分析爱奇艺登录 POST 参数中的密码字段(passwd)
email:12345678911
passwd:028d4c1305a6a9baaed3947bade99d4205337fdcabef59b6f7b073f11a220339768b359fd8c8999b934fbf008ee75b9435f23741d3e9251cab8358de6cfde4ac
agenttype:1
__NEW:1
checkExist:1
piccode:
lang:
ptid:01010021010000000000
verifyPhone:1
area_code:86
dfp:a02851d93263354fe2b7f9a1527421045236d10ea384ea0fd798f87000c2f3afac
envinfo:eyJqbiI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS82My4wLjMyMzkuMjYgU2FmYXJpLzUzNy4zNiBDb3JlLzEuNjMuNjc4OC40MDAgUVFCcm93c2VyLzEwLjMuMjg2NC40MDAiLCJjbSI6InpoLUNOIiwiZ3UiOjI0LCJ1ZiI6MSwianIiOlsxMzY2LDc2OF0sImRpIjpbMTM2Niw3MjhdLCJ6cCI6LTQ4MCwidWgiOjEsInNoIjoxLCJoZSI6MSwiem8iOjEsInJ2IjoidW5rbm93biIsIm54IjoiV2luMzIiLCJpdyI6InVua25vd24iLCJxbSI6WyJDaHJvbWl1bSBQREYgUGx1Z2luOjpQb3J0YWJsZSBEb2N1bWVudCBGb3JtYXQ6OmFwcGxpY2F0aW9uL3gtZ29vZ2xlLWNocm9tZS1wZGZ+cGRmIiwiQ2hyb21pdW0gUERGIFZpZXdlcjo6OjphcHBsaWNhdGlvbi9wZGZ+cGRmIiwiTmF0aXZlIENsaWVudDo6OjphcHBsaWNhdGlvbi94LW5hY2x+LGFwcGxpY2F0aW9uL3gtcG5hY2x+IiwiU2hvY2t3YXZlIEZsYXNoOjpTaG9ja3dhdmUgRmxhc2ggMjcuOSByOTo6YXBwbGljYXRpb24veC1zaG9ja3dhdmUtZmxhc2h+c3dmLGFwcGxpY2F0aW9uL2Z1dHVyZXNwbGFzaH5zcGwiLCJXaWRldmluZSBDb250ZW50IERlY3J5cHRpb24gTW9kdWxlOjpFbmFibGVzIFdpZGV2aW5lIGxpY2Vuc2VzIGZvciBwbGF5YmFjayBvZiBIVE1MIGF1ZGlvL3ZpZGVvIGNvbnRlbnQuICh2ZXJzaW9uOiAxLjQuOC4xMDI5KTo6YXBwbGljYXRpb24veC1wcGFwaS13aWRldmluZS1jZG1+Il0sIndyIjoiYzNjOWM3MTdjNzkwODJhZGJlM2YxNDQwNjU3NjVkZWEiLCJ3ZyI6ImI1ZDZkMzY1MmQwZTNkYmI3MDc4YTMzY2JiOWYzZDY0IiwiZmsiOmZhbHNlLCJyZyI6ZmFsc2UsInh5IjpmYWxzZSwiam0iOmZhbHNlLCJiYSI6ZmFsc2UsInRtIjpbMCxmYWxzZSxmYWxzZV0sImF1Ijp0cnVlLCJtaSI6IjZjMmY3ZTNhLTQzMTUtZDkzYi1jZjYxLWIxYWI1MThiOTFmMyIsImNsIjoiUENXRUIiLCJzdiI6IjEuMCIsImpnIjoiYzhjNTQ0Nzk0MTNmZDAyY2NmMzM0MDk3YjVmNWVlODYiLCJmaCI6ImV1anRmbjlqd3BucTltejJ3OWpqcTFvdiIsImlmbSI6W3RydWUsNDYwLDQyMCwiaHR0cHM6Ly93d3cuaXFpeWkuY29tLyJdLCJleCI6IiIsImR2Ijoib24iLCJwdiI6ZmFsc2V9
全局搜索 password 并综合分析,得到下面发送登录请求的 JS 代码:
methods: {
/**
 * Submit a login request through the remote interface.
 *
 * @param {Object} [e] - Login parameters. When `e.passwd` is set it is
 *   overwritten in place with the output of `r.rsaFun` before sending.
