + 12], 7, 1804603682),
o = h(o, t, a, i, n[c + 13], 12, -40341101),
i = h(i, o, t, a, n[c + 14], 17, -1502002290),
a = h(a, i, o, t, n[c + 15], 22, 1236535329),
t = m(t, a, i, o, n[c + 1], 5, -165796510),
o = m(o, t, a, i, n[c + 6], 9, -1069501632),
i = m(i, o, t, a, n[c + 11], 14, 643717713),
a = m(a, i, o, t, n[c + 0], 20, -373897302),
t = m(t, a, i, o, n[c + 5], 5, -701558691),
o = m(o, t, a, i, n[c + 10], 9, 38016083),
i = m(i, o, t, a, n[c + 15], 14, -660478335),
a = m(a, i, o, t, n[c + 4], 20, -405537848),
t = m(t, a, i, o, n[c + 9], 5, 568446438),
o = m(o, t, a, i, n[c + 14], 9, -1019803690),
i = m(i, o, t, a, n[c + 3], 14, -187363961),
a = m(a, i, o, t, n[c + 8], 20, 1163531501),
t = m(t, a, i, o, n[c + 13], 5, -1444681467),
o = m(o, t, a, i, n[c + 2], 9, -51403784),
i = m(i, o, t, a, n[c + 7], 14, 1735328473),
a = m(a, i, o, t, n[c + 12], 20, -1926607734),
t = A(t, a, i, o, n[c + 5], 4, -378558),
o = A(o, t, a, i, n[c + 8], 11, -2022574463),
i = A(i, o, t, a, n[c + 11], 16, 1839030562),
a = A(a, i, o, t, n[c + 14], 23, -35309556),
t = A(t, a, i, o, n[c + 1], 4, -1530992060),
o = A(o, t, a, i, n[c + 4], 11, 1272893353),
i = A(i, o, t, a, n[c + 7], 16, -155497632),
a = A(a, i, o, t, n[c + 10], 23, -1094730640),
t = A(t, a, i, o, n[c + 13], 4, 681279174),
o = A(o, t, a, i, n[c + 0], 11, -358537222),
i = A(i, o, t, a, n[c + 3], 16, -722521979),
a = A(a, i, o, t, n[c + 6], 23, 76029189),
t = A(t, a, i, o, n[c + 9], 4, -640364487),
o = A(o, t, a, i, n[c + 12], 11, -421815835),
i = A(i, o, t, a, n[c + 15], 16, 530742520),
a = A(a, i, o, t, n[c + 2], 23, -995338651),
t = p(t, a, i, o, n[c + 0], 6, -198630844),
o = p(o, t, a, i, n[c + 7], 10, 1126891415),
i = p(i, o, t, a, n[c + 14], 15, -1416354905),
a = p(a, i, o, t, n[c + 5], 21, -57434055),
t = p(t, a, i, o, n[c + 12], 6, 1700485571),
o = p(o, t, a, i, n[c + 3], 10, -1894986606),
i = p(i, o, t, a, n[c + 10], 15, -1051523),
a = p(a, i, o, t, n[c + 1], 21, -2054922799),
t = p(t, a, i, o, n[c + 8], 6, 1873313359),
o = p(o, t, a, i, n[c + 15], 10, -30611744),
i = p(i, o, t, a, n[c + 6], 15, -1560198380),
a = p(a, i, o, t, n[c + 13], 21, 1309151649),
t = p(t, a, i, o, n[c + 4], 6, -145523070),
o = p(o, t, a, i, n[c + 11], 10, -1120210379),
i = p(i, o, t, a, n[c + 2], 15, 718787259),
a = p(a, i, o, t, n[c + 9], 21, -343485551),
t = f(t, s),
a = f(a, l),
i = f(i, r),
o = f(o, d)
}
return Array(t, a, i, o)
};
function l(n) {
for (var e = Array(n.length >> 2), t = 0; t < e.length; t++)
e[t] = 0;
for (t = 0; t < 8 * n.length; t += 8)
e[t >> 5] |= (255 & n.charCodeAt(t / 8)) << t % 32;
return e
};
function h(n, e, t, a, i, o, c) {
return u(e & t | ~e & a, n, e, i, o, c)
};
function f(n, e) {
var t = (65535 & n) + (65535 & e)
, a = (n >> 16) + (e >> 16) + (t >> 16);
return a << 16 | 65535 & t
};
function g(n, e) {
return n << e | n >>> 32 - e
};
function m(n, e, t, a, i, o, c) {
return u(e & a | t & ~a, n, e, i, o, c)
};
function A(n, e, t, a, i, o, c) {
return u(e ^ t ^ a, n, e, i, o, c)
};
function p(n, e, t, a, i, o, c) {
return u(t ^ (e | ~a), n, e, i, o, c)
};
function u(n, e, t, a, i, o) {
return f(g(f(f(e, n), f(a, o)), i), t)
}
console.log(i('123456'))运行结果
看复制的代码的位置,其实就是'87ff'中的绝大部分代码块,之所以不用webpack是因为'87ff'没有调用其他的模块,所以直接扣就可以。
现在处理sig怎么加密的,先生成e,跟上面的步骤一样来。
然后开始写
