新浪微博的安全级别还是比较高,前端的信息采用RSA非对称加密方式,加密的内容处理过,不仅仅是用户输入的密码,加密公钥是实时请求而来。
首选抓个包瞧瞧:
entry:weibo
gateway:1
from:
savestate:7
qrcode_flag:false
useticket:1
pagerefer:https://login.sina.com.cn/crossdomain2.php?action=logout&r=https%3A%2F%2Fpassport.weibo.com%2Fwbsso%2Flogout%3Fr%3Dhttps%253A%252F%252Fweibo.com%26returntype%3D1
vsnf:1
su:MjU1MTUxMzI3NyU0MHFxLmNvbQ==
service:miniblog
servertime:1546480046
nonce:I9GQBH
pwencode:rsa2
rsakv:1330428213
sp:9c5a21128f93777c34635102b38b64247b32ad7084baa2acf48ff75bd633e6ffb4ea009083136251fe9846f113a528f4bf4fa002c2539bcd30fcc11a9ffb69bf7432f18e0bf6382bcc245da01db533ba700d19937c467abbfcf6b2281b21c8b0cf663b374d10974eef1d41b49331859c777ca213961c0b82d4252a6ca4abff41
sr:1920*1080
encoding:UTF-8
prelt:132
url:https://weibo.com/ajaxlogin.php?framelogin=1&callback=parent.sinaSSOController.feedBackUrlCallBack
returntype:META
看样子sp就是password的简称了,也就是我们主要分析的东西。
然后在看看其他请求又发现了一个重要的get请求
Request URL:https://login.sina.com.cn/sso/prelogin.php?entry=weibo&callback=sinaSSOController.preloginCallBack&su=MjU1MTUxMzI3NyU0MHFxLmNvbQ%3D%3D&rsakt=mod&checkpin=1&client=ssologin.js(v1.4.19)&_=1546480024174
Request Method:GET
Status Code:200 OK
Remote Address:58.63.236.212:443
Referrer Policy:no-referrer-when-downgrade
这个请求返回的信息如下:
exectime:10
nonce:"I9GQBH"
pcid:"gz-1e98a6711bbfc6a65bdc7e267bfe417d9637"
pubkey:"EB2A38568661887FA180BDDB5CABD5F21C7BFD59C090CB2D245A87AC253062882729293E5506350508E7F9AA3BB77F4333231490F915F6D63C55FE2F08A49B353F444AD3993CACC02DB784ABBB8E42A9B1BBFFFB38BE18D78E87A0E41B9B8F73A928EE0CCEE1F6739884B9777E4FE9E88A1BBE495927AC4A799B3181D6442443"
retcode:0
rsakv:"1330428213"
servertime:1546480024
post请求中有几个参数就是这里面的,可以直接拿来用,但是这个get请求又传回了几个莫名参数如下:
entry:weibo
callback:sinaSSOContr
最低0.47元/天 解锁文章
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