 * @param {Function} [t] - Optional callback invoked with the login response.
 */
send: function(e, t) {
  var self = this;
  e = e || {};
  // The plaintext password is replaced by its rsaFun output before the request is built.
  if (e.passwd) {
    e.passwd = r.rsaFun(e.passwd);
  }
  s.getEnvAndDfp(function(envResult) {
    if ("A00000" == envResult.code) {
      e.dfp = envResult.data.dfp;
      e.envinfo = envResult.data.env;
    } else {
      // Any other result code: the login is still sent, with empty dfp/envinfo.
      e.dfp = "";
      e.envinfo = "";
    }
    self._remoteInterface.send({
      ifname: "login",
      param: e,
      domain: o
    }, function(response) {
      t && t(response);
    });
  });
},
可以知道 e.passwd=r.rsaFun(e.passwd),即密码在发送前会先经过 r.rsaFun 处理。
密码采用 RSA 非对称加密,继续查找 r.rsaFun,得到下面精简后的函数:
/**
 * Encrypt the login password with the RSA public key embedded in the script.
 *
 * The input is URL-encoded first, then passed to RSAUtils.encryptedString;
 * whitespace between cipher blocks is replaced with "-".
 *
 * NOTE(review): the modulus below is 128 hex characters (512 bits) and the
 * encryptedString listing on this page applies zero padding only, so the
 * output is deterministic for a given password. This layer should not be
 * relied on in place of TLS.
 *
 * @param {string} e - Plaintext password.
 * @returns {string} Hex cipher blocks joined by "-".
 */
rsaFun: function(e) {
  // RSA modulus, hex encoded.
  var modulusHex = "ab86b6371b5318aaa1d3c9e612a9f1264f372323c8c0f19875b5fc3b3fd3afcc1e5bec527aa94bfa85bffc157e4245aebda05389a5357b75115ac94f074aefcd";
  // Public exponent, hex encoded (0x10001).
  var exponentHex = "10001";
  // The middle argument is the private-exponent slot; the client passes an empty string.
  var keyPair = Q.crypto.rsa.RSAUtils.getKeyPair(exponentHex, "", modulusHex);
  var cipherText = Q.crypto.rsa.RSAUtils.encryptedString(keyPair, encodeURIComponent(e));
  return cipherText.replace(/\s/g, "-");
}
可以得到 RSA 公钥的两个参数:模数 t 和公钥指数 n(十六进制 10001,原文称为"偏移量")。模数共 128 个十六进制字符,即 512 位,远低于目前普遍推荐的 2048 位。再继续查找 getKeyPair,可得到加密函数:
var c=function(a, b) {
/**
 * Reduce `a` modulo `this.modulus` using the precomputed quotient `this.mu`
 * (installed as `modulo` on BarrettMu instances in the rewritten listing on
 * this page).
 *
 * Reads this.k, this.mu, this.modulus and this.bkplus1 from the receiver.
 *
 * @param {Object} a - Big integer to reduce.
 * @returns {Object} Big integer remainder, smaller than this.modulus.
 */
function c(a) {
  var lib = f;
  // Estimate the quotient: drop k-1 low digits, scale by mu, drop k+1 more.
  var q1 = lib.biDivideByRadixPower(a, this.k - 1);
  var q2 = lib.biMultiply(q1, this.mu);
  var q3 = lib.biDivideByRadixPower(q2, this.k + 1);
  // Work on the low k+1 digits only.
  var r1 = lib.biModuloByRadixPower(a, this.k + 1);
  var product = lib.biMultiply(q3, this.modulus);
  var r2 = lib.biModuloByRadixPower(product, this.k + 1);
  var remainder = lib.biSubtract(r1, r2);
  if (remainder.isNeg) {
    remainder = lib.biAdd(remainder, this.bkplus1);
  }
  // The quotient estimate may be slightly low, so subtract the modulus until in range.
  while (lib.biCompare(remainder, this.modulus) >= 0) {
    remainder = lib.biSubtract(remainder, this.modulus);
  }
  return remainder;
}
/**
 * Multiply two big integers and reduce the product with this.modulo.
 *
 * @param {Object} a - First factor.
 * @param {Object} b - Second factor.
 * @returns {Object} (a * b) reduced by the receiver's modulo method.