g["a"](H(S(e)),回到G栈,找到S函数,H函数,g['a']函数。并复制
它们分别为
g.a其实就是i函数。最后结果。
最终代码:
var a = 0;
function p(n, e, t, a, i, o, c) {
return u(t ^ (e | ~a), n, e, i, o, c)
};
function A(n, e, t, a, i, o, c) {
return u(e ^ t ^ a, n, e, i, o, c)
};
function m(n, e, t, a, i, o, c) {
return u(e & a | t & ~a, n, e, i, o, c)
};
function g(n, e) {
return n << e | n >>> 32 - e
};
function f(n, e) {
var t = (65535 & n) + (65535 & e)
, a = (n >> 16) + (e >> 16) + (t >> 16);
return a << 16 | 65535 & t
};
function u(n, e, t, a, i, o) {
return f(g(f(f(e, n), f(a, o)), i), t)
};
function h(n, e, t, a, i, o, c) {
return u(e & t | ~e & a, n, e, i, o, c)
};
function l(n) {
for (var e = Array(n.length >> 2), t = 0; t < e.length; t++)
e[t] = 0;
for (t = 0; t < 8 * n.length; t += 8)
e[t >> 5] |= (255 & n.charCodeAt(t / 8)) << t % 32;
return e
};
function d(n, e) {
n[e >> 5] |= 128 << e % 32,
n[14 + (e + 64 >>> 9 << 4)] = e;
for (var t = 1732584193, a = -271733879, i = -1732584194, o = 271733878, c = 0; c < n.length; c += 16) {
var s = t
, l = a
, r = i
, d = o;
t = h(t, a, i, o, n[c + 0], 7, -680876936),
o = h(o, t, a, i, n[c + 1], 12, -389564586),
i = h(i, o, t, a, n[c + 2], 17, 606105819),
a = h(a, i, o, t, n[c + 3], 22, -1044525330),
t = h(t, a, i, o, n[c + 4], 7, -176418897),
o = h(o, t, a, i, n[c + 5], 12, 1200080426),
i = h(i, o, t, a, n[c + 6], 17, -1473231341),
a = h(a, i, o, t, n[c + 7], 22, -45705983),
t = h(t, a, i, o, n[c + 8], 7, 1770035416),
o = h(o, t, a, i, n[c + 9], 12, -1958414417),
i = h(i, o, t, a, n[c + 10], 17, -42063),
a = h(a, i, o, t, n[c + 11], 22, -1990404162),
t = h(t, a, i, o, n[c + 12], 7, 1804603682),
o = h(o, t, a, i, n[c + 13], 12, -40341101),
i = h(i, o, t, a, n[c + 14], 17, -1502002290),
a = h(a, i, o, t, n[c + 15], 22, 1236535329),
t = m(t, a, i, o, n[c + 1], 5, -165796510),
o = m(o, t, a, i, n[c + 6], 9, -1069501632),
i = m(i, o, t, a, n[c + 11], 14, 643717713),
a = m(a, i, o, t, n[c + 0], 20, -373897302),
t = m(t, a, i, o, n[c + 5], 5, -701558691),
o = m(o, t, a, i, n[c + 10], 9, 38016083),
i = m(i, o, t, a, n[c + 15], 14, -660478335),
a = m(a, i, o, t, n[c + 4], 20, -405537848),
t = m(t, a, i, o, n[c + 9], 5, 568446438),
o = m(o, t, a, i, n[c + 14], 9, -1019803690),
i = m(i, o, t, a, n[c + 3], 14, -187363961),
a = m(a, i, o, t, n[c + 8], 20, 1163531501),
t = m(t, a, i, o, n[c + 13], 5, -1444681467),
o = m(o, t, a, i, n[c + 2], 9, -51403784),
i = m(i, o, t, a, n[c + 7], 14, 1735328473),
a = m(a, i, o, t, n[c + 12], 20, -1926607734),
t = A(t, a, i, o, n[c + 5], 4, -378558),
o = A(o, t, a, i, n[c + 8], 11, -2022574463),
i = A(i, o, t, a, n[c + 11], 16, 1839030562),
a = A(a, i, o, t, n[c + 14], 23, -35309556),
t = A(t, a, i, o, n[c + 1], 4, -1530992060),
o = A(o, t, a, i, n[c + 4], 11, 1272893353),
i = A(i, o, t, a, n[c + 7], 16, -155497632),
a = A(a, i, o, t, n[c + 10], 23, -1094730640),
t = A(t, a, i, o, n[c + 13], 4, 681279174),
o = A(o, t, a, i, n[c + 0], 11, -358537222),
i = A(i, o, t, a, n[c + 3], 16, -722521979),
a = A(a, i, o, t, n[c + 6], 23, 76029189),
t = A(t, a, i, o, n[c + 9], 4, -640364487),
o = A(o, t, a, i, n[c + 12], 11, -421815835),
i = A(i, o, t, a, n[c + 15], 16, 530742520),
a = A(a, i, o, t, n[c + 2], 23, -995338651),
t = p(t, a, i, o, n[c + 0], 6, -198630844),
o = p(o, t, a, i, n[c + 7], 10, 1126891415),
