JS Reverse Engineering Notes 1: Kongzhong (空中网)

Target

Site address

http://www.kongzhong.com/

Feature reversed -> login authentication

https://passport.kongzhong.com/login?backurl=http://www.kongzhong.com

Analysis of the encrypted parameter

Capturing the request with Fiddler

GET https://sso.kongzhong.com/ajaxLogin?j=j&&type=1&service=https://passport.kongzhong.com/&username=18702508957&password=61adf62d8656d3020b2a7a&vcode=&toSave=0&_=1618191035675 HTTP/1.1
Host: sso.kongzhong.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://passport.kongzhong.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: KSPSSIONID=3BDFC830159C4428854858F8EE5ABA2F; SSO-KGZQRT=78D1C24711C2CD871A3ECED2E9CB9777; SESSION_COOKIE=105; Hm_lvt_1287c2225a527abe3386233dd9316f99=1618190722; Hm_lpvt_1287c2225a527abe3386233dd9316f99=1618190722; SSO-KGZLT=d86e2fcd-e15e-4931-9420-aa7a8d2692b7
response-format: json

The request carries an encrypted parameter: the password is encrypted, so the encryption has to be worked out.

password=61adf62d8656d3020b2a7a

Debugging to find the password encryption routine

Debugging with F12 (browser DevTools)

1. Tick Preserve log

2. Inspect the element to find where the data comes from and note the control's id

password_txt

3. Enter any password (the page redirects straight away anyway) and search the sources for password_txt

because the value is read from this control and handed to the encryption routine

The value is read with .val()

4. Set a breakpoint and trace exactly where the encryption happens

Set the breakpoint and submit the login request again

Step forward from the breakpoint

Click the second entry and step through slowly

It gets skipped straight over: this method is only one line long, so set the breakpoint inside it instead

This confirms that the encrypted login is performed inside KZLoginHandler.login

Now it is just a matter of stepping into it one call at a time

The encryption method is traced down very easily

Its other parameter comes from a separate endpoint

Analysis of the debugging results

Step 1: request a code that is used to encrypt the password

GET https://sso.kongzhong.com/ajaxLogin?j=j&jsonp=j&service=https://passport.kongzhong.com/&_=1618195173696 HTTP/1.1
Host: sso.kongzhong.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://passport.kongzhong.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: SESSION_COOKIE=105; trackingId=7675811b-df50-4d57-ac3c-2c9b2b3ada6f; kzu-er=18702508957; SSO-KGZQRT=FC538140747CEE40BFE1711314F9F78F; Hm_lvt_1287c2225a527abe3386233dd9316f99=1618190722; Hm_lpvt_1287c2225a527abe3386233dd9316f99=1618192487; SSO-KGZLT=7283f228-c2a6-4fcd-a8be-445ecbfabb5b; SSO-KGZIT=f5fa2e47-2a1f-4d52-9486-bcef089d03eb
response-format: json

Response:

KZLoginHandler.jsonpCallbackKongZ({
     "dc":"9B157E8A942991A9D94C0391B62C1EE5","kzmsg":"","service":"https://passport.kongzhong.com/","state":"0","requirevcode":"1"})

Step 2: the password is encrypted with a home-grown algorithm

'encrypt': function(str, pwd) {
    // str: the plaintext password; pwd: the key, i.e. the dc value fetched in step 1
    if (pwd == null || pwd.length <= 0) {
        return null;
    }
    // Turn the key into a decimal digit string by concatenating its char codes
    var prand = "";
    for (var i = 0; i < pwd.length; i++) {
        prand += pwd.charCodeAt(i).toString();
    }
    // LCG parameters derived from the key: multiplier from five digits of prand, increment from the key length
    var sPos = Math.floor(prand.length / 5);
    var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos * 2) + prand.charAt(sPos * 3) + prand.charAt(sPos * 4) + prand.charAt(sPos * 5));
    var incr = Math.ceil(pwd.length / 2);
    var modu = Math.pow(2, 31) - 1;
    if (mult < 2) {
        return null;
    }
    // Random salt (up to 8 decimal digits), mixed into the seed and appended in clear at the end of the output
    var salt = Math.round(Math.random() * 1000000000) % 100000000;
    prand += salt;
    // Fold the digit string down to at most 10 digits
    while (prand.length > 10) {
        var a = prand.substring(0, 1);
        var b = prand.substring(10, prand.length);
        if (b.length > 10) {
            prand = b;
        } else {
            prand = (parseInt(a) + parseInt(b)).toString();
        }
    }
    prand = (mult * prand + incr) % modu;
    // XOR each character with a byte derived from the LCG state and emit it as two hex digits
    var enc_chr = "";
    var enc_str = "";
    for (var i = 0; i < str.length; i++) {
        enc_chr = parseInt(str.charCodeAt(i) ^ Math.floor((prand / modu) * 255));
        if (enc_chr < 16) {
            enc_str += "0" + enc_chr.toString(16);
        } else {
            enc_str += enc_chr.toString(16);
        }
        prand = (mult * prand + incr) % modu;
    }
    // Append the salt as 8 zero-padded hex digits
    salt = salt.toString(16);
    while (salt.length < 8) {
        salt = "0" + salt;
    }
    enc_str += salt;
    return enc_str;
}

Calling it from Python

Endpoint 1: fetch the key used to encrypt the password

import time

import requests

cookie = ''  # placeholder: the Cookie header value captured from the browser session


def password_sign_key():
    # millisecond timestamp for the cache-busting `_` parameter, as in the captured request
    time_ = int(time.time() * 1000)
    url = 'https://sso.kongzhong.com/ajaxLogin?j=j&jsonp=j&service=https://passport.kongzhong.com/&_=' + str(time_)
    headers = {
        'Connection': 'keep-alive',
        'sec-ch-ua': '"Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"',
        'sec-ch-ua-mobile': '?0',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36',
        'Accept': '*/*',
        'Sec-Fetch-Site': 'same-site',
        'Sec-Fetch-Mode': 'no-cors',
        'Sec-Fetch-Dest': 'script',
        'Referer': 'https://passport.kongzhong.com/',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'response-format': 'json',
        'Cookie': cookie
    }
    res = requests.get(url, headers=headers, verify=False)
    print(res.text)
    # the JSONP body carries the dc value that is used as the encryption key
    return res.text

Endpoint 2: encrypt the password with the encryption routine

Calling the JS method from Python to encrypt the password

import execjs

# encrypt.js holds the encrypt function copied from the site; key is the dc value
# parsed out of the endpoint 1 response
with open("encrypt.js", 'r', encoding="UTF-8") as f:
    # the post re-decodes the file as GBK and discards undecodable bytes
    js = f.read().encode().decode("gbk", "ignore")
context1 = execjs.compile(js)
data = context1.call("encrypt", '1234567!', key)
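A pure-Python port of the encrypt routine above, added here as an example (it is not the post's or the site's code), so the execjs step is not needed; the salt is exposed as an optional parameter for reproducible output, and the key is the dc value from step 1. The added decrypt function (the site ships no such thing) shows what the scheme really is: the password XORed with an LCG keystream seeded from dc and a salt that is appended in the clear, so anyone holding dc can reverse it and it adds no confidentiality beyond what TLS already provides.

```python
import math
import random

MODU = 2 ** 31 - 1  # the JS modulus Math.pow(2, 31) - 1


def _lcg_params(key, salt):
    """Derive (mult, incr, seed) from the dc key and the salt exactly as the JS does."""
    prand = "".join(str(ord(c)) for c in key)
    s_pos = len(prand) // 5
    # slicing returns "" out of range, like JS charAt; parseInt drops leading zeros
    mult = int("".join(prand[s_pos * k:s_pos * k + 1] for k in range(1, 6)))
    incr = math.ceil(len(key) / 2)
    if mult < 2:
        raise ValueError("key yields a multiplier < 2 (the JS returns null here)")
    prand += str(salt)
    while len(prand) > 10:  # fold the digit string down to at most 10 digits
        a, b = prand[0], prand[10:]
        prand = b if len(b) > 10 else str(int(a) + int(b))
    return mult, incr, (mult * int(prand) + incr) % MODU


def _xor_keystream(codes, key, salt):
    """XOR each code unit with the next LCG-derived byte; XOR is its own inverse."""
    mult, incr, prand = _lcg_params(key, salt)
    out = []
    for c in codes:
        out.append(c ^ math.floor(prand / MODU * 255))
        prand = (mult * prand + incr) % MODU
    return out


def encrypt(text, key, salt=None):
    """Port of the site's encrypt(str, pwd): text is the password, key is dc."""
    if not key:
        return None
    if salt is None:  # JS: Math.round(Math.random() * 1e9) % 1e8
        salt = random.randrange(100000000)
    body = "".join(f"{v:02x}" for v in _xor_keystream((ord(c) for c in text), key, salt))
    return body + f"{salt:08x}"  # the salt travels in clear as the last 8 hex digits


def decrypt(enc, key):
    """Inverse: read the clear salt, rebuild the same keystream, XOR again (Latin-1 text)."""
    body, salt = enc[:-8], int(enc[-8:], 16)
    codes = [int(body[i:i + 2], 16) for i in range(0, len(body), 2)]
    return "".join(chr(v) for v in _xor_keystream(codes, key, salt))
```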

Pass it to the login endpoint

def login_kongzhongwang(password):
    # password is the hex string produced by encrypt(); `_` is a millisecond timestamp
    time_ = int(time.time() * 1000)
    url = f'https://sso.kongzhong.com/ajaxLogin?j=j&&type=1&service=https://passport.kongzhong.com/&username=18702508957&password={password}&vcode=&toSave=0&_={time_}'
    headers = {
        'Connection': 'keep-alive',
        'sec-ch-ua': '"Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"',
        'sec-ch-ua-mobile': '?0',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36',
        'Accept': '*/*',
        'Sec-Fetch-Site': 'same-site',
        'Sec-Fetch-Mode': 'no-cors',
        'Sec-Fetch-Dest': 'script',
        'Referer': 'https://passport.kongzhong.com/',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'response-format': 'json',
        'Cookie': cookie
    }
    res = requests.get(url, headers=headers, verify=False)
    print(res.text)
    return res.text

Summary

Not very difficult: good use of search and the debugger is all it takes.