 */
function d(a, b) {
  return this.modulo(f.biMultiply(a, b));
}
/**
 * Modular exponentiation by repeated squaring, using this.multiplyMod.
 *
 * @param {Object} a - Base (big integer).
 * @param {Object} b - Exponent (big integer); its bits are consumed from the
 *   lowest upward.
 * @returns {Object} a raised to b, reduced by the receiver's multiplyMod.
 */
function e(a, b) {
  var result = new t;
  result.digits[0] = 1;
  var base = a;
  var exponent = b;
  while (true) {
    // Multiply in the current power of the base when the low exponent bit is set.
    if (0 != (1 & exponent.digits[0])) {
      result = this.multiplyMod(result, base);
    }
    exponent = f.biShiftRight(exponent, 1);
    // Stop once the exponent has been shifted down to zero.
    if (0 == exponent.digits[0] && 0 == f.biHighIndex(exponent)) {
      break;
    }
    base = this.multiplyMod(base, base);
  }
  return result;
}
// `g` collects the library's exports; `f` is the RSAUtils function table.
var g = {};
var f;
if ("undefined" == typeof g.RSAUtils) {
  f = g.RSAUtils = {};
}
// h, k, l and m are assigned by f.setMaxDigits (digit count, zero-filled
// template array, and two preset BigInt instances).
var h;
var k;
var l;
var m;
// Digits are 16 bits wide: p is the digit radix and s the digit mask.
var n = 16;
var o = n;
var p = 65536;
var q = p >>> 1;
var r = p * p;
var s = p - 1;
/**
 * Big integer container.
 *
 * @param {boolean} [a] - Pass exactly `true` to skip allocating the digit
 *   array (digits is then null); otherwise digits is a copy of the template k.
 */
var t = g.BigInt = function(a) {
  if ("boolean" == typeof a && a === true) {
    this.digits = null;
  } else {
    this.digits = k.slice(0);
  }
  this.isNeg = false;
};
/**
 * Set the number of digits every new BigInt is allocated with.
 *
 * Rebuilds the zero-filled template array `k` and re-creates the two shared
 * constants: `l` (all digits zero) and `m` (lowest digit set to 1).
 *
 * @param {number} a - Digit count for subsequently created BigInt instances.
 */
f.setMaxDigits = function(a) {
  h = a;
  k = new Array(h);
  var idx = 0;
  while (idx < k.length) {
    k[idx] = 0;
    idx++;
  }
  l = new t;
  m = new t;
  m.digits[0] = 1;
};
// Initial width; the listing later calls setMaxDigits(130).
f.setMaxDigits(20);
// `u` and `v` are not referenced in the code shown on this page; presumably
// they are used by the part that was cut — confirm against the full script.
var u = 15;
/**
 * Convert a JavaScript number into a BigInt instance.
 *
 * @param {number} a - Value to convert; the sign is stored in isNeg.
 * @returns {Object} BigInt whose digits hold |a| in base 65536, lowest first.
 */
f.biFromNumber = function(a) {
  var result = new t;
  result.isNeg = 0 > a;
  var remaining = Math.abs(a);
  var idx = 0;
  while (remaining > 0) {
    // s is the 16-bit digit mask, p the digit radix.
    result.digits[idx++] = remaining & s;
    remaining = Math.floor(remaining / p);
  }
  return result;
};
var v = f.biFromNumber(1e15);
f.biFromDecimal=function(a) {
for (var b, c="-"==a.charAt(0), d=c ? 1 : 0; d < a.length && "0"==a.charAt(d); )
++d;
(原文因字数超限,此处删除了部分代码)
/**
 * Encrypt a string with the public exponent of key pair `a`.
 *
 * Each character code fills one byte slot, so the input is expected to be
 * single-byte text (the caller on this page passes encodeURIComponent output).
 * The byte list is right-padded with zeros to a multiple of a.chunkSize; no
 * randomized padding is applied, so equal inputs give equal ciphertext.
 *
 * @param {Object} a - Key pair (uses chunkSize, barrett, e, radix).
 * @param {string} b - Text to encrypt.
 * @returns {string} Cipher blocks separated by single spaces.
