蘑菇街mw-sign值计算(java版源码)

最新推荐文章于 2021-07-02 10:12:31 发布

小莫理

最新推荐文章于 2021-07-02 10:12:31 发布

阅读量979

点赞数

分类专栏： java

本文链接：https://blog.csdn.net/qq_29556507/article/details/103277125

版权

java 专栏收录该内容

47 篇文章 1 订阅

订阅专栏

一.需求描述

在采集蘑菇街的时候，去水印的接口中有mw-sign参数,经过测试发现此参数无法伪造，可以重放。为了脱离浏览器进行采集，需要将这个值解出来。

在通过浏览器搜索中,找到这个地址,我们发现这个参数

这个是找到的z方法,也是要执行的主要方法 buildQuery

var z = V(function(t) { var v, g, _, w, b; v = U, g = J.utf8, _ = F, w = J.bin, (b = function(t, e) { t.constructor == String ? t = e && "binary" === e.encoding ? w.stringToBytes(t) : g.stringToBytes(t) : _(t) ? t = Array.prototype.slice.call(t, 0) : Array.isArray(t) || (t = t.toString()); for (var n = v.bytesToWords(t), o = 8 * t.length, r = 1732584193, i = -271733879, s = -1732584194, a = 271733878, u = 0; u < n.length; u++) n[u] = 16711935 & (n[u] << 8 | n[u] >>> 24) | 4278255360 & (n[u] << 24 | n[u] >>> 8); n[o >>> 5] |= 128 << o % 32, n[14 + (o + 64 >>> 9 << 4)] = o; var c = b._ff , p = b._gg , l = b._hh , h = b._ii; for (u = 0; u < n.length; u += 16) { var f = r , d = i , y = s , m = a; i = h(i = h(i = h(i = h(i = l(i = l(i = l(i = l(i = p(i = p(i = p(i = p(i = c(i = c(i = c(i = c(i, s = c(s, a = c(a, r = c(r, i, s, a, n[u + 0], 7, -680876936), i, s, n[u + 1], 12, -389564586), r, i, n[u + 2], 17, 606105819), a, r, n[u + 3], 22, -1044525330), s = c(s, a = c(a, r = c(r, i, s, a, n[u + 4], 7, -176418897), i, s, n[u + 5], 12, 1200080426), r, i, n[u + 6], 17, -1473231341), a, r, n[u + 7], 22, -45705983), s = c(s, a = c(a, r = c(r, i, s, a, n[u + 8], 7, 1770035416), i, s, n[u + 9], 12, -1958414417), r, i, n[u + 10], 17, -42063), a, r, n[u + 11], 22, -1990404162), s = c(s, a = c(a, r = c(r, i, s, a, n[u + 12], 7, 1804603682), i, s, n[u + 13], 12, -40341101), r, i, n[u + 14], 17, -1502002290), a, r, n[u + 15], 22, 1236535329), s = p(s, a = p(a, r = p(r, i, s, a, n[u + 1], 5, -165796510), i, s, n[u + 6], 9, -1069501632), r, i, n[u + 11], 14, 643717713), a, r, n[u + 0], 20, -373897302), s = p(s, a = p(a, r = p(r, i, s, a, n[u + 5], 5, -701558691), i, s, n[u + 10], 9, 38016083), r, i, n[u + 15], 14, -660478335), a, r, n[u + 4], 20, -405537848), s = p(s, a = p(a, r = p(r, i, s, a, n[u + 9], 5, 568446438), i, s, n[u + 14], 9, -1019803690), r, i, n[u + 3], 14, -187363961), a, r, n[u + 8], 20, 1163531501), s = p(s, a = p(a, r = p(r, i, s, a, n[u + 13], 5, -1444681467), i, s, n[u + 2], 9, -51403784), r, i, n[u + 7], 14, 1735328473), a, r, n[u + 12], 20, -1926607734), s = l(s, a = l(a, r = l(r, i, s, a, n[u + 5], 4, -378558), i, s, n[u + 8], 11, -2022574463), r, i, n[u + 11], 16, 1839030562), a, r, n[u + 14], 23, -35309556), s = l(s, a = l(a, r = l(r, i, s, a, n[u + 1], 4, -1530992060), i, s, n[u + 4], 11, 1272893353), r, i, n[u + 7], 16, -155497632), a, r, n[u + 10], 23, -1094730640), s = l(s, a = l(a, r = l(r, i, s, a, n[u + 13], 4, 681279174), i, s, n[u + 0], 11, -358537222), r, i, n[u + 3], 16, -722521979), a, r, n[u + 6], 23, 76029189), s = l(s, a = l(a, r = l(r, i, s, a, n[u + 9], 4, -640364487), i, s, n[u + 12], 11, -421815835), r, i, n[u + 15], 16, 530742520), a, r, n[u + 2], 23, -995338651), s = h(s, a = h(a, r = h(r, i, s, a, n[u + 0], 6, -198630844), i, s, n[u + 7], 10, 1126891415), r, i, n[u + 14], 15, -1416354905), a, r, n[u + 5], 21, -57434055), s = h(s, a = h(a, r = h(r, i, s, a, n[u + 12], 6, 1700485571), i, s, n[u + 3], 10, -1894986606), r, i, n[u + 10], 15, -1051523), a, r, n[u + 1], 21, -2054922799), s = h(s, a = h(a, r = h(r, i, s, a, n[u + 8], 6, 1873313359), i, s, n[u + 15], 10, -30611744), r, i, n[u + 6], 15, -1560198380), a, r, n[u + 13], 21, 1309151649), s = h(s, a = h(a, r = h(r, i, s, a, n[u + 4], 6, -145523070), i, s, n[u + 11], 10, -1120210379), r, i, n[u + 2], 15, 718787259), a, r, n[u + 9], 21, -343485551), r = r + f >>> 0, i = i + d >>> 0, s = s + y >>> 0, a = a + m >>> 0 } return v.endian([r, i, s, a]) } )._ff = function(t, e, n, o, r, i, s) { var a = t + (e & n | ~e & o) + (r >>> 0) + s; return (a << i | a >>> 32 - i) + e } , b._gg = function(t, e, n, o, r, i, s) { var a = t + (e & o | n & ~o) + (r >>> 0) + s; return (a << i | a >>> 32 - i) + e } , b._hh = function(t, e, n, o, r, i, s) { var a = t + (e ^ n ^ o) + (r >>> 0) + s; return (a << i | a >>> 32 - i) + e } , b._ii = function(t, e, n, o, r, i, s) { var a = t + (n ^ (e | ~o)) + (r >>> 0) + s; return (a << i | a >>> 32 - i) + e } , b._blocksize = 16, b._digestsize = 16, t.exports = function(t, e) { if (null == t) throw new Error("Illegal argument " + t); var n = v.wordsToBytes(b(t, e)); return e && e.asBytes ? n : e && e.asString ? w.bytesToString(n) : v.bytesToHex(n) } })

拿这个时候,我们也知道java也提供有执行js的方法,,经过测试,完成可以用的

ScriptEngine engine = manager.getEngineByName("javascript"); engine.eval(MoGujieJsUtils.jssign); if (engine instanceof Invocable) { Invocable invocable = (Invocable) engine; JavaScriptInterface executeMethod = invocable.getInterface(JavaScriptInterface.class); String token = executeMethod.z(tokenDataString); }

这里提供的 MoGujieJsUtils.jssign 就是上面提供的那个js中的z方法

结合请求参数，对这一串字符的组成部分进行简单猜测:

大致就是"mw-appkey","mw-ckey","mw-h5-os","mw-t","mw-ttid","mw-uuid",以及部分请求地址("mwp.pagani.search/19/")使用"&"拼接而成，

"b9cab4ab7f543491e2c4f6c556711345"是第一步调用z方法的计算结果，

"39a9ae72d3faec64f157166036f84edd_1564026637963"来自cookie中的"_mwp_h5_token"

不过这种情况在执行一段时间后,就会失效的,这是因为这三个参数进行了控制