js逆向-某敏感网站登录参数分析

声明

本文仅供学习参考，如有侵权可私信本人删除，请勿用于其他途径，违者后果自负！

如果觉得文章对你有所帮助，可以给博主点击关注和收藏哦！

前言

目标网站：aHR0cHM6Ly9tZGZnaGcuNXhwb2lqaHRmLmNvbS9kZWZhdWx0Lmh0bWwjLw==

接口：auth.login

参数分析

进入网站后点击登录，会有一个简单的验证码，输入之后才会提交登录参数。

可以看到这个参数很长，肉眼也看不懂不知道是什么东西，毫无疑问是进行了加密。

由于之前我已经分析过了网站，所以直接搜索json=即可定位到加密位置。

ps:最近发现在更新了新版本的谷歌后使用F12的搜索很多内容都搜索不到，上网查了查资料。

然后重启就可以了。

继续回归正题，通过关键字定位后：

观察代码后分别打上断点，重新触发。

单步调试，执行u函数。

一个JSON.stringify的功能，console中输出的参数信息密码是进行了加密，还获取了输入的验证码及验证码id，肯定是要拿到后端进行校验。
通过反复调试发现saltedPassword是动态变化的，截图中的盐值也能够看到这一点。

那么现在的需求就比较明确了，首先将输入的明文密码加密，然后再组装成一个对象，进行一堆乱七八糟的计算当做参数提交由后端验证。

首先查看密码的加密算法，搜索一下关键字。

盐就是当前时间戳，token是密文密码，进行了sha1加盐的双重哈希。（算法见下文）
搞清楚了密码的算法后，就到了登陆提交的表单参数了，其中id值为：

比较简单，没什么说的。
跟了一遍u函数发现还是一个JSON.stringify的操作。
继续就到了加密表单数据的位置：

E = "json=" + Object(m.a)(l.a.stringify(_).slice(5)) + "|" + t.id;

剩下的就是单步然后把代码抠出来，直接放在最下面了。

算法还原

直接把代码拉下来就可以使用

var r = "=", i = 8;function a(t, e) {t[e >> 5] |= 128 << 24 - e % 32,t[15 + (e + 64 >> 9 << 4)] = e;for (var n = Array(80), r = 1732584193, i = -271733879, a = -1732584194, c = 271733878, _ = -1009589776, l = 0; l < t.length; l += 16) {for (var h = r, f = i, g = a, p = c, m = _, y = 0; y < 80; y++) {n[y] = y < 16 ? t[l + y] : d(n[y - 3] ^ n[y - 8] ^ n[y - 14] ^ n[y - 16], 1);var E = u(u(d(r, 5), o(y, i, a, c)), u(u(_, n[y]), s(y)));_ = c,c = a,a = d(i, 30),i = r,r = E}r = u(r, h),i = u(i, f),a = u(a, g),c = u(c, p),_ = u(_, m)}return Array(r, i, a, c, _)
}function o(t, e, n, r) {return t < 20 ? e & n | ~e & r : t < 40 ? e ^ n ^ r : t < 60 ? e & n | e & r | n & r : e ^ n ^ r
}function s(t) {return t < 20 ? 1518500249 : t < 40 ? 1859775393 : t < 60 ? -1894007588 : -899497514
}function u(t, e) {var n = (65535 & t) + (65535 & e);return (t >> 16) + (e >> 16) + (n >> 16) << 16 | 65535 & n
}function d(t, e) {return t << e | t >>> 32 - e
}function c(t) {for (var e = Array(), n = (1 << i) - 1, r = 0; r < t.length * i; r += i)e[r >> 5] |= (t.charCodeAt(r / i) & n) << 32 - i - r % 32;return e
}function _(t) {for (var e = "", n = 0; n < 4 * t.length; n += 3)for (var i = (t[n >> 2] >> 8 * (3 - n % 4) & 255) << 16 | (t[n + 1 >> 2] >> 8 * (3 - (n + 1) % 4) & 255) << 8 | t[n + 2 >> 2] >> 8 * (3 - (n + 2) % 4) & 255, a = 0; a < 4; a++)8 * n + 6 * a > 32 * t.length ? e += r : e += "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(i >> 6 * (3 - a) & 63);return e
}var encode = {Encode: function () {var t = this, e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";this.encodeBase64 = function (t) {var n, r, i, a, o, s, u, d = "", c = 0;for (t = function (t) {t = t.replace(/\r\n/g, "\n");for (var e = "", n = 0; n < t.length; n++) {var r = t.charCodeAt(n);r < 128 ? e += String.fromCharCode(r) : r > 127 && r < 2048 ? (e += String.fromCharCode(r >> 6 | 192),e += String.fromCharCode(63 & r | 128)) : (e += String.fromCharCode(r >> 12 | 224),e += String.fromCharCode(r >> 6 & 63 | 128),e += String.fromCharCode(63 & r | 128))}return e}(t); c < t.length;)a = (n = t.charCodeAt(c++)) >> 2,o = (3 & n) << 4 | (r = t.charCodeAt(c++)) >> 4,s = (15 & r) << 2 | (i = t.charCodeAt(c++)) >> 6,u = 63 & i,isNaN(r) ? s = u = 64 : isNaN(i) && (u = 64),d = d + e.charAt(a) + e.charAt(o) + e.charAt(s) + e.charAt(u);return d},this.encodeSha1 = function (t) {return _(a(c(e = t), e.length * i));var e},this.encodePsw = function (e) {var n = (new Date).getTime();return {salt: n,token: t.encodeSha1(t.encodeSha1(e) + n)}}}
};var myA = new encode.Encode()
result = myA.encodePsw('明文密码')
console.log(result)

