I. Locating the encryption and decryption code

1. The call stack

Take functions A to E, where A calls B, B calls C, and so on, until the last one sends the request. Pause at the point where the request is sent and walk back up the call stack, one frame at a time, to trace the encrypted data to where it was produced.

Test code:
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
<script>
// JS code: get_data -> b -> c -> d; d is where the request is "sent".
// A breakpoint inside d, followed by walking up the call stack, leads back to b,
// where enc_data was created.
function get_data() {
    let gf = "高圆圆"
    console.log("初始化")
    b()
}
function b() {
    let apple = "APPLE"
    let gf = "刘亦菲"
    let enc_data = "asdfg" // simulated encrypted data
    console.log(enc_data)
    c(enc_data)
    console.log("xxxxx")
}
function c(obj) {
    let gf = "赫本"
    d({
        "a": "aaa",
        "b": "bbb",
        "enc_data": obj
    })
}
function d(data) {
    let gf = "橘梨沙"
    let x = 10
    let y = 100
    console.log("发射请求,加密数据:", data.enc_data)
}
// send the request
get_data()
</script>
</head>
<body>
</body>
</html>
```
2. Keyword search

1) Method keywords
-- encrypt, decrypt, AES
-- JSON.stringify, JSON.parse
2) Key keywords (the key names of the request payload, i.e. the request body)
3) Header keywords
4) URL path keywords
5) Interceptor keywords

II. The call stack

III. Hooks

Supplement from session 8: days 18 to 20 cover the characteristics of symmetric and asymmetric encryption such as AES, RSA and MD5.

Case study: bidcenter (采招网)

URL: https://search.bidcenter.com.cn/search?keywords=园林 绿化&mod=0&page=2

Capturing the traffic shows that the response body is encrypted, which means the browser must contain a decryption entry point somewhere in order to render it.

Search the page's scripts directly for the keyword decrypt. It may match many places; set a breakpoint on each candidate and test which one fires.

Once the decryption entry point is found, supply whatever the function is missing (here the `variate` object holding the key and IV).
```javascript
// Decryption entry point as found in the site's bundle (an object method; `variate` is defined elsewhere).
AESDecrypt: function (str) {
    var nContent = CryptoJS.AES.decrypt(str, variate.key, {
        iv: variate.aceIV,
        mode: CryptoJS.mode.CBC,
        padding: CryptoJS.pad.ZeroPadding
    })
    if (nContent && nContent != null) {
        try {
            var constr = CryptoJS.enc.Utf8.stringify(nContent)
            if (constr != "") {
                var data = JSON.parse(constr);
                return data;
            }
            else
                return null;
        }
        catch (err) {
            return null;
        }
    } else
        return null;
}
```

The JS after modification:

```javascript
// Standalone version: `variate` is filled in with the key and IV captured from the page.
// The values are CryptoJS WordArrays (big-endian 32-bit words, sigBytes = byte length).
// When run outside the browser (Node / execjs), crypto-js must be loaded first,
// e.g. var CryptoJS = require("crypto-js").
function AESDecrypt(str) {
    var variate = {
        key: {"words": [863652730, 2036741733, 1164342596, 1782662963], "sigBytes": 16},
        aceIV: {"words": [1719227713, 1314533489, 1397643880, 1749959510], "sigBytes": 16},
    }
    var nContent = CryptoJS.AES.decrypt(str, variate.key, {
        iv: variate.aceIV,
        mode: CryptoJS.mode.CBC,
        padding: CryptoJS.pad.ZeroPadding
    })
    if (nContent && nContent != null) {
        try {
            var constr = CryptoJS.enc.Utf8.stringify(nContent)
            if (constr != "") {
                var data = JSON.parse(constr);
                return data;
            } else
                return null;
        } catch (err) {
            return null;
        }
    } else
        return null;
}
```
Calling the JS from Python

```python
import base64
import requests
from Crypto.Cipher import AES  # pycryptodome; used by the pure-Python route below

headers = {
    'accept': 'text/plain, */*; q=0.01',
    'accept-language': 'zh-CN,zh;q=0.9',
    'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'origin': 'https://search.bidcenter.com.cn',
    'priority': 'u=1, i',
    'referer': 'https://search.bidcenter.com.cn/',
    'sec-ch-ua': '"Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"macOS"',
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'same-site',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36',
}
data = {
    'from': '6137',
    'guid': '1661ac42-d451-440b-bfcb-f49b00df7a15',
    'location': '6138',
    'token': '',
    'next_token': '',
    'keywords': '%E5%9B%AD%E6%9E%97%20%E7%BB%BF%E5%8C%96',
    'mod': '0',
    'page': '3',
}
response = requests.post('https://interface.bidcenter.com.cn/search/GetSearchProHandler.ashx', headers=headers,
                         data=data)
print(response.text)  # raw response body: base64-encoded AES ciphertext

# Route 1: JS reverse engineering. Run the modified AESDecrypt through execjs
# ("02 caizhaowang.js" is the modified JS above saved to a file; Node needs crypto-js installed).
# import execjs
#
# ret = execjs.compile(open("02 caizhaowang.js").read()).call("AESDecrypt", response.text)
# print(ret)

# Route 2: Python reverse engineering. Re-implement the decryption with pycryptodome.
# The key and IV are the CryptoJS WordArrays from the JS, decoded to their 16 ASCII bytes.
# encrypt_data = base64.b64decode(response.text)
# key = '3zKzyf6eEfuDjAG3'.encode()
# iv = 'fyUANZ0qSNZhhNCV'.encode()
# aes = AES.new(key, AES.MODE_CBC, iv)
# data = aes.decrypt(encrypt_data)
# # CryptoJS ZeroPadding leaves trailing 0x00 bytes; strip them before decoding / JSON parsing
# print("data:::", data.rstrip(b'\x00').decode())
```