 */
f.encryptedString=function(a, b) {
  var codes = [];
  var textLength = b.length;
  var pos = 0;
  while (pos < textLength) {
    codes[pos] = b.charCodeAt(pos);
    pos++;
  }
  // Zero-pad up to a whole number of chunks.
  while (0 != codes.length % a.chunkSize) {
    codes[pos++] = 0;
  }
  var total = codes.length;
  var output = "";
  for (pos = 0; pos < total; pos += a.chunkSize) {
    var block = new t;
    var digitIndex = 0;
    var cursor = pos;
    // Pack two bytes into each 16-bit digit, low byte first.
    while (cursor < pos + a.chunkSize) {
      block.digits[digitIndex] = codes[cursor++];
      block.digits[digitIndex] += codes[cursor++] << 8;
      ++digitIndex;
    }
    var cipher = a.barrett.powMod(block, a.e);
    var text = 16 == a.radix ? f.biToHex(cipher) : f.biToString(cipher, a.radix);
    output += text + " ";
  }
  // Drop the trailing separator.
  return output.substring(0, output.length - 1);
}
,
/**
 * Decrypt space-separated cipher blocks with the private exponent of `a`.
 *
 * Only one trailing NUL character is stripped from the result.
 *
 * @param {Object} a - Key pair (uses radix, barrett, d).
 * @param {string} b - Cipher blocks separated by single spaces.
 * @returns {string} Decoded text.
 */
f.decryptedString=function(a, b) {
  var blocks = b.split(" ");
  var plain = "";
  for (var blockIndex = 0; blockIndex < blocks.length; ++blockIndex) {
    var value = 16 == a.radix ? f.biFromHex(blocks[blockIndex]) : f.biFromString(blocks[blockIndex], a.radix);
    var decoded = a.barrett.powMod(value, a.d);
    // Each 16-bit digit unpacks to two characters, low byte first.
    for (var digitIndex = 0; digitIndex <= f.biHighIndex(decoded); ++digitIndex) {
      plain += String.fromCharCode(255 & decoded.digits[digitIndex], decoded.digits[digitIndex] >> 8);
    }
  }
  if (0 == plain.charCodeAt(plain.length - 1)) {
    plain = plain.substring(0, plain.length - 1);
  }
  return plain;
}
,
f.setMaxDigits(130),
b[a]=g
}(a, b);
对其进行调试和改写(下面同样只是节选,f、g、t、m 等变量的定义在被省略的代码中):
// Stand-ins for the two arguments the original wrapper function received;
// the listing later executes `b[a]=g` with them.
var a = {};
var b = {};
/**
 * Reduce `a` modulo `this.modulus` using the precomputed quotient `this.mu`.
 * Assigned to `modulo` by the BarrettMu constructor in this listing.
 *
 * @param {Object} a - Big integer to reduce.
 * @returns {Object} Big integer remainder, smaller than this.modulus.
 */
function c(a) {
  var lib = f;
  var shifted = lib.biDivideByRadixPower(a, this.k - 1);
  var scaled = lib.biMultiply(shifted, this.mu);
  var quotient = lib.biDivideByRadixPower(scaled, this.k + 1);
  var lowInput = lib.biModuloByRadixPower(a, this.k + 1);
  var quotientTimesModulus = lib.biMultiply(quotient, this.modulus);
  var lowProduct = lib.biModuloByRadixPower(quotientTimesModulus, this.k + 1);
  var remainder = lib.biSubtract(lowInput, lowProduct);
  // A negative difference wraps around radix^(k+1).
  if (remainder.isNeg) {
    remainder = lib.biAdd(remainder, this.bkplus1);
  }
  // Final correction: the estimated quotient can be too small.
  while (lib.biCompare(remainder, this.modulus) >= 0) {
    remainder = lib.biSubtract(remainder, this.modulus);
  }
  return remainder;
}
/**
 * Modular multiplication: multiply, then reduce with this.modulo.
 * Assigned to `multiplyMod` by the BarrettMu constructor in this listing.
 *
 * @param {Object} a - First factor.
 * @param {Object} b - Second factor.
 * @returns {Object} Reduced product.
 */
function d(a, b) {
  return this.modulo(f.biMultiply(a, b));
}
/**
 * Modular exponentiation by repeated squaring.
 * Assigned to `powMod` by the BarrettMu constructor in this listing.
 *
 * @param {Object} a - Base (big integer).
 * @param {Object} b - Exponent (big integer).
 * @returns {Object} a raised to b, reduced by this.multiplyMod.