生成id代码：

function getIdentity() {return (new Date).getTime().toString().slice(2) + "" + Math.floor(900 * Math.random() + 100) + __WEBPACK_IMPORTED_MODULE_13__store__.a.getters.uid // __WEBPACK_IMPORTED_MODULE_13__store__.a.getters.uid = ''
}

l.a.stringify(_)代码:

function u_ (e, n, i, o, a, u, c, f, l, d, h, p) {var v = e;var s = {"delimiter": "&","encode": true,"encodeValuesOnly": false,"skipNulls": false,"strictNullHandling": false,encoder:function(t) {if (0 === t.length)return t;for (var e = "string" == typeof t ? t : String(t), n = "", r = 0; r < e.length; ++r) {var o = e.charCodeAt(r);45 === o || 46 === o || 95 === o || 126 === o || o >= 48 && o <= 57 || o >= 65 && o <= 90 || o >= 97 && o <= 122 ? n += e.charAt(r) : o < 128 ? n += i[o] : o < 2048 ? n += i[192 | o >> 6] + i[128 | 63 & o] : o < 55296 || o >= 57344 ? n += i[224 | o >> 12] + i[128 | o >> 6 & 63] + i[128 | 63 & o] : (r += 1,o = 65536 + ((1023 & o) << 10 | 1023 & e.charCodeAt(r)),n += i[240 | o >> 18] + i[128 | o >> 12 & 63] + i[128 | o >> 6 & 63] + i[128 | 63 & o])}return n},serializeDate: function(t) {return a.call(t)}}if ("function" == typeof c)v = c(n, v);else if (v instanceof Date)v = d(v);else if (null === v) {if (o)return u && !p ? u(n, s.encoder) : n;v = ""}if ("string" == typeof v || "number" == typeof v || "boolean" == typeof v || r.isBuffer(v))return u ? [h(p ? n : u(n, s.encoder)) + "=" + h(u(v, s.encoder))] : [h(n) + "=" + h(String(v))];var m, g = [];if (void 0 === v)return g;if (Array.isArray(c))m = c;else {var y = Object.keys(v);m = f ? y.sort(f) : y}for (var w = 0; w < m.length; ++w) {var b = m[w];a && null === v[b] || (g = Array.isArray(v) ? g.concat(t(v[b], i(n, b), i, o, a, u, c, f, l, d, h, p)) : g.concat(t(v[b], n + (l ? "." + b : "[" + b + "]"), i, o, a, u, c, f, l, d, h, p)))}return g
};
array_i = function() {for (var t = [], e = 0; e < 256; ++e)t.push("%" + ((e < 16 ? "0" : "") + e.toString(16)).toUpperCase());return t
}();
function l_a_stringify(t, e) {var i = {default: "RFC3986",formatters: {RFC1738: function(t) {return r.call(t, i, "+")},RFC3986: function(t) {return t}},RFC1738: "RFC1738",RFC3986: "RFC3986"};var o ={brackets: function(t) {return t + "[]"},indices: function(t, e) {return t + "[" + e + "]"},repeat: function(t) {return t}}var a = Date.prototype.toISOString;var s = {"delimiter": "&","encode": true,"encodeValuesOnly": false,"skipNulls": false,"strictNullHandling": false,encoder:function(t) {if (0 === t.length)return t;for (var e = "string" == typeof t ? t : String(t), n = "", r = 0; r < e.length; ++r) {var o = e.charCodeAt(r);45 === o || 46 === o || 95 === o || 126 === o || o >= 48 && o <= 57 || o >= 65 && o <= 90 || o >= 97 && o <= 122 ? n += e.charAt(r) : o < 128 ? n += array_i[o] : o < 2048 ? n += array_i[192 | o >> 6] + array_i[128 | 63 & o] : o < 55296 || o >= 57344 ? n += array_i[224 | o >> 12] + array_i[128 | o >> 6 & 63] + array_i[128 | 63 & o] : (r += 1,o = 65536 + ((1023 & o) << 10 | 1023 & e.charCodeAt(r)),n += array_i[240 | o >> 18] + array_i[128 | o >> 12 & 63] + array_i[128 | o >> 6 & 63] + array_i[128 | 63 & o])}return n},serializeDate: function(t) {return a.call(t)}}var n = t, a = e ? r.assign({}, e) : {};if (null !== a.encoder && void 0 !== a.encoder && "function" != typeof a.encoder)throw new TypeError("Encoder has to be a function.");var c = void 0 === a.delimiter ? s.delimiter : a.delimiter, f = "boolean" == typeof a.strictNullHandling ? a.strictNullHandling : s.strictNullHandling, l = "boolean" == typeof a.skipNulls ? a.skipNulls : s.skipNulls, d = "boolean" == typeof a.encode ? a.encode : s.encode, h = "function" == typeof a.encoder ? a.encoder : s.encoder, p = "function" == typeof a.sort ? a.sort : null, v = void 0 !== a.allowDots && a.allowDots, m = "function" == typeof a.serializeDate ? a.serializeDate : s.serializeDate, g = "boolean" == typeof a.encodeValuesOnly ? a.encodeValuesOnly : s.encodeValuesOnly;if (void 0 === a.format)a.format = i.default;else if (!Object.prototype.hasOwnProperty.call(i.formatters, a.format))throw new TypeError("Unknown format option provided.");var y, w, b = i.formatters[a.format];"function" == typeof a.filter ? n = (w = a.filter)("", n) : Array.isArray(a.filter) && (y = w = a.filter);var _, D = [];if ("object" != typeof n || null === n)return "";_ = a.arrayFormat in o ? a.arrayFormat : "indices"in a ? a.indices ? "indices" : "repeat" : "indices";var S = o[_];y || (y = Object.keys(n)),p && y.sort(p);for (var M = 0; M < y.length; ++M) {var x = y[M];l && null === n[x] || (D = D.concat(u_(n[x], x, S, f, l, d ? h : null, w, p, v, m, b, g)))}var O = D.join(c), k = !0 === a.addQueryPrefix ? "?" : "";return O.length > 0 ? k + O : ""
}var _ = {"json": "{\"id\":\"00914528435406\",\"jsonrpc\":\"2.0\",\"method\":\"auth.login\",\"params\":{\"sn\":\"wy12\",\"loginId\":\"手机号\",\"saltedPassword\":\"密码\",\"salt\":盐值,\"captchaKey\":\"3763286221\",\"captchaCode\":\"5864\",\"withAuth\":\"1\",\"withProfile\":\"1\",\"withBalance\":\"1\",\"terminal\":1,\"host\":\"mdfghg.5xpoijhtf.com\",\"fingerOSModel\":\"Chrome 117.0.0.0 | Windows 10\",\"ztsLang\":\"zh\"}}"
}
console.log(l_a_stringify(_)) 

