58 substation Anjuke: reversing the login interface encryption of the broker marketing management platform

2022-07-28 14:42:00 InfoQ


Practical scenario

The site to be solved this time again comes from the 78 Tech community. A friend asked for another walkthrough of how to locate the encrypted parameter of a login module and reverse its logic, so this article analyzes it.

The site address is: vip.anjuke.com/portal/login

With the browser developer tools, the corresponding request is easy to find.

  • Request URL: cloud-passport.anjuke.com/jjr/login/pc/dologin
  • Request method: POST

A screenshot of the relevant parameters is shown below. I was surprised when I saw them: so many parameters!

The following focuses on analyzing the password parameter.

Practical analysis of password

Starting from the login button, we look for the parameter encryption logic. When the debugger woke up, a familiar name appeared: bundle.js. Is this a webpack-packed encrypted site?

I thought that after adding breakpoints I could grab the relevant data, but I did not expect a heartbeat request.

It points to passportdatacollect.58.com/collect/upload, which looks very much like it is collecting some data.

Since it cannot be traced that way, the only option left is an XHR breakpoint. But something strange happened again: the breakpoint never triggers, because no JS initiates the request. Strange.

That leaves string searching, hoping the request address is not obfuscated. A global search for pc/dologin gives the result shown in the figure below.

Continuing with a search for mobileLoginUrl turns up the core logic.

Here the encryption call for password is r.encrypt(e.passWord).

After adding a breakpoint there, it is easy to step into the code.

The encryption function then leads to a file named mobileLogin_<version number>.js. Scrolling to the head of the file shows the familiar webpack structure.

Since it is webpack-packed JS, solving it is much easier: just extract the JS directly.

This article takes the more brutal way: download the whole JS file directly, then delete the useless parts.

The complete JS can be obtained by clicking the card at the end of the text.

Remove the user authentication part from the code, namely the following.

n(7),
window.$instanceof Function || n(87);

Then use the global-variable technique to expose the various functions.

At the position shown in the figure below, add a global variable.

window.ca =

Then, after running the file, calling ca gives access to the related functions in that object.

Next, when encrypting, a problem arises again: the encryption key KEY cannot be obtained, and the following error appears.

The problem is due to scope; some parameters can be hard coded.

"encrypt": function(e, t, n) {
    var i = this
      // r is the offset from the current time to a fixed constant, so
      // o = now + r collapses back to 1411093327735 (give or take the
      // milliseconds between the two getTime() calls); the prefix is
      // effectively constant rather than a real timestamp.
      , r = 1411093327735 - (new Date).getTime()
      , o = (new Date).getTime() + r;
    // optional second/third arguments override the RSA public key parts
    return t && (i.rsaExponent = t),
        n && (i.rsaModulus = n),
        // RSA-encrypt prefix + URL-encoded plaintext with the public key (e, N)
        u(o + encodeURIComponent(e), i.rsaExponent, i.rsaModulus)
},

The key parameters are i, i.rsaExponent and i.rsaModulus; replace them with their actual values.

The modified code is as follows .

After running it, the problem is solved.

You are reading the blog of Dream Eraser. Finished reading? Give it a like, and if you find an error, correct it in the comments. This is the Eraser's 668th original blog post.

Original site

Copyright notice
This article was created by [InfoQ]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/209/202207281343470539.html