i = p(i, o, t, a, n[c + 14], 15, -1416354905),
a = p(a, i, o, t, n[c + 5], 21, -57434055),
t = p(t, a, i, o, n[c + 12], 6, 1700485571),
o = p(o, t, a, i, n[c + 3], 10, -1894986606),
i = p(i, o, t, a, n[c + 10], 15, -1051523),
a = p(a, i, o, t, n[c + 1], 21, -2054922799),
t = p(t, a, i, o, n[c + 8], 6, 1873313359),
o = p(o, t, a, i, n[c + 15], 10, -30611744),
i = p(i, o, t, a, n[c + 6], 15, -1560198380),
a = p(a, i, o, t, n[c + 13], 21, 1309151649),
t = p(t, a, i, o, n[c + 4], 6, -145523070),
o = p(o, t, a, i, n[c + 11], 10, -1120210379),
i = p(i, o, t, a, n[c + 2], 15, 718787259),
a = p(a, i, o, t, n[c + 9], 21, -343485551),
t = f(t, s),
a = f(a, l),
i = f(i, r),
o = f(o, d)
}
return Array(t, a, i, o)
};
function r(n) {
for (var e = "", t = 0; t < 32 * n.length; t += 8)
e += String.fromCharCode(n[t >> 5] >>> t % 32 & 255);
return e
};
function c(n) {
for (var e, t = a ? "0123456789ABCDEF" : "0123456789abcdef", i = "", o = 0; o < n.length; o++)
e = n.charCodeAt(o),
i += t.charAt(e >>> 4 & 15) + t.charAt(15 & e);
return i
};
function o(n) {
return r(d(l(n), 8 * n.length))
};
function i(n) {
return c(o(s(n)))
};
function s(n) {
var e, t, a = "", i = -1;
while (++i < n.length)
e = n.charCodeAt(i),
t = i + 1 < n.length ? n.charCodeAt(i + 1) : 0,
55296 <= e && e <= 56319 && 56320 <= t && t <= 57343 && (e = 65536 + ((1023 & e) << 10) + (1023 & t),
i++),
e <= 127 ? a += String.fromCharCode(e) : e <= 2047 ? a += String.fromCharCode(192 | e >>> 6 & 31, 128 | 63 & e) : e <= 65535 ? a += String.fromCharCode(224 | e >>> 12 & 15, 128 | e >>> 6 & 63, 128 | 63 & e) : e <= 2097151 && (a += String.fromCharCode(240 | e >>> 18 & 7, 128 | e >>> 12 & 63, 128 | e >>> 6 & 63, 128 | 63 & e));
return a
};
function H(n) {
var e = []
, t = "";
for (var a in n)
e.push(n[a]);
for (var i = 0; i < e.length; i++)
t += e[i] + "";
return t += "JzyqgcoojMiQNuQoTlbR5EBT8TsqzJ",
t
};
function S(n) {
for (var e = Object.keys(n).sort(), t = {}, a = 0; a < e.length; a++)
t[e[a]] = n[e[a]];
return t
};
password = '123456'
phoneNum = "18720180853"
function get_info(phoneNum,password){
pwd = i(password)
e = {
"phoneNum": phoneNum,
"pwd": pwd,
"t": (new Date).getTime(),
"tenant": 1,
}
// console.log(i(password))
sig = i(H(S(e)))
return [pwd,sig,e.t]
}
console.log(get_info(phoneNum,password))用python调用访问代码:
import requests
import execjs
f = open('红人点集.js','r',encoding='utf-8').read()
json_code = execjs.compile(f)
data = json_code.call('get_info','18720180853','123456')
print(data)
headers = {
'Accept': 'application/json, text/plain, */*',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Cache-Control': 'no-cache',
'Connection': 'keep-alive',
'Content-Type': 'application/json',
'Origin': 'https://www.hrdjyun.com',
'Pragma': 'no-cache',
'Sec-Fetch-Dest': 'empty',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Site': 'same-site',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"',
'sec-ch-ua-mobile': '?0',
'sec-ch-ua-platform': '"Windows"',
}
json_data = {
'phoneNum': '18720180853',
'pwd': data[0],
't': data[2],
'tenant': 1,
'sig': data[1],
}
response = requests.post('https://user.hrdjyun.com/wechat/phonePwdLogin', headers=headers, json=json_data)
print(response.json())
扫一扫
617
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
