站点:aHR0cHM6Ly9wYXNzcG9ydC5mYW5nLmNvbS8=
1. 抓包
鼠标右键检查元素,点击开发者工具中的 `Fetch/XHR`,一般的登录接口都能在这里抓到。然后输入账号和一个错误的密码,抓到如下请求:
而请求中的参数如下:
显然,`pwd` 参数,是我们需要逆向的参数。
2. 定位 `pwd` 参数生成逻辑
2.1 全局搜索 `pwd` 参数
搜索时一般不要直接使用 `pwd` 这类过于宽泛的关键字,而应使用带有特殊字符的关键字,如 `pwd: `、`pwd = ` 等,这样可以过滤掉很大一部分无效结果。在本例中,我们使用 `pwd:` 作为关键字进行搜索,结果如下:
只搜索到一个js文件,并且其中只有两处包含我们搜索的关键字,点击进入该文件,在这两处分别打上断点,如下:
在登录界面,重新点击 `登录` 按钮,即可触发断点,如下:
2.2 单步调试
鼠标放在 `encryptedString()` 函数上,出现如下提示:
大胆猜测一下,pwd生成调用的函数为 `encryptedString(n, t)`,并且该函数中的参数 n 对应的是`key_to_encode`,参数 t 对应的是 `that.password.val()`,并且加密方法为RSA加密。为了验证我们的猜想,继续单步调试,进入到该函数里边,查看它的具体逻辑,如下:
打印参数n,它是调用RSAKeyPair方法得到的一个对象,并且该函数的返回值 `o.substring(0, o.length - 1)` 为pwd加密后的结果。
2.3 参数获取
2.3.1 参数n,即:`key_to_encode`, 全局搜索 `key_to_encode`,在初始页面的源码中包含该参数的声明,如下:
右键 `查看源码`,搜索该参数,找到之后,全部复制下来即可。
2.3.2 参数t,明文的密码
3. 构造js代码如下
/**
 * Sets how many digits every BigInt created from now on will hold, and
 * rebuilds the shared values that depend on that size.
 *
 * Writes the module-level variables maxDigits, ZERO_ARRAY (an all-zero
 * template array of length n), bigZero and bigOne (a BigInt whose lowest
 * digit is 1).
 *
 * @param {number} n - number of digits per BigInt.
 */
function setMaxDigits(n) {
    var idx = 0;
    maxDigits = n;
    ZERO_ARRAY = new Array(maxDigits);
    while (idx < ZERO_ARRAY.length) {
        ZERO_ARRAY[idx] = 0;
        idx += 1;
    }
    bigZero = new BigInt();
    bigOne = new BigInt();
    bigOne.digits[0] = 1;
}
/**
 * Constructor for the library's multi-digit integer.
 *
 * Note that this declaration shadows the native `BigInt` global inside the
 * script; the two are unrelated.
 *
 * @param {boolean} [n] - pass exactly `true` to skip allocating the digit
 *     array (digits is left as null, for callers that assign their own
 *     array). Any other value gives a fresh copy of ZERO_ARRAY.
 */
function BigInt(n) {
    if (typeof n == "boolean" && n == true) {
        this.digits = null;
    } else {
        this.digits = ZERO_ARRAY.slice(0);
    }
    this.isNeg = false;
}
/**
 * Returns an independent copy of a BigInt: the digit array is duplicated
 * with slice(), the sign flag is copied.
 *
 * @param {BigInt} n - value to copy.
 * @returns {BigInt} new object that shares no array with n.
 */
function biCopy(n) {
    // `true` asks the constructor not to allocate digits; they are set below.
    var clone = new BigInt(true);
    clone.digits = n.digits.slice(0);
    clone.isNeg = n.isNeg;
    return clone;
}
/**
 * Converts a JavaScript number into a BigInt, lowest digit first.
 *
 * The sign is recorded in isNeg and the magnitude is split into digits by
 * masking with maxDigitVal and dividing by biRadix until nothing is left.
 *
 * @param {number} n - value to convert.
 * @returns {BigInt} the converted value.
 */
function biFromNumber(n) {
    var out = new BigInt();
    var slot = 0;
    out.isNeg = n < 0;
    n = Math.abs(n);
    while (n > 0) {
        out.digits[slot] = n & maxDigitVal;
        slot += 1;
        n = Math.floor(n / biRadix);
    }
    return out;
}
/**
 * Returns the characters of a string in reverse order.
 *
 * @param {string} n - input string.
 * @returns {string} reversed string ("" for an empty input).
 */
function reverseStr(n) {
    var out = "";
    var pos = n.length;
    while (pos > 0) {
        pos -= 1;
        out += n.charAt(pos);
    }
    return out;
}
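/**
 * Formats one digit as exactly four lowercase hex characters.
 *
 * The nibbles are emitted lowest first and the string is reversed at the
 * end, so the result reads most-significant nibble first.
 *
 * @param {number} n - digit value; only its low 16 bits are used.
 * @returns {string} four hex characters.
 */
function digitToHex(n) {
    var hex = "";
    // Declared locally: the loop counter used to be assigned without a
    // declaration, which created/overwrote a global `i` and throws in
    // strict mode.
    var i;
    for (i = 0; i < 4; ++i) {
        hex += hexToChar[n & 15];
        n >>>= 4;
    }
    return reverseStr(hex);
}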
/**
 * Renders a BigInt as a hex string, most-significant digit first, four hex
 * characters per digit. Leading all-zero digits are skipped, but the top
 * digit itself is still zero-padded to four characters. The sign flag is
 * not part of the output.
 *
 * @param {BigInt} n - value to format.
 * @returns {string} hex text.
 */
function biToHex(n) {
    var hex = "";
    var pos = biHighIndex(n);
    while (pos > -1) {
        hex += digitToHex(n.digits[pos]);
        pos -= 1;
    }
    return hex;
}
/**
 * Maps a character code to its numeric digit value.
 *
 * '0'-'9' give 0-9; 'A'-'Z' and 'a'-'z' give 10-35 (the accepted letter
 * range is wider than a-f). Every other code gives 0, so invalid input is
 * not reported.
 *
 * @param {number} n - character code, e.g. from String.prototype.charCodeAt.
 * @returns {number} digit value, or 0 for an unrecognised character.
 */
function charToHex(n) {
    var DIGIT_0 = 48;
    var DIGIT_9 = DIGIT_0 + 9;
    var UPPER_A = 65;
    var UPPER_Z = 90;
    var LOWER_A = 97;
    var LOWER_Z = LOWER_A + 25;
    if (n >= DIGIT_0 && n <= DIGIT_9) {
        return n - DIGIT_0;
    }
    if (n >= UPPER_A && n <= UPPER_Z) {
        return 10 + n - UPPER_A;
    }
    if (n >= LOWER_A && n <= LOWER_Z) {
        return 10 + n - LOWER_A;
    }
    return 0;
}
/**
 * Parses up to the first four characters of a hex string into one digit.
 *
 * Characters are consumed left to right, each contributing four bits.
 * Unrecognised characters count as 0 because charToHex returns 0 for them.
 *
 * @param {string} n - hex text; anything past the fourth character is ignored.
 * @returns {number} parsed value (0 for an empty string).
 */
function hexToDigit(n) {
    var value = 0;
    var count = Math.min(n.length, 4);
    var pos;
    for (pos = 0; pos < count; pos += 1) {
        value = (value << 4) | charToHex(n.charCodeAt(pos));
    }
    return value;
}
/**
 * Parses a hex string into a BigInt.
 *
 * The string is read from its end in groups of four characters; each group
 * becomes one digit, lowest digit first. An empty string yields a BigInt
 * whose digits are all zero.
 *
 * @param {string} n - hex text, most-significant character first.
 * @returns {BigInt} parsed value (isNeg is left false).
 */
function biFromHex(n) {
    var out = new BigInt();
    var end = n.length;
    var slot = 0;
    while (end > 0) {
        out.digits[slot] = hexToDigit(n.substr(Math.max(end - 4, 0), Math.min(end, 4)));
        end -= 4;
        slot += 1;
    }
    return out;
}
/**
 * Returns n - t as a new BigInt.
 *
 * Operands with different signs are handed to biAdd with t's sign flipped.
 * Operands with the same sign are subtracted digit by digit with a borrow;
 * if a borrow is left over at the end, the result is negated digit by digit
 * and given the opposite sign of n.
 *
 * NOTE(review): biAdd is not defined anywhere in this listing, so the
 * different-sign branch would throw a ReferenceError unless it is supplied
 * elsewhere.
 *
 * @param {BigInt} n - minuend.
 * @param {BigInt} t - subtrahend; its isNeg flag is flipped and restored
 *     during the call when the signs differ.
 * @returns {BigInt} the difference.
 */
function biSubtract(n, t) {
    var r, f, u, i;
    if (n.isNeg != t.isNeg)
        // n - t == n + (-t): flip t's sign in place, add, then flip it back.
        t.isNeg = !t.isNeg,
        r = biAdd(n, t),
        t.isNeg = !t.isNeg;
    else {
        // u is the borrow carried into the next digit: 0 or -1.
        for (r = new BigInt,
        u = 0,
        i = 0; i < n.digits.length; ++i)
            f = n.digits[i] - t.digits[i] + u,
            r.digits[i] = f % biRadix,
            // % keeps the sign of f, so a negative remainder is wrapped back into range.
            r.digits[i] < 0 && (r.digits[i] += biRadix),
            u = 0 - Number(f < 0);
        if (u == -1) {
            // A borrow out of the top digit: replace r by 0 - r and flip the sign.
            for (u = 0,
            i = 0; i < n.digits.length; ++i)
                f = 0 - r.digits[i] + u,
                r.digits[i] = f % biRadix,
                r.digits[i] < 0 && (r.digits[i] += biRadix),
                u = 0 - Number(f < 0);
            r.isNeg = !n.isNeg
        } else
            r.isNeg = n.isNeg
    }
    return r
}
/**
 * Returns the index of the highest non-zero digit of a BigInt.
 *
 * The scan stops at index 0, so a value whose digits are all zero gives 0.
 *
 * @param {BigInt} n - value to inspect (only n.digits is read).
 * @returns {number} index of the top significant digit.
 */
function biHighIndex(n) {
    var top = n.digits.length - 1;
    while (top > 0 && n.digits[top] == 0) {
        top -= 1;
    }
    return top;
}
/**
 * Returns the number of significant bits in a BigInt.
 *
 * Starts from the bit count of all digits up to and including the top
 * non-zero one, then subtracts one for every leading zero bit of that top
 * digit. The mask 32768 tests bit 15, i.e. the code assumes 16-bit digits.
 *
 * @param {BigInt} n - value to measure.
 * @returns {number} bit length; for a zero top digit the result is
 *     bitsPerDigit less than the starting count.
 */
function biNumBits(n) {
    var top = biHighIndex(n);
    var digit = n.digits[top];
    var maxBits = (top + 1) * bitsPerDigit;
    var bits = maxBits;
    while (bits > maxBits - bitsPerDigit && (digit & 32768) == 0) {
        digit <<= 1;
        bits -= 1;
    }
    return bits;
}
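/**
 * Returns n * t as a new BigInt using schoolbook multiplication.
 *
 * Each digit of t is multiplied into every significant digit of n and
 * accumulated into the result with a carry. The result is negative when
 * exactly one operand is negative.
 *
 * @param {BigInt} n - first factor.
 * @param {BigInt} t - second factor.
 * @returns {BigInt} the product. Digits written past the result's original
 *     length extend the array rather than being range-checked.
 */
function biMultiply(n, t) {
    var product = new BigInt();
    var topN = biHighIndex(n);
    var topT = biHighIndex(t);
    var carry, sum, slot, row;
    // Declared locally: the inner counter used to be assigned without a
    // declaration, which leaked a global `j` and throws in strict mode.
    var j;
    for (row = 0; row <= topT; ++row) {
        carry = 0;
        slot = row;
        for (j = 0; j <= topN; ++j, ++slot) {
            sum = product.digits[slot] + n.digits[j] * t.digits[row] + carry;
            product.digits[slot] = sum & maxDigitVal;
            // Unsigned shift: sum can use all 32 bits.
            carry = sum >>> biRadixBits;
        }
        product.digits[row + topN + 1] = carry;
    }
    product.isNeg = n.isNeg != t.isNeg;
    return product;
}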
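/**
 * Returns n multiplied by a single digit value.
 *
 * @param {BigInt} n - multi-digit factor.
 * @param {number} t - single-digit factor.
 * @returns {BigInt} the product; its sign flag is left at the constructor
 *     default (false).
 */
function biMultiplyDigit(n, t) {
    // Declared locally: the accumulator used to be assigned to an undeclared
    // `result`, which leaked a global and throws in strict mode.
    var product = new BigInt();
    var top = biHighIndex(n);
    var carry = 0;
    var pos, sum;
    for (pos = 0; pos <= top; ++pos) {
        sum = product.digits[pos] + n.digits[pos] * t + carry;
        product.digits[pos] = sum & maxDigitVal;
        carry = sum >>> biRadixBits;
    }
    product.digits[1 + top] = carry;
    return product;
}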
/**
 * Copies a run of elements from one array into another.
 *
 * Reading stops at the end of the source array even if more elements were
 * requested. The destination is not bounds-checked: writing past its end
 * extends it.
 *
 * @param {Array} n - source array.
 * @param {number} t - first source index to read.
 * @param {Array} i - destination array (modified in place).
 * @param {number} r - first destination index to write.
 * @param {number} u - maximum number of elements to copy.
 */
function arrayCopy(n, t, i, r, u) {
    var stop = Math.min(t + u, n.length);
    var from = t;
    var to = r;
    while (from < stop) {
        i[to] = n[from];
        from += 1;
        to += 1;
    }
}
/**
 * Returns n shifted left by t bits as a new BigInt.
 *
 * Whole-digit movement is done with arrayCopy; the remaining 0..15 bits
 * are shifted digit by digit from the top down, pulling the high bits of
 * the digit below into each digit. Bits pushed past the top digit are
 * dropped.
 *
 * @param {BigInt} n - value to shift.
 * @param {number} t - number of bit positions.
 * @returns {BigInt} shifted value with n's sign.
 */
function biShiftLeft(n, t) {
    var digitShift = Math.floor(t / bitsPerDigit);
    var out = new BigInt();
    var bitShift, carryShift, hi, lo;
    arrayCopy(n.digits, 0, out.digits, digitShift, out.digits.length - digitShift);
    bitShift = t % bitsPerDigit;
    carryShift = bitsPerDigit - bitShift;
    hi = out.digits.length - 1;
    lo = hi - 1;
    while (hi > 0) {
        out.digits[hi] = ((out.digits[hi] << bitShift) & maxDigitVal) |
            ((out.digits[lo] & highBitMasks[bitShift]) >>> carryShift);
        hi -= 1;
        lo -= 1;
    }
    // The lowest digit has no neighbour below it to borrow bits from.
    out.digits[0] = (out.digits[hi] << bitShift) & maxDigitVal;
    out.isNeg = n.isNeg;
    return out;
}
/**
 * Returns n shifted right by t bits as a new BigInt.
 *
 * Whole-digit movement is done with arrayCopy; the remaining 0..15 bits
 * are shifted digit by digit from the bottom up, pulling the low bits of
 * the digit above into each digit.
 *
 * @param {BigInt} n - value to shift.
 * @param {number} t - number of bit positions.
 * @returns {BigInt} shifted value with n's sign.
 */
function biShiftRight(n, t) {
    var digitShift = Math.floor(t / bitsPerDigit);
    var out = new BigInt();
    var bitShift, carryShift, pos, last;
    arrayCopy(n.digits, digitShift, out.digits, 0, n.digits.length - digitShift);
    bitShift = t % bitsPerDigit;
    carryShift = bitsPerDigit - bitShift;
    last = out.digits.length - 1;
    for (pos = 0; pos < last; pos += 1) {
        out.digits[pos] = (out.digits[pos] >>> bitShift) |
            ((out.digits[pos + 1] & lowBitMasks[bitShift]) << carryShift);
    }
    // The top digit has no neighbour above it to take bits from.
    out.digits[last] >>>= bitShift;
    out.isNeg = n.isNeg;
    return out;
}
/**
 * Returns n with its digits moved up by t positions (n times radix^t).
 * Digits moved past the top of the result are dropped; the sign flag is
 * not copied.
 *
 * @param {BigInt} n - value to scale.
 * @param {number} t - number of digit positions.
 * @returns {BigInt} scaled value.
 */
function biMultiplyByRadixPower(n, t) {
    var out = new BigInt();
    arrayCopy(n.digits, 0, out.digits, t, out.digits.length - t);
    return out;
}
/**
 * Returns n with its lowest t digits discarded (n divided by radix^t,
 * remainder dropped). The sign flag is not copied.
 *
 * @param {BigInt} n - value to scale down.
 * @param {number} t - number of digit positions to drop.
 * @returns {BigInt} scaled value.
 */
function biDivideByRadixPower(n, t) {
    var out = new BigInt();
    arrayCopy(n.digits, t, out.digits, 0, out.digits.length - t);
    return out;
}
/**
 * Returns only the lowest t digits of n (n modulo radix^t). The sign flag
 * is not copied.
 *
 * @param {BigInt} n - value to reduce.
 * @param {number} t - number of low digits to keep.
 * @returns {BigInt} reduced value.
 */
function biModuloByRadixPower(n, t) {
    var out = new BigInt();
    arrayCopy(n.digits, 0, out.digits, 0, t);
    return out;
}
/**
 * Three-way comparison of two BigInts.
 *
 * Different signs are decided by n's sign alone. Same signs are decided by
 * the highest digit that differs, with the sense inverted when both values
 * are negative. The loop runs over n.digits.length positions.
 *
 * @param {BigInt} n - left operand.
 * @param {BigInt} t - right operand.
 * @returns {number} 1 if n > t, -1 if n < t, 0 if every digit matches.
 */
function biCompare(n, t) {
    var pos, left, right;
    if (n.isNeg != t.isNeg) {
        return 1 - 2 * Number(n.isNeg);
    }
    for (pos = n.digits.length - 1; pos >= 0; pos -= 1) {
        left = n.digits[pos];
        right = t.digits[pos];
        if (left != right) {
            if (n.isNeg) {
                return 1 - 2 * Number(left > right);
            }
            return 1 - 2 * Number(left < right);
        }
    }
    return 0;
}
/**
 * Divides n by t and returns a two-element array [quotient, remainder].
 *
 * When n has fewer significant bits than t the answer is produced directly.
 * Otherwise both operands are shifted left until the divisor's top digit is
 * at least biHalfRadix, the quotient is estimated one digit at a time from
 * the leading digits, and the remainder is shifted back at the end.
 *
 * NOTE(review): biAdd, called on two paths below, is not defined anywhere
 * in this listing; reaching either call would throw a ReferenceError unless
 * it is supplied elsewhere.
 *
 * @param {BigInt} n - dividend. Its isNeg flag is cleared and set again
 *     inside the short-dividend branch.
 * @param {BigInt} t - divisor. Its isNeg flag is cleared and restored in
 *     the same branch.
 * @returns {Array} [quotient, remainder], both BigInt.
 */
function biDivideModulo(n, t) {
    var a = biNumBits(n), s = biNumBits(t), v = t.isNeg, r, i, u, e, h, o, f, y, p;
    // Dividend is shorter than the divisor: no long division needed.
    if (a < s)
        // Negative n: quotient is one (bigOne) with the opposite sign of t and
        // the remainder is |t| - |n|; the operand signs are cleared for the
        // subtraction and then put back (v holds t's original sign).
        // Non-negative n: quotient is zero and the remainder is a copy of n.
        return n.isNeg ? (r = biCopy(bigOne),
        r.isNeg = !t.isNeg,
        n.isNeg = !1,
        t.isNeg = !1,
        i = biSubtract(t, n),
        n.isNeg = !0,
        t.isNeg = v) : (r = new BigInt,
        i = biCopy(n)),
        [r, i];
    // Normalise: shift t left one bit at a time until its top digit is at
    // least biHalfRadix. e counts the shifts, u is the index of t's top digit.
    for (r = new BigInt,
    i = n,
    u = Math.ceil(s / bitsPerDigit) - 1,
    e = 0; t.digits[u] < biHalfRadix;)
        t = biShiftLeft(t, 1),
        ++e,
        ++s,
        u = Math.ceil(s / bitsPerDigit) - 1;
    // Apply the same shift to the dividend, then subtract the divisor aligned
    // to the dividend's top digit as often as it fits.
    for (i = biShiftLeft(i, e),
    a += e,
    h = Math.ceil(a / bitsPerDigit) - 1,
    o = biMultiplyByRadixPower(t, h - u); biCompare(i, o) != -1;)
        ++r.digits[h - u],
        i = biSubtract(i, o);
    // One quotient digit per pass, from the top down.
    for (f = h; f > u; --f) {
        // Leading digits of the running remainder (c, w, b) and of the
        // divisor (l, k); indexes past the end of an array read as 0.
        var c = f >= i.digits.length ? 0 : i.digits[f]
        , w = f - 1 >= i.digits.length ? 0 : i.digits[f - 1]
        , b = f - 2 >= i.digits.length ? 0 : i.digits[f - 2]
        , l = u >= t.digits.length ? 0 : t.digits[u]
        , k = u - 1 >= t.digits.length ? 0 : t.digits[u - 1];
        // Initial estimate of the quotient digit, lowered while it is too big.
        // NOTE(review): the first computation of y uses `l * biRadix + k`, the
        // recomputation inside the loop uses `l * biRadix | k`. Bitwise OR
        // works on signed 32-bit values, so the two are not interchangeable
        // for large l -- confirm against the upstream library before changing.
        for (r.digits[f - u - 1] = c == l ? maxDigitVal : Math.floor((c * biRadix + w) / l),
        y = r.digits[f - u - 1] * (l * biRadix + k),
        p = c * biRadixSquared + (w * biRadix + b); y > p;)
            --r.digits[f - u - 1],
            y = r.digits[f - u - 1] * (l * biRadix | k),
            p = c * biRadix * biRadix + (w * biRadix + b);
        o = biMultiplyByRadixPower(t, f - u - 1);
        i = biSubtract(i, biMultiplyDigit(o, r.digits[f - u - 1]));
        // Estimate was still one too high: add the divisor back once.
        i.isNeg && (i = biAdd(i, o),
        --r.digits[f - u - 1])
    }
    // Undo the normalisation shift on the remainder and fix up the signs; a
    // remainder of zero is always reported as non-negative.
    return i = biShiftRight(i, e),
    r.isNeg = n.isNeg != v,
    n.isNeg && (r = v ? biAdd(r, bigOne) : biSubtract(r, bigOne),
    t = biShiftRight(t, e),
    i = biSubtract(t, i)),
    i.digits[0] == 0 && biHighIndex(i) == 0 && (i.isNeg = !1),
    [r, i]
}
/**
 * Returns the quotient of n divided by t; the remainder computed by
 * biDivideModulo is discarded.
 *
 * @param {BigInt} n - dividend.
 * @param {BigInt} t - divisor.
 * @returns {BigInt} the quotient.
 */
function biDivide(n, t) {
    var quotientAndRemainder = biDivideModulo(n, t);
    return quotientAndRemainder[0];
}
/**
 * Constructor holding the values precomputed for reduction modulo n.
 *
 * Stores a copy of the modulus, its digit count k, mu (radix^(2k) divided
 * by the modulus), bkplus1 (radix^(k+1)), and attaches the modulo,
 * multiplyMod and powMod functions as instance properties.
 *
 * @param {BigInt} n - the modulus.
 */
function BarrettMu(n) {
    var digitCount;
    var radixPower;
    this.modulus = biCopy(n);
    digitCount = biHighIndex(this.modulus) + 1;
    this.k = digitCount;
    // radix^(2k): a single 1 in digit position 2k.
    radixPower = new BigInt();
    radixPower.digits[2 * digitCount] = 1;
    this.mu = biDivide(radixPower, this.modulus);
    this.bkplus1 = new BigInt();
    this.bkplus1.digits[digitCount + 1] = 1;
    this.modulo = BarrettMu_modulo;
    this.multiplyMod = BarrettMu_multiplyMod;
    this.powMod = BarrettMu_powMod;
}
/**
 * Reduces n modulo this.modulus using the precomputed mu.
 *
 * An estimate of the quotient is formed from the high digits of n and mu,
 * the corresponding multiple of the modulus is subtracted on the low k+1
 * digits, and the result is corrected by adding radix^(k+1) if negative
 * and subtracting the modulus while it is still too large.
 *
 * NOTE(review): biAdd is not defined anywhere in this listing; the
 * negative-result correction would throw a ReferenceError unless it is
 * supplied elsewhere.
 *
 * @param {BigInt} n - value to reduce.
 * @returns {BigInt} n mod this.modulus.
 */
function BarrettMu_modulo(n) {
    var highPart = biDivideByRadixPower(n, this.k - 1);
    var scaled = biMultiply(highPart, this.mu);
    var quotientEstimate = biDivideByRadixPower(scaled, this.k + 1);
    var lowOfInput = biModuloByRadixPower(n, this.k + 1);
    var multiple = biMultiply(quotientEstimate, this.modulus);
    var lowOfMultiple = biModuloByRadixPower(multiple, this.k + 1);
    var remainder = biSubtract(lowOfInput, lowOfMultiple);
    if (remainder.isNeg) {
        remainder = biAdd(remainder, this.bkplus1);
    }
    while (biCompare(remainder, this.modulus) >= 0) {
        remainder = biSubtract(remainder, this.modulus);
    }
    return remainder;
}
/**
 * Returns (n * t) reduced with this.modulo.
 *
 * @param {BigInt} n - first factor.
 * @param {BigInt} t - second factor.
 * @returns {BigInt} the reduced product.
 */
function BarrettMu_multiplyMod(n, t) {
    return this.modulo(biMultiply(n, t));
}
/**
 * Returns n raised to the power t, reduced with this.multiplyMod, by
 * right-to-left square-and-multiply.
 *
 * The multiply step runs only for set exponent bits, so the work done
 * depends on the exponent's value. In this listing the only caller passes
 * the public exponent (n.e in encryptedString).
 *
 * @param {BigInt} n - base.
 * @param {BigInt} t - exponent.
 * @returns {BigInt} the modular power.
 */
function BarrettMu_powMod(n, t) {
    var acc = new BigInt();
    var base = n;
    var exp = t;
    acc.digits[0] = 1;
    while (true) {
        if ((exp.digits[0] & 1) != 0) {
            acc = this.multiplyMod(acc, base);
        }
        exp = biShiftRight(exp, 1);
        // Stop once every remaining exponent bit is zero.
        if (exp.digits[0] == 0 && biHighIndex(exp) == 0) {
            break;
        }
        base = this.multiplyMod(base, base);
    }
    return acc;
}
/**
 * Constructor bundling the values encryptedString needs.
 *
 * digitSize is the byte length derived from the modulus (two bytes per
 * digit); chunkSize is the number of input characters placed in each
 * block, 11 less than digitSize to leave room for padding.
 *
 * @param {string} n - exponent e as hex.
 * @param {string} t - exponent d as hex; get_password in this listing
 *     passes "" here, which parses to zero.
 * @param {string} i - modulus m as hex.
 */
function RSAKeyPair(n, t, i) {
    var modulus;
    this.e = biFromHex(n);
    this.d = biFromHex(t);
    modulus = biFromHex(i);
    this.m = modulus;
    this.digitSize = 2 * biHighIndex(modulus) + 2;
    this.chunkSize = this.digitSize - 11;
    this.radix = 16;
    this.barrett = new BarrettMu(modulus);
}
/**
 * Encrypts the string t with the key object n and returns the result as
 * text: one block per chunk of n.chunkSize characters, blocks joined by a
 * single space.
 *
 * Each block is built, lowest byte first, as: the chunk's character codes
 * in reverse order, a 0 byte, random filler bytes in the range 1..254, a 2
 * byte and a 0 byte. The layout resembles PKCS#1 v1.5 encryption padding
 * (presumably what the original library implements -- confirm upstream).
 *
 * NOTE(review): the filler comes from Math.random(), which is not a
 * cryptographically secure generator; padding bytes for RSA encryption
 * should come from a CSPRNG.
 * NOTE(review): charCodeAt returns UTF-16 code units, so characters above
 * 255 do not fit the one-byte slots used below -- confirm inputs are
 * single-byte characters.
 * NOTE(review): biToString, used for any radix other than 16, is not
 * defined anywhere in this listing.
 *
 * @param {RSAKeyPair} n - key; reads chunkSize, digitSize, radix, e and
 *     barrett.
 * @param {string} t - text to encrypt.
 * @returns {string} space-separated blocks, "" for empty input, or the
 *     literal string "Error" if the chunk-size guard fails.
 */
function encryptedString(n, t) {
    var e, o, s, h, c, i, f, u, v, l, y;
    // Guard on the chunk size; signalled by return value, not by throwing.
    if (n.chunkSize > n.digitSize - 11)
        return "Error";
    // a: the character codes of t.
    for (var a = [], p = t.length, r = 0; r < p;)
        a[r] = t.charCodeAt(r),
        r++;
    // One pass per chunk; o accumulates the output text.
    for (e = a.length,
    o = "",
    r = 0; r < e; r += n.chunkSize) {
        // f: number of characters in this chunk (shorter for the last one).
        // u: the block's bytes; the chunk goes in first, reversed.
        for (c = new BigInt,
        s = 0,
        f = r + n.chunkSize > e ? e % n.chunkSize : n.chunkSize,
        u = [],
        i = 0; i < f; i++)
            u[i] = a[r + f - 1 - i];
        // Separator 0, then at least 8 non-zero filler bytes (1..254).
        for (u[f] = 0,
        v = Math.max(8, n.digitSize - 3 - f),
        i = 0; i < v; i++)
            u[f + 1 + i] = Math.floor(Math.random() * 254) + 1;
        // Top two bytes are 2 and 0; then pack two bytes into each digit,
        // low byte first.
        for (u[n.digitSize - 2] = 2,
        u[n.digitSize - 1] = 0,
        h = 0; h < n.digitSize; ++s)
            c.digits[s] = u[h++],
            c.digits[s] += u[h++] << 8;
        // Modular exponentiation with the key's exponent e.
        l = n.barrett.powMod(c, n.e);
        y = n.radix == 16 ? biToHex(l) : biToString(l, n.radix);
        o += y + " "
    }
    // Drop the trailing space.
    return o.substring(0, o.length - 1)
}
// Library-wide constants and lookup tables. Digits are 16 bits wide
// (biRadixBits), so biRadix is 65536 and maxDigitVal is 65535. The remaining
// names are declared here and filled in by the statements below.
var biRadixBase = 2, biRadixBits = 16, bitsPerDigit = biRadixBits, biRadix = 65536, biHalfRadix = biRadix >>> 1,
biRadixSquared = biRadix * biRadix, maxDigitVal = biRadix - 1, maxInteger = 9999999999999998, maxDigits, ZERO_ARRAY,
bigZero, bigOne, dpl10, lr10, hexatrigesimalToChar, hexToChar, highBitMasks, lowBitMasks;
// A digit capacity must be set before any BigInt is created; biFromNumber
// below allocates one.
setMaxDigits(20);
dpl10 = 15;
lr10 = biFromNumber(1e15);
// Digit characters for bases up to 36 and for base 16.
hexatrigesimalToChar = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"];
hexToChar = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f"];
// highBitMasks[k] selects the top k bits of a 16-bit digit, lowBitMasks[k]
// the bottom k bits; used by biShiftLeft and biShiftRight.
highBitMasks = [0, 32768, 49152, 57344, 61440, 63488, 64512, 65024, 65280, 65408, 65472, 65504, 65520, 65528, 65532, 65534, 65535];
lowBitMasks = [0, 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, 16383, 32767, 65535];
// Raise the capacity to 129 digits for everything created from here on
// (including the key material built in get_password).
setMaxDigits(129);
/**
 * Entry point called from outside the script: builds the key object from
 * the hard-coded exponent and modulus and returns encryptedString's output
 * for the given text.
 *
 * The second RSAKeyPair argument (d) is an empty string; only e and the
 * modulus are used by encryptedString. Because the padding is random, two
 * calls with the same input are not expected to return the same string.
 *
 * @param {string} pwd - plaintext to encrypt.
 * @returns {string} hex output of encryptedString.
 */
function get_password(pwd) {
    var EXPONENT_HEX = "010001";
    var MODULUS_HEX = "978C0A92D2173439707498F0944AA476B1B62595877DD6FA87F6E2AC6DCB3D0BF0B82857439C99B5091192BC134889DFF60C562EC54EFBA4FF2F9D55ADBCCEA4A2FBA80CB398ED501280A007C83AF30C3D1A142D6133C63012B90AB26AC60C898FB66EDC3192C3EC4FF66925A64003B72496099F4F09A9FB72A2CF9E4D770C41";
    return encryptedString(new RSAKeyPair(EXPONENT_HEX, "", MODULUS_HEX), pwd);
}
// res = get_password('123456')
// console.log(res)
4. python代码如下:
# _*_ coding: utf-8 _*_
# @Time: 3:11 下午
# @File: demo.py
# @Author: liyf
import requests
import execjs
from loguru import logger
def get_js_pwd(password):
    """Run ``get_password`` from ``demo.js`` on ``password`` and return its result.

    The script is read from the current working directory and compiled with
    execjs on every call.

    :param password: plaintext passed to the JavaScript function.
    :return: whatever ``get_password`` returns in the JavaScript context.
    """
    with open('demo.js', 'r') as js_file:
        source = js_file.read()
    compiled = execjs.compile(source)
    return compiled.call('get_password', password)
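def get_json_data(user, pwd):
    """POST the login form and return the decoded JSON response.

    The ``pwd`` form field is the output of ``get_js_pwd(pwd)``, not the
    plaintext. The URL and the ``Referer`` value are kept exactly as the
    article gives them (an encoded string, not a usable URL).

    :param user: account identifier, sent as ``uid``.
    :param pwd: plaintext password, encrypted before sending.
    :return: the response body parsed as JSON.
    :raises requests.exceptions.RequestException: on connection errors or
        when the server does not answer within the timeout.
    """
    headers = {
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'keep-alive',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Referer': 'aHR0cHM6Ly9wYXNzcG9ydC5mYW5nLmNvbS8=',  # this header is required; the request errors without it
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36',
    }
    data = {
        'uid': user,
        'pwd': get_js_pwd(pwd),
        'Service': 'soufun-passport-web',
        'AutoLogin': '1',
    }
    # requests has no default timeout; without one a stalled connection
    # blocks this call indefinitely.
    response = requests.post(
        'aHR0cHM6Ly9wYXNzcG9ydC5mYW5nLmNvbS8=',
        headers=headers,
        data=data,
        timeout=10,
    )
    return response.json()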
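def main():
    """Submit one login with the placeholder credentials and log the outcome.

    Reads ``Message`` and ``Tip`` from the response; on ``Success`` it also
    reads ``UserID``, ``UserName`` and ``Ip``.
    """
    user = 'username'
    pwd = 'password'
    results = get_json_data(user, pwd)
    # NOTE(review): this prints the whole response, which on success carries
    # the account fields logged below -- consider removing it outside of
    # debugging.
    print(results)
    msg = results['Message']
    tip = results['Tip']
    if msg == 'Success':
        # A stray literal "n" after the UserName field has been removed from
        # this message.
        logger.info(f'\n账号信息\nUserID: {results["UserID"]}\nUserName: {results["UserName"]}\nCurrentIP: {results["Ip"]}')
    else:
        logger.info(f'Account Login Status: {msg}\t{tip}')


if __name__ == '__main__':
    main()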