The API notes and all of the programs are in my Gitee (码云) repository.
Update, 10 March 2019
The other side has changed the server host, and the code has presumably been updated too, so this project is out of date. The process of analysing HTTP traffic never goes out of date, though. I hope it is still useful to people.
Disclaimer
This article is solely an API analysis and test of 高校体育 (an Android app) produced by 上海微摇网络科技有限公司.
Acknowledgements
Thanks to CSDN user @留白大人's blog, to GitHub user @RyuBAI's open-source sharing, and to a classmate who prefers to remain anonymous for their guidance.
Abstract
An analysis of a handful of API endpoints.
Getting started
The analysis and testing are not difficult; only basic application-layer networking knowledge and tooling are needed. Some "one-click run" programs will follow later.
Environment
On my X270, Windows 10 1809
Fiddler v5.0.20182.28034 for .NET 4.6.1
Android emulator: Pixel, Android 9
高校体育 Android 2.2.5 (10 October build)
Environment setup
- Install Fiddler (not covered here)
- Install the emulator (the official Android AVD; open cmd, and in your emulator directory run emulator.exe -avd [your AVD name])
- Install the app on the emulator (drag the APK into the emulator window)
Environment configuration
The emulator's networking held me up for a long time.
Fiddler configuration
You may also need to do the following: modify the FiddlerScript.
Emulator network configuration
You will have to work out this IP address yourself.
Once configured, browsing should look like the figure:
This shows that our emulator's traffic is being captured by Fiddler.
App configuration
Very simple: you need an account...
Configuration complete
You should now see the emulator's network requests being captured in Fiddler.
Analysis
In the analysis phase we only look at each endpoint's headers, request and response.
The sign in every request is an opaque string. Following the guidance of the blog mentioned above (so I won't reproduce the screenshots; go to their blog to see how they worked it out), it turns out to be an MD5 of data with a salt, but the salt is a fixed string. This is a fatal problem for the vendor, because it lets an attacker do a great deal through the API.
Common headers
Accept-Language: en-US,en;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
versionCode: 308
versionName: 2.2.5
platform: android
xxversionxx: 20180601
uuid: B4D724F9EB50E6ED3DF5B571CCD7D4A8
utoken:
BDA9F42E0C8A294ECDF5CC72AAE6A701: 0,0,0,0,1
Host: gxhttp.chinacloudapp.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: PHPSESSID=577e4jgq3jjlo3urafc3kl5mm0
Analysis:
versionName, versionCode, platform and xxversionxx may be used as filters, i.e. different versions and platforms map to different business logic. uuid is the unique identifier of the device. utoken is a token: the headers captured here are from the login request, and after a successful login the server issues the user a utoken; what exactly it is for we don't yet know (I have always assumed it verifies the user's identity and login state, but a friend doubted this and tested it themselves; more on that later). BDA9F42E0C8A294ECDF5CC72AAE6A701 is a puzzling field: in some tests it is 0,0,0,0,1 and in earlier tests it was 0,0,0,0,0; its meaning is unknown. Host is the server's hostname. Cookie is as critical as utoken; once we can obtain these changing parameters, API calls can be automated.
Endpoint 1: login request
Request
GET http://gxhttp.chinacloudapp.cn/api/reg/login?sign=ce688e7d0b2d0ea89a4a902cc79f1fda&data=%7B%22info%22%3A%22B4D724F9EB50E6ED3DF5B571CCD7D4A8%22%2C%22mobile%22%3A%2213917008840%22%2C%22password%22%3A%22123456%22%2C%22type%22%3A%22AndroidSDKbuiltforx86%22%7D HTTP/1.1
Accept-Language: en-US,en;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
versionCode: 308
versionName: 2.2.5
platform: android
xxversionxx: 20180601
uuid: B4D724F9EB50E6ED3DF5B571CCD7D4A8
utoken:
BDA9F42E0C8A294ECDF5CC72AAE6A701: 0,0,0,0,1
Host: gxhttp.chinacloudapp.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: PHPSESSID=577e4jgq3jjlo3urafc3kl5mm0
Decoding and formatting the data parameter gives:
{
"info": "B4D724F9EB50E6ED3DF5B571CCD7D4A8",
# phone number not shown
"mobile": "1391700****",
"password": "123456",
"type": "AndroidSDKbuiltforx86"
}
Conclusion:
We don't know what info is; it has been encrypted or encoded somehow. Our phone number and password are transmitted in plaintext, which is very insecure. type is the device type.
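A small decoder for the captured request format, added here as an example (it is not the author's code and not part of the app): it pulls `sign` and `data` out of a GET query string or a POST form body, decodes `data` as JSON, and flags the two audit findings above, cleartext HTTP and credentials in the URL. The sample request is constructed; its sign is a placeholder and the phone number is made up.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Fields that must never be sent in a URL query string (they end up in proxy and server logs).
SENSITIVE_FIELDS = {"password", "mobile"}

def parse_signed_request(request_line, body=""):
    """Decode one request in the app's `sign` + `data` format.

    request_line is the captured first line ("GET http://host/path?sign=...&data=... HTTP/1.1");
    body is the urlencoded form body when the method is POST.
    """
    method, url, _version = request_line.split(" ", 2)
    parts = urlsplit(url)
    params = parse_qs(parts.query if method == "GET" else body)
    data = json.loads(params["data"][0])
    findings = []
    if parts.scheme == "http":
        findings.append("cleartext HTTP: the sign parameter adds no confidentiality")
    if method == "GET":
        for field in sorted(SENSITIVE_FIELDS & set(data)):
            findings.append(f"{field} travels in the URL query string")
    return {"method": method, "path": parts.path, "sign": params["sign"][0],
            "data": data, "findings": findings}

# Constructed sample shaped like the login request above; the sign is a placeholder and
# the phone number is made up.
SAMPLE_LOGIN = (
    "GET http://gxhttp.chinacloudapp.cn/api/reg/login"
    "?sign=00000000000000000000000000000000"
    "&data=%7B%22info%22%3A%22B4D724F9EB50E6ED3DF5B571CCD7D4A8%22"
    "%2C%22mobile%22%3A%2213900000000%22%2C%22password%22%3A%22123456%22"
    "%2C%22type%22%3A%22AndroidSDKbuiltforx86%22%7D HTTP/1.1"
)

if __name__ == "__main__":
    print(json.dumps(parse_signed_request(SAMPLE_LOGIN), indent=2, ensure_ascii=False))
```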
Response
HTTP/1.1 200 OK
Date: Thu, 11 Oct 2018 14:57:00 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Seq: 5bbf64bcbfb9b
Connection: close
Content-Length: 353
Content-Type: text/html; charset=UTF-8
{
"code":"200","msg":"登录成功","data":{
"userid":"155796","school":"上海海洋大学","schoolId":"82","signature":"","username":"小哥哥教我写代码好吗","photo":"http:\/\/gxhttp.chinacloudapp.cn\/static\/images\/auto.jpg","goal":"60.00","surplus":"60.00","last_time":"","teacher":"","course":"","utoken":"4f91e29802ba4fa2ede29d0f90619282"}}
Decoding and formatting the response body gives:
{
"code": "200",
"msg": "登录成功",
"data": {
"userid": "155796",
"school": "上海海洋大学",
"schoolId": "82",
"signature": "",
"username": "小哥哥教我写代码好吗",
"photo": "http:\/\/gxhttp.chinacloudapp.cn\/static\/images\/auto.jpg",
"goal": "60.00",
"surplus": "60.00",
"last_time": "",
"teacher": "",
"course": "",
"utoken": "4f91e29802ba4fa2ede29d0f90619282"
}
}
Analysis:
utoken is issued by the server at this point; userid is the unique user identifier.
Endpoint 2: run page request (code=404)
Request
GET http://gxhttp.chinacloudapp.cn/api/run/runPage?sign=3c199389438ec886406e291e5f36037c&data=%7B%22initLocation%22%3A%22121.92209571503255%2C30.869519006815654%22%2C%22type%22%3A%221%22%2C%22userid%22%3A%22155796%22%7D HTTP/1.1
Accept-Language: en-US,en;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
versionCode: 308
versionName: 2.2.5
platform: android
xxversionxx: 20180601
uuid: B4D724F9EB50E6ED3DF5B571CCD7D4A8
utoken: 4f91e29802ba4fa2ede29d0f90619282
BDA9F42E0C8A294ECDF5CC72AAE6A701: 0,0,0,0,1
Host: gxhttp.chinacloudapp.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: PHPSESSID=577e4jgq3jjlo3urafc3kl5mm0
Decoding and formatting the data parameter gives:
{
"initLocation": "121.92209571503255,30.869519006815654",
"type": "1",
"userid": "155796"
}
Analysis:
It sends my current location to the server.
Response
HTTP/1.1 200 OK
Date: Thu, 11 Oct 2018 15:13:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Seq: 5bbf6891621dc
Content-Length: 84
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json
{
"msg":"非学校规定运动时间段,您可以选择“自由跑”","code":404}
Decoded and formatted:
{
"msg": "非学校规定运动时间段,您可以选择“自由跑”",
"code": 404
}
Analysis:
I give up: it is now 23:16:46 on 11 October 2018, past 10 pm, and it won't let me do my exercise run! (So I'll stop here for now... and continue tomorrow...)
12 October 2018, 13:02:13: I'm back --------------------------------
Endpoint 3: run page request (code=200)
Request
GET http://gxhttp.chinacloudapp.cn/api/run/runPage?sign=1fbb365d8f34abcb08b7fbc567c2bfc3&data=%7B%22initLocation%22%3A%22-122.084082%2C37.422075%22%2C%22type%22%3A%221%22%2C%22userid%22%3A%22155796%22%7D HTTP/1.1
Accept-Language: en-US,en;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
versionCode: 308
versionName: 2.2.5
platform: android
xxversionxx: 20180601
uuid: B4D724F9EB50E6ED3DF5B571CCD7D4A8
utoken: 4f91e29802ba4fa2ede29d0f90619282
BDA9F42E0C8A294ECDF5CC72AAE6A701: 0,0,0,0,1
Host: gxhttp.chinacloudapp.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: PHPSESSID=577e4jgq3jjlo3urafc3kl5mm0
Decoded and formatted parameters:
{
"initLocation": "-122.084082,37.422075",
"type": "1",
"userid": "155796"
}
Analysis:
Response
HTTP/1.1 200 OK
Date: Fri, 12 Oct 2018 05:16:16 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Seq: 5bc02e202cff6
Content-Length: 866
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{
"code":"200","msg":"获取成功","data":{
"beaconcount":1,"beaconsinfo":[],"gpscount":2,"distance":20,"peisu":600,"gpsinfo":[{
"latitude":"30.8858690000","longitude":"121.9000200000"},{
"latitude":"30.8829940000","longitude":"121.9014370000"},{
"latitude":"30.8827890000","longitude":"121.9032190000"},{
"latitude":"30.8806310000","longitude":"121.8929770000"}],"length":"1.50","dayTarget":"1.50","ibeacon":[{
"name":"shhy100006","type":1,"number":"shhy100006","position":{
"latitude":"30.8818340000","longitude":"121.8991570000"},"id":"736","uuid":"FDA50693-A4E2-4FB1-AFCF-C6EB07647825","major":"shhy1","minor":"00006"},{
"name":"shhy100015","type":1,"number":"shhy100015","position":{
"latitude":"30.8868180000","longitude":"121.8979010000"},"id":"745","uuid":"FDA50693-A4E2-4FB1-AFCF-C6EB07647825","major":"shhy1","minor":"00015"}],"runPageId":6971323,"maxSeconds":"0"}}
Decoded and formatted:
{
"code": "200",
"msg": "获取成功",
"data": {
"beaconcount": 1,
"beaconsinfo": [],
"gpscount": 2,
"distance": 20,
"peisu": 600,
"gpsinfo": [{
"latitude": "30.8858690000",
"longitude": "121.9000200000"
}, {
"latitude": "30.8829940000",
"longitude": "121.9014370000"
}, {
"latitude": "30.8827890000",
"longitude": "121.9032190000"
}, {
"latitude": "30.8806310000",
"longitude": "121.8929770000"
}],
"length": "1.50",
"dayTarget": "1.50",
"ibeacon": [{
"name": "shhy100006",
"type": 1,
"number": "shhy100006",
"position": {
"latitude": "30.8818340000",
"longitude": "121.8991570000"
},
"id": "736",
"uuid": "FDA50693-A4E2-4FB1-AFCF-C6EB07647825",
"major": "shhy1",
"minor": "00006"
}, {
"name": "shhy100015",
"type": 1,
"number": "shhy100015",
"position": {
"latitude": "30.8868180000",
"longitude": "121.8979010000"
},
"id": "745",
"uuid": "FDA50693-A4E2-4FB1-AFCF-C6EB07647825",
"major": "shhy1",
"minor": "00015"
}],
"runPageId": 6971323,
"maxSeconds": "0"
}
}
Analysis:
gpsinfo is an array of four latitude/longitude coordinates; on comparison they turn out to be the four optional checkpoints (选到点). They are sent so the app can render the checkpoints on the map and place them in the right positions when the run data is finally uploaded. ibeacon is also an array, holding two objects with coordinates; on comparison these are the two mandatory checkpoints (必到点). A mandatory checkpoint object contains: name (a string with the school as prefix and a number as suffix), type (perhaps it is 2 rather than 1 for a free run), number (meaning unclear), id (unique identifier), uuid (meaning unclear; every mandatory checkpoint I received had the same uuid), and major and minor (both of unclear meaning). The most important field is runPageId: it is the server's unique identifier for one exercise session. We cannot generate it ourselves, uploading the data depends on it, and once a runPageId has been used for an upload it is invalidated.
Endpoint 4: upload run data request
Request
POST http://gxhttp.chinacloudapp.cn/api/run/saveRunV2 HTTP/1.1
Accept-Language: en-US,en;q=0.8
User-Agent: okhttp-okgo/jeasonlzy
versionCode: 308
versionName: 2.2.5
platform: android
xxversionxx: 20180601
uuid: B4D724F9EB50E6ED3DF5B571CCD7D4A8
utoken: 4f91e29802ba4fa2ede29d0f90619282
BDA9F42E0C8A294ECDF5CC72AAE6A701: 0,0,0,0,1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14486
Host: gxhttp.chinacloudapp.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: PHPSESSID=577e4jgq3jjlo3urafc3kl5mm0
sign=dfc82a560078aaf7e83e3b4097af696b&data=%7B%22bNode%22%3A%5B%5D%2C%22buPin%22%3A%220.0%22%2C%22duration%22%3A%22651%22%2C%22endTime%22%3A%222018-10-12%2005%3A27%3A21%22%2C%22frombp%22%3A%220%22%2C%22goal%22%3A%221.50%22%2C%22real%22%3A%222080.5564%22%2C%22runPageId%22%3A%226971323%22%2C%22speed%22%3A%2205%5Cu002712%5Cu0027%5Cu0027%22%2C%22startTime%22%3A%222018-10-12%2005%3A16%3A15%22%2C%22tNode%22%3A%5B%5D%2C%22totalNum%22%3A%220%22%2C%22track%22%3A%5B%7B%22latitude%22%3A30.869519006815654%2C%22longitude%22%3A121.92209571503255%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865014722558694%2C%22longitude%22%3A121.92209538907402%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865214838728928%2C%22longitude%22%3A121.92209540355543%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86531489681845%2C%22longitude%22%3A121.92209541079615%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865515013006245%2C%22longitude%22%3A121.9220954252776%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865615071104532%2C%22longitude%22%3A121.92209543251835%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865816854944928%2C%22longitude%22%3A121.92209544712051%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86591691305199%2C%22longitude%22%3A121.92209545436127%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.866117029274836%2C%22longitude%22%3A121.9220954688428%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86621708739061%2C%22longitude%22%3A121.92209547608357%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.866417203630842%2C%22longitude%22%3A121.92209549056514%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.866517261755288%2C%22longitude%22%3A121.92209549780593%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.866715710377314%2C%22longitude%22%3A121.92209551216685%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.866815768510357%2C%22longitude%22%3A121.92209551940766%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86701588478508%2C%22longitude%22%3A121.9220955338893%2C%22speed%22%3A0.0%7D%2C%7
B%22latitude%22%3A30.867115942926745%2C%22longitude%22%3A121.92209554113013%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.867317726854484%2C%22longitude%22%3A121.92209555573248%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.867417785004786%2C%22longitude%22%3A121.92209556297333%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86761790131395%2C%22longitude%22%3A121.92209557745504%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86771795947281%2C%22longitude%22%3A121.92209558469591%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.867918075799054%2C%22longitude%22%3A121.92209559917767%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.868018133966448%2C%22longitude%22%3A121.92209560641855%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86821658267348%2C%22longitude%22%3A121.92209562077966%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86831664084931%2C%22longitude%22%3A121.92209562802056%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.868516757209463%2C%22longitude%22%3A121.92209564250238%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86861681539376%2C%22longitude%22%3A121.9220956497433%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.868818599407334%2C%22longitude%22%3A121.92209566434585%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.868918657600123%2C%22longitude%22%3A121.92209567158679%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.869118773994114%2C%22longitude%22%3A121.92209568606869%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.869218832195305%2C%22longitude%22%3A121.92209569330964%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.869418948606086%2C%22longitude%22%3A121.92209570779157%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.869519006815654%2C%22longitude%22%3A121.92209571503255%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865014722558694%2C%22longitude%22%3A121.92209538907402%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865114780642347%2C%22longitude%22%3A121.92209539631472%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86531489681845%2C%22longitud
e%22%3A121.92209541079615%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865414954910886%2C%22longitude%22%3A121.92209541803688%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865515013006245%2C%22longitude%22%3A121.9220954252776%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.865615071104532%2C%22longitude%22%3A121.92209543251835%2C%22speed%22%3A0.0%7D%2C%7B%22latitude%22%3A30.86571512920572%2C%22longitude%22%3A121.92209543975909%2C%22speed
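The runPage analysis and the saveRunV2 upload above together describe what the server hands out (checkpoints, a single-use runPageId) and what the client hands back (track, duration, real). As an added example, not the vendor's code and not something the page says the server actually does, here is the server-side plausibility check a defender would want on that upload: reject a reused runPageId, compare the distance implied by the track with the claimed `real`, sanity-check the pace, and require every server-issued checkpoint to be visited. The 50 m checkpoint radius, 10% distance tolerance and 8 m/s pace ceiling are assumptions; the checkpoints are copied from the runPage response and the track is constructed to mimic the captured upload.

```python
import math

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(float(lat1)), math.radians(float(lat2))
    dphi, dlam = p2 - p1, math.radians(float(lon2) - float(lon1))
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def check_run(upload, checkpoints, used_ids, radius_m=50.0, max_mps=8.0):
    """Return the reasons to reject a saveRunV2-style upload; an empty list means accept.
    upload uses the field names seen in the capture (runPageId, real, duration, track);
    checkpoints is the runPage gpsinfo list; used_ids holds runPageIds already consumed."""
    problems = []
    if upload["runPageId"] in used_ids:
        problems.append("runPageId already used (replayed upload)")
    track = upload["track"]
    # Distance actually implied by the track versus the metres the client claims in `real`.
    walked = sum(haversine_m(a["latitude"], a["longitude"], b["latitude"], b["longitude"])
                 for a, b in zip(track, track[1:]))
    claimed = float(upload["real"])
    if abs(walked - claimed) > 0.1 * max(claimed, 1.0):
        problems.append(f"claimed {claimed:.0f} m but track covers {walked:.0f} m")
    duration = float(upload["duration"])
    if duration > 0 and walked / duration > max_mps:
        problems.append("average speed is not a plausible running pace")
    if all(float(p.get("speed", 0.0)) == 0.0 for p in track):
        problems.append("every track point reports speed 0.0")
    # Each server-issued checkpoint must have at least one track point within radius_m.
    for cp in checkpoints:
        if not any(haversine_m(cp["latitude"], cp["longitude"], p["latitude"], p["longitude"]) <= radius_m
                   for p in track):
            problems.append(f"checkpoint {cp['latitude']},{cp['longitude']} never reached")
    return problems

# Checkpoints copied from the runPage response above; the track is constructed to mimic
# the captured upload (constant longitude, evenly spaced latitudes, speed always 0.0).
CHECKPOINTS = [{"latitude": "30.8858690000", "longitude": "121.9000200000"},
               {"latitude": "30.8829940000", "longitude": "121.9014370000"},
               {"latitude": "30.8827890000", "longitude": "121.9032190000"},
               {"latitude": "30.8806310000", "longitude": "121.8929770000"}]
SAMPLE_UPLOAD = {
    "runPageId": "6971323", "duration": "651", "real": "2080.5564",
    "track": [{"latitude": 30.8650 + 0.0005 * i, "longitude": 121.92209571503255, "speed": 0.0}
              for i in range(10)],
}
```

Running `check_run(SAMPLE_UPLOAD, CHECKPOINTS, set())` rejects the constructed upload on the distance mismatch, the all-zero speeds and all four unvisited checkpoints, while a track that actually passes through the checkpoints at a running pace is accepted.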