Object(m.a)代码：

function object_m_a(t) {var e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";function n(t, e) {return Math.floor(Math.random() * (e - t)) + t}var r = function(t) {for (var r = Array(t), i = e.slice(0, 52), a = 0; a < r.length; a++)r[a] = i[n(0, i.length)];return r.join("")}(24), i = function(t) {var n, r, i, a, o, s, u, d = "", c = 0;for (t = function(t) {t = t.replace(/\r\n/g, "\n");for (var e = "", n = 0; n < t.length; n++) {var r = t.charCodeAt(n);r < 128 ? e += String.fromCharCode(r) : r > 127 && r < 2048 ? (e += String.fromCharCode(r >> 6 | 192),e += String.fromCharCode(63 & r | 128)) : (e += String.fromCharCode(r >> 12 | 224),e += String.fromCharCode(r >> 6 & 63 | 128),e += String.fromCharCode(63 & r | 128))}return e}(t); c < t.length; )a = (n = t.charCodeAt(c++)) >> 2,o = (3 & n) << 4 | (r = t.charCodeAt(c++)) >> 4,s = (15 & r) << 2 | (i = t.charCodeAt(c++)) >> 6,u = 63 & i,isNaN(r) ? s = u = 64 : isNaN(i) && (u = 64),d = d + e.charAt(a) + e.charAt(o) + e.charAt(s) + e.charAt(u);return d}(t);return "pwv|13|" + function(t, e) {for (var n = "", r = 0, i = 0; i < e.length; i++) {var a = t.charCodeAt(r % t.length), o = e.charCodeAt(i), s = o;o >= 65 && o <= 90 && (a >= 65 && a <= 90 && (s = (a - 65 + (o - 65)) % 26 + 65),a >= 97 && a <= 122 && (s = (a - 97 + (o - 65)) % 26 + 65),r++),o >= 97 && o <= 122 && (a >= 65 && a <= 90 && (s = (a - 65 + (o - 97)) % 26 + 97),a >= 97 && a <= 122 && (s = (a - 97 + (o - 97)) % 26 + 97),r++),n += String.fromCharCode(s)}return n}(r + "wxfEZdkAYYyBqbnMN", i) + "|" + r}

总结

此网站内容还是比较简单，我这里分析的比较乱，自己分析的话可以参考一下。
另外，登陆的验证码可以使用python的ddddocr，然后把整个流程串通起来就可以实现登陆了。