某航空网站promise异步定位js逆向解析
本次目标地址如下,使用base64解码获得
aHR0cHM6Ly9pbnQtZXQueGlhbWVuYWlyLmNvbS9mbGlnaHRzL3Jlc3VsdHM=
打开网址,抓包分析后,发现响应结果在该请求中:
我们跟栈进去查找,从右边的堆栈调用过程中发现,这是典型的axios请求
针对这种请求,一般加密都是在请求拦截器中,通常定位到加密的有两种方式,找到响应拦截器,因为响应拦截器一般和请求拦截器在一块地方,第二种就是找到请求拦截器,这里就简单讲第一种方式
如上图,找到处理响应结果的地方,通过跳出当前函数这一功能,点击两次后,就找响应拦截器的位置了
并且上方这块就是请求拦截器了,也能找到加密的位置,加密的参数来自于A函数
跳转到A函数之后, 发现就是用一些随机字符串和时间戳,以及一些固定加密参数去使用标准加密算法进行加密,因为加密代码没有任何混淆,所以,破解也很容易
这里可以直接把A函数扣下来,把一些环境补齐,如下
const crypto = require('crypto-js')
window = global;
navigator = {
appCodeName: 'Mozilla',
}
b = {
timeDiff: -693,
reptile: '{"configProperties":[{"key":"external.booking.refund.calc.cancel.failed.support","value":"true"},{"key":"external.booking.refund.supported.banks","value":"01-102584000002-102-\\\\u4e2d\\\\u56fd\\\\u5de5\\\\u5546\\\\u94f6\\\\u884c,02-103584099993-103-\\\\u4e2d\\\\u56fd\\\\u519c\\\\u4e1a\\\\u94f6\\\\u884c,03-104584000003-104-\\\\u4e2d\\\\u56fd\\\\u94f6\\\\u884c,04-105584000005-105-\\\\u4e2d\\\\u56fd\\\\u5efa\\\\u8bbe\\\\u94f6\\\\u884c,05-301584000016-301-\\\\u4ea4\\\\u901a\\\\u94f6\\\\u884c,06-302584043105-302-\\\\u4e2d\\\\u4fe1\\\\u94f6\\\\u884c,07-303584000004-303-\\\\u5149\\\\u5927\\\\u94f6\\\\u884c,08-304584040898-304-\\\\u534e\\\\u590f\\\\u94f6\\\\u884c,09-305584000002-305-\\\\u6c11\\\\u751f\\\\u94f6\\\\u884c,010-306584001261-306-\\\\u5e7f\\\\u53d1\\\\u94f6\\\\u884c,011-307584007998-307-\\\\u5e73\\\\u5b89\\\\u94f6\\\\u884c,012-308584001016-308-\\\\u62db\\\\u5546\\\\u94f6\\\\u884c,013-309584000000-309-\\\\u5174\\\\u4e1a\\\\u94f6\\\\u884c,014-310584000006-310-\\\\u4e0a\\\\u6d77\\\\u6d66\\\\u4e1c\\\\u53d1\\\\u5c55\\\\u94f6\\\\u884c,015-403584099005-403-\\\\u90ae\\\\u653f\\\\u50a8\\\\u84c4\\\\u94f6\\\\u884c,016-313100000013-313100000013-\\\\u5317\\\\u4eac\\\\u94f6\\\\u884c,017-325290000012-325290000012-\\\\u4e0a\\\\u6d77\\\\u94f6\\\\u884c,018-313110000017-313110000017-\\\\u5929\\\\u6d25\\\\u94f6\\\\u884c"},{"key":"password.encode.channel","value":"IBE,CTRIP"},{"key":"external.booking.refund.child.support","value":"false"},{"key":"mfa.sms.disable.verification","value":"false"},{"key":"antispider.sharedPublicCipherKey","value":"ojts"},{"key":"external.booking.bank.account.binding.enabled","value":"true"},{"key":"antispider.enable","value":"false"},{"key":"display.checkin.phase","value":"all"},{"key":"prepareCancelTimeLimit","value":"25"},{"key":"externalFlightBooking.ticketsRetrieval.enabled","value":"true"},{"key":"loginRememberMe.enabled","value":"true"},{"key":"antispider.cipherAndPattern","value":"{\\"0\\":{\\"cipher\\":\\"CipherKey1\\",\\"pattern\\":\\"^[0-9]{32}$\\"},\\"1\\":{\\"cipher\\":\\"CipherKey2\\",\\"pattern\\":\\"^[a-z]{32}$\\"},\\"2\\":{\\"cipher\\":\\"CipherKey3\\",\\"pattern\\":\\"^[A-Z]{32}$\\"},\\"3\\":{\\"cipher\\":\\"CipherKey4\\",\\"pattern\\":\\"^[0-9]{32}$\\"},\\"4\\":{\\"cipher\\":\\"CipherKey5\\",\\"pattern\\":\\"^[a-z]{32}$\\"},\\"5\\":{\\"cipher\\":\\"CipherKey6\\",\\"pattern\\":\\"^[A-Z]{32}$\\"}}"},{"key":"threshold.historyOrderDays","value":"395"},{"key":"antispider.endpointlist","value":"{\\"endpoints\\":[{ \\"methods\\": [\\"POST\\"], \\"url\\": \\"/bookings/*/flight/ancillaries/resultSets\\" },{ \\"methods\\": [\\"GET\\"], \\"url\\": \\"/bookings/*/flight/ancillaries/resultSets/*\\" },{ \\"methods\\": [\\"POST\\"], \\"url\\": \\"/bookings/*/flight/baggage/resultSets\\" },\\n { \\"methods\\": [\\"GET\\"], \\"url\\": \\"/bookings/*/flight/baggage/resultSets/*\\" },{ \\"methods\\": [\\"POST\\"], \\"url\\": \\"/bookings/*/products/*/crossSell\\" },\\n { \\"methods\\": [\\"GET\\"], \\"url\\": \\"/bookings/*/products/*/flight/crossSell/availability\\" },{ \\"methods\\": [\\"POST\\"], \\"url\\": \\"/bookings/*/products/*/switchSell/package\\" },{ \\"methods\\": [\\"POST\\"], \\"url\\": \\"/flight/calendar\\" },\\n { \\"methods\\": [\\"POST\\"], \\"url\\": \\"/flight/resultSets\\" },{ \\"methods\\": [\\"GET\\"], \\"url\\": \\"/flight/resultSets/*\\" },{ \\"methods\\": [\\"GET\\"], \\"url\\": \\"/flightCache/calendarSearch\\" },{ \\"methods\\": [\\"GET\\"], \\"url\\": \\"/flightCache/lowPriceSearch\\" },\\n { \\"methods\\": [\\"GET\\"], \\"url\\": \\"/flightCache/lowPriceSearch/hotRoute\\" },{ \\"methods\\": [\\"GET\\"], \\"url\\": \\"/bookings/*/flight/seatMaps\\" },{ \\"methods\\": [\\"POST\\"], \\"url\\": \\"/order/extract/orderResult\\" },\\n { \\"methods\\": [\\"POST\\"], \\"url\\": \\"/flightFareShopping/all/resultSets\\" },{ \\"methods\\": [\\"GET\\"], \\"url\\": \\"/flightFareShopping/all/resultSets/*\\" }]}"},{"key":"change.voluntary.limit.days","value":"365"},{"key":"ancillary.address.invalid.pattern","value":"[!!*_%&$-]"},{"key":"ancillary.others.invalid.pattern","value":"[!@!*_%&$-]"},{"key":"bundle.comboProduct.enabled","value":"true"},{"key":"bundle.insuranceContinueToBuy.enabled","value":"true"},{"key":"invite.upgrade.prepare.authorization.bankId","value":"YEEPAYAUTH"},{"key":"invite.upgrade.enabled","value":"true"},{"key":"error.refund.enabled","value":"true"},{"key":"limit.locale","value":"US"},{"key":"change.involuntary.limit.days","value":"5"},{"key":"errorRefundTimeLimit","value":"20"},{"key":"mfa.captcha.disable.verification","value":"false"},{"key":"external.booking.refund.open.support","value":"false"},{"key":"serverTimestamp","value":"1706757153827"}]}',
get: function (res){
//console.log(res, this[res]);
return this[res];
}
}
v = {
a: crypto
}
//console.log(v.a);
function A() {
var e = {}
, t = +b.get("timeDiff") || 0
, a = (new Date).getTime() + t
, n = "".concat(window.navigator.appCodeName, "_").concat(function() {
for (var e = [], t = 0; t < 32; t++)
e[t] = "0123456789abcdef".substr(Math.floor(16 * Math.random()), 1);
return e.join("")
}());
e["Device-Id"] = n;
var r = function(e) {
for (var t = JSON.parse(b.get("reptile")), a = arguments.length, n = new Array(a > 1 ? a - 1 : 0), r = 1; r < a; r++)
n[r - 1] = arguments[r];
var i = n[0]
, l = n[1]
, o = JSON.parse(t.configProperties.filter((function(e) {
return "antispider.cipherAndPattern" === e.key
}
))[0].value)[e].cipher
, s = t.configProperties.filter((function(e) {
return "antispider.sharedPublicCipherKey" === e.key
}
))[0].value
, u = {}
, c = ["12345678901234567890123456789012", "qwefqwefqwefqwefqwefqwefqwefqwef", "QWDSQWDSQWDSQWDSQWDSQWDSQWDSQWDS", "12345678901234567890123456789012", "qwefqwefqwefqwefqwefqwefqwefqwef", "QWDSQWDSQWDSQWDSQWDSQWDSQWDSQWDS"]
, d = "".concat(i, "_").concat(c[e])
, p = v.a.MD5("".concat(s).concat(o)).toString().substring(8, 24)
, m = v.a.enc.Utf8.parse(v.a.MD5("".concat(s).concat(o)).toString().substring(8, 24));
u["Crypto-Chars"] = e <= 2 ? v.a.AES.encrypt("".concat(d, "_").concat(l), m, {
mode: v.a.mode.ECB,
padding: v.a.pad.Pkcs7
}).toString() : v.a.MD5("".concat(d, "_").concat(l, "_").concat(p)).toString();
var f = v.a.enc.Utf8.parse(v.a.MD5(s).toString().substring(8, 24));
return u["Crypto-Random"] = v.a.AES.encrypt("".concat(d), f, {
mode: v.a.mode.ECB,
padding: v.a.pad.Pkcs7
}).ciphertext.toString(v.a.enc.Base64),
u
}(Math.abs(a % 6), a, n);
//console.log(r);
return e["Crypto-Chars"] = r["Crypto-Chars"],
e["Crypto-Random"] = r["Crypto-Random"],
e
};
console.log(A());
也能成功运行A函数
加密其实也很简单,加密完成后,直接组装成python请求代码,成功拿到响应结果