 */
function e(a, b) {
  var result = new t;
  result.digits[0] = 1;
  var base = a;
  var exponent = b;
  while (true) {
    var lowBitSet = 0 != (1 & exponent.digits[0]);
    if (lowBitSet) {
      result = this.multiplyMod(result, base);
    }
    exponent = f.biShiftRight(exponent, 1);
    // Exponent exhausted: no further squaring needed.
    if (0 == exponent.digits[0] && 0 == f.biHighIndex(exponent)) {
      break;
    }
    base = this.multiplyMod(base, base);
  }
  return result;
}
/** Quotient of a / b (first element of biDivideModulo's result). */
f.biDivide = function(a, b) {
  var pair = f.biDivideModulo(a, b);
  return pair[0];
};
/** Remainder of a / b (second element of biDivideModulo's result). */
f.biModulo = function(a, b) {
  var pair = f.biDivideModulo(a, b);
  return pair[1];
};
/** (a * b) mod c using plain division rather than the Barrett helpers. */
f.biMultiplyMod = function(a, b, c) {
  var product = f.biMultiply(a, b);
  return f.biModulo(product, c);
};
/**
 * Raise big integer `a` to the power `b`, where `b` is a plain number
 * (its bits are tested with `&` and shifted with `>>=`).
 */
f.biPow = function(a, b) {
  // `m` is the shared BigInt whose lowest digit is 1.
  var result = m;
  var base = a;
  while (true) {
    if (0 != (1 & b)) {
      result = f.biMultiply(result, base);
    }
    b >>= 1;
    if (0 == b) {
      break;
    }
    base = f.biMultiply(base, base);
  }
  return result;
};
/** a^b mod c by repeated squaring, with `b` a big integer. */
f.biPowMod = function(a, b, c) {
  var result = m;
  var base = a;
  var exponent = b;
  while (true) {
    if (0 != (1 & exponent.digits[0])) {
      result = f.biMultiplyMod(result, base, c);
    }
    exponent = f.biShiftRight(exponent, 1);
    if (0 == exponent.digits[0] && 0 == f.biHighIndex(exponent)) {
      break;
    }
    base = f.biMultiplyMod(base, base, c);
  }
  return result;
};
/**
 * Precompute the values needed for fast reduction modulo `a`.
 *
 * Sets modulus (a copy of `a`), k (digit count of the modulus), mu (the
 * quotient of radix^(2k) by the modulus) and bkplus1 (radix^(k+1)), then
 * attaches the modulo / multiplyMod / powMod helpers defined as c, d and e.
 *
 * @param {Object} a - Modulus as a big integer.
 */
g.BarrettMu = function(a) {
  this.modulus = f.biCopy(a);
  this.k = f.biHighIndex(this.modulus) + 1;
  // A single 1 at digit index 2k represents radix^(2k).
  var radixPower = new t;
  radixPower.digits[2 * this.k] = 1;
  this.mu = f.biDivide(radixPower, this.modulus);
  this.bkplus1 = new t;
  this.bkplus1.digits[this.k + 1] = 1;
  this.modulo = c;
  this.multiplyMod = d;
  this.powMod = e;
};
/**
 * RSA key pair built from hex strings.
 *
 * chunkSize is twice the highest digit index of the modulus, i.e. the number
 * of plaintext bytes packed into one block by encryptedString.
 *
 * @param {string} a - Public exponent, hex.
 * @param {string} b - Private exponent, hex (the login code passes "").
 * @param {string} c - Modulus, hex.
 */
var A = function(a, b, c) {
  var lib = f;
  this.e = lib.biFromHex(a);
  this.d = lib.biFromHex(b);
  this.m = lib.biFromHex(c);
  this.chunkSize = 2 * lib.biHighIndex(this.m);
  this.radix = 16;
  this.barrett = new g.BarrettMu(this.m);
};
/**
 * Build a key pair from hex-encoded exponent(s) and modulus.
 *
 * @param {string} a - Public exponent, hex.
 * @param {string} b - Private exponent, hex.
 * @param {string} c - Modulus, hex.
 * @returns {Object} New key pair instance.
 */
f.getKeyPair = function(a, b, c) {
  var keyPair = new A(a, b, c);
  return keyPair;
};
// Define the two-digit formatter only if the namespace does not have one yet.
if ("undefined" == typeof g.twoDigit) {
  g.twoDigit = function(a) {
    var prefix = 10 > a ? "0" : "";
    return prefix + String(a);
  };
}
/**
 * Encrypt a string with the public exponent of key pair `a`.
