JS Reverse Engineering - 快乐学堂 Login

Target

aHR0cHM6Ly93d3cuOTExMTguY29tL1Bhc3Nwb3J0L0FjY291bnQvTG9naW4=

Crack the login encryption logic of the site above.

Reverse-engineering process

First, enter any username, password and captcha, then open the browser's built-in developer tools and capture the traffic.

image.png

This is the login request. Next we copy it in cURL (bash) format; as a Python requests script it is:

import requests

headers = {
    'accept': '*/*',
    'accept-language': 'zh-CN,zh;q=0.9',
    'cache-control': 'no-cache',
    'pragma': 'no-cache',
    'priority': 'u=1, i',
    'referer': 'https://www.91118.com/Passport/Account/Login',
    'sec-ch-ua': '"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'same-origin',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36',
    'x-requested-with': 'XMLHttpRequest',
}

params = {
    'r': '0.2047177225285708',
    'kds': 'yes',
    'username': 'admin',
    'pass': 'nqJaBewPqcY=',
    'recordPwd': '1',
    'ckcode': '6033',
    'fscode': 'klxt',
    'invite': '',
}

response = requests.get('https://www.91118.com/passport/Account/LoginPost', params=params, headers=headers)

print(response.text)
print(response)

After removing the cookies we find it makes no difference; look at the ResultCode in the response.

Next we inspect the headers and find nothing encrypted there, so we send the request again and compare the request parameters.

image.png

Clearly, the r parameter is unknown, username is plaintext, and pass is probably the encrypted ciphertext.

Next we locate where the parameters are built, using the XHR method.

image.png

The r parameter is obviously a random number. Next we step into the place where pass is encrypted.

image.png

It is DES encryption, trivial. Let's test it.

image.png

Next we adapt the code and call it from Python. Below is the complete Python and JS code.

import execjs
import requests

headers = {
    'accept': '*/*',
    'accept-language': 'zh-CN,zh;q=0.9',
    'cache-control': 'no-cache',
    'pragma': 'no-cache',
    'priority': 'u=1, i',
    'referer': 'https://www.91118.com/Passport/Account/Login',
    'sec-ch-ua': '"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'same-origin',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36',
    'x-requested-with': 'XMLHttpRequest',
}

with open("demo01.js", "r", encoding="utf-8") as f:
    js_code = f.read()

username = "admin"
password = "123456"

params = execjs.compile(js_code).call("encryptByDES", username, password)

response = requests.get('https://www.91118.com/passport/Account/LoginPost', params=params, headers=headers)

print(response.text)
print(response)

// demo01.js, loaded by the Python script above
const CryptoJS = require("crypto-js")

function encryptByDES(username, message) {
    var _key = 'k1fsa01v';
    var _iv = 'k1fsa01v';
    var keyHex = CryptoJS.enc.Utf8.parse(_key);
    var encrypted = CryptoJS.DES.encrypt(message, keyHex, {
        iv: CryptoJS.enc.Utf8.parse(_iv),
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    return {
        "r": Math.random(),
        "kds": "yes",
        "username": username,
        "pass": encrypted.toString(),
        'recordPwd': '1',
        'ckcode': '6033',
        'fscode': 'klxt',
        'invite': '',
    }
}

The result of running it is as follows:

image.png
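A defender-side check for the weaknesses this walkthrough depends on (DES, ECB mode, and a key hardcoded in client-side JavaScript), as an added example that is not part of the original post: a small static scanner run over a constructed sample modeled on demo01.js. The function name `audit_js`, the finding labels and the placeholder key `EXAMPLEK` are assumptions of this example.

```python
import re

# Constructed sample modeled on the page's demo01.js; the key is a placeholder.
SAMPLE_JS = r'''
function encryptByDES(username, message) {
    var _key = 'EXAMPLEK';
    var _iv = 'EXAMPLEK';
    var keyHex = CryptoJS.enc.Utf8.parse(_key);
    var encrypted = CryptoJS.DES.encrypt(message, keyHex, {
        iv: CryptoJS.enc.Utf8.parse(_iv),
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    return encrypted.toString();
}
'''

STRING_VAR = re.compile(r'''\b(?:var|let|const)\s+(\w+)\s*=\s*(['"])(.*?)\2''')
PARSED_VAR = re.compile(r'\b(?:var|let|const)\s+(\w+)\s*=\s*CryptoJS\.enc\.\w+\.parse\(\s*(\w+)\s*\)')
ENCRYPT = re.compile(r'CryptoJS\.(\w+)\.encrypt\(\s*[^,]+,\s*(\w+)\s*(?:,\s*\{(.*?)\})?\s*\)', re.S)
LEGACY_CIPHERS = {"DES", "TripleDES", "RC4"}


def audit_js(source):
    """Return a sorted list of (finding, detail) for CryptoJS encrypt() calls."""
    literals = {m.group(1): m.group(3) for m in STRING_VAR.finditer(source)}
    # Map variables built with CryptoJS.enc.*.parse(x) back to the variable x.
    parsed = {m.group(1): m.group(2) for m in PARSED_VAR.finditer(source)}
    findings = set()
    for m in ENCRYPT.finditer(source):
        cipher, key_var, opts = m.group(1), m.group(2), m.group(3) or ""
        if cipher in LEGACY_CIPHERS:
            findings.add(("weak-cipher", cipher))
        if re.search(r'mode\s*:\s*CryptoJS\.mode\.ECB', opts):
            findings.add(("ecb-mode", "identical plaintext gives identical ciphertext"))
            if re.search(r'\biv\s*:', opts):
                findings.add(("iv-ignored", "ECB does not use the iv option"))
        origin = parsed.get(key_var, key_var)
        if origin in literals:
            findings.add(("hardcoded-key", f"{origin}: string literal, {len(literals[origin])} chars"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, detail in audit_js(SAMPLE_JS):
        print(f"{finding}: {detail}")
```

Any key shipped in page JavaScript is readable by every client, so this kind of field encryption adds no confidentiality beyond what TLS already provides; the fix is to drop it and rely on TLS plus server-side password hashing.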