[JS reverse engineering, 100 cases] Reversing the login of an HN government service site, where the CAPTCHA exists in name only

2022-06-23 03:28:00 Brother K reptile

Disclaimer

All content in this article is for learning and exchange only. Captured packet contents, sensitive URLs and data interfaces have all been desensitized. Commercial or illegal use is strictly prohibited; otherwise, all consequences have nothing to do with the author. If there is any infringement, please contact me and I will delete it!

Reverse engineering target

  • Target: login interface of a government service site
  • Home page: aHR0cHM6Ly9sb2dpbi5obnp3ZncuZ292LmNuL3RhY3MtdWMvbG9naW4vaW5kZXg=
  • Interface: aHR0cHM6Ly9sb2dpbi5obnp3ZncuZ292LmNuL3RhY3MtdWMvbmF0dXJhbE1hbi9sb2dpbk5v
  • Parameters to reverse:

Form Data: loginNo, loginPwd, code, requestUUID

Request Headers: token

Packet capture analysis

This target came from a reader's request for help.

Enter an account and password and click login. The packet capture shows that the request carries an encrypted token parameter in the Request Headers, and that loginNo, loginPwd, code and requestUUID in the Form Data are all encrypted. loginNo and loginPwd should be the username and password. Because a slider CAPTCHA must be passed before logging in, it is reasonable to guess that the other two parameters are related to the CAPTCHA. Judging from the capture alone, however, they look like UUIDs rather than CAPTCHA parameters.

Also note that before login there are two csrfSave requests and one verCode request. A successful request returns JSON containing a data parameter, which should be used later.

Reversing the parameters

Form Data

Start with the Form Data. Search for any of the parameters, such as loginNo, and the encryption site is easy to find in login.js: the username and password are both encrypted by the encrypt function. The backUrl value is read through the localStorage property, from the key-value data stored in the browser; leaving it empty has no effect.

Following encrypt shows that it uses JSEncrypt, which is standard RSA encryption.

Next, look at loginCode. Searching for this value directly shows that it is returned by the verCode request.

Then look at requestUUID. Its value is UUID; searching within the current file (login.js) finds where it is defined. There is an uploadUUID() method that sets the UUID value by sending a POST request to an uploadIdentifier interface.

Note that a global search for UUID also turns up a method in common.js. In testing, a uuid generated directly with this method also passes the request. The site may not be rigorous here: this value is not strictly validated.

Request Headers

With the Form Data solved, turn to the token parameter in the Request Headers. Because it lives in a request header, a hook can be used to find where it is generated:

(function () {
    var org = window.XMLHttpRequest.prototype.setRequestHeader;
    window.XMLHttpRequest.prototype.setRequestHeader = function (key, value) {
        if (key == 'token') {
            debugger;
        }
        return org.apply(this, arguments);
    };
})();

You can also search directly for keywords such as token and setRequestHeader; the code is easy to find in common.js. When login is clicked, a csrfSave request is sent, and the data value it returns, once encrypted by the encrypt method, becomes the token in the login request header.

This token parameter is used in many requests and is always generated the same way: the data returned by the csrfSave request, encrypted with RSA.

One more thing to note: all of the network requests above need a SESSION value in the Cookie, which can be obtained on the first visit to the page.

Login process

To summarize the login process:

  1. Visit the home page to get the SESSION value in the Cookie;
  2. Request csrfSave to get a data value, RSA-encrypt it to get the token, then request uploadIdentifier with the token to get the uuid;
  3. Request csrfSave to get a data value, RSA-encrypt it to get the token, then request verCode with the token to get the code;
  4. Request csrfSave to get a data value, RSA-encrypt it to get the token, then request loginNo with the token, uuid, code and the encrypted account and password to log in.

In step 2, you can also generate a uuid directly in Python or JS; the site's validation is not strict, so that passes as well. It is also clear that the slider is fake: with this code, you can log in regardless of the slider.
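
The two gaps noted above (a client-generated uuid is accepted, and the slider result is never checked) both come from the server trusting values it did not issue or verify. A sketch of the server-side check that closes them, as an added example that is not code from the site or from this article; the function names, the in-memory Map and the two-minute lifetime are assumptions:

```javascript
// Added example: bind requestUUID and the CAPTCHA result to the session on the server.
// All names are hypothetical; a Map stands in for a real session store.
const crypto = require("crypto");

const TTL_MS = 2 * 60 * 1000;   // assumed lifetime of an issued challenge
const challenges = new Map();   // requestUUID -> { sessionId, solved, expires }

// Weak check matching the behaviour the article observed: any well-formed UUID passes.
function checkLoginWeak(form) {
  return /^[0-9a-f-]{36}$/i.test(form.requestUUID || "");
}

// Issued by the server (the uploadIdentifier step); the client never picks the value.
function issueChallenge(sessionId, now = Date.now()) {
  const requestUUID = crypto.randomUUID();
  challenges.set(requestUUID, { sessionId, solved: false, expires: now + TTL_MS });
  return requestUUID;
}

// Called only after the server itself has verified the slider answer.
function markCaptchaSolved(sessionId, requestUUID) {
  const c = challenges.get(requestUUID);
  if (!c || c.sessionId !== sessionId) return false;
  c.solved = true;
  return true;
}

// Strict check: known UUID, same session, not expired, CAPTCHA solved, single use.
function checkLoginStrict(sessionId, form, now = Date.now()) {
  const c = challenges.get(form.requestUUID);
  if (!c) return { ok: false, reason: "unknown requestUUID" };
  challenges.delete(form.requestUUID);   // consumed on first use, even on failure
  if (c.sessionId !== sessionId) return { ok: false, reason: "session mismatch" };
  if (now > c.expires) return { ok: false, reason: "expired" };
  if (!c.solved) return { ok: false, reason: "captcha not solved" };
  return { ok: true, reason: "accepted" };
}
```

The same pattern applies to the code value returned by verCode: the login handler should compare it with what the server stored for that session, not only check that it is present.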

Complete code

Follow K Brother reptile on GitHub for more crawler-related code. Stars are welcome! https://github.com/kgepachong/

Only part of the key code is shown below; it cannot be run directly! Full code repository: https://github.com/kgepachong/crawler/

JavaScript encryption code

/* ==================================
# @Time    : 2022-01-11
# @Author  : WeChat official account: K Brother reptile
# @FileName: encrypt.js
# @Software: PyCharm
# ================================== */

const JSEncrypt = require("jsencrypt");

// RSA-encrypt a string with the public key below, using JSEncrypt.
function encrypt(pwd) {
	var key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsgDq4OqxuEisnk2F0EJFmw4xKa5IrcqEYHvqxPs2CHEg2kolhfWA2SjNuGAHxyDDE5MLtOvzuXjBx/5YJtc9zj2xR/0moesS+Vi/xtG1tkVaTCba+TV+Y5C61iyr3FGqr+KOD4/XECu0Xky1W9ZmmaFADmZi7+6gO9wjgVpU9aLcBcw/loHOeJrCqjp7pA98hRJRY+MML8MK15mnC4ebooOva+mJlstW6t/1lghR8WNV8cocxgcHHuXBxgns2MlACQbSdJ8c6Z3RQeRZBzyjfey6JCCfbEKouVrWIUuPphBL3OANfgp0B+QG31bapvePTfXU48TYK0M5kE+8LgbbWQIDAQAB";
    // Named encryptor so the local variable does not shadow the encrypt function.
    var encryptor = new JSEncrypt();
    encryptor.setPublicKey(key);
    var encrypted = encryptor.encrypt(pwd);
    return encrypted;
}

// Test sample
// console.log(encrypt("15555555555"))

Python login code

# ==================================
# @Time    : 2022-01-11
# @Author  : WeChat official account: K Brother reptile
# @FileName: hnzww_login.py
# @Software: PyCharm
# ==================================


import execjs
import requests


# Shared cookie jar; filled with the SESSION value by get_session().
cookies = {}
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"

# Load encrypt.js so that its encrypt() function can be called from Python.
with open("encrypt.js", encoding="utf-8") as f:
    js = execjs.compile(f.read())


def csrf_save():
    # Request csrfSave and return the data value that is later RSA-encrypted into the token.
    url = "Desensitized; see the full code on GitHub: https://github.com/kgepachong/crawler"
    headers = {"User-Agent": UA}
    response = requests.post(url=url, headers=headers, cookies=cookies).json()
    data = response["data"]
    return data


def get_session():
    # Step 1: visit the home page to obtain the SESSION cookie.
    url = "Desensitized; see the full code on GitHub: https://github.com/kgepachong/crawler"
    headers = {"User-Agent": UA}
    response = requests.get(url=url, headers=headers)
    cookies.update(response.cookies.get_dict())


def get_uuid():
    # Step 2: request uploadIdentifier with a fresh token to get the uuid.
    url = "Desensitized; see the full code on GitHub: https://github.com/kgepachong/crawler"
    headers = {
        "User-Agent": UA,
        "token": js.call("encrypt", csrf_save())
    }
    response = requests.post(url=url, headers=headers, cookies=cookies).json()
    uuid = response["data"]
    return uuid


def ver_code():
    # Step 3: request verCode with a fresh token to get the code.
    url = "Desensitized; see the full code on GitHub: https://github.com/kgepachong/crawler"
    headers = {
        "User-Agent": UA,
        "token": js.call("encrypt", csrf_save())
    }
    response = requests.post(url=url, headers=headers, cookies=cookies).json()
    data = response["data"]
    return data


def login(phone, pwd, code, uuid):
    # Step 4: send the login request with token, uuid, code and the encrypted credentials.
    url = "Desensitized; see the full code on GitHub: https://github.com/kgepachong/crawler"
    headers = {
        "User-Agent": UA,
        "token": js.call("encrypt", csrf_save())
    }
    data = {
        "backUrl": "",
        "loginNo": js.call("encrypt", phone),
        "loginPwd": js.call("encrypt", pwd),
        "code": code,
        "requestUUID": uuid,
        "guoBanAuthCode": ""
    }
    response = requests.post(url=url, headers=headers, cookies=cookies, data=data)
    print(response.json())


def main():
    phone = input("Please enter your account: ")
    pwd = input("Please enter your password: ")
    get_session()
    uuid = get_uuid()
    code = ver_code()
    login(phone, pwd, code, uuid)


if __name__ == '__main__':
    main()