 *
 * Input characters are stored one per byte slot, the byte list is zero-padded
 * to a multiple of a.chunkSize, and each chunk is raised to a.e. There is no
 * randomized padding, so the same text and key always produce the same output.
 *
 * @param {Object} a - Key pair (uses chunkSize, barrett, e, radix).
 * @param {string} b - Text to encrypt; expected to be single-byte characters.
 * @returns {string} Cipher blocks separated by single spaces.
 */
f.encryptedString = function(a, b) {
  var bytes = [];
  var inputLength = b.length;
  var offset = 0;
  while (offset < inputLength) {
    bytes[offset] = b.charCodeAt(offset);
    offset++;
  }
  while (0 != bytes.length % a.chunkSize) {
    bytes[offset++] = 0;
  }
  var paddedLength = bytes.length;
  var joined = "";
  for (offset = 0; offset < paddedLength; offset += a.chunkSize) {
    var chunk = new t;
    var digit = 0;
    var readAt = offset;
    // Two consecutive bytes form one 16-bit digit, low byte first.
    while (readAt < offset + a.chunkSize) {
      chunk.digits[digit] = bytes[readAt++];
      chunk.digits[digit] += bytes[readAt++] << 8;
      ++digit;
    }
    var powered = a.barrett.powMod(chunk, a.e);
    var encoded = 16 == a.radix ? f.biToHex(powered) : f.biToString(powered, a.radix);
    joined += encoded + " ";
  }
  return joined.substring(0, joined.length - 1);
};
/**
 * Decrypt space-separated cipher blocks with the private exponent of `a`.
 *
 * @param {Object} a - Key pair (uses radix, barrett, d).
 * @param {string} b - Cipher blocks separated by single spaces.
 * @returns {string} Decoded text with at most one trailing NUL removed.
 */
f.decryptedString = function(a, b) {
  var parts = b.split(" ");
  var text = "";
  for (var partIndex = 0; partIndex < parts.length; ++partIndex) {
    var cipher = 16 == a.radix ? f.biFromHex(parts[partIndex]) : f.biFromString(parts[partIndex], a.radix);
    var plainBlock = a.barrett.powMod(cipher, a.d);
    for (var digit = 0; digit <= f.biHighIndex(plainBlock); ++digit) {
      text += String.fromCharCode(255 & plainBlock.digits[digit], plainBlock.digits[digit] >> 8);
    }
  }
  if (0 == text.charCodeAt(text.length - 1)) {
    text = text.substring(0, text.length - 1);
  }
  return text;
};
// Re-size the digit arrays to 130 entries before any key is built.
f.setMaxDigits(130);
// Leftover export from the original wrapper: `a` and `b` are plain objects in
// this listing, and getpwd calls `f` directly rather than going through `b`.
b[a] = g;
/**
 * Reproduce the site's password transform: URL-encode the input, encrypt it
 * with the embedded RSA public key, and join the cipher blocks with "-".
 *
 * NOTE(review): the modulus is 512 bits and encryptedString adds no random
 * padding, so the result is the same on every call for a given input.
 *
 * @param {*} e - Password; converted to a string by encodeURIComponent.
 * @returns {string} Hex cipher blocks joined by "-".
 */
function getpwd(e) {
  // RSA modulus (hex) and public exponent (hex 10001) copied from rsaFun.
  var modulusHex = "ab86b6371b5318aaa1d3c9e612a9f1264f372323c8c0f19875b5fc3b3fd3afcc1e5bec527aa94bfa85bffc157e4245aebda05389a5357b75115ac94f074aefcd";
  var exponentHex = "10001";
  var keyPair = f.getKeyPair(exponentHex, "", modulusHex);
  var encrypted = f.encryptedString(keyPair, encodeURIComponent(e));
  return encrypted.replace(/\s/g, "-");
}
简化了调用方式,测试一下 getpwd(666666):
返回结果与登录请求中传递的值一致。之所以能够直接比对,是因为 encryptedString 只做补零、没有随机填充,同一密码每次加密得到的密文都相同;这也说明这层加密无法防止密文被重放,传输安全仍需依赖 HTTPS。