当前位置:网站首页>某母婴小程序加密参数解密

某母婴小程序加密参数解密

2022-08-04 04:25:00 Mr丶小煌

抓包

确定加密参数:
POST /category/getFatherCategorys HTTP/1.1
Host: api.mia.com
Connection: keep-alive
Content-Length: 376
charset: utf-8
User-Agent: Mozilla/5.0 (Linux; Android 10; MI 8 Build/QKQ1.190828.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4273 MMWEBSDK/20220604 Mobile Safari/537.36 MMWEBID/8261 MicroMessenger/8.0.24.2180(0x2800187D) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android
content-type: application/x-www-form-urlencoded
Accept-Encoding: gzip,compress,br,deflate
Referer: https://servicewechat.com/wx2fb74861036b06c9/211/page-frame.html

timestamp=1658891083.489&app_id=xcx_app_id&version=xcx-zx_1_0&session=123&auth_session=&user_plus_type=0&params=mfETUhckN2NvH8TvwKkbgcPfCaA1hCL5AeZ75n6LS8drCKgBVY4D81My6nr3bi%2BOvOW0H08014ut6PL8a4UyLly5MF1HSZdaCTAXLvUiPsgq7NEAeERGy8NFNscQI%2FOE2llN8%2FDX15qtqnKkkDbkFK%2FM7MBgVBhYFujJCzqUEwc%3D&sign=af07c47fb3522a28f2836b8f607cfdbf

从上可以看到加密参数有两个,分别是params和sign

解包微信小程序

在这里插入图片描述

加密参数查找验证

此处我们不使用小程序开发者工具,直接使用vscode读源码的形式解密;
通过搜索相关参数我们可以定位到如下
在这里插入图片描述
但是考虑到一个问题,此处没法动态调试,所以无法看到我们的入参是什么??
那么怎么解决呢????
当然是上web端看看啦!毕竟都是js
在这里插入图片描述
此处我们可以看到具体都由哪些参数以及变化,为我们接下来分析走一波!

加密获取并测试

刚开始建议大家先扣小程序的js,当然有能力的可以直接翻译

在这里插入图片描述

翻译的代码

import hashlib
import time
import urllib.parse
import requests
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as PKCS1_cipher
import base64
def params(message1):
    # 使用公钥对内容进行rsa加密
    public_key ="""-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiwJbb2EeK9ZB4Chyj5/mIVPRE od0pJrv3LM2UVtkod+2mPVjV9Xi1E06gUaoexX/ebfRXm1eBwu3LtYbklh5Ji5oF ycoUCFhwzhmm8ZtjdkCIicFfxUU4I5NunL6+37+hy43EgCrao5tFgHtnkeR/vNyG faxdxevPbVEtWlJz6wIDAQAB -----END PUBLIC KEY-----"""
    pub_key = RSA.importKey(str(public_key))
    cipher = PKCS1_cipher.new(pub_key)
    rsa_text = base64.b64encode(cipher.encrypt(bytes(message1.encode("utf8"))))
    return rsa_text.decode('utf-8')

if __name__ == '__main__':
    message1 = '{}'
    params = params(message1)
    ts = round(float(time.time()),3)
    print(ts)
    str = 'app_idxcx_app_idauth_sessionparams{params}session123timestamp{ts}[email protected]!30307'.format(params=params,ts=ts)
    sign = hashlib.md5(str.encode(encoding='UTF-8')).hexdigest()
    url = "https://api.mia.com/category/getFatherCategorys"

    payload = "timestamp={ts}&app_id=xcx_app_id&version=xcx-zx_1_0&session=123&auth_session=&user_plus_type=0&params={params}&sign={sign}".format(ts=ts,params=urllib.parse.quote(params,safe=''),sign=sign)
    headers = {
    
        'Host': 'api.mia.com',
        'charset': 'utf-8',
        'User-Agent': 'Mozilla/5.0 (Linux; Android 10; MI 8 Build/QKQ1.190828.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4267 MMWEBSDK/20220604 Mobile Safari/537.36 MMWEBID/8261 MicroMessenger/8.0.24.2180(0x2800187D) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android',
        'content-type': 'application/x-www-form-urlencoded'
    }

    response = requests.request("POST", url, headers=headers, data=payload)

    print(response.text)

注意注意

文章仅供学习,如涉及到隐私等信息,可联系我删除!!!!!

原网站

版权声明
本文为[Mr丶小煌]所创,转载请带上原文链接,感谢
https://blog.csdn.net/weixin_45171937/article/details/126010500

边栏推荐

猜你喜欢

随